
Some integral properties of Rijndael

Marine Minier, CITI Laboratory, INSA de Lyon. Guideline: description of the AES and of its little brothers; integral properties of the AES; integral properties of the different Rijndael versions; deduced distinguishers, with unknown keys and with known keys.


Presentation Transcript


  1. Some integral properties of Rijndael. Marine Minier, CITI Laboratory, INSA de Lyon. Workshop MITACS - June 2009

  2. Guideline
     • Description of the AES and of its little brothers
     • Integral properties of the AES
     • Integral properties of the different Rijndael versions
     • Deduced distinguishers
       • With unknown keys
       • With known keys
     • LANE
     • Conclusion

  3. The AES and its brothers

  4. AES and Rijndael (1/3)
     • Rijndael, created by J. Daemen and V. Rijmen; the new AES standard.
     • Iterative block ciphers with a parallel structure.
     • Block sizes: 128, 160, 192, 224 or 256 bits.
     • Key sizes: 128, 192 or 256 bits.
     • The number of rounds varies between 10 and 14 according to the block size and the key size.
     [Figure: cipher structure. Plaintexts (128, 160, 192, 224 or 256 bits; byte matrix 4x4, 5x4, 6x4, 7x4 or 8x4) → initial Key Addition (K0) → round 1: Byte Sub, Shift Row, Mix Column, Key Addition (K1) → ... → round 9, 11 or 13: Byte Sub, Shift Row, Mix Column, Key Addition (K9) → last round: Byte Sub, Shift Row, Key Addition (K10) → ciphertexts (same sizes and byte matrices).]

  5. The AES (2/3): Round function (1/2)
     • Byte Substitution (8x8 S-box S)
     • Shift Row
     [Figure: the 4x4 state a00 ... a33. Byte Substitution replaces each byte aij by S(aij). Shift Row rotates rows 1, 2 and 3 to the left by 1, 2 and 3 positions (row 1 becomes a11 a12 a13 a10).]

  6. The AES (3/3): Round function (2/2)
     • Key Addition
     • Mix Column
     [Figure: Key Addition combines the state a00 ... a33 with the round key Ki (128 bits); Mix Column maps each column (a0j, a1j, a2j, a3j) to a column (b0j, b1j, b2j, b3j).]

  7. Rijndael: main differences
     • Change:
       • nb of rounds
       • ShiftRows
     [Figure: ShiftRows for AES (4 col.), Rijndael-160 (5 col.), Rijndael-192 (6 col.), Rijndael-224 (7 col.) and Rijndael-256 (8 col.).]

  8. General principle of cryptanalysis
     • Distinguisher A: find a relation R(x’,y’) on intermediate states whose probability p of happening is as far as possible from the uniform probability p*: Pr[A] = Adv(A) = |p-p*|
     • Test over the keys (KX, KY)
     [Figure: X [n bits] → initial rounds f with key KX, x’ = (X,KX) → x’ [n bits] → intermediate rounds f, relation R(x’,y’) → y’ [n bits] → final rounds f with keys KY, Kr, y’ = (Y,KY) → Y.]

  9. Integral properties

  10. Integral property of the AES (1/2)
     • byte y = 0…255
     • other bytes = constants
     [Figure: three rounds, each SubBytes, ShiftRows, MixColumns, AddRoundKey, applied to a state with one varying byte y; labels Y, S(y), z0, z1, z2, z3, Z, S(z0), S(z1), S(z2), S(z3), R, s, S.]

  11. Integral property of the AES (2/2)
     • On 6 rounds:
       • For each 9 bytes of keys:
       • Test if:
       • Good keys pass the test.
       • Take care of false alarms.
     [Figure: 2^32 plaintexts → 4 key bytes → Y → 3 rounds as before → S(y) → last round without MixColumn → 4 key bytes → 2^32 ciphertexts.]

  12. Complexity of integral attacks
     • Improvement by Ferguson:
       • Sum over the 2^32 values
     • => Complexity for 6 rounds
       • Nb plaintexts = 6*2^32
       • Complexity = 2^46 using partial sum techniques
     • For 7 rounds:
       • Nb plaintexts = 2^128 – 2^119 (with herd technique)
       • Complexity = 2^120 cipher operations

  13. For Rijndael
     • The same kind of properties
     • But, due to the slower diffusion, => more rounds and better extensions

  14. Rijndael-256: first remark
     • Note: SR: 1, 2, 4
     • Nb rounds: 14 (min)
     [Figure: one round (SubBytes, ShiftRows, MixColumns, AddKey) on a state with varying byte y and bytes z0, z1, z2, z3; output bytes a0 ... a3 and b0 ... b3.]

  15. Rijndael-256: integral property
     • Distinguisher on 4 rounds:
       • Saturation on 3 bytes
       • => Complexity: 2^24 ciphers
     [Figure: propagation of the bytes y, n, p through the first, second, third and fourth rounds (bytes z0, z1, z2, z3 after the first round); eight bytes marked 0 at the end.]

  16. Rijndael-224: integral property
     • Distinguisher on 4 rounds:
       • Saturation on 2 bytes
       • => Complexity: 2^16 ciphers
     [Figure: propagation of the bytes y, p through the first, second, third and fourth rounds (bytes z0, z1, z2, z3 after the first round); four bytes marked 0 at the end.]

  17. Rijndael-192: integral property (1)
     • Distinguisher on 4 rounds:
       • Saturation of 2 bytes
       • => Complexity: 2^16 ciphers
     [Figure: propagation of the bytes y, p (bytes z0, z1, z2, z3); output bytes labelled =1 and =2.]

