
We present key-recovery known-plaintext related-key slide attacks [42, 60, 61]. These attacks exploit the partial similarity of 4-round sequences, and work for any version of MULTI2 whose number of rounds is a multiple of eight.

Let $F_{1\ldots4}$ stand for 4-round encryption involving $\pi_1, \ldots, \pi_4$ with subkeys $k_1, \ldots, k_4$. Similarly, let $F_{5\ldots8}$ stand for 4-round encryption involving $\pi_1, \ldots, \pi_4$ with subkeys $k_5, \ldots, k_8$; let $F'_{1\ldots4}$ stand for $\pi_1, \ldots, \pi_4$ with subkeys $k'_1, \ldots, k'_4$, and $F'_{5\ldots8}$ stand for $\pi_1, \ldots, \pi_4$ with subkeys $k'_5, \ldots, k'_8$.

Given an unknown key pair $(s, d)$, we consider a related-key pair $(s', d')$ that gives $k'$ such that
$$k'_1 = k_5, \quad k'_2 = k_6, \quad k'_3 = k_7, \quad k'_4 = k_8,$$
$$k'_5 = k_1, \quad k'_6 = k_2, \quad k'_7 = k_3, \quad k'_8 = k_4 . \tag{6.1}$$
Thus, $F'_{1\ldots4} \equiv F_{5\ldots8}$ and $F'_{5\ldots8} \equiv F_{1\ldots4}$.

For Eq. (6.1) to hold, it is necessary that the related key $(s', d')$ satisfies
$$d'_1 = k_3, \quad d'_1 \oplus d'_2 = k_4,$$
$$s'_1 = s_5, \quad s'_2 = s_6, \quad s'_3 = s_7, \quad s'_4 = s_8,$$
$$s'_5 = s_1, \quad s'_6 = s_2, \quad s'_7 = s_3, \quad s'_8 = s_4 .$$

The conditions $k'_1 = k_5$ and $k'_2 = k_6$ require
$$k_3 \oplus \pi_2(k_4, s_5) = d'_1 \oplus \pi_2(d'_1 \oplus d'_2, s'_1),$$
$$k_4 \oplus \pi_3(k_5, s_6, s_7) = d'_1 \oplus d'_2 \oplus \pi_3(k'_1, s'_2, s'_3) .$$

The relation used is therefore valid, since constraints on the related key are only given in terms of relations, not of actual values.

A slid pair satisfies $P' = F_{1\cdots4}(P)$, which implies $C' = F'_{5\cdots8}(C) = F_{1\cdots4}(C)$, as shown below.
$$P \xrightarrow{F_{1\cdots4}} X \xrightarrow{F_{5\cdots8}} \cdots \xrightarrow{F_{5\cdots8}} C$$
$$P' \xrightarrow{F'_{1\cdots4}} \cdots \xrightarrow{F'_{1\cdots4}} Y \xrightarrow{F'_{5\cdots8}} C' .$$

That is, one obtains two 64-bit conditions since both the plaintext and ciphertext slid pairs are keyed by the same subkeys. Thus one slid pair is sufficient to identify $k_1, \ldots, k_4$. The attack goes as follows:

1. Collect $2^{32}$ distinct $(P_i, C_i)$ pairs, $i = 1, \ldots, 2^{32}$, encrypted with $k$.

2. Collect $2^{32}$ distinct $(P'_i, C'_i)$ pairs, $i = 1, \ldots, 2^{32}$, encrypted with $k'$.

3. For each $(i, j) \in \{1, \ldots, 2^{32}\}^2$:

   4. Find the value of $k_1, \ldots, k_4$ that satisfy $P'_j = F_{1\cdots4}(P_i)$ and $C'_j = F_{1\cdots4}(C_i)$ (this can be done in $2^{72}$ evaluations of $F_{1\cdots4}$).

   5. Search exhaustively $k_5, \ldots, k_8$ (there are $2^{28+32+30.7} = 2^{90.7}$ choices, exploiting the non-surjectivity of $\pi_2$ and $\pi_4$).

We cannot filter the wrong slid pairs, so we try all possible $2^{64}$ pairs $(P_i, P'_j)$. But each potential slid pair provides a 128-bit condition, because both the plaintext and ciphertext pairs are keyed by the same unknown subkeys. Thus, we can filter the wrong subkeys at once.
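The slide identity that the attack rests on, as an added example that is not code from the thesis or from MULTI2: a toy cipher with the round structure the notation $F_{1\ldots4}$, $F_{5\ldots8}$ implies (four round types reused with subkeys $k_1, \ldots, k_8$ every eight rounds). It checks that, with the related key of Eq. (6.1) and $P' = F_{1\ldots4}(P)$, the ciphertexts satisfy $C' = F_{1\ldots4}(C)$ for any number of rounds $8r$. The round functions `pi`, the sample key and the plaintext are constructed for the example and have nothing to do with MULTI2's actual $\pi_i$.

```python
# Added example, not from the thesis: a toy cipher with four round types
# pi_1..pi_4 and eight subkeys k_1..k_8 reused every eight rounds, used to
# check the slide identity behind Eq. (6.1). Everything below (round
# functions, key, plaintext) is constructed; only the structure matters.
MASK = 0xFFFFFFFF


def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def pi(i, right, k):
    """Toy round function number i (1..4) on a 32-bit half with subkey k."""
    if i == 1:
        return right ^ k
    if i == 2:
        return (rotl((right + k) & MASK, 1) + k) & MASK
    if i == 3:
        return rotl(right ^ k, 8) ^ (right | k)
    return (rotl(right, 16) + k) & MASK


def round_fn(state, i, k):
    """One Feistel round: new left = old right, new right = left ^ pi_i(right, k)."""
    left, right = state
    return right, left ^ pi(i, right, k)


def F(state, subkeys, start):
    """Four rounds pi_1..pi_4 keyed with subkeys[start..start+3] (0-based)."""
    for j in range(4):
        state = round_fn(state, j + 1, subkeys[start + j])
    return state


def encrypt(state, subkeys, rounds):
    """Encrypt a (left, right) pair; rounds is a multiple of 8 and the
    subkeys are reused every eight rounds."""
    assert rounds % 8 == 0 and len(subkeys) == 8
    for _ in range(rounds // 8):
        state = F(state, subkeys, 0)   # F_{1..4}: pi_1..pi_4 with k_1..k_4
        state = F(state, subkeys, 4)   # F_{5..8}: pi_1..pi_4 with k_5..k_8
    return state


def related_key(k):
    """Eq. (6.1): k'_1..k'_4 = k_5..k_8 and k'_5..k'_8 = k_1..k_4."""
    return k[4:] + k[:4]


def slid_pair_holds(P, k, rounds):
    """True iff P' = F_{1..4}(P), encrypted under k', gives C' = F_{1..4}(C)."""
    C = encrypt(P, k, rounds)
    P_slid = F(P, k, 0)
    C_slid = encrypt(P_slid, related_key(k), rounds)
    return C_slid == F(C, k, 0)


# Constructed sample key and plaintext (hypothetical values).
SAMPLE_KEY = (0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0,
              0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
SAMPLE_P = (0xDEADBEEF, 0xCAFEBABE)

if __name__ == "__main__":
    for r in (8, 16, 32):
        print(r, slid_pair_holds(SAMPLE_P, SAMPLE_KEY, r))
```

Because $E_{k'} = (F_{1\ldots4} \circ F_{5\ldots8})^r$ while $E_k = (F_{5\ldots8} \circ F_{1\ldots4})^r$, the identity holds regardless of what the round functions compute, which is why the attack does not depend on the number of rounds beyond it being a multiple of eight.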

We briefly explain how to recover $k_1, \ldots, k_4$: using the potential slid pair $(P'_j, P_i)$, guess the output of $\pi_2$ ($2^{28}$ choices), then find the left half's value after the XOR with $\pi_2$'s output. Then, guess $k_2$ ($2^{32}$ choices), and find the $k_3$ that yields the (known) output of $\pi_3$, deduce $k_4$, and finally, for the $2^4$ valid values of $k_1$, test whether the current choice of $k_1, \ldots, k_4$ is consistent with the second potential slid pair $(C'_j, C_i)$.

Finding $k_3$ from $k_2$, the input of $\pi_3$, and its output, is not trivial: one has to solve an equation of the form $(x \ll 16) \oplus (x \vee a) = b$, then an equation $(y \ll 1) - y = c$, where $x$ and $y$ are the unknowns. The first can be solved bit per bit, by iteratively storing the solutions for each pair $(x_i, x_{i+16})$. There are 16 such pairs, and for each pair there are at most two solutions. Hence in the worst case there will be $2^{16}$ solutions (namely, when $a = 0$). On average, when $a$ has weight 16, there will be $2^8$ solutions. For the second equation, one can precompute the table of solutions ($2^{64}$ entries), then solve the equation with one memory access. This can also be applied to the first equation. More advanced, memoryless, techniques are probably possible. Finally, the expected cost of computing $k_3$ is $2^8$ trials. The attack complexity is thus about $2^{64} \times 2^{72}/r + 2^{90.7} \approx 2^{136}/r$ encryptions, with required storage for $2^{33}$ plaintext/ciphertext
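The bit-per-bit solver for the first equation, as an added example that is not code from the thesis. It assumes that $\ll 16$ denotes a left rotation by 16 on 32-bit words, which is the reading under which the counts above hold (bits $i$ and $i+16$ of $x$ interact only with each other, $2^{16}$ solutions when $a = 0$, a unique one when $a$ is all ones); the values of $a$ and $b$ used to exercise it are constructed.

```python
# Added example, not from the thesis: solve (x <<< 16) ^ (x | a) == b on
# 32-bit words bit per bit. "<<<" is assumed to be a rotation by 16; under
# that reading bit i of the left side is x_{i+16} ^ (x_i | a_i) and bit i+16
# is x_i ^ (x_{i+16} | a_{i+16}), so the 16 pairs (x_i, x_{i+16}) can be
# solved independently and the solution set is their Cartesian product.
MASK = 0xFFFFFFFF


def rotl16(x):
    return ((x << 16) | (x >> 16)) & MASK


def bit(w, i):
    return (w >> i) & 1


def pair_solutions(a, b, i):
    """Values (x_i, x_{i+16}) satisfying bits i and i+16 of the equation;
    at most two of the four candidates survive, as the text states."""
    sols = []
    for xi, xj in ((0, 0), (0, 1), (1, 0), (1, 1)):
        ok_lo = (xj ^ (xi | bit(a, i))) == bit(b, i)
        ok_hi = (xi ^ (xj | bit(a, i + 16))) == bit(b, i + 16)
        if ok_lo and ok_hi:
            sols.append((xi, xj))
    return sols


def solve_rot_or(a, b):
    """All 32-bit x with rotl16(x) ^ (x | a) == b, built pair by pair."""
    partial = [0]
    for i in range(16):
        choices = pair_solutions(a, b, i)
        if not choices:            # some bit pair admits no value: no solution
            return []
        partial = [x | (xi << i) | (xj << (i + 16))
                   for x in partial for xi, xj in choices]
    return partial


def check(x, a, b):
    """Direct verification of one candidate solution."""
    return (rotl16(x) ^ (x | a)) & MASK == b


if __name__ == "__main__":
    # Constructed instance: pick x, derive b, and recover the solution set.
    x, a = 0x12345678, 0x0F0F00FF
    b = rotl16(x) ^ (x | a)
    sols = solve_rot_or(a, b)
    print(len(sols), x in sols, all(check(s, a, b) for s in sols))
```

The number of solutions returned is exactly the product of the per-pair counts, so the worst case ($a = 0$ with consistent $b$) enumerates $2^{16}$ values, which is the figure the text gives.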

6.5 Conclusion

We showed that the 256-bit key of MULTI2 can be recovered in about $2^{185}$ trials instead of $2^{256}$ ideally, for any number of rounds, and using only three plaintext/ciphertext pairs. This weakness is due to the loss of entropy induced by the key schedule and the non-surjective round functions. We also described a linear (key-recovery) attack on up to 20 rounds, and a related-key slide attack in time $2^{136}/r$ working for any number of rounds $r$ that is a multiple of eight (thus including the recommended 32 rounds).

Although our results do not represent any practical threat when the 32-round recommendation is followed, they show that the security of MULTI2 is not as high as expected, and raise concerns on its long-term reliability. A practical break of MULTI2 would have dramatic consequences: millions of receivers would have to be replaced, a new technology and new standards would have to be designed and implemented.

Finally, note that the Common Scrambling Algorithm (CSA), used in Europe through the digital-TV standard DVB (see http://www.dvb.org/), also underwent some (non-practical) attacks [220, 223]. For comparison, the American standard ATSC uses Triple-DES in CBC mode (see http://www.atsc.org/standards/a_70a_with_amend_1.pdf).

Chapter 7

Cube Testers

Cube attacks, introduced by Shamir at CRYPTO 2008 [89, 201], are a type of algebraic attack that exploits implicit low-degree equations in cryptographic algorithms to recover a secret key. Such equations are generally due to the use of components with a low algebraic degree. For example, the four-bit S-boxes of the block cipher Serpent [45] are components with algebraic degree at most three [204].

Cube attacks only require black-box access to the target algorithm, and were successfully applied by Dinur and Shamir to reduced versions of the stream cipher Trivium [74]. Roughly speaking, a cryptographic function is vulnerable to cube attacks if its algebraic normal form over GF(2) has degree at most $d$, such that $2^d$ computations of the function is below $2^\kappa$, if $\kappa$ is the security parameter. Cube attacks recover a secret key through black-box queries to a keyed algorithm with public variables (like an IV for a stream cipher, or a plaintext for a block cipher), followed by solving a linear system of equations. Previous works by Vielhaber [216], and by Fischer, Khazaei, and Meier [96] proposed related methods for key recovery that also exploit, implicitly, low-degree equations.

Shortly after the presentation of cube attacks, I developed a variant technique called cube testers, inspired by previous works on “monomial tests” [92, 95, 166, 191]. To demonstrate the power of cube testers, we applied them to the stream cipher Trivium, extending the previous results of Dinur and Shamir with cube attacks. But our first target was the reduced compression function MD6, whose sparse and low-degree round function makes it an ideal target for cube attacks and cube testers. Independently of our work, Dinur and Shamir discovered key-recovery cube attacks on reduced-round MD6. We presented our results in a joint paper at FSE 2009 [10]. This chapter starts with a brief introduction to cube attacks in §7.1, then presents cube testers in §7.2, and finally describes their applications to MD6, Trivium, and Grain in §7.3 and in §7.4. Table 7.1 summarizes our results, comparing them with the best known results at the time of writing this thesis.

| Cipher | #Rounds | Time | Attack | Authors |
|---|---|---|---|---|
| MD6 (compression function) | 12 | hours | inversion | [185] |
| | 14 | $2^{22}$ | key recovery | √ |
| | 18 | $2^{17}$ | nonrandomness | √ |
| | 33 | ? | nonrandomness | [125] |
| | 66⋆ | $2^{24}$ | nonrandomness | √ |
| Trivium | 736 | $2^{33}$ | distinguisher | [92] |
| | 767⋄ | $2^{36}$ | key-recovery | [89] |
| | 790 | $2^{30}$ | distinguisher | √ |
| | 885 | $2^{27}$ | nonrandomness | √ |
| Grain-v1 | 81 | $2^{30}$ | distinguisher | √ |
| | 160 | $2^{55}$ | related-key key-recovery | [73] |
| | 160 | $2^{42}$ | related-key key-recovery | [137] |
| Grain-128 | 180 | $2^{124}$ | key recovery | [96] |
| | 192 | $2^{30}$ | distinguisher | [92] |
| | 237 | $2^{46}$ | distinguisher | √ |
| | 256 | $2^{127}$ | key-recovery | [73] |
| | 256 | $2^{50}$ | related-key key-recovery | [137] |
| | 256† | $2^{83}$ | distinguisher | √ |

⋆: for a modified version where $S_i = 0$; ⋄: cost excluding precomputation; †: extrapolation.

Table 7.1: Summary of the best known attacks on MD6, Trivium, Grain-v1, and Grain-128 ("√" designates our results). For the stream ciphers, complexity is given in terms of initializations of the cipher.

7.1 Introduction to Cube Attacks

Let $\mathcal{F}_n$ be the set of all functions mapping $\{0,1\}^n$ to $\{0,1\}$, $n > 0$, and let $f \in \mathcal{F}_n$. The algebraic normal form (ANF) of $f$ is the polynomial $p$ over GF(2) in variables $x_1, \ldots, x_n$ such that evaluating $p$ on $x \in \{0,1\}^n$ is equivalent to computing $f(x)$, and such that it is of the form$^2$
$$\sum_{i=0}^{2^n-1} a_i \cdot x_1^{i_1} x_2^{i_2} \cdots x_{n-1}^{i_{n-1}} x_n^{i_n}$$
for some $(a_0, \ldots, a_{2^n-1}) \in \{0,1\}^{2^n}$, where $i_j$ denotes the $j$-th digit of the binary encoding of $i$ (and so the sum spans all monomials in $x_1, \ldots, x_n$). In the following we shall identify functions in $\mathcal{F}_n$ with their representative polynomial.

An important observation regarding cube attacks is that for any function $f \in \mathcal{F}_n$, the sum of all entries in the truth table
$$\sum_{x \in \{0,1\}^n} f(x)$$
equals the coefficient of the highest degree monomial $x_1 \cdots x_n$ in the ANF of $f$. This observation has previously been used by Englund, Johansson, and Turan [92] for building distinguishers (which turn out to be particular cases of cube testers). For example, let $n = 4$ and $f$ be defined as
$$f(x_1, x_2, x_3, x_4) = x_1 + x_1x_2x_3 + x_1x_2x_4 + x_3 .$$
Then, summing $f(x_1, x_2, x_3, x_4)$ over all 16 distinct inputs makes all monomials vanish and yields zero, i.e., the coefficient of the monomial $x_1x_2x_3x_4$ in the ANF of $f$.

$^2$ The ANF of any $f \in \mathcal{F}_n$ has degree at most $n$, since $x_i^d = x_i$ for $x_i \in$ GF(2), $d > 0$.

Unlike the above example, cube attacks work by summing $f(x)$ over a subset of its inputs. Continuing our example, summing over the four possible values of $(x_1, x_2)$ yields
$$\sum_{(x_1, x_2) \in \{0,1\}^2} f(x_1, x_2, x_3, x_4) = 4x_1 + 4x_3 + (x_3 + x_4) ,$$
where $(x_3 + x_4)$ is the factor of $x_1x_2$ in $f$:
$$f(x_1, x_2, x_3, x_4) = x_1 + x_1x_2(x_3 + x_4) + x_3 .$$
Indeed, when $x_3$ and $x_4$ are fixed, then the maximum degree monomial becomes $x_1x_2$ and its coefficient equals the evaluation of $(x_3 + x_4)$.
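The two sums above, as an added example that is not code from the thesis: `cube_sum` adds a Boolean function over a chosen cube with the remaining variables fixed, and `anf` recovers all coefficients $a_i$ by the Möbius transform, so that the full-truth-table sum can be checked against the coefficient of $x_1 \cdots x_n$ and the sum over $x_1x_2$ against the superpoly $x_3 + x_4$. It goes slightly beyond the text in that `superpoly_table` evaluates the superpoly on every assignment of the fixed variables; `f_example` is the page's $f$, and the function and helper names are this example's own.

```python
from itertools import product

# Added example, not from the thesis. Boolean functions are callables on a
# tuple of n bits; variable indices are 1-based as in the text.


def f_example(x):
    """The page's f(x1,x2,x3,x4) = x1 + x1x2x3 + x1x2x4 + x3 over GF(2)."""
    x1, x2, x3, x4 = x
    return (x1 ^ (x1 & x2 & x3) ^ (x1 & x2 & x4) ^ x3) & 1


def cube_sum(f, n, cube, fixed=None):
    """XOR f over all 2^|cube| assignments of the cube variables, with every
    other variable taken from `fixed` (default 0)."""
    fixed = fixed or {}
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        x = [fixed.get(i, 0) for i in range(1, n + 1)]
        for idx, b in zip(cube, bits):
            x[idx - 1] = b
        total ^= f(tuple(x))
    return total


def anf(f, n):
    """Moebius transform of the truth table: returns {monomial: 1} for every
    monomial (tuple of 1-based indices) whose ANF coefficient a_i is 1."""
    # truth table indexed by the integer whose bit j-1 holds x_j
    table = [f(tuple((i >> j) & 1 for j in range(n))) for i in range(1 << n)]
    for j in range(n):
        for i in range(1 << n):
            if i & (1 << j):
                table[i] ^= table[i ^ (1 << j)]
    return {tuple(j + 1 for j in range(n) if (i >> j) & 1): 1
            for i in range(1 << n) if table[i]}


def superpoly_table(f, n, cube):
    """The superpoly of `cube` evaluated on every assignment of the
    remaining variables, as {assignment tuple: value}."""
    rest = [i for i in range(1, n + 1) if i not in cube]
    return {bits: cube_sum(f, n, cube, dict(zip(rest, bits)))
            for bits in product((0, 1), repeat=len(rest))}


if __name__ == "__main__":
    print(anf(f_example, 4))                       # the four monomials of f
    print(cube_sum(f_example, 4, [1, 2, 3, 4]))    # coefficient of x1x2x3x4
    print(superpoly_table(f_example, 4, [1, 2]))   # x3 + x4 on (x3, x4)
```

The cube sum over $I$ with the other variables fixed is exactly the Möbius transform restricted to one face of the hypercube, which is why the sum over all $n$ variables returns the top coefficient and the sum over $x_1x_2$ returns $x_3 \oplus x_4$ for each choice of $(x_3, x_4)$.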

More generally, given an index set $I \subset \{1, \ldots, n\}$, any function in $\mathcal{F}_n$ can be represented algebraically under the form
$$f(x_1, \ldots, x_n) = t_I \cdot p(\cdots) + q(x_1, \ldots, x_n) ,$$
where $t_I$ is the monomial containing all the $x_i$'s with $i \in I$, $p$ is a polynomial that has no variable in common with $t_I$, and such that no monomial in the polynomial $q$ contains $t_I$ (that is, we factored $f$ by the monomial $t_I$). In the example above, $I = \{1, 2\}$, $t_I = x_1x_2$, $p(x_3, x_4) = x_3 + x_4$, and $q(x_1, x_2, x_3, x_4) = x_1 + x_3$.

In the context of cube attacks, we shall call the monomial $t_I$ a cube (regardless of its dimension), and its factor a superpoly. Summing $f$ over the $t_I$ for other variables fixed, one obtains
$$\sum_I \bigl(t_I \cdot p(\cdots) + q(x_1, \ldots, x_n)\bigr) = \sum_I t_I \cdot p(\cdots) = p(\cdots) ,$$
that is, the evaluation of $p$ for the chosen fixed variables. Following the terminology of [89], $p$ is the superpoly of $I$ in $f$. A cube $t_I$ is called a maxterm if and only if its superpoly $p$ has degree one (i.e., is linear but not a constant).

When attacking a cryptographic algorithm, the variables $x_1, \ldots, x_n$ are partitioned into

• Secret, or key, variables $k = k_1, \ldots, k_m$.

• Public, or tweakable, variables $v = v_1, \ldots, v_{n-m}$.

In a classical attack model, the attacker queries the function $f(k, \cdot)$ where $k$ is fixed and unknown. If $f$ models a stream cipher, for example, one can consider the function $f(k, v)$ that returns the first keystream bit when initialized with key $k$ and IV $v$. If $f$ models a block cipher, $v$ represents the plaintext, and $f$ returns a specific bit of the ciphertext. For a MAC, $v$ represents the message.

The key idea of cube attacks, in order to recover $k$ from queries to $f(k, \cdot)$ with a chosen $v$, is to find maxterms composed of public variables, i.e., such that $\sum_I f(k, v)$ gives the evaluation of a linear expression in key variables. Cube attacks thus proceed in two stages:

1. Offline (preprocessing), in which the attacker queries $f(\cdot, \cdot)$ with chosen $k$ and $v$'s to find maxterms and determine their superpolys.

2. Online, in which the attacker queries $f(k, \cdot)$ with chosen $v$'s and recovers $k$.

Those two stages are detailed below.

The preprocessing stage of a cube attack consists in finding sufficiently many maxterms, that is, subsets $I$ of the public variables for which the sum
$$\sum_I f(k, v)$$
yields the evaluation of a linear combination of key bits. The parameter to minimize, in order for the online attack to be faster, is the size of the maxterms: if a maxterm contains $n$ variables, then $2^n$ queries to the attacked algorithm are necessary to evaluate the superpolys.

The finding of a maxterm goes in two steps:

1. Identifying a maxterm, i.e., for some choice of variables, checking that the corresponding superpoly is linear using the BLR probabilistic linearity test [67].

2. Reconstructing its superpoly, i.e., retrieving exactly which key variables it contains. This is done by iteratively testing the linearity of each key variable, with a variant of the BLR test.

The main challenge is to identify maxterms, rather than to reconstruct the ANF of their superpoly. A simple heuristic method, proposed in [10, 89], works as follows: one randomly chooses a subset $I$ of public variables. Thereafter, one uses a linearity test to check whether the corresponding superpoly $p$ is linear. If $I$ is too small, $p$ is likely to be nonlinear in the secret variables, and in this case the attacker adds a public variable to $I$ and repeats the process. If $I$ is too large, the sum will be a constant function, and in this case one drops a public variable from $I$ and repeats the process. The correct choice of $I$ is the borderline between these cases, and if it does not exist the attacker retries with a different initial $I$.

More advanced techniques can be proposed to optimize the search of maxterms of degree as low as possible. Indeed, for some algorithms there can be big differences between a “good” n-bit index set I and a random one. Roughly speaking, one should choose the variables that are the least nonlinearly combined in the first rounds of the function. The finding of such subsets may be done analytically or empirically, depending on the function’s structure, but generally one will combine the two approaches. Below we describe a purely empirical strategy, relevant when attacking a black-box, i.e., an algorithm whose structure is completely unknown.

The strategy we propose is a refined version of the above heuristic: start from a small, random, set of variables $I$. Reduce the number of rounds of the algorithm attacked to the highest number for which the superpoly of $I$ is constant. Then, add a random variable to $I$, and again find out the highest number of rounds that yield a linear superpoly; repeat this for several random choices, and eventually add to $I$ the variable that gives the lowest number of rounds. And that's it. This simple strategy can be refined, for example, with the random removal of "bad" variables. The objective is to converge towards a local minimum in the search space. Due to the highly structured topology of this space, optimization techniques such as genetic algorithms are likely to assist the search of good maxterms (cf. §§7.4.4).

After the preprocessing, the attacker has a list $(I_i, p_i)_i$ of maxterms with their corresponding linear superpolys. Ideally, one should have at least as many (linearly independent) equations as key bits, in order to solve the system with certainty, and with no need to "guess" any key bit. Note that the maxterms $I_i$ may have different degrees. When evaluating a linear expression, the public variables that are not in the maxterm should be set to a fixed value, and to the same value as set in the preprocessing phase.

Now that the secret variables are fixed, one evaluates the $p_i$'s by computing $\sum_{I_i} f(k, v)$ over all the values of the corresponding maxterm, to find the value of a linear combination of the key bits. One obtains a system of linear equations $\{p_i(k_1, \ldots, k_n) = v_i\}_i$, which can be solved in polynomial time.

Assuming that the degree of the target algorithm is $d$, each sum requires at most $2^{d-1}$ evaluations of the derived polynomials. If there are $n$ maxterms $I_1, \ldots, I_n$ of respective degrees $d_1, \ldots, d_n$, the total cost of the online attack is thus $n^2 + \sum_{i=1}^n 2^{d_i}$. Put differently, complexity is polynomial in the key size, and exponential in the number of differentiations.
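Both stages, as one added example that is not code from the thesis; it also covers the two-step maxterm search described earlier (BLR linearity test, then superpoly reconstruction by probing each key variable). The target `f_toy`, its sizes ($m = 4$ key bits, 5 public bits), the cube-dimension bound and the sample keys are all constructed for the example; none of the real targets (MD6, Trivium, Grain) is modelled, and the function names are this example's own.

```python
import random
from itertools import combinations, product

# Added example, not the thesis's code: a complete cube attack on a
# constructed toy keyed function f(k, v). Offline, every small subset of
# public variables is tested with the BLR affine test and, if it passes with
# a non-constant superpoly, that superpoly is reconstructed. Online, cube
# sums through the oracle v -> f(k, v) give one linear equation per maxterm,
# and the GF(2) system is solved for k.
M, N_PUB = 4, 5          # toy sizes: key bits k1..k4, public bits v1..v5


def f_toy(k, v):
    """Constructed target: v1v2, v3v4, v1v3v5 and v2v5 are maxterms; the
    cubes v1 and v4 have nonlinear superpolys, all others constant ones."""
    k1, k2, k3, k4 = k
    v1, v2, v3, v4, v5 = v
    return ((v1 & v2 & (k1 ^ k3)) ^ (v3 & v4 & (k2 ^ k4 ^ 1))
            ^ (v1 & v3 & v5 & k1) ^ (v2 & v5 & k4)
            ^ (v1 & k1 & k2) ^ (v4 & k2 & k3 & k4) ^ (k1 & k3)) & 1


def cube_sum(oracle, cube):
    """XOR oracle(v) over the cube variables (1-based public indices); the
    other public variables stay at 0 in both stages, as the text requires."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * N_PUB
        for idx, b in zip(cube, bits):
            v[idx - 1] = b
        total ^= oracle(tuple(v))
    return total


def superpoly_at(f, k, cube):
    """Offline: the superpoly of `cube` evaluated at a chosen key k."""
    return cube_sum(lambda v: f(k, v), cube)


def blr_is_affine(f, cube, trials=64, seed=1):
    """BLR test: p(x) + p(y) + p(0) == p(x + y) for random keys x, y. A
    nonlinear superpoly fails a trial with constant probability, so 64
    trials make a false accept negligible."""
    rng = random.Random(seed)
    p0 = superpoly_at(f, (0,) * M, cube)
    for _ in range(trials):
        x = tuple(rng.randint(0, 1) for _ in range(M))
        y = tuple(rng.randint(0, 1) for _ in range(M))
        xy = tuple(a ^ b for a, b in zip(x, y))
        if (superpoly_at(f, x, cube) ^ superpoly_at(f, y, cube) ^ p0
                != superpoly_at(f, xy, cube)):
            return False
    return True


def reconstruct_superpoly(f, cube):
    """(coefficients of k1..km, constant): p(0) is the constant and
    p(e_j) + p(0) the coefficient of k_j, e_j being the j-th unit key."""
    c = superpoly_at(f, (0,) * M, cube)
    coeffs = [superpoly_at(f, tuple(int(i == j) for i in range(M)), cube) ^ c
              for j in range(M)]
    return coeffs, c


def preprocess(f, max_dim=3):
    """Offline stage: maxterms of dimension <= max_dim as
    (cube, coefficients, constant); constant superpolys are rejected."""
    maxterms = []
    for d in range(1, max_dim + 1):
        for cube in combinations(range(1, N_PUB + 1), d):
            if blr_is_affine(f, cube):
                coeffs, c = reconstruct_superpoly(f, cube)
                if any(coeffs):          # degree one, not a constant
                    maxterms.append((cube, coeffs, c))
    return maxterms


def solve_gf2(equations):
    """Gauss-Jordan elimination over GF(2) on (coefficients, rhs) pairs;
    returns the unique solution, or None if the system is not full rank."""
    rows = [coeffs[:] + [rhs] for coeffs, rhs in equations]
    for col in range(M):
        piv = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[col])]
    return tuple(rows[i][M] for i in range(M))


def online(maxterms, oracle):
    """Online stage: one cube sum per maxterm through the keyed oracle,
    then solve coeffs . k = p(k) + constant for the key bits."""
    return solve_gf2([(coeffs, cube_sum(oracle, cube) ^ c)
                      for cube, coeffs, c in maxterms])


def run_attack(f, secret_key):
    """Simulate the whole attack; the attacker only sees v -> f(secret, v)."""
    return online(preprocess(f), lambda v: f(secret_key, v))
```

Running `run_attack(f_toy, (1, 0, 1, 1))` returns the constructed secret key `(1, 0, 1, 1)`: the four maxterms found are $v_1v_2$, $v_2v_5$, $v_3v_4$ and $v_1v_3v_5$, whose superpolys $k_1 + k_3$, $k_4$, $k_2 + k_4 + 1$ and $k_1$ are linearly independent, so the system has a unique solution; with fewer independent maxterms than key bits `solve_gf2` returns `None` and the remaining bits would have to be guessed, as the text notes.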
