Cryptanalysis of Symmetric-Key Primitives: Automated Techniques

Transcription

1 1 / 39 Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos Tuesday, May 29, 2012

2 2 / 39 Outline

3 Symmetric-key Ciphers: Types of attacks 3 / 39 Statistical attacks Linear and differential cryptanalysis, slide attacks,... Detect statistical non-randomness

4 Symmetric-key Ciphers: Types of attacks 3 / 39 Statistical attacks Linear and differential cryptanalysis, slide attacks,... Detect statistical non-randomness Meet-in-the-middle attacks Many techniques (splice-and cut, partial matching, partial fixing,...), guess-and-determine attacks, attack on 2DES,... Separate equations into two or more groups to solve them more efficiently

5 Symmetric-key Ciphers: Types of attacks 3 / 39 Statistical attacks Linear and differential cryptanalysis, slide attacks,... Detect statistical non-randomness Meet-in-the-middle attacks Many techniques (splice-and cut, partial matching, partial fixing,...), guess-and-determine attacks, attack on 2DES,... Separate equations into two or more groups to solve them more efficiently Algebraic attacks See next slide

6 Algebraic Attacks: Definition 4 / 39 Represent cryptographic primitive as system of equations Use equation solver to retrieve key

7 Algebraic Attacks: Definition 4 / 39 Represent cryptographic primitive as system of equations Use equation solver to retrieve key SAT solvers MiniSat2, CryptoMiniSat,... Gröbner basis method Buchberger s algorithm, F 4, F 5,... Mixed Integer Linear Programming (MILP) CPLEX, SYMPHONY,...

8 Algebraic Attacks: Definition 4 / 39 Represent cryptographic primitive as system of equations Use equation solver to retrieve key SAT solvers MiniSat2, CryptoMiniSat,... Gröbner basis method Buchberger s algorithm, F 4, F 5,... Mixed Integer Linear Programming (MILP) CPLEX, SYMPHONY,... Hopefully detects inherent structure, and solves equations faster than brute force!

9 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks

10 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable

11 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht)

12 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht) Biggest advantages: Black box technique, no crypto knowledge required

13 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht) Biggest advantages: Black box technique, no crypto knowledge required Can work with very few plaintext-ciphertext pairs

14 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht) Biggest advantages: Black box technique, no crypto knowledge required Can work with very few plaintext-ciphertext pairs Useful to break extremely weak ciphers: Crypto-1 in 40s, HiTag2 in 6.5h on one Xeon 2.33GHz (Soos)

15 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important

16 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once

17 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once More time spent on: coding, debugging, optimizing, parallel implementation, verifying,... Verifying correctness: very difficult

18 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once More time spent on: coding, debugging, optimizing, parallel implementation, verifying,... Verifying correctness: very difficult Programmer s time: costs more than CPU time!

19 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once More time spent on: coding, debugging, optimizing, parallel implementation, verifying,... Verifying correctness: very difficult Programmer s time: costs more than CPU time! More important: Easy to program Easy to verify Easy to parallelize

20 Goal of this lecture 7 / 39 Use three easy, automated techniques MILP programming SAT solvers Regular expressions as tools to construct attacks... and start breaking ciphers today!

21 8 / 39 Outline

22 9 / 39 Differential Cryptanalysis Differential characteristic a 1 a a 2 b 1 c 1 b c b 2 c 2 d 1 d d 2

23 10 / 39 Differential Cryptanalysis: S-box a α a α Differential Probability DP( α β): #{0 a < 2 8 : S(a) S(a α) = β} 2 8 S S S(a) S(a α) = β? Max. diff. prob. (MDP): 4/256 = 2 6 AES: only component that is non-linear in GF(2 8 ) Non-active S-box: DP(0 0) = 1 Count active S-boxes!

