New Frontiers in Symmetric Cryptanalysis
Algebraic Attacks: A New Frontier in Symmetric Cryptanalysis
N. Courtois, Rump session at Eurocrypt 2007
Motivation
Algebraic Attacks vs. DC/LC/etc.
• Algebraic attack: 2 KP + 2^70 operations => the only feasible in the real life !
• LC in 2^43 operations – infeasible.
– Hard to get 2^43 KP !
Attacks on CTC2
• key size > block size: I can break up to 6 rounds.
• Current frontier: nobody can break CTC2(255,255,7). Can anybody ? Please try !
• If key size > block size => more rounds.
• CTC2(96,256,10) can be broken.
Gröbner Bases Soon to be Forgotten ?
[…], but attention must be shifted from high degree […] all work on […] to handling […] systems but at a […] in a sense less than […].
Gröbner Bases Soon to be Forgotten ?
Powerful competitor: SAT Solvers + conversion.
Before we did try, we actually never believed it could work…
3.4. ANF-to-CNF - The Outsider
Convert MQ to a SAT problem.
(both are NP-hard problems)
Fact:
Sparse random MQ can be broken in practice, some in seconds.
Works for any system of equations - if sparse enough and/or over-defined enough
…
This has never been shown before.
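An added illustration of the "Convert MQ to a SAT problem" step (not code from the talk or from the Courtois–Bard paper): a textbook-style conversion of a small GF(2) polynomial system to CNF, with an exhaustive search standing in for a SAT solver. The sample system, the function names and the encoding choices are assumptions made for this example.

```python
from itertools import product

def anf_to_cnf(equations, n_vars):
    """Each equation is (monomials, constant): XOR of the monomials equals the
    constant over GF(2). A monomial is a tuple of 1-based variable indices.
    Returns (clauses, total_vars) with DIMACS-style signed-integer literals."""
    clauses, mono_var, next_var = [], {}, n_vars
    for monomials, const in equations:
        terms = []
        for m in monomials:
            m = tuple(sorted(set(m)))          # x*x = x over GF(2)
            if len(m) == 1:
                terms.append(m[0])
                continue
            if m not in mono_var:              # fresh variable a <-> AND(m)
                next_var += 1
                a = mono_var[m] = next_var
                clauses += [[-a, x] for x in m]
                clauses.append([a] + [-x for x in m])
            terms.append(mono_var[m])
        # XOR(terms) = const: one clause per assignment of the wrong parity
        for bits in product([0, 1], repeat=len(terms)):
            if sum(bits) % 2 != const:
                clauses.append([-t if b else t for t, b in zip(terms, bits)])
    return clauses, next_var

def models(clauses, total_vars):
    """Exhaustive search standing in for a SAT solver (toy sizes only)."""
    return [bits for bits in product([0, 1], repeat=total_vars)
            if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses)]

# Constructed over-defined system in x1..x3 (not taken from the slides):
SYSTEM = [
    ([(1, 2), (3,)], 1),        # x1*x2 + x3 = 1
    ([(1,), (2, 3)], 1),        # x1 + x2*x3 = 1
    ([(1, 3), (3,)], 0),        # x1*x3 + x3 = 0
    ([(1, 3), (2,), (3,)], 0),  # x1*x3 + x2 + x3 = 0
]

def solve(equations, n_vars):
    """Convert to CNF, find all models, keep only the original variables."""
    clauses, total = anf_to_cnf(equations, n_vars)
    return [m[:n_vars] for m in models(clauses, total)]

if __name__ == "__main__":
    print(solve(SYSTEM, 3))
```

The direct XOR expansion emits 2^(k-1) clauses for k terms, so practical conversions split long sums with extra variables before expanding them.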
Algebraic Attacks on DES
At a first glance, Seems pointless:
Results on DES
Nicolas T. Courtois and Gregory V. Bard: “Algebraic Cryptanalysis of the D.E.S.”.
eprint.iacr.org/2006/402/
What Can Be Done ?
Attack 1: Cubic Representation + ElimLin: We recover the key of 5-round DES with 3 KP faster than brute force.
• When 23 variables fixed, takes 173 s.
• Magma crashes > 2 Gb of RAM.
Attack 2: Optimised Gate-level representation + our ANF-to-CNF conversion + MiniSat 2.0.: Key recovery for 6-round DES. Only 1 KP (!).
• Fix 20 variables takes 68 s.
• Magma crashes with > 2 Gb.
DES – New Frontier:
Break 8 rounds given 1 KP and in less than 2^55.
We encourage researchers to try.
We cannot do it so far.
What Are the Limitations of Algebraic Attacks ?
• When the number of rounds grows: complexity jumps from 0 to ∞.
• With new attacks and new “tricks” being proposed: some systems are suddenly broken with no effort.
=> jumps from ∞ to nearly 0 !
Finally
What About AES?
Laws of Prediction [Arthur C. Clarke]:
When a distinguished elder scientist tells you something is not possible => he is wrong…