2.8.1 Interpolation Attacks
Interpolation attacks can be considered the first algebraic attacks on block ciphers. The underlying intuition of this attack is that the relationship between plaintext and ciphertext can always be expressed as a set of polynomial expressions. If these have sufficiently low degrees, an attacker can reconstruct them from known (or chosen) plaintexts and the corresponding ciphertexts. Then, he can encrypt any plaintext of his choice without knowing the secret key.

Thomas Jakobsen and Lars Knudsen first presented this attack in [JK97], where it was shown that S-boxes represented by functions of low degree, even if provably secure against linear and differential attacks, could fall to interpolation attacks. The name of the attack comes from the fact that the Lagrange interpolation formula is used to determine the interpolating polynomials once a sufficient number of plaintext/ciphertext pairs have been computed.

To make matters worse, shortly thereafter Amr Youssef and Guang Gong [YG00] showed that interpolation attacks are possible even when using monomial S-boxes (i.e. S-boxes representable by a power function over a finite field), regardless of their degree. This observation is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to higher order differential attacks.

Jakobsen and Knudsen give upper bounds on the number of required pairs for known-plaintext interpolation attacks to succeed for selected examples. This number is exponential in the degree of the polynomial function describing the S-box(es), the number of rounds and the size of the internal state. This means that in general interpolation attacks are difficult to mount, because the ciphers must be quite special, and computing the polynomials may become prohibitively expensive.
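To make the degree argument concrete, the following is an added example, not code from the original text or from [JK97]. It models a toy cipher whose whole state is one element of the prime field GF(17) and whose round is x -> (x + k_i)^d, i.e. key addition followed by a monomial S-box of degree d; the field, the round structure, the round keys and all function names are assumptions chosen for illustration. After r rounds the ciphertext is a polynomial of degree d^r in the plaintext (as long as d^r stays below the field size), so d^r + 1 known pairs recover it by Lagrange interpolation and the whole codebook can then be reproduced without the key, while one pair fewer is never enough. Once d^r reaches the field size the bound degenerates to the entire codebook, which is exactly the margin a designer wants.

```python
"""Toy interpolation attack over GF(17) (added example; all names and
parameters are assumptions for illustration, not from the original text)."""

P = 17            # field size: a tiny prime field so everything is hand-checkable
KEYS = [3, 11, 7]  # constructed round keys (the attacker never uses them)


def encrypt(x, keys, d):
    """One-element-state cipher: each round adds a key and applies S(x) = x^d."""
    for k in keys:
        x = pow((x + k) % P, d, P)
    return x


def lagrange_interpolate(points):
    """Coefficients (lowest degree first) of the unique polynomial of degree
    < len(points) over GF(P) through the given distinct (x, y) points."""
    n = len(points)
    coeffs = [0] * n
    for i, (xi, yi) in enumerate(points):
        # Lagrange basis L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(basis) + 1)        # multiply basis by (x - x_j)
            for t, c in enumerate(basis):
                new[t] = (new[t] - c * xj) % P
                new[t + 1] = (new[t + 1] + c) % P
            basis = new
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P  # y_i / denom via Fermat inverse
        for t, c in enumerate(basis):
            coeffs[t] = (coeffs[t] + c * scale) % P
    return coeffs


def evaluate(coeffs, x):
    """Horner evaluation of a polynomial over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def degree(coeffs):
    """Degree of the polynomial (-1 for the zero polynomial)."""
    for i in range(len(coeffs) - 1, -1, -1):
        if coeffs[i]:
            return i
    return -1


def required_pairs(d, rounds):
    """Upper bound on known pairs: the ciphertext has degree d**rounds in the
    plaintext, capped at P - 1 (any function on GF(P) has degree <= P - 1),
    and degree + 1 points determine a polynomial."""
    return min(d ** rounds, P - 1) + 1


def interpolation_attack(keys, d, n_pairs):
    """Collect n_pairs known plaintext/ciphertext pairs, interpolate, and report
    (whether the recovered polynomial reproduces the cipher on the whole
    codebook, i.e. encrypts without the key; degree of the recovered polynomial)."""
    pairs = [(x, encrypt(x, keys, d)) for x in range(n_pairs)]
    poly = lagrange_interpolate(pairs)
    matches_all = all(evaluate(poly, x) == encrypt(x, keys, d) for x in range(P))
    return matches_all, degree(poly)


if __name__ == "__main__":
    for d, rounds in ((2, 3), (3, 2), (3, 3)):
        need = required_pairs(d, rounds)
        ok, deg = interpolation_attack(KEYS[:rounds], d, need)
        short, _ = interpolation_attack(KEYS[:rounds], d, need - 1)
        print(f"S-box x^{d}, {rounds} rounds: {need} pairs -> degree {deg}, "
              f"codebook reproduced: {ok}; with {need - 1} pairs: {short}")
```

The failure with one pair too few is not luck: the true polynomial and the interpolated one differ by a non-zero polynomial of degree d^r, which has at most d^r roots, so they cannot agree on all 17 plaintexts. With x^3 and three rounds the bound is already the whole codebook (17 pairs), which is why the text above says the ciphers must be "quite special" for the attack to pay off.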
2.8.2 Algebraic Attacks
Algebraic attacks break a cipher by representing it as a set of polynomial functions of its inputs, then substituting known data for some of the variables and solving the resulting multivariate system of polynomial equations for the key.

Nicolas Courtois, Alexander Klimov, Jacques Patarin and Adi Shamir presented the framework of these attacks at Eurocrypt 2000 [CKPS00]. The “XL algorithm” (eXtended Linearisation), an improvement on Aviad Kipnis and Adi Shamir’s relinearisation method [KS99], is their method for solving these systems.

Courtois applied the XL algorithm initially to stream ciphers [Cou03, CM03]. Later, he and Josef Pieprzyk [CP02a] observed that Rijndael (and, partially, also Serpent) could be expressed as a system of quadratic equations, and thus adapted XL to this setting. This attack has also been described for the DES [CB06, CB07], leading to a 6-round key recovery attack and a 12-round plaintext recovery attack.

More than one method can be used for solving multivariate systems of polynomial equations. Gröbner basis algorithms can be used, and the XL algorithm is sometimes proposed as an alternative to them, but in fact XL is just an inefficient Gröbner basis algorithm in disguise [AFI+04]. Other methods include resultant-based methods, SAT solvers (for instance [ES]) and a method by Håvard Raddum and Igor Semaev [RS06].

The underlying algebraic structure can be chosen by the attacker: against one cipher he might treat the text as a vector of bits and use Boolean algebra, while for another he might choose to treat it as a vector of bytes and use arithmetic modulo 2^8, and for yet another cipher nibbles may be interpreted as elements of 𝔽_{2^4}, or even as non-zero elements of 𝔽_{17}.

The actual effectiveness of algebraic attacks is debated, often with heated tones. The following quote is one of the polite responses:

    I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael.
    Don Coppersmith, 2002

At the AES 4 Conference, Bonn 2004, one of the inventors of Rijndael, Vincent Rijmen, commented, “The XSL attack is not an attack. It is a dream.” Promptly Courtois answered, “It will become your nightmare.” The attack has not become a nightmare yet, but it has caused some experts to express greater unease at the algebraic simplicity of the current AES. In any case, the possibility of such an attack cannot be excluded a priori during the design of a new cipher.

The most significant successful algebraic attack so far is Nicolas Courtois, Gregory Bard and David Wagner’s cryptanalysis of the block cipher KeeLoq, an NLFSR-based block cipher with a 32-bit state and 64-bit keys used in the automotive industry [CBW08]. Using a combination of slide attacks and SAT (Boolean satisfiability) solvers, they were able to successfully attack this cipher.
2.8.3 Gröbner Basis Attacks
Johannes Buchmann, Andrei Pyshkin and Ralf-Philipp Weinmann [BPW06] use Gröbner bases to implement algebraic attacks leading to key recovery. The first step in their attack is to write down polynomials {p_i} that fully describe the cipher; these are Boolean functions on the key and plaintext bits. Then, a plaintext/ciphertext pair is used to create additional linear equations {g_i}, and the variety defined by the union {p_i} ∪ {g_i} (called the key recovery ideal) is computed by Gröbner basis computations. This set of points is, in fact, a list of key candidates, which is then sieved using further plaintext/ciphertext pairs, as usual.

The bulk of the complexity lies in the Gröbner basis computations, in particular the computation of the variety (which amounts to solving the system) and the creation of the Gröbner bases themselves and their conversion. For this purpose the FGLM algorithm [FGLM93] is used, as well as the Gröbner walk [CKM97].

The attack has been demonstrated on the toy ciphers Flurry and Curry; these ciphers are, however, not trivial, since they have proven good resistance against differential and linear attacks.
2.8.4 Countermeasures
Despite the fact that no algebraic attack has successfully broken ciphers that have withstood intense cryptanalysis of other types (for instance, the 2^101 time complexity attacks on AES-256 are not taken seriously by part of the cryptographic community), it would be unwise to ignore the possibility and not to take at least some simple precautions. For instance, if the S-boxes do not have high degree, the cipher may be easily defeated by algebraic attacks, as happened for some toy ciphers.

Indeed, all forms of algebraic attacks can be made impractical when the system of equations and the degrees of its polynomials can be made sufficiently large. Cipher designers therefore strive to make their ciphers highly nonlinear. This is achieved not only by making the non-linear components, such as S-boxes, of as high degree as possible, but also by demanding high algebraic immunity: to this purpose the algebraic normal form (ANF) of the Boolean functions involved in a cipher is considered, and functions of as high degree and as high algebraic immunity as possible should be used.
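The quantities named in this section (ANF, algebraic degree, algebraic immunity) and the quadratic input/output relations that the attacks of section 2.8.2 assemble into their equation systems can all be computed directly for a small S-box, which is how a designer checks the precautions above. The following is an added example, not code from the original text or from any of the cited papers. It uses the 4-bit S-box of the PRESENT block cipher as a realistic input; the PRESENT S-box itself is the one published by its designers, while every function name and the tiny test functions in the comments are this example's own.

```python
"""Algebraic profile of a 4-bit S-box: ANF, algebraic degree, number of
quadratic input/output relations, and algebraic immunity (added example).

Conventions: a truth table is a list indexed by the integer x, and bit i of x
is the Boolean variable x_i. An ANF is a list indexed by the monomial u, where
coefficient a_u multiplies prod_{i in u} x_i.
"""
from itertools import combinations

# PRESENT S-box (Bogdanov et al., CHES 2007), used here only as sample input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(truth_table):
    """Moebius transform: truth table -> ANF coefficients over GF(2)."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for x in range(len(a)):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return a


def degree(anf_coeffs):
    """Algebraic degree: most variables in any monomial present (-1 if f = 0)."""
    return max((bin(u).count("1") for u, c in enumerate(anf_coeffs) if c), default=-1)


def coordinate(sbox, bit):
    """Truth table of one output bit of the S-box."""
    return [(y >> bit) & 1 for y in sbox]


def sbox_degree(sbox):
    """Maximum algebraic degree over all output coordinates."""
    return max(degree(anf(coordinate(sbox, b))) for b in range(max(sbox).bit_length()))


def gf2_rank(rows):
    """Rank over GF(2) of row vectors packed as Python integers."""
    rank, rows = 0, [r for r in rows if r]
    while rows:
        pivot = max(rows)                 # row with the highest leading bit
        top = pivot.bit_length() - 1
        rank += 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
        rows = [r for r in rows if r]     # the pivot row itself is now zero
    return rank


def monomials(n_vars, max_degree):
    """All monomials of degree <= max_degree, as tuples of variable indices."""
    return [m for d in range(max_degree + 1) for m in combinations(range(n_vars), d)]


def eval_row(bits, monos):
    """Values of every monomial at one point, packed into one integer row."""
    return sum(1 << j for j, m in enumerate(monos) if all(bits[i] for i in m))


def count_quadratic_relations(sbox):
    """Number of linearly independent equations of degree <= 2 in the input
    and output bits holding for every pair (x, S(x)). Each equation is a
    vector in the null space of the evaluation matrix, so the count is
    (#monomials - rank); these relations are the raw material of an algebraic
    attack, and 1 + 2n + C(2n, 2) - 2^n is the fewest any n-bit S-box can have."""
    n = max(sbox).bit_length()
    monos = monomials(2 * n, 2)
    rows = [eval_row([(x >> i) & 1 for i in range(n)] + [(y >> i) & 1 for i in range(n)], monos)
            for x, y in enumerate(sbox)]
    return len(monos) - gf2_rank(rows)


def algebraic_immunity(truth_table):
    """Smallest degree d of a nonzero g with f*g = 0 or (f+1)*g = 0. Such a g
    annihilates f exactly when it vanishes on the support of f, so a degree-d
    annihilator exists iff the monomials of degree <= d, evaluated on that
    support, are linearly dependent (rank below the number of monomials)."""
    n = len(truth_table).bit_length() - 1
    for d in range(n + 1):
        monos = monomials(n, d)
        for value in (1, 0):              # annihilators of f, then of f + 1
            support = [x for x, v in enumerate(truth_table) if v == value]
            rows = [eval_row([(x >> i) & 1 for i in range(n)], monos) for x in support]
            if gf2_rank(rows) < len(monos):
                return d
    return n


if __name__ == "__main__":
    print("PRESENT S-box: degree", sbox_degree(PRESENT_SBOX),
          "| quadratic relations", count_quadratic_relations(PRESENT_SBOX),
          "| AI per coordinate", [algebraic_immunity(coordinate(PRESENT_SBOX, b)) for b in range(4)])
    # The identity map is the weak extreme: every output bit equals an input bit,
    # so far more quadratic relations hold than for a well-chosen S-box.
    print("identity S-box: quadratic relations", count_quadratic_relations(list(range(16))))
```

For a 4-bit S-box there are 37 monomials of degree at most 2 in the eight input/output variables and only 16 evaluation points, so at least 21 relations always exist; the PRESENT S-box attains exactly that minimum, whereas the identity map satisfies 26. The same rank test, applied to the support of a single coordinate function, gives its algebraic immunity.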