AlgebraicDierential Cryptanalysis of DES

Transcription

1 AlgebraicDierential Cryptanalysis of DES JeanCharles Faugère Ludovic Perret PierreJean Spaenlehauer UPMC LIP6 CNRS INRIA Paris - Rocquencourt SALSA team Journées C2 1/33 PJ Spaenlehauer

2 Plan Introduction 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 2/33 PJ Spaenlehauer

3 Plan Introduction 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 3/33 PJ Spaenlehauer

4 Algebraic Cryptanalysis 4/33 PJ Spaenlehauer

5 Algebraic Cryptanalysis Algebraic representation of a cryptographic primitive. Tools for ecient polynomial system solving. 1 Gröbner Bases algorithms (Buchberger, Faugère F4 and F5). 2 SAT Solvers. Remark There is a very strong link between the modeling and the tools used for the resolution. Challenge Can algebraic cryptanalysis be ecient against block ciphers? 5/33 PJ Spaenlehauer

6 Our work SAT Solvers attacks against DES using dierent modelings of the DES S-boxes. Incorporation of elements from dierential cryptanalysis new attacks against 6,7 and 8 rounds of DES using dedicated characteristics. Tradeo between time and data complexity. 6/33 PJ Spaenlehauer

7 Polynomial System Solving SAT Solvers? Very ecient and exible dedicated softwares. SAT-competition. Active research eld. Easy to use. Low memory comsumption. 7/33 PJ Spaenlehauer

8 Courtois N.T., Bard G.V. and Jeerson C. Ecient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF (2) via SAT-Solvers. Replace each monomial by a new variable. Cut linear equations into smaller equations (by adding new variables). + optimizations. MiniSat2 Een, N. and Sorensson, N. MiniSat: A SAT solver with conict-clause minimization 8/33 PJ Spaenlehauer

9 Sparse quadratic systems 9/33 PJ Spaenlehauer

10 Plan Introduction Data Encryption Standard Modeling Experimental results 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 10/33 PJ Spaenlehauer

11 Data Encryption Standard Data Encryption Standard Modeling Experimental results Iterative Block Cipher Bloc size : 64 bits Eective size of the key : 56 bits Encryption standard between 1976 and 2002 Why did we choose to study the DES? 11/33 PJ Spaenlehauer

12 Main attacks against DES Data Encryption Standard Modeling Experimental results Wiener, M.J. Ecient DES key search. Technical Report Biham, E. and Shamir, A. Dierential cryptanalysis of the full 16-round DES. Crypto'1992 Knudsen, L.R. Partial and higher order dierentials and applications to the DES. BRICS report Matsui, M. Linear cryptanalysis method for DES cipher. EUROCRYPT' /33 PJ Spaenlehauer

13 DES Structure Data Encryption Standard Modeling Experimental results Feistel network 3/33 PJ Spaenlehauer

14 DES Structure Data Encryption Standard Modeling Experimental results Feistel network S-boxes : non-linear part of the system 3/33 PJ Spaenlehauer

15 Data Encryption Standard Modeling Experimental results Starting point N.T. Courtois, G.V. Bard Algebraic Cryptanalysis of the Data Encryption Standard IMA Int. Conf General principle Remark 1 known plaintext. Model the cryptosystem by a set of clauses. Use Minisat to extract the key. We can combine this approach with an exhaustive search over some bits of the key. 14/33 PJ Spaenlehauer

16 S-boxes modeling (I) Data Encryption Standard Modeling Experimental results We have considered several modelings of the DES S-boxes. The choice of the modeling is very important. Our modeling We search (exhaustively) for the set of polynomials which verify : P(x1,..., x6, y1,..., y4) = (x i + α i ) (y i + β i ), α i, β i {0, 1} such that S(x1,..., x6) = (y1,..., y4) P(x1,..., x6, y1,..., y4) = 0 Complexity : /33 PJ Spaenlehauer

17 S-box modeling (II) Data Encryption Standard Modeling Experimental results S-box Nb of clauses S S S S S S S S For 6 rounds : 792 variables and clauses. + partial exhaustive search on 28 bits of the key. 16/33 PJ Spaenlehauer

18 Experimental results Data Encryption Standard Modeling Experimental results 17/33 PJ Spaenlehauer

19 Plan Introduction 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 18/33 PJ Spaenlehauer

20 Our approach Limit Algebraic cryptanalysis usually consider only one known plaintext. We combine algebraic cryptanalysis and statistical techniques to exploit eciently the knowledge of several plaintexts. Tradeo time/plaintexts. In particular, we consider dierential cryptanalysis. 19/33 PJ Spaenlehauer

21 Dierential cryptanalysis (I) The principle was known by the DES designers. Based on a statistical bias of the S-boxes. Key recovery attack. We try to predict how the dierence of a pair of plaintexts will diuse through the cipher. 20/33 PJ Spaenlehauer

22 Dierential cryptanalysis of the 3 round-reduced DES A0 L x x + F x x A0 L B + F 2 A0 L A0 L B out = A0 L A3 R in = B = A3 L + F 3 A3 L A3 R 21/33 PJ Spaenlehauer