24 11 / 39 Representation of variables Every pair of bytes is shrunk to one bit x i : x i = 0 if the bytes are the same x i = 1 if the bytes are different

25 11 / 39 Representation of variables Every pair of bytes is shrunk to one bit x i : x i = 0 if the bytes are the same x i = 1 if the bytes are different Note: simplifies the analysis! Our results prove lower bounds, but characteristics may contain a contradiction

26 11 / 39 Representation of variables Every pair of bytes is shrunk to one bit x i : x i = 0 if the bytes are the same x i = 1 if the bytes are different Note: simplifies the analysis! Our results prove lower bounds, but characteristics may contain a contradiction Next slides: focus on AES but technique can analyze any cipher based on XORs, three-forked branches, MDS operations,... Details: see Mouha et al., Inscrypt 2011

27 12 / 39 One Round of AES x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 0 x 4 x 8 x 12 x 5 x 9 x 13 x 1 x 10 x 14 x 2 x 6 x 15 x 3 x 7 x 11 AR+SB MC x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 16 x 20 x 24 x 28 x 17 x 21 x 25 x 29 x 18 x 22 x 26 x 30 x 19 x 23 x 27 x 31 SR

28 13 / 39 MixColumns MDS Property: x 0 x 5 x 10 MDS x 16 x 17 x 18 x 0 + x 5 + x 10 + x 15 + x 16 + x 17 + x 18 + x 19 5 or x 15 x 19 x 0 = x 5 = x 10 = x 15 = x 16 = x 17 = x 18 = x 19 = 0

29 14 / 39 MixColumns MDS Property: x 0 x 5 x 10 MDS x 16 x 17 x 18 x 0 + x 5 + x 10 + x 15 + x 16 + x 17 + x 18 + x 19 5d and x 15 x 19 d = max( x 0, x 5, x 10, x 15, x 16, x 17, x 18, x 19 )

30 15 / 39 MixColumns MDS Property: x 0 x 5 x 10 MDS x 16 x 17 x 18 x 0 + x 5 + x 10 + x 15 + x 16 + x 17 + x 18 + x 19 5d and x 15 x 19 d x 0, d x 5, d x 10, d x 15, d x 16, d x 17, d x 18, d x 19

31 16 / 39 Mixed-Integer Linear Programming Mimimize Sum of S-box variables Subject To 9 equations for every MixColumns step (+1 dummy variable) (SubBytes, ShiftRows, add key: no equations/variables) Sum of plaintext variables 1 Binary All variables / All input variables End

32 17 / 39 Single-key AES: Bounds # Rounds Min. # active S-boxes # Rounds Min. # active S-boxes Using the IBM ILOG CPLEX optimizer Free for academic use Execution time no problem takes longer than 0.40 s (Intel Xeon 2.93GHz)

33 18 / 39 Related-key AES: Strategy Also one x i -variable per key byte, (x i = 1 iff. bytes different)

34 18 / 39 Related-key AES: Strategy Also one x i -variable per key byte, (x i = 1 iff. bytes different) Equations for every XOR operation: x in1 x in2 x in1 + x in2 + x out 2d d x in1 d x in2 x out d x out

35 19 / 39 Related-key AES: Bounds Minimum number of active S-boxes: # Rounds AES AES AES # Rounds AES AES AES

36 20 / 39 Related-key AES: Execution Time 24-core Intel Xeon 2.93GHz System used concurrently by at least 5 other people... execution times are upper bounds

37 20 / 39 Related-key AES: Execution Time 24-core Intel Xeon 2.93GHz System used concurrently by at least 5 other people... execution times are upper bounds Bounds for full AES: all less than one minute except 14-round AES-256: bound in s

38 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference

39 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks

40 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s

41 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s xaes-128, 10 rounds: Nikolić: more than 22 active S-boxes ( a few hours on a single core ) using split method

42 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s xaes-128, 10 rounds: Nikolić: more than 22 active S-boxes ( a few hours on a single core ) using split method Our result: 22 active S-boxes (2.68 s, single core) using split method

43 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s xaes-128, 10 rounds: Nikolić: more than 22 active S-boxes ( a few hours on a single core ) using split method Our result: 22 active S-boxes (2.68 s, single core) using split method Not using split method: 25 active S-boxes (4 minutes on a single core, or s using 24 cores)

44 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code

45 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j

46 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants

47 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy

48 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy intercept S-box: keep track of indices for objective function

