New Frontiers Neal Koblitz - Nicolas Courtois · 2019-10-21 · 11 Applied Crypto-Frontierology...


New Frontiers in Symmetric Cryptanalysis


Applied Crypto-Frontierology, Courtois, Krack-ow, September 2007

Slide 3

The Curious “Science” of Security

“We need – today again – to re-discover the frontiers of what is secure that have just moved yesterday…

Slide 4

Are Cryptologists Always Wrong?

Neal Koblitz: “The Uneasy Relationship Between Mathematics and Cryptography”, Notices of the American Mathematical Society, September 2007, see www.ams.org

[…] Once I heard a speaker from NSA complain about university researchers who are cavalier about proposing untested cryptosystems. He pointed out that in the real world if your cryptography fails, you lose a million dollars or your secret agent gets killed.

In academia, if you write about a cryptosystem and then a few months later find a way to break it, you’ve got two new papers to add to your résumé![…]

Slide 5

Optimistic View

Nothing bad has ever happened.

Has anybody ever broken DES in a practical sense?

Slide 6

Claim: cryptographic research alone is changing so much that some serious thinking is needed now to see what it is and what it should be about.


Slide 7

Fundamental Research:

Claim: some of the most fundamental questions that pertain to more or less all symmetric cryptosystems were never seriously studied.

Slide 8

Can one Reconcile Paranoia and Security?

Claim: we need yet to discover what is hard and what is not.

• I propose a new tool to help researchers make honest and responsible statements:

• Bets on the future attacks.

Slide 9

New Tool - Bets

For the first time in history, it is possible to bet on cryptographic algorithms with real money. This has never been possible before.

See www.cryptobet.com. Purpose: have fun and show the advancement of cryptographic research. It is a game.

Slide 10

Current Bets:

I encourage people to propose new bets related to their own research.

Slide 12

Science vs. Fiction

Laws of Prediction [Arthur C. Clarke]: When a distinguished elder scientist tells you something is not possible => he is wrong…

Algebraic Attacks on AES/Serpent/Etc: “Provably” Secure [2000] => Speculative Fiction [2001] => Science Fiction [2002] => Science [2004-7] => Reality ???


Slide 13

What Can Be Said About Frontiers

They are natural: people from one place will naturally have trouble understanding other people.

• Some people come from Pure Orthodox Mathematics

• Some people are in Information Security

– Cryptology / Computer Science / Law / Crime Science / Finance and Economics / Marketing / Sociology / …

Slide 14

Very Recent Paper

Neal Koblitz: “The Uneasy Relationship Between Mathematics and Cryptography”, Notices of the American Mathematical Society, September 2007, see www.ams.org

Cryptographic community:

• “the spy vs. spy mentality”

• “constant competition and rivalry”

• “excessive – and even childish at times”

Slide 15

Mathematics [overheard]

• Mathematics: direct relationship with God.

• This cryptology is a profane and stupid engineering science…

• Cryptologists =def= people that have not grown big enough to do maths.

Slide 16

Cryptology

Ignorance Trap:

• We do NOT WANT TO KNOW about attacks unless:

– They are faster than other known attacks on the same cipher (why so? major fallacy)

– Their importance is already widely recognised (conservatism)

Also unless:

– It breaks their cipher, not ours…

– You pay us consultancy fees for that…

Slide 17

Mathematics

Intelligence Trap:

• Applied maths is bad maths.

• We do not want to consider facts.

– We want to study ONLY what is provable [+with our favourite tools].

• Control freak?

– Zero risk: Do not dare formulate a conjecture that is not true.

• Cryptology: 40 % risk for experts, 99 % for beginners.

• We have a proof, we don’t need to experiment to verify if it’s true.

• Many proofs are actually wrong, subtleties.

• We need to study attacks that are complex and clever.

– Simple attacks are not interesting?

Slide 18

Mathematics vs. Cryptology

• Some mathematicians are maybe studying the empty set.

– There are specific examples: inaccessible cardinals, Ramsey cardinals, etc…

• In cryptology we do it ALL the time. Conjectured assumptions collapse on a daily basis.


Slide 19

Cryptology:

• Cryptology is almost a separate “science” that defines its own object of study (formal security definitions).

• We need to add axioms to mathematics.

– Not everything is provable; statements that we love to make are all like: ∀ algorithm… Very few such statements were ever proven and very few will ever be…

• We have a direct relationship with God that specifically made the world an encrypted message to decode…

Slide 20

***Remark:

“The discourse regarding the role of complexity in cryptography has degenerated to a point where it may take some time to recover.”

[Kevin McCurley, in a post about Koblitz’s criticism of crypto, 14 Sept. 2007]

Slide 21

Cryptologic Community:

Not much is proven… and many things will never be.

A group of people with shared beliefs

• Some deeply rooted in a certain reality of hardness resulting from precisely this endless confrontation of clever designers and clever attackers…

• Some are spectacularly naïve and are to collapse next, as usual in cryptology.

– Like a religion in which the Gospels are rewritten each year.

Slide 22

Frontiers:

Frontiers are natural… We do not need to create extra artificial frontiers (how unnatural the division of the European continent in two blocks was).

Natural ones are enough trouble!

Slide 23

What Can Be Said About Frontiers

Frontiers move:

Slide 24

AES

Advanced Encryption Standard,

• In 2000 NIST selected Rijndael as the AES.


Slide 25

But in late 2001 a new kind of “terrorist” appears and strikes some basic certitudes.

AL – GEB – RA

So far the terrorist has not been captured and might strike again from his secret basement.

Slide 26

Frontier-ology:

Frontiers are opportunities for discovery and exploration.

Slide 27

Two Religions [Maths and Crypto]

We will not agree on some questions any time soon…

Goal: learn each other’s language.

[Diagram: Mathematics and Cryptography, with arrows labelled “tools” and “motivation”]

Slide 28

Cryptology

Maybe: Mathematical certitudes are an ideal to look up to…

But: Let’s keep feet on the ground.

Slide 30

MQ Problem


Slide 31

Cryptography and MQ

Claim: […] % of all applied cryptography depends on the hardness of MQ.

1. RSA is based on MQ with m = 1 and n = 1: factoring N, solving x^e = C mod N.

Universality/completeness: any polynomial system can be written as quadratics with added variables…

Slide 32

MQ Problem

Slide 33

Jean Dieudonné (French Mathematician), book “Calcul infinitésimal”, Hermann, 1980

[..] Everybody in mathematics knows that going from one to several variables is an important jump that is accompanied by great difficulties and calls for completely new methods. […]

Slide 34

MQ Problem over GF(2)


Slide 35

More Applications of MQ

• […] problem: propose a provably secure block cipher

Slide 36

Schneier [Applied Cryptography book]

[…] Any algorithm that gets its security from the composition of polynomials over a finite field should be looked upon with scepticism, if not outright suspicion. […]

Written before AES ever existed…

Actually any cipher can be seen in this way…


Slide 37

Algebraization:

Theorem: Every function over finite fields is a polynomial function.

False over rings! E.g. false for T-functions.
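As an added illustration (my own code, not from the slides), the following Python shows the theorem and the two remarks together: the algebraic normal form of a constructed Boolean function, its rewriting as a quadratic system with added variables (the MQ “universality” point from the Cryptography and MQ slide), and a brute-force check that a constructed function on the ring Z/4Z has no polynomial representation at all.

```python
# Added example (not from the slides): the "algebraization" theorem and the
# MQ "universality" remark in practice.
# (1) Over GF(2) every Boolean function is a polynomial: its algebraic normal
#     form (ANF) is obtained from the truth table by the Moebius transform.
# (2) Any polynomial system becomes quadratic by adding variables: a cubic
#     ANF is rewritten as a set of quadratics, then checked on every input.
# (3) Over the ring Z/4Z the theorem fails: a function with no polynomial
#     representation, found by brute force over all polynomials of degree <= 3.
from itertools import product

# Constructed sample: f(x0, x1, x2) = x0*x1*x2 + x1*x2 + x0 + 1 over GF(2),
# stored as a truth table indexed by the integer x with bit i = x_i.
CUBIC_TABLE = [1, 0, 1, 0, 1, 0, 0, 0]


def anf(truth_table, n):
    """ANF of a Boolean function on n variables as a set of monomials.

    A monomial is a tuple of variable indices; () stands for the constant 1.
    """
    coeffs = list(truth_table)
    for i in range(n):                      # in-place Moebius transform
        for x in range(1 << n):
            if x & (1 << i):
                coeffs[x] ^= coeffs[x ^ (1 << i)]
    return {tuple(v for v in range(n) if (m >> v) & 1)
            for m in range(1 << n) if coeffs[m]}


def eval_poly(monomials, assignment):
    """Evaluate a GF(2) polynomial at assignment[var] -> bit."""
    value = 0
    for mono in monomials:
        term = 1
        for v in mono:
            term &= assignment[v]
        value ^= term
    return value


def to_quadratic_system(monomials, n):
    """Rewrite an ANF of any degree as quadratics over more variables.

    Each product a*b of two variables inside a monomial of degree > 2 is
    replaced by a fresh variable t (index >= n), adding the quadratic
    equation t + a*b = 0.  Returns (reduced polynomial, [(t, a, b), ...]).
    """
    products = {}                           # (a, b) -> fresh variable index
    reduced = set()
    for mono in sorted(monomials):
        mono = list(mono)
        while len(mono) > 2:
            a, b = mono[0], mono[1]
            if (a, b) not in products:
                products[(a, b)] = n + len(products)
            mono = [products[(a, b)]] + mono[2:]
        reduced.add(tuple(mono))
    return reduced, [(t, a, b) for (a, b), t in products.items()]


def check_reduction(truth_table, n):
    """True if the quadratic system reproduces f on every input."""
    reduced, aux = to_quadratic_system(anf(truth_table, n), n)
    for x in range(1 << n):
        assignment = {v: (x >> v) & 1 for v in range(n)}
        for t, a, b in aux:                 # aux is in creation order, so a
            assignment[t] = assignment[a] & assignment[b]   # and b are set
        if eval_poly(reduced, assignment) != truth_table[x]:
            return False
    return True


def is_polynomial_function_mod4(table):
    """Is table[x], x in Z/4Z, given by a polynomial with coefficients in Z/4Z?

    Degree 3 suffices: x^4 == x^2 as functions on Z/4Z, so higher powers
    add no new functions.  Brute force over all 4^4 coefficient vectors.
    """
    for c in product(range(4), repeat=4):
        if all(sum(c[k] * pow(x, k, 4) for k in range(4)) % 4 == table[x]
               for x in range(4)):
            return True
    return False


if __name__ == "__main__":
    poly = anf(CUBIC_TABLE, 3)
    print("ANF:", sorted(poly))             # [(), (0,), (0, 1, 2), (1, 2)]
    quad, aux = to_quadratic_system(poly, 3)
    print("quadratic part:", sorted(quad), "with t = a*b for", aux)
    print("reduction correct:", check_reduction(CUBIC_TABLE, 3))
    print("x^2 mod 4 is polynomial:", is_polynomial_function_mod4([0, 1, 0, 1]))
    print("[0,0,1,0] is polynomial:", is_polynomial_function_mod4([0, 0, 1, 0]))
```

The mod-4 failure is the parity obstruction behind the slide's remark: any polynomial p with coefficients in Z/4Z satisfies p(x+2) ≡ p(x) (mod 2), so a function with f(2) − f(0) odd cannot be polynomial.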

Slide 38

What Can Be Said About Frontiers

Frontiers move:

The process can be called CONQUEST.

• Not always pejorative.

Slide 39

Algebraization:

Mathematics: Since, say, the second half of the XIX-th century, algebra is “conquering” other areas of mathematics. E.g.

• Algebraic Topology

• Algebraic Geometry

• Etc..

Slide 40

Cryptology:

Since the 70s mathematics started conquering cryptology. Before that, cryptography meant “bad mathematics” [Koblitz].

In April 2006 the NSA officially decided that people must use Elliptic Curves. The private sector failed to make the right choice [again].

Since the early 2000s, algebra is “conquering” cryptanalysis of ciphers, in this order:

• Algebraic public-key, like HFE [late 90s].

• Symmetric ciphers with algebraic components: stream ciphers, AES.

• Now, algebraization of ciphers that have no algebraic structure AT ALL, such as DES [Courtois-Bard, IMA Cryptography and Coding 2007 and eprint.iacr.org/2006/402/].

Slide 41

Any Progress?

Not many block ciphers are broken so far…

Some are: KeeLoq, used by millions of people every day to open their cars, can be broken by an Algebraic Attack in practice.

Slide 42

The Role of Finite Fields

They allow to encode any cryptographic problem as a problem of solving Boolean equations.


Slide 43

**The Role of NP-hard Problems

Guarantee “hardness” in the worst case.

Many are not that hard in practice… There is hope and many concrete problems can be solved.

– Multiple reductions allow to use algorithms that solve one problem to solve another.

Slide 44

Algebraization:

• Algebraic Topology

• Algebraic Geometry

• Etc…

Works both ways, algebraic problems can also be viewed in geometric terms.

Example: Theory of T-functions is actually about ultra-metric Non-Archimedean geometry over 2-adic integers.

So maybe the “connection” will strike back!

Slide 45

Algebraization => Geometry-isation?!

Maybe now geometry may help to bring the topic of solving algebraic equations forward?

• Interesting new topics in cryptanalysis of symmetric ciphers to be studied now.

Maybe it is all already known in mathematics and we [cryptanalysts] just didn’t realise it was there and can be applied to build efficient algorithms to solve systems of equations…

This is already done in number-theory based crypto: LLL is the “geometry of numbers” approach.

Slide 46

Symmetric Cryptanalysis:

From what one can observe:

bad news: number of ciphers “broken w.r.t. claims”: O(effort).

good news: number of ciphers “broken in practice”: o(effort).

Slide 48

How Serious is Cryptanalysis?

Do expect:

• some nice research results in algebraic cryptanalysis

• 0 casualties.

BTW: We will discover that this is no different from LC/DC/Etc. We will also work on a “metric of relative interest” of cryptographic attacks.


Slide 49

Propose New Ciphers?

Foolish, requires lots of courage:

# Ciphers “broken w.r.t. claims” = O(effort).

Algebraic Cryptanalysis of Block Ciphers?

Also foolish, requires lots of courage: so far EXCESSIVELY POOR results, progress is slow. o(effort)?

Slide 50

Algebraic Cryptanalysis [Shannon]

Breaking a « good » cipher should require: “as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949]

Slide 51

Motivation

Linear and differential cryptanalysis usually require huge quantities of known/chosen plaintexts.

Q: What kind of cryptanalysis is possible when the attacker has only one known plaintext (or very few)?

Claim: This question did not receive sufficient attention. Misguided focus on LC and DC.

Slide 52

Two Worlds:

• The “approximation” cryptanalysis:

– Linear, differential, high-order differential, impossible differential, Jakobsen-Knudsen approximation, etc..

– All are based on probabilistic characteristics true with some probability.

– Consequently, the security will grow exponentially with the number of rounds, and so does the number of required plaintexts in the attacks (main limitation in practice).

• The “exact algebraic” approach:

– Write equations to solve, true with probability 1.

– Very small number of known plaintexts required.

Slide 53

What’s New?

CLAIM: The two worlds CANNOT be compared.

They are going in very different directions: what these two CAN ACHIEVE in practice are two very rich sets of cryptanalytic results that are rather disjoint.

Slide 54

Terra Incognita…

…two sets of cryptanalytic results that are rather disjoint.

=> So we are really discovering a new frontier for the whole of symmetric cryptanalysis.


Slide 55

Symmetric Cryptanalysis:

Problem: the current metrics for achievement in symmetric cryptanalysis are deeply flawed. For example:

2^43 KP is NOT better than 2^56 and 1 KP. DES was never really broken. [Don Coppersmith, Crypto 2000].

Slide 56

Algebraic Attacks vs. DC/LC/etc..

• Algebraic attack in 2^70 operations => the only one feasible in real life!

• Attacks with 2^50 memory – infeasible.

• LC in 2^30 operations – infeasible.

– Hard to get 2^30 KP!

• DC in 2^20 operations – infeasible.

– Hard to get 2^20 CP!

Slide 57

Therefore:

• Computing power is the CHEAPEST resource. It should NO LONGER BE the comparison metric.

• Running time comparison with LC/DC is dishonest, makes little sense and should be avoided.

Slide 58

**Real-life Security Metrics: 2^70 = 2^20:

An attack with 2^70 operations is worth as much as one with 2^20 operations, as both are feasible (!).

Compare these two attacks ONLY on:

• the number of required plaintexts

• KP/CP/CPCA etc.

=> Then, an algebraic attack in 2^70 is worth as much as a differential attack in 2^20 operations…

Slide 59

****Major Fallacy:

Gets worse – Remark: by assuming that 2^43 KP is feasible (it isn’t), block ciphers have too many rounds.

Paranoid approach.

As a consequence, attacks that are really feasible, e.g. 2^70 and 4 KP, are never studied.

Slide 60

What to Expect from Algebraic Cryptanalysis

As much as from LC/DC/Etc.:

• Drop hope for practical attacks on AES for now…

• Goal: just to advance research in symmetric cryptanalysis: what ciphers can be broken, how, and why.


Slide 61

A Strategic Problem

– Lightweight ciphers, designed some time ago, etc.

• Don’t expect me to break them. I don’t have the spec.

– Goal: make sure that ciphers are broken before being used, and not the opposite…

Slide 63

“Glass House” for Algebraic Attacks of Block Ciphers

Web site dedicated to cooperation in algebraic cryptanalysis:

• Publish a system of equations that describe important practical ciphers (e.g. DES).

• Make other researchers compete in solving these.

• See where the frontier is: www.cryptosystem.net/aes/toyciphers.html

Slide 64

Research in Symmetric Cryptanalysis

Slide 65

Phil Rogaway Talk: “obviously we cannot found a scientific theory based on what people DO NOT know”

Later he says: “Can take a human-ignorance approach for formalising properties of […] blockciphers, etc.”

Belief in hardness (classical) may be replaced by assuming ignorance?

Maybe P = NP (there are fast algorithms) but they are hard to find/invent, and not hard to run.

Slide 66

Research in Symmetric Cryptanalysis


Slide 67

What Ciphers We Can Break (with our ignorance, background and available tools!) in the next […] years?

Well, it depends also what ciphers we WANT TO TRY to break.

The most precious resource is time and attention of clever people. Results will greatly depend on how this resource is being allocated. Ciphers that get attention are much more likely to be broken.

• Another scarce resource: CPU time and willing to experiment a lot… Maybe hardness is not where you think.

Slide 68

Weakness of Cryptographic Research Community

In fundamental physics, there are people that do the theory, and other people that design and handle experiments for their whole life.

Claim: we need this in symmetric crypto. Otherwise we are not doing a lot of progress and are lying to everybody about some systems being not broken!

Slide 69

Research in Algebraic Cryptanalysis

[Diagram; recoverable labels: “Wishful thinking”, “Theory”, “proven attack”, “The theory is almost never complete”, “much better / much worse than your theory”, “Experimentation”]

Claim: this is not enough.

Slide 70

More Powerful Approach

Claim: many attacks will never be discovered if you do not experiment.

[Diagram: “Experimentation” / “Theory”]

Slide 71

Fact

There are powerful tools that break certain ciphers without anybody knowing exactly why and when they work. (Cumulative effect of different phenomena that we can study separately.)

The source code is usually not public. Non-trivial implementation problems. E.g. tiny subset […]: one version of […], another […].

Tools – black box (cryptanalytic oracles).

Slide 72

Reformulate the Goal Then (C2)

Black-box Constructive (C2): what ciphers can be broken if I’m allowed to try my equations with

• Magma, F4, Faugère F5, ElimLin (today), ANF-to-CNF and MiniSat (today), tools known to the NSA???


Slide 73

Symmetric Crypto

Statistical Cryptanalysis: Successful => More rounds are considered => Scarcity of attacks, as only few combinations of biases give a sufficiently strong overall bias.

Algebraic Cryptanalysis: At present time: a handful of rounds, yet over-abundance of attacks to try. MANY degrees of freedom.

Slide 75

Paradigm Shift (Shannon, Jakobsen-Knudsen, Patarin, Pieprzyk-Courtois et al)

Claim: This is the most general formulation of algebraic attacks (Carlet’s Algebraic Immunity (AI) is a very, very restricted one).

Slide 76

Unified view of Algebraic Attacks

Non-existence of small multivariate relations between inputs/outputs:

– Applies to multivariate public key cryptosystems: […], Flash, Quartz

– Applies to the non-linear part of a stream cipher even if stateful

– Applies to the S-boxes of a block cipher

Slide 77

Def: “I / O Degree” = “Graph AI”

Slide 78

Design of Ciphers

When people design a block cipher they usually study “ALL KNOWN ATTACKS” on it, then claim that the system is resistant to them.

My conjecture: it has become HARD to know, and maybe THERE IS NO WAY to know, if a given system is resistant to all known attacks [particularly difficult for algebraic attacks].


Slide 79

*From S-F to Reality

Laws of Prediction [Arthur C. Clarke]: When a distinguished elder scientist tells you something is not possible => he is wrong…

Algebraic Attacks on AES/Serpent/Etc: “Provably” Secure [2000] => Speculative Fiction [2001] => Science Fiction [2002] => Science [2004-7] => Reality ???


Break AES ?

• So far there is no such thing as “algebraic immunity”, just algebraic vulnerabilities: “instability theory”.

Too many new attacks are still waiting to be discovered just by trying them…


My Program:

• Forget AES. It doesn’t make a lot of sense to work on AES or on reduced versions of it. You do not progress by approaching problems from the hard side… Approach the problem from the easy side.

• DO attack stream ciphers such as Snow, toy block ciphers, etc.

• DO NOT LOOK if they are secure against other attacks. Comparison with LC/DC makes no sense.

• DO experiment a lot. DO develop tools.

– Mistake I made: Do NOT think that very sophisticated tools developed by other people [e.g. F5] are very useful…


Sources of Algebraic Vulnerability

There are two!


Two Sources of Algebraic Vulnerability

2 “crazy” conjectures [Courtois]:

– I/O Degree Hypothesis (IOH): all ciphers with low I/O degree and lots of I/O relations are broken when the number of rounds is not too large.

– The Very Sparse Hypothesis (VSH): ciphers with very low gate count are broken when the number of rounds is not large.

very small S-boxes


What Can be Done ?

Algebraic Cryptanalysis:

• Very special ciphers: 1 M rounds [Courtois’ AES4].

• General ciphers, key size = block size: SMALL number of rounds, 4, 5, 6 rounds.

• Nobody can break CTC2(255,255,7).

• But no fundamental limitation of combinatorial nature [like in e.g. multiset attacks], more like:

– 128-bit simple cipher – broken for 5-6 rounds.

– 256-bit simple cipher – broken for 6-7 rounds.

– 512-bit simple cipher – broken for 7-8 rounds. Etc.

• If key size > block size – more rounds.

• CTC2(96,256,10) can be broken.

• If many solutions (Hash functions, MACs) => expected to be still easier.


What is Hard ?

The complexity of current attacks does grow VERY QUICKLY with the number of rounds.

• Like 100x for each additional round…

So

• no hope for breaking full Serpent = 32 rounds

• Fact: 5 rounds Serpent is quite weak w.r.t. algebraic attacks, unlike 4-bit Rijndael S-box.


Algebraic Attacks on Block Ciphers


Fast Algebraic Attacks on Block Ciphers

Definition (informal on purpose): methods to lower the degree of equations that appear throughout the computations… How to lower the degree?

• uses several (P,C) pairs: bigger yet much easier

• by clever choice of representation

� þ�!�ÿ+�•

• by adding well-chosen constraints

• etc…

cumulative effect !!!


ElimLin and CTC

Later today.


One Example

The biggest discoveries in Science are the simplest.


ElimLin

Complete description:

• Find linear equations in the linear span.

• Substitute, and repeat.

Amazingly powerful, huge systems collapse with no effort. E.g. breaks 5 rounds of DES given 3 KP. See

eprint.iacr.org/2006/402/


ElimLin – Something Wrong ?

Q1. Why do we have linear equations in the first place?

• Stupid in mathematics…

• IMPOSSIBLE TO AVOID in cryptanalysis.


ElimLin – Still A Bit Weird Feeling

Q2. Why don’t we eliminate them?

• First answer: if we do, we lose sparsity and the capacity to compute anything at all.

• Second answer: we do, but then NEW LINEAR EQUATIONS appear. “Avalanche effect”.
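The ElimLin slides above describe the loop and the avalanche effect in words. The following Python example, added here and not the author's own implementation (which is not on the page), runs that loop on a tiny constructed quadratic system over GF(2) so both points can be watched: row reduction that pivots on the nonlinear monomials first surfaces the linear equations hidden in the linear span, and each substitution produces new linear equations until the system collapses. Polynomials are sets of monomials and monomials are sets of variable indices; the helper names and the four-equation system are mine.

```python
# A polynomial over GF(2) is a frozenset of monomials, a monomial a frozenset of variable
# indices; the empty monomial is the constant 1.  Adding two polynomials is the symmetric
# difference of their monomial sets, since coefficients live in GF(2) (x + x = 0).

def mono(*vs):
    return frozenset(vs)

def poly(*monos):
    return frozenset(monos)

def poly_mul(p, q):
    """Product of two polynomials; x*x = x over GF(2), so a product monomial is a union."""
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}
    return frozenset(out)

def degree(p):
    return max((len(m) for m in p), default=0)

def substitute(p, var, value):
    """Replace variable `var` by the polynomial `value` everywhere in p."""
    result = frozenset()
    for m in p:
        if var in m:
            result ^= poly_mul(poly(m - {var}), value)
        else:
            result ^= poly(m)
    return result

def mon_key(m):
    # Leading-term order: higher degree first, so nonlinear monomials become the pivots
    # and every linear equation in the span of the system ends up as a reduced row.
    return (len(m), tuple(sorted(m)))

def row_reduce(polys):
    """Gaussian elimination over GF(2) on the monomial vectors of the equations."""
    pivots = {}  # leading monomial -> equation with that leading monomial
    for p in polys:
        while p:
            lead = max(p, key=mon_key)
            if lead in pivots:
                p ^= pivots[lead]
            else:
                pivots[lead] = p
                break
    return list(pivots.values())

def elimlin(polys):
    """ElimLin: find linear equations in the linear span, substitute one away, repeat.
    Returns (solved, remaining): solved maps a variable to the polynomial it equals,
    remaining is the reduced system once no linear equation is left in its span."""
    system = [frozenset(p) for p in polys]
    solved = {}
    while True:
        system = row_reduce(system)
        linear = [p for p in system if degree(p) <= 1]
        if not linear:
            return solved, system
        eq = linear[0]
        vars_in_eq = [next(iter(m)) for m in eq if len(m) == 1]
        if not vars_in_eq:
            raise ValueError("inconsistent system: the equation 1 = 0 was derived")
        var = max(vars_in_eq)
        value = eq ^ {mono(var)}  # x_var + rest = 0  <=>  x_var = rest
        solved = {v: substitute(val, var, value) for v, val in solved.items()}
        solved[var] = value
        system = [q for q in (substitute(p, var, value) for p in system if p is not eq) if q]

def as_bits(solved):
    """Read off constant values: the empty polynomial is 0, {1} is 1; others are skipped."""
    return {v: int(p == poly(mono())) for v, p in solved.items() if degree(p) == 0}

# Constructed example system in x0, x1, x2 with the unique solution x0 = 1, x1 = 1, x2 = 0:
#   x0*x1 + x2 + 1 = 0,  x0*x1 + x0 = 0,  x1*x2 + x2 = 0,  x0*x2 + x2 = 0
EXAMPLE_SYSTEM = [
    poly(mono(0, 1), mono(2), mono()),
    poly(mono(0, 1), mono(0)),
    poly(mono(1, 2), mono(2)),
    poly(mono(0, 2), mono(2)),
]

def solve_example():
    solved, remaining = elimlin(EXAMPLE_SYSTEM)
    return as_bits(solved), remaining

if __name__ == "__main__":
    bits, remaining = solve_example()
    print("solution:", dict(sorted(bits.items())), "remaining equations:", len(remaining))
```

None of the four input equations is linear; the first reduction finds x0 + x2 + 1 = 0 in their span, substituting x2 = x0 + 1 turns two quadratic equations into x1 + 1 = 0 and x0 + 1 = 0, and after those substitutions nothing is left. That is the avalanche the second slide describes: each elimination creates the next linear equation.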


CTC = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes

• Diffusion D: permuting wires [as in DES]

• 1, 2, 3, 4, … S-boxes per round

• 1, 2, 3, …, 10, …, 30, … rounds

• Key size == block size.

• Simple key schedule: bit permutation [as in DES]


CTC2

• Virtually no difference

• Much stronger against LC [cf. Dunkelman-Keller attack].


CTC2 Cipher

Equations generating program now available: www.cryptosystem.net/aes/toyciphers.html


Attacks on CTC2

• key size == block size: I can break up to 6 rounds.

• Current frontier: nobody can break CTC2(255,255,7). Can anybody ? Please try !

• If key size > block size => more rounds.

• CTC2(96,256,10) can be broken.


Gröbner Bases Soon to be Forgotten ?

NOT AT ALL, but attention must be shifted from high degree [all work on F5] to handling MUCH BIGGER systems but at a VERY LOW DEGREE (in a sense less than 2).


Claim


An Open Problem in Boolean Functions

Easy tasks are NOT easy on VERY LARGE systems of equations.

Example: given a very large set of sparse Boolean equations with 150 000 variables with a unique solution, that takes 500 Mbytes of memory AFTER being compressed with ZIP.

Problem: find many linear combinations with low algebraic immunity on a PC with 2 Gbytes of memory.


Algebraic Attacks

Or maybe other attacks?

• Attacks on DES with SAT solvers [6 rounds].

• Raddum-Semaev attacks. – Claimed best, only 4 rounds.


About DES + SAT Solvers

Later today:

• Gregory Bard’s talk.

• Our talk on DES.


Gröbner Bases Soon to be Forgotten ?

Powerful competitor: SAT Solvers + conversion.

Before we did try, we actually never believed it could work…


3.4. ANF-to-CNF - The Outsider

Convert MQ to a SAT problem (both are NP-hard problems).


Fact:

Sparse random MQ can be broken in practice, some in seconds. Works for any system of equations - if sparse enough and/or over-defined enough.

This has never been shown before.


Algebraic Attacks on DES

At a first glance, seems pointless: there is no strong algebraic structure of any kind in DES.


DES – One Problem

Develop a “good” representation of DES.

Our equations can be downloaded from www.cryptosystem.net/aes/toyciphers.html

Please try to solve them by your favourite method!


Results on DES

Nicolas T. Courtois and Gregory V. Bard: “Algebraic Cryptanalysis of the D.E.S.”.

In IMA Cryptography and Coding 2007

eprint.iacr.org/2006/402/


What Can Be Done ?

Attack 1: Cubic Representation + ElimLin: We recover the key of 5-round DES with 3 KP faster than brute force.

• When 23 variables fixed, takes 173 s.

• Magma crashes > 2 Gb of RAM.

Attack 2: Optimised Gate-level representation + our ANF-to-CNF conversion + MiniSat 2.0: Key recovery for 6-round DES. Only 1 KP (!).

• Fix 20 variables takes 68 s.

• Magma crashes with > 2 Gb.


DES – New Frontier:

Break 8 rounds given 1 KP and in less than 2^55.

We encourage researchers to try. We cannot do it so far.


What Are the Limitations of Algebraic Attacks ?

• When the number of rounds grows: complexity jumps from 0 to ∞.

• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.

=> jumps from ∞ to nearly 0 !


Limitations

Some limitations of algebraic cryptanalysis are very hard, we “hit the wall” (e.g. when the number of rounds increases). Some are spectacularly naïve (e.g. maximum degree in Gröbner basis computation) and are easily circumvented.