  18. Rijndael-192: integral property
     • Distinguisher on 4 rounds:
       • Saturation on 3 bytes
       • => Complexity: 2^24 ciphers
     [Figure: propagation of the bytes y, p, n (bytes z0, z1, z2, z3); output bytes labelled =1, =2 and 0.]

  19. Rijndael-160: integral property
     • Distinguisher on 4 rounds:
       • Saturation of 3 bytes
       • => Complexity: 2^24 ciphers
     [Figure: propagation of the bytes y, p, n (bytes z0, z1, z2, z3); output bytes labelled =1, =2 and 0.]

  20. Unknown keys Distinguishers

  21. Extension of 2 rounds at the end
     • [Ferguson et al. -00]: partial sums
     • s directly deduced from ci,j
     • For each ciphertext c, we associate the partial sum:
     • Use to sequentially determine kk => split the key search into 4 steps

  22. Extension at the beginning: 2 methods
     • [Ferguson et al. - 00]: one initial round
     • => attack on 5 rounds with 2^32 plaintexts

  23. The herd technique
     • One more round at the beginning:
       • Naively 2^128 plaintexts (work, cf. Nakahara et al.)
       • Fix a particular byte x => a herd: set of 2^120 ciphertexts of 2^88 structures
       • Test on a single herd.
     • x depends on (p4,…,p7) and on 4 bytes of K0
     • Using 2^64 counters m_y
     • 2^32 counters n_z
     • Filter information on the key guess

  24. Combine those extensions
     • Attack over 2+4+2=8 rounds (for Rijndael-256)
     • Increment the 64 bits (c0,…,c3,p4,…,p7)
     • Guess the 4 bytes of K0, compute x, separate counters into herds.
     • Choose a single herd, update n_z by adding (c0,…,c3) for each correct y
     • Guess the 5 bytes of K7 and of K6 of the two last rounds to decipher each z on one byte. Sum this value over the 2^32 values of z and look at the 0s.
     • Repeat this point for each value of the K0 bytes.
     • => The 4 bytes (p4,…,p7) and the 4 bytes of K0 give 4 bytes
     • => 2^24 smaller herds => reduce the exhaustive search to 2^128-2^119 plaintexts.

  25. Complexity and attacks on 9 rounds
     • Total cost:
       • 2^128-2^119 plaintexts
       • 2^120 cipher operations
     • => Add one round at the end using a complete exhaustive search on the subkey K9

  26. Summary of the attacks

  27. Known Keys Distinguishers

  28. [Knudsen – Rijmen 07]
     • Notion of Known Key Distinguisher
     • Principle: create a distinguisher beginning at the middle of the cipher
     • Then, determine a particular property linking plaintexts and ciphertexts
     • Comparison with the complexity required to find such a structure for a random permutation
     • Interest: create distinguishers when block ciphers are used as hash functions

  29. Theoretical model [Africacrypt 09]
     • Advantage of Distinguishers [Vaudenay 97]: Adv_E(A)
     • Two more cases: non-adaptive, adaptive

  30. Case of an adaptive SPRP Distinguisher

  31. Case of a non-adaptive Known Key Distinguisher

  32. Case study: the AES [Knu-Rij 07]
     • Backward direction
     • Forward direction
     [Figure: two states in which every byte is marked =0.]

  33. KK distinguisher for the AES
     • KK distinguisher on 7 rounds
       • 3 in backward, 4 in forward
       • Requires 2^56 middletexts and 2^56 cipher operations
     • For a random permutation => k-sum problem, complexity: 2^58 operations
     • => KK distinguisher for the AES
     [Figure: 3 rounds and 4 rounds on either side of the middle state.]

  34. KK distinguisher for Rijndael
     • Same kind of properties in the backward direction
     • Summary of the KK distinguishers for Rijndael [Africacrypt 2009]:

  35. A last idea…

  36. LANE: SHA-3 hash function
     • Hi = h0 || h1 = 256 bits
     • Mi = m0 || m1 || m2 || m3 = 512 bits
     • Pi = 6 modified AES rounds
     • Qi = 3 modified AES rounds

  37. The Pi inputs

  38. The Pi and Qi (LANE-256)
     • The same operations as those of the AES
       • SubBytes, ShiftRows, MixColumns, KeyAdd (with constants)
     • Two more: AddConstants and SwapColumns

  39. Integral properties of LANE-256
     • 4 rounds + extension at the beginning:
     [Figure: states with the bytes y, p at the input and bytes marked 0 at the output.]

  40. Integral property of LANE-256, backward direction
     • Integral property on 3 rounds + extension at the beginning:
     [Figure: states with the bytes y, p and bytes marked 0.]

  41. Combine the two properties
     • Distinguisher in 2^112 on the right part of LANE-256
     [Figure: 3 rounds and 5 rounds around the middle state, with bytes marked 0 at both ends. Annotations: "4 rounds: seen as 2^16 sets of 2^96 values as we want"; "5 rounds: seen as 2^48 sets of 2^64 as we want".]

  42. Why only one half?
     • If h0 = h1 = m2 = m3 = constant:
       • W0 = m0 + m1 || m0
       • W1 = m0 || m1
       • W2 = m0 + m1 || m0
       • W3 = 0 || 0
       • W4 = m0 || m1
       • W5 = 0 || 0
     • Then:
       • over 2^112 messages, a certain number of sums is equal to 0
     [Figure: eight positions marked "sum = 0".]

  43. Conclusion
     • Integral properties of Rijndael were not well studied
       • Unknown Keys Distinguishers
       • Known Keys Distinguishers
     • The last model is really useful to create distinguishers for the SHA-3 competition (cf. LANE)