23 Dierential cryptanalysis (II) more than 3 rounds Statistical method. dierential characteristics. A lot of plaintexts needed. 22/33 PJ Spaenlehauer

24 Motivations Compromise between algebraic cryptanalysis and dierential cryptanalysis. We can use the strong correlation between the subkeys. The notion of dierence is easy to represent with clauses. We only need one pair following the characteristic to retrieve the key. 23/33 PJ Spaenlehauer

25 General algorithm Repeat until the key is found : Choose a dierential characteristic. Choose two plaintexts with dierence xed by the characteristic. Construct the system of clauses for DES, and add the clauses corresponding to the characteristic. Solve with MiniSat. If the result is UNSATISFIABLE, restart (it means that the pair didn't follow the characteristic). If the result is SATISFIABLE, then MiniSat returns the key. 24/33 PJ Spaenlehauer

26 Six rounds Approach Classical dierential characteristics. Combination of dierent characteristics to reduce the data complexity. 25/33 PJ Spaenlehauer

27 Six rounds Approach Classical dierential characteristics. Combination of dierent characteristics to reduce the data complexity. How to combine We can run MiniSat 6 times with 7 plaintexts. Six 3-rounds characteristics 1,..., 6. 7 plaintexts m 0,..., m 6 such that m i = m 0 δ i. 25/33 PJ Spaenlehauer

28 Experimental results Cryptanalysis Plaintexts Time Dierential (Biham, Shamir) 240 0,3 seconds Dierential (Knudsen) 46 a few seconds Algebraic with SAT Solver seconds (Courtois, Bard) Algebraic-dierential seconds Algebraic-dierential 22 <10 hours (combination of characteristics) 26/33 PJ Spaenlehauer

29 Seven rounds For seven rounds and more, the classical dierential characteristics don't seem to be adapted. We have used a dedicated dierential characteristic. Truncated characteristic with probability 1/ /33 PJ Spaenlehauer

30 S-Box δ in δ out Proba S1 4 x 6 x 10/64 8 x 3 x 12/64 S2 4 x 10 x 10/64 4 x 12 x 10/64 8 x 9 x 10/64 8 x 10 x 16/64 12 x 5 x 14/64 S3 4 x 9 x 12/64 8 x 3 x 10/64 12 x 5 x 12/64 12 x 6 x 12/64 S4 4 x 6 x 12/64 4 x 9 x 12/64 Boîte-S δ in δ out Proba S5 4 x 6 x 10/64 8 x 6 x 10/64 8 x 10 x 10/64 12 x 3 x 10/64 12 x 6 x 10/64 12 x 10 x 10/64 S6 8 x 6 x 16/64 12 x 3 x 12/64 12 x 5 x 10/64 S7 8 x 10 x 12/64 12 x 12 x 14/64 S8 4 x 12 x 10/64 12 x 5 x 10/64 12 x 6 x 10/64 28/33 PJ Spaenlehauer

31 0L = R = F k with probability L = R = F k with probability 1 2L = R = F k with probability L = R = F k with probability 100/64 2 4L = R = F k with probability 1 5L = R = %%0%00%00%%%%0000%%%0%000%0%%00% 29/33 PJ Spaenlehauer

32 Experimental results 7 rounds cryptanalysis 2000 chosen plaintexts 3 hours Not so much results on 7 rounds in the literature. 30/33 PJ Spaenlehauer

33 Eight rounds We have found a 5-round truncated dierential characteristic with probability 1/ partial exhaustive search over 8 bits of the key. 8 rounds cryptanalysis chosen plaintexts and 2 25 seconds. 31/33 PJ Spaenlehauer

34 Summary Rounds Cryptanalysis Nb of plaintexts Time 6 di (Biham,Shamir) 240 (chosen) 0,3 s di (Knudsen) 46 (chosen) <10 s alg (Courtois,Bard) 1 (known) 2 25 s di + alg 32 (chosen) 3000 s di + alg 22 (chosen) <10 h 7 di + alg 2000 (chosen) s 8 di (Biham,Shamir) (chosen) 100 s lin (Matsui) 2 20 (known) 40 s di + alg (chosen) 2 25 s di+lin (Hellman,Langford) 512 (chosen) few seconds 32/33 PJ Spaenlehauer

35 Conclusion Use of statistical methods in algebraic cryptanalysis. New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics. Tradeo plaintexts/time.

36 Conclusion Use of statistical methods in algebraic cryptanalysis. New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics. Tradeo plaintexts/time. Related work (Cryptanalysis of Present) M. Albrecht and C. Cid Algebraic Techniques in Dierential Cryptanalysis FSE2009

37 Conclusion Use of statistical methods in algebraic cryptanalysis. New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics. Tradeo plaintexts/time. Related work (Cryptanalysis of Present) M. Albrecht and C. Cid Algebraic Techniques in Dierential Cryptanalysis FSE2009 Future work Extension of this attack for more rounds? Algebraic-dierential cryptanalysis of DES with Gröbner Bases? Other cryptosystems? Other statistical tools (dierential-linear cryptanalysis,... )?