49 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy intercept S-box: keep track of indices for objective function More details: see source code

50 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy intercept S-box: keep track of indices for objective function More details: see source code To debug/visualize: print indices i of internal states x i and fill in solution

51 23 / 39 Related-key AES: How to program (2) Reference implementation (rijndael-alg-ref.c) assume 256-bit key, 10 rounds Implementation needs = 1408 key bits but rounds up: = 1536 key bits calculated Result: unnecessary S-box lookups, and wrong bounds! solution: reorder loops and terminate sooner

52 24 / 39 Outline

53 25 / 39 SAT solvers: SAT solvers: input in Conjunctive Normal Form (CNF) CNF = the AND of a set of OR -clauses Every variable = 1 bit CryptoMiniSAT: also understands XOR clauses Example of CNF: (x 1 x 5 x 4 ) ( x 1 x 5 x 3 x 4 ) ( x 3 x 4 ) Conversion from C code to CNF needed + convert back to interpret solution

54 26 / 39 SAT solvers: to CNF and back Custom approach: specific to certain (families of) ciphers e.g. Grain of Salt (Soos): stream ciphers based on NLFSRs

55 26 / 39 SAT solvers: to CNF and back Custom approach: specific to certain (families of) ciphers e.g. Grain of Salt (Soos): stream ciphers based on NLFSRs Using software to synthesize hardware circuits e.g. CryptLogVer (Morawiecki et al.): Altera Quartus II + simple postprocessing

56 26 / 39 SAT solvers: to CNF and back Custom approach: specific to certain (families of) ciphers e.g. Grain of Salt (Soos): stream ciphers based on NLFSRs Using software to synthesize hardware circuits e.g. CryptLogVer (Morawiecki et al.): Altera Quartus II + simple postprocessing Tool to convert C code to CNF and back e.g. C32SAT (Brummayer)

57 27 / 39 HAS-V Step Function A i B i C i D i E i <<< S f W i K i <<< 2 A i+1 B i+1 C i+1 D i+1 E i+1

58 28 / 39 HAS-V Step Function: Local Collisions W t [0] W t+1 [S] W t+2 [0] W t+3 [30] W t+4 [30] W t+5 [30] A t [0] A t+1 [S] A t+2 [0] A t+3 [30] A t+4 [30] A t+5 [30] B t+1 [0] 50% C t+2 [30] 50% 50% (f 1,f 3 ) 100% (f 2 ) 50% D t+3 [30] E t+4 [30]

59 29 / 39 HAS-V: Using C32SAT Chabaud and Joux: local collision = perturbation + correction(s) Message words are reused: one message difference W i introduces many perturbations!

60 29 / 39 HAS-V: Using C32SAT Chabaud and Joux: local collision = perturbation + correction(s) Message words are reused: one message difference W i introduces many perturbations! For HAS-V: Step 0: Msg. diff. W 0 = Perturb. P 0 (32-bit word) Step 1: Msg. diff. W 1 = Perturb. P 1 Corr. (P 0 11)

61 29 / 39 HAS-V: Using C32SAT Chabaud and Joux: local collision = perturbation + correction(s) Message words are reused: one message difference W i introduces many perturbations! For HAS-V: Step 0: Msg. diff. W 0 = Perturb. P 0 (32-bit word) Step 1: Msg. diff. W 1 = Perturb. P 1 Corr. (P 0 11) Step 2: Msg. diff. W 2 = Perturb. P 2 Corr. (P 1 7) Corr. (P 0 D 0 )... (W 0, W 1,... are reused in later steps) Dummy variable D 0 : indicates if Boolean function f absorbs or propagates difference

62 30 / 39 HAS-V: C32SAT results Processor: Intel Core 2 Duo 3GHz If P i { , } Best solution: 192 local collisions for 60 steps (41s) No solution with fewer than 192 local collisions (42s)

63 30 / 39 HAS-V: C32SAT results Processor: Intel Core 2 Duo 3GHz If P i { , } Best solution: 192 local collisions for 60 steps (41s) No solution with fewer than 192 local collisions (42s) If P i { , , , } Best solution: 144 local collisions for 60 steps (3m 14s) No solution with fewer than 144 local collisions (11m 10s)

