NonLinear Polynomial Invariant Attacks or How to Backdoor a Block Cipher
Nicolas T. Courtois
University College London, UK
blog.bettercrypto.com
eprint = 2018/1242
Block Cipher Invariants
Roadmap
• Non-Linear Cryptanalysis
– Polynomial Invariants
– Backdoors
• What makes ciphers insecure? Nothing!
– Boolean functions
– Annihilators [very hard to avoid]
– Strong structural attack = “product attack”
– Lack of Unique Factorization inside the ring of Boolean functions Bn.
eprint/2018/1242
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
Question 1: Why is 0% of symmetric encryption used in practice provably secure?
A New Frontier in Symmetric Cryptanalysis
Provably Secure Encryption!
Based on MQ Problem. Dense MQ is VERY hard. Best attack ≈ 2^(0.8765n)
• top of the top hard problem.
• for both standard and PQ crypto
=> Allows building a provably secure stream cipher based on MQ directly!
C. Berbain, H. Gilbert, and J. Patarin:
QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005
mqchallenge.org FXL/Joux 2017/372
Question 2: Why have researchers found so few attacks on block ciphers?
Because there are so many! (many attacks)
“Mystified by complexity”: lack of working examples. What does a NL attack actually look like??
- for a long time I thought it would be about some irreducible polynomials -
Claim: Finding new attacks on block ciphers is EASY and FUN
Dr. Nicolas T. Courtois blog.bettercrypto.com
1. cryptanalysis
2. industrial crypto
Code Breakers - LinkedIn
Cryptanalysis =def= Making the impossible possible.
How? Two very large polynomials with 16+ vars are simply equal.
Big Winner
“product attack”
a product of Boolean polynomials.
Claimed extremely powerful. Why?
@eprint/2018/1242
Definition
We say that P => Q for 1R if
P(inputs) = Q(outputs) with probability 1, i.e. for every input.
Another notation: P = Q
<=> P => Q for 1R
<=>
P(inputs) = Q(outputs) for any input with P=1
is 1 round of encryption
also P = Q
<=> P => Q for 1R
<=>
P(inputs) Q(output ANFs)
formal equality of polynomials
is 1 round of encryption
must perform a substitution with
coded as ANFs
Main Problem: Two polynomials P => Q.
P(x1,…)
Q(y1,…)
is P=Q possible??
“Invariant Theory” [Hilbert]: set of all invariants for any block cipher forms a [graded] finitely generated [polynomial] ring. A+B; A*B
Key Remark:
To ensure that P * R => P * R
we only need to make sure that P=>P but ONLY for a subspace
where R(inp)=1 and R(out)=1
Code Breakers
3. Crypto History
1970s: Modern block ciphers are born.
In which country??
Who knows…
Eastern Bloc also worked on these questions… and for a long time.
1927: The real inventor of the
ANF = Algebraic Normal Form, see
en.wikipedia.org/wiki/Zhegalkin_polynomial
Russian mathematician and logician
Ivan Ivanovich Zhegalkin (Ива́н Ива́нович Жега́лкин) [Moscow State University]
“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”
(Bn, +, *)
T-310
East German T-310 Block Cipher
240 bits
long-term secret 90 bits only!
“quasi-absolute security” [1973-1990]
has a physical RNG => IV
Technical References
Nicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi: Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf, 132 pages, 2017.
Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh: Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018.
Nicolas T. Courtois, Klaus Schmeh: Feistel ciphers in East Germany in the communist era, Cryptologia, vol. 42, iss. 6, 2018, pp. 427-444.
Cipher Class Alpha – 1970s
Who invented Alpha? [full document not available]
T-310 [1973-1990] – Feistel with 4 branches
Roadmap
Backdoors vs. “Normal” Cryptanalysis
All our attacks work with relatively large probability.
– so if you are not lucky a cipher which was NOT backdoored will also be broken!
LC in 1976 [Eastern Germany]
Generalised Linear Cryptanalysis = GLC =
[Harpes, Kramer and Massey, Eurocrypt’95]
Concept of [invariant] non-linear I/O sums.
P(inputs) = P(outputs) with some probability…
Connecting Non-Linear Approxs.
Black-Box Approach
Non-linear functions F G H I.
F(x1,…)
G(y1,…) H(y1,…)
I(z1,…)
GLC and Feistel Ciphers?
[Knudsen and Robshaw, EuroCrypt’96]
“one-round approximations that are non-linear […] cannot be joined together”…
At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!
BLC better than LC for DES
Better than the best existing linear attack of Matsui
for 3, 7, 11, 15, … rounds.
Ex: LC 11 rounds:
BLC 11 rounds:
Better Is Enemy of Good!
DES = Courtois @ Crypto 2004:
proba=1.0
deg 1
deg 2
deg 10
Wrong Approach [!!!!]
Black-Box Combination Approach
constructive BUT limited possibilities…
F(x1,…)
G(y1,…) H(y1,…)
I(z1,…)
White Box Approach
New! [Courtois 2018]
Study of non-linear I/O sums.
P(inputs) = P(outputs)
notion of “primitive” or “sporadic” attacks not decomposed into simpler attacks
Example: 127 R periodic property, 127 being prime.
New White Box Approach
Study of non-linear I/O sums.
P(inputs) = P(outputs) with probability 1.
Formal equality of 2 polynomials.
BIG PROBLEM: 2^(2^n) possible attacks
Variable Boolean Function
We denote by Z our Boolean function
We consider a space of ciphers where Z is variable.
Question: given a fixed polynomial P, what is the probability over random choice of Z that P(inputs) = P(outputs) is an invariant (for any number of rounds)?
How Do You Find An Attack?
2^(2^n) possible attacks
Invariant Hopping
attack 1: 2x linear
attack 2: 1x linear
attack 3
attack 4: strong Bool + high degree invariant + high success proba
Nicolas T. Courtois, January 2009
Group Theory – Is DES A Group?
Study of group generated by φK for any key K.
Typically AGL not GL. Any smaller sub-groups?
Hopping in Group Lattices
attack 1: three invariants
linear Boolean function
attack 2: two invariants
bad Boolean function
attack 36one complex high degree invariant
strong Boolean function
AGL
“Hopping” Discovery
• Learn from examples.
• Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.
Backdoors
T-310 [Contracting Feistel, 1970s, Eastern Germany!]
1 round of T-310
φ
Linear Attack – Example
Our Thm. [eprint/2017/440]
Impossible => Possible?
• We literally use “impossible” linear properties, which cannot happen and do not happen,
and construct a non-linear attack which works.
Key insight:
• P => Q 1R might be impossible to achieve.
• P*R => Q*R may be possible to achieve.
We only need to take care of a restricted subspace where either R(inputs)=1 or R(outputs)=1. Also typically strongly correlated.
Hopping Step 1 [WCC’19]
First we look at an attack where the Boolean function is linear and we have trivial LINEAR invariants (same as Matsui’s LC)
Example:
?
impossible transition
Impossible?
“Only those who attempt the absurd will achieve the impossible.”
-- M. C. Escher
?
A Vulnerable Setup
1 round of T-310
φ
Hopping Step 2 [WCC’19]
Now could you please tell us if
is an invariant?
The answer is remarkably simple.
Hopping Step 2
Theorem:
is an invariant IF AND ONLY IF
a certain polynomial = FE =
is zero (as a polynomial, multiple cancellations)
Fundamental Equation
Compute FE?
Theorem:
is an invariant IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)
= FE
Notation
Theorem:
is an invariant IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)
= FE
P = P(inputs) P(output ANF) = P
Notation
We have
is an invariant IF AND ONLY IF
IF AND ONLY IF
is zero (as a polynomial, multiple cancellations) = FE
P = P(inputs) = P(output ANF) = P ?
P+P
Compact Notation
is an invariant IF AND ONLY IF
IF AND ONLY IF
(as a polynomial, multiple cancellations) = FE is zero
P = P ?
P+P
*Action of on polynomials.
With P = P(inputs) there is no ambiguity.
With P(output ANF) = P we mean F,K,L
where F,K,L is the secret key+IV on 3 bits.
Trick: the result does NOT depend on F,K,L.
P = P(output ANF) =
P(a , b, c, d, … … … ) =
subs by ANF
White Box Cryptanalysis = New
[Courtois 2018]
Same concept of a non-linear I/O sums.
Focus on perfect invariants mostly.
P(inputs) = P(outputs) with probability 1.
Formal equality of 2 polynomials.
Exploits the structure of the ring Bn.
• annihilation events, absorption events, nb. of vars collapses
• would be unthinkable if we had unique factorisation
ABCD=A’B’C’D’
Reynolds/Noether Maps in Invariant Theory
Goal: transform bc into an invariant. In maths:
���(bc ����) =1
|�|� bc�
�∈�
G=full group of transformations acting on polynomials
generated by the full cipher for any key and any Nr
huge non-commutative group
too large to work with?
thanks to Felix Ulmer
duplication/left cosets
G <=bijection=> {h+g}, where h has no effect, g belongs in a smaller subgroup
not commutative
*Reynolds Revisited
Goal: transform bc into an invariant. In maths:
��� bc ���� =1
�� bc�
�∈�
G=smaller group of transformations acting on degree 2 monomials which is dictated by the structure of the cipher
• blue terms cancel in ,
• steps with ? are not guaranteed to work unless FE==0
**Reynolds Revisited
Goal: transform bc into an invariant. In maths:
��� bc ���� =1
�� bc�
�∈�
G=smaller cyclic group => simply a cycle starting from bc.
Example for DES cipher (for a specific choice of S-boxes):
• start with a degree 4 monomial, e.g. L02*L05*R02*R05 => period = 8 mindeg=4 maxdeg=14
• summing over this cycle gives the following invariant: sum is of size=3 deg=14
L01*L02*L08*L29*L30*L31*L32*R01*R29*R30*R31*R32
+L01*L05*L08*L29*L30*L31*L32*R01*R05*R08*R29*R30*R31*R32
+L01*L29*L30*L31*L32*R01*R02*R08*R29*R30*R31*R32
can be factored as ===
L01*L29*L30*L31*L32*R01*R29*R30*R31*R32 * (L02*L08+L05*L08*R05*R08+R08*R02)
• with another set of S-boxes we get a period = 24 mindeg=4 maxdeg=20 and sum is of size=184 deg=20
• L08*R08*(very complex polynomial)
Conclusion Step2
Theorem:
is an invariant IF AND ONLY IF
is zero (as a polynomial, multiple cancellations)
What is Special About P2-factoring decomposition
= AC+BD.
is invariant IF AND ONLY IF
some solutions are:
Invariant P of Degree 4?
= ABCD.
is a 1-round invariant IF AND ONLY IF
= FE
Invariant P of Degree 4?
= ABCD.
is a 1-round invariant IF AND ONLY IF
a multiple of the previous polynomial!
Corollary: Easy Thm. [not included in the paper].
For every cipher in our cipher space = (LZS551+any Boolean) if AC+BD is an invariant (degree 2) then also ABCD is an invariant (degree 4).
Note: there is no invariant of degree 3 etc
[Graded] Ring Of Invariants
Any more invariants?
As always in Maths we have a Ring* of Invariants denoted by
B[a,b..]^G where B[a,b..] == F2[a,b..]/(a^2=a..)
and G=huge group generated by our block cipher. Here this ring has only 5 elements:
B[a,b..]^G = {0, 1, AC+BD, ABCD, ABCD+AC+BD}
Not more! Well actually there could be more @higher degrees.
*Classical tool: Molien formal power series = 1 + z^2 + z^4 and no more terms.
*finitely generated, cf. Hilbert
absorber
Hilbert Basis (always Finite)
We say that
{AC+BD, ABCD}
form a Hilbert basis of our Ring of Invariants
B[a,b..]^G =
{0, 1, AC+BD, ABCD, ABCD+AC+BD}
we also have a POSET
and a lattice (w.r.t. division | ).
*def. every invariant is a polynomial function of basis elements
[Diagram of the lattice: nodes 0, 1, ABCD; label: absorber or maximal]
Selective Removal
Q: Can we now have ABCD
to be an invariant of degree 4 WITHOUT any invariants of degrees 1,2,3????
Answer: easy: a root of second polynomial and NOT a root of the first [almost always].
mC=YC
mBCD=YBCD
= FE
Summary [WCC’19]
1. We start with a trivial attack on a weak cipher.
Benefit: FE has a solution.
2. Then some non-linear invariants P also exist.
3. Another Boolean function Z works because FE has more roots.
4. In several steps we modify the cipher wiring, Z [manipulation of roots of our FE] so that simple invariants P are removed.
5. What you get is like a backdoor! – Potentially hard to detect. High degree P.
A Better Attack?
problem: “strong” Boolean functions
Conclusion@WCC
We modify the cipher and the invariant
so that simple invariants disappear.
Q: Can this be done with a really secure Boolean function? YES, see [eprint/2018/1242]
The degree of P must increase to 8.
Irreducible Polynomials
Remark:
For a long time we searched for invariant attacks where P
is an irreducible polynomial.
We were wrong!
New Paradigm [1905.04684]
Product Attack
Trivial NL invariants based on cycles in LC.
A B C D A
Then ABCD is a round invariant of degree 4.
Invariants form a ring B[a,b..]^G
Stupid??
*finitely generated
Product Question
Trivial NL invariants based on cycles in LC.
A B C D E A
Then ABCDE is a round invariant of degree 5.
Stupid?? Not at all! Some of the strongest attacks ever found are like this.
Simpler invariants can be REMOVED!!!!
Nicolas T. Courtois, January 2009
Hopping in Group Lattices
attack 1: three invariants, linear Boolean function
attack 2: two invariants, bad Boolean function
attack 36: one complex high degree invariant, strong Boolean function
AGL
Phase Transition
When P is of degree 4, the Boolean function is still “inevitably” degenerated [this paper].
Q: Can we backdoor or break a cipher with a random Boolean function?
Strong Structural Attack
Not as strong as a “generic attack” but close.
Can work for a LOT MORE rounds!
Phase Transition
When P is of degree 4, the Boolean function is still “inevitably” degenerated [this paper].
Q: Can we backdoor or break a cipher with a “strong” (e.g. random) Boolean function?
YES, see [eprint/2018/1242]
Degree 8 attack, P = ABCDEFGH.
Thm 5.5. In eprint/2018/1242 page 18.
P =ABCDEFGH
is invariant if and only if this polynomial vanishes:
Can a polynomial with 16 variables with 2 very complex Boolean functions just disappear?
Hard Becomes Easy
Phase transition: eprint/2018/1242.
• When P degree grows, attacks become a LOT easier.
• Degree 8: extremely strong:
15% success rate over the choice of a random Boolean function and with P = ABCDEFGH.
(3 variants)
WHAT??????????
Let Y = Random Bool.
Can we HOPE that for
we have for example:
mBCD=YBCD i.e.
0=(Y+m)BCD
Thm 6.0.1: Courtois-Meier Eurocrypt 2003.
For any Z with 6 variables, Z or Z+1 always has some cubic annihilators.
Thm 6.4: [eprint/2018/1242] For Z(a+b)(c+d)(e+f)=0, any Boolean function works with probability of 5%.
= FE
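The counting argument behind Thm 6.0.1 can be run directly; this is an added example, not code from the slides or the paper. A polynomial of degree at most 3 in 6 variables has 42 coefficients, while the lighter of Z and Z+1 is nonzero on at most 32 points, so the linear system g(x)=0 on that support always has at least 10 independent solutions. The function names and the seeded random Z are constructed for the illustration.

```python
import random
from itertools import combinations, product

N = 6
POINTS = list(product((0, 1), repeat=N))
# Monomials of degree <= 3 as tuples of variable indices: 1 + 6 + 15 + 20 = 42.
MONOMIALS = [m for d in range(4) for m in combinations(range(N), d)]

def eval_monomial(mono, x):
    """Value of a monomial at point x; the empty tuple is the constant 1."""
    return int(all(x[i] for i in mono))

def evaluate(poly, x):
    """Value at x of a polynomial given as a list of monomials (sum over GF(2))."""
    return sum(eval_monomial(m, x) for m in poly) & 1

def nullspace(rows, ncols):
    """Basis of {v : row . v = 0 for every row} over GF(2); rows are bitmasks."""
    pivots = {}                              # pivot column -> fully reduced row
    for r in rows:
        for col, p in pivots.items():        # clear known pivot columns from r
            if r >> col & 1:
                r ^= p
        if r:
            col = r.bit_length() - 1         # new pivot column
            for c in pivots:                 # keep older rows reduced
                if pivots[c] >> col & 1:
                    pivots[c] ^= r
            pivots[col] = r
    basis = []
    for f in (c for c in range(ncols) if c not in pivots):
        v = 1 << f                           # one free coefficient set to 1
        for col, p in pivots.items():
            if p >> f & 1:
                v |= 1 << col                # pivot coefficients forced by it
        basis.append(v)
    return basis

def cubic_annihilators(truth_table):
    """Basis of all g with deg g <= 3 and g*Z = 0, for Z given on POINTS."""
    # g*Z = 0 means g vanishes on the support of Z: one equation per point.
    rows = [sum(eval_monomial(m, x) << j for j, m in enumerate(MONOMIALS))
            for x, z in zip(POINTS, truth_table) if z]
    return [[m for j, m in enumerate(MONOMIALS) if v >> j & 1]
            for v in nullspace(rows, len(MONOMIALS))]

def annihilator_dims(truth_table):
    """Dimensions of the cubic annihilator spaces of Z and of Z+1."""
    return (len(cubic_annihilators(truth_table)),
            len(cubic_annihilators([z ^ 1 for z in truth_table])))

if __name__ == "__main__":
    rng = random.Random(2018)                # constructed sample function
    Z = [rng.randrange(2) for _ in POINTS]
    print("weight of Z:", sum(Z))
    print("dim Ann3(Z), dim Ann3(Z+1):", annihilator_dims(Z))
    g = (cubic_annihilators(Z) or cubic_annihilators([z ^ 1 for z in Z]))[0]
    print("one annihilator has", len(g), "monomials")
```

Running the same check on a candidate round function before it is fixed in a design shows how many low-degree annihilators it leaves available.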
Bonus: New Non-Trivial Attacks
an irregular sporadic attack with P of degree 7
Proof [Outline]
sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)
sage: mu=(B+C)*(G+H)*(B+H)*(B+F)*(C+D)  # =def=
sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
0
sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
0
Proof involves absorptions of type W= and Y=.
polynomials W,Y operate on disjoint inputs
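The two cancellations in the Sage session above can be checked without Sage by computing algebraic normal forms with a Möbius transform; this is an added example in plain Python, not the author's code. The names first_form and second_form are labels chosen here for the two right-hand sides, and A and E are left out because they do not occur in any of the three polynomials.

```python
from itertools import product

VARS = "BCDFGH"  # A and E do not occur in mu or in the two right-hand sides

def mu(B, C, D, F, G, H):
    return (B ^ C) & (G ^ H) & (B ^ H) & (B ^ F) & (C ^ D)

def first_form(B, C, D, F, G, H):
    # (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
    return (C ^ H ^ 1) & (C ^ F ^ 1) & ((B & D & G) ^ (H & (B ^ D ^ 1) & (B ^ G ^ 1)))

def second_form(B, C, D, F, G, H):
    # (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
    return (B ^ D ^ 1) & (B ^ G ^ 1) & ((C & F & H) ^ (G & (C ^ H ^ 1) & (C ^ F ^ 1)))

def anf(func):
    """ANF of func as a set of monomial strings ('1' is the constant term)."""
    n = len(VARS)
    coeff = [func(*bits) for bits in product((0, 1), repeat=n)]
    for i in range(n):                        # binary Moebius transform
        for x in range(1 << n):
            if x >> i & 1:
                coeff[x] ^= coeff[x ^ (1 << i)]
    monomials = set()
    for m, c in enumerate(coeff):
        if c:
            # product() puts the first variable in the most significant bit
            name = "".join(v for j, v in enumerate(VARS) if m >> (n - 1 - j) & 1)
            monomials.add(name or "1")
    return monomials

def degree(monomials):
    """Degree of an ANF; -1 for the zero polynomial."""
    return max((0 if m == "1" else len(m) for m in monomials), default=-1)

def support(func):
    """All assignments (B,C,D,F,G,H) on which func evaluates to 1."""
    return [bits for bits in product((0, 1), repeat=len(VARS)) if func(*bits)]

def verify():
    a_mu, a_1, a_2 = anf(mu), anf(first_form), anf(second_form)
    return {
        # Symmetric difference of monomial sets is the ANF of the sum over GF(2);
        # an empty set is the formal zero polynomial that Sage prints as 0.
        "mu+first": a_mu ^ a_1,
        "mu+second": a_mu ^ a_2,
        "deg_mu": degree(a_mu),
        "support_mu": support(mu),
    }

if __name__ == "__main__":
    for key, value in verify().items():
        print(key, "=", value)
```

The support shows why the cancellation happens: mu is 1 only when B=D=G and C=F=H take opposite values, and each right-hand side is another way of writing the indicator of those two points.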
Interesting Events inside Our Proof
degree 2 out 56 out 16 variables each
100% disjoint sets
**another example
90% disjoint
DES
problem:
a LOT more key bits
48 instead of 2 in each round
Simple BLC Backdoor on DES
Closed Loops
Key concept: “closed loop configurations”.
term used in paper which won the best paper award at Asiacrypt 2018
not new
Closed Loops – works for DES, GOST, etc
In GOST block cipher:
GOST cipher
Closed Loops
For T-310 cipher
Closed Loops…
For DES – with original P-box
[Figure: DES loops; labels Z7, 07]
reality is more interesting than fiction!
Security of DES (overview)
Nicolas T. Courtois, September 2007
DES P-box
[Figure: DES P-box diagram; bit labels 1 2 3 4 5 6 = A B C D E F and 1 2 3 4 = W X Y Z]
Degree 5 Attack on DES
Theorem: Let P =
(1+L06+L07)*L12 * R13*R24*R28
IF
(1+c+d)*W2==0 and (1+c+d)*X2==0
e*W3==0 and f*Z3==0
ae*X7==0 and ae*Z7==0
THEN P is an invariant for 1 round of DES.