64 30 / 39 HAS-V: C32SAT results Processor: Intel Core 2 Duo 3GHz If P i { , } Best solution: 192 local collisions for 60 steps (41s) No solution with fewer than 192 local collisions (42s) If P i { , , , } Best solution: 144 local collisions for 60 steps (3m 14s) No solution with fewer than 144 local collisions (11m 10s) More details: my Master s thesis (only in Dutch)

65 31 / 39 Outline

66 32 / 39 : : to match patterns in strings Text editor s Find or Find/Replace, but on steroids Included in several programming languages Java, C++11, Apple s Objective-C, C#, PHP, VB.NET, Python, Perl, JavaScript,...

67 32 / 39 : : to match patterns in strings Text editor s Find or Find/Replace, but on steroids Included in several programming languages Java, C++11, Apple s Objective-C, C#, PHP, VB.NET, Python, Perl, JavaScript,...

68 33 / 39 : Notation x character x. any character [ac] character a or c [^a-c] any character except a, b or c e.g. d, A, 9,... ([a-c]) save match for later use x* zero or more x s x+ one or more x s x? zero or one x s x{m} exactly m x s x{m,} at least m x s x{m,n} at least m, but at most n x s

69 34 / 39 Meet-in-the-Middle Attack on XTEA XTEA: 64 rounds, 4 subkeys One subkey used in every round Round key order as a string: Meet-in-the-middle attack on 23 rounds First and last rounds: one subkey is not used Middle rounds: all keys can be used, max. 15 rounds Details: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010 Regular expression?

70 35 / 39 Meet-in-the-Middle Attack on XTEA XTEA: 64 rounds, 4 subkeys One subkey used in every round Round key order as a string: Meet-in-the-middle attack on 23 rounds First and last rounds: one subkey is not used Middle rounds: all keys can be used, max. 15 rounds Details: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010 [^0]*.{1,15}[^0]*,

71 36 / 39 Meet-in-the-Middle Attack on XTEA XTEA: 64 rounds, 4 subkeys One subkey used in every round Round key order as a string: Meet-in-the-middle attack on 23 rounds First and last rounds: one subkey is not used Middle rounds: all keys can be used, max. 15 rounds Details: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010 [^0]*.{1,15}[^0]*, [^2]*.{1,15}[^2]*, [^1]*.{1,15}[^1]*, [^3]*.{1,15}[^3]*

72 37 / 39 1 #! / usr / bin / p e r l 2 3 # XTEA key schedule 4 $x = " ". 5 " " ; 6 7 # subkey $ i i s excluded i n the outer rounds 8 f o r ( $ i =0; $i <4; $ i ++) { 9 while ( $x =~ / ( [ ^ $ i ].{1, 1 5 } [ ^ $ i ] ) / g ) { 10 i f ( l e n g t h ( $1 ) >= 23) { # show only 23 round a t t a c k s 11 p r i n t l e n g t h ( $1 ), " round a t t a c k : ", $1, 12 " ( rounds : ", $ [1]+1, " ", $ + [ 1 ], " ) \ n " ; 13 } 14 pos ( $x ) = $ [1]+1; # matches may overlap 15 } 16 }

73 ECRYPT II 38 / 39 Research papers should be verifiable... releasing source code is therefore crucial! ECRYPT II Currently 16 tools listed Tools used in this lecture will be added today Other new submissions are very welcome!

74 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood.

75 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood. Yet, such techniques can be extremely useful: typically not to break a cipher (requires too much time/memory) but to use as a tool to construct an attack.

76 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood. Yet, such techniques can be extremely useful: typically not to break a cipher (requires too much time/memory) but to use as a tool to construct an attack. How to do this? We gave examples for three approaches: MILP programming, SAT solvers, regular expressions.

77 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood. Yet, such techniques can be extremely useful: typically not to break a cipher (requires too much time/memory) but to use as a tool to construct an attack. How to do this? We gave examples for three approaches: MILP programming, SAT solvers, regular expressions. Questions?