Systematic Construction of Nonlinear Product Attacks on Block Ciphers

Abstract

A major open problem in block cipher cryptanalysis is discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310 or for DES with modified S-boxes. Until now such attacks are hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract the attack from any particular block cipher. We study these attacks in terms of transformations on multivariate polynomials. We shall demonstrate how numerous variables including key variables may sometimes be eliminated and at the end two very complex Boolean polynomials will become equal. We present a general construction of an attack where multiply all the polynomials lying on one or several cycles. Then under suitable conditions the non-linear functions involved will be eliminated totally. We obtain a periodic invariant property holding for any number of rounds. A major difficulty with invariant attacks is that they typically work only for some keys. In T-310 our attack works for any key and also in spite of the presence of round constants.

Appendices

A Two Proofs of Theorem 9.1

We provide two proofs of Theorem 9.1. First proof just shows that the attack works directly step by step without revealing that it might be an application of Theorem 7.1. Second proof follows our framework based on three cycles, cf. Figs. 12, 13 and 14. Both proofs are about rewriting everything with input variables only.

First Proof of Theorem 9.1: We rewrite our annihilation conditions using \(A,B,\ldots \) at input side, for every input:

$$ {\left\{ \begin{array}{ll} \mathrm {W8}*C*E=\mathrm {X8}*C*E=0\\ \mathrm {Z7}*C*D=\mathrm {W7}*C*D=0\\ \mathrm {X2}*A*B=0 \end{array}\right. } $$

Using Fig. 11 we see that on the output side after one round \(\phi \) of encryption:

   \(\square \)

Second Proof of Theorem 9.1: We show how our attack follows from Theorem 7.1 and 3 cycles in Figs. 12, 13 and 14. Each output-side polynomial \(\mathcal{Q}_{j'}\) is equal to the sum of the input-side polynomial \(\mathcal{Q}_j\) and the \(\mathcal{Z}_j\) polynomial e.g. \((Z7+d)\) or 0, added at this step. First we check the cycle on Fig. 12. First transition from R07 to L07 is trivial. In second transition we check that d for S7 is the same as \(R27^i\) and:

$$ (B')^i= (\mathrm {L07})^i= (\mathrm {R07})^o+(Z7+d)+(\mathrm {R27})^i= (\mathrm {R07+L27})^o+(Z7+d)= (B+D'+1)^o $$

In the same way we carefully check all 24 transitions on all 3 cycles. Each time an input of a Boolean function \(a,\ldots , f\) is used we check which input number R01 \(\ldots \) R32 it is, cf. Fig. 11. For example \(d^7\) denotes 4-th input of S7 which is R28\(^i\). We show how round outputs 5, 7, 27, 28, 32 are transformed in DES:

\( {\left\{ \begin{array}{ll} \mathrm {L05}^i=\mathrm {R05}^o+W8(.) &{} \text {due to~} P(5)=\mathrm {W8}\\ \mathrm {L07}^i=\mathrm {R05}^o+Z7(.) &{} \text {due to~} P(7)=\mathrm {Z7}\\ \mathrm {L28}^i=\mathrm {R28}^o+X2(.) &{} \text {due to~} P(28)=\mathrm {X2}\\ \mathrm {L27}^i=\mathrm {R27}^o+X8(.) &{} \text {due to~} P(27)=\mathrm {X8}\\ \mathrm {L32}^i=\mathrm {R32}^o+W7(.) &{} \text {due to~} P(32)=\mathrm {W7}. \end{array}\right. } \)

Fig. 11.

Full round function of DES showing the DES P-box.

We recall that “transformable” polynomials are all \(\mathcal{Q}_j\) which are transformed into another polynomial \(\mathcal{Q}_j'\) included, i.e. all those with 0 added, and exactly those made from \(A,B,C,\ldots \) only and not any of \(A',B',C',\ldots \), and also those using R01-R32 and without any of L01-L32, which are:

\( {\left\{ \begin{array}{ll} B=\mathrm {R07}\in \{\text {Fig.\,12}\} &{} B+C+1=\mathrm {R07+R28}\in \{\text {Fig.\,12}\}\\ A+D+1=\mathrm {R05+R27}\in \{\text {Fig.\,13}\} &{} B+D+1=\mathrm {R07+R27}\in \{\text {Fig.\,13}\}\\ E=\mathrm {R32}\in \{\text {Fig.\,14}\} &{} C+E+1=\mathrm {R28+R32}\in \{\text {Fig.\,14}\} \end{array}\right. } \)

Fig. 12.

First of three cycles leading to our invariant attack on DES in Theorem 9.1.

Then we show that the product of 24=8+8+8 polynomials is the same as our intended invariant \(\mathcal{P}\) of degree 5 + 5. We multiply all 6 transformable polynomials:

$$\begin{aligned} B(B+C+1)(A+D+1)(B+D+1)E(C+E+1)=\\ BC(A+D+1)DE(C+E+1)= ABCDE(C+E+1)= ABCDE \end{aligned}$$

Accordingly the identity above proves that the product of exactly all “transformable” polynomials on both cycles is simply equal to ABCDE which fact we will use below. This product is of degree 5 in cipher state variables. Similarly we have: \( B'(B'+C'+1)(A'+D'+1)(B'+D'+1)E'(C'+E'+1)= A'B'C'D'E' \). We have now multiplied 12 polynomials out of 24 on our 3 cycles and the result is our exact polynomial invariant as expected \( \mathcal{P}=ABCDEA'B'C'D'E' \).

Fig. 13.

Second cycle leading to invariant of degree 10 on DES in Theorem 9.1.

It remains to show that all the remaining 24-12=12 polynomials on the 3 cycles which were not multiplied yet, will be absorbed by \(\mathcal{P}\). In other words the result \(\mathcal{P}\) does not change if we multiply by these extra 12 factors. This is shown in 3 stages for each cycles in order, and the key observation is that \(AB(B+A+1)=AB\) and \(ABC(B+A+C)=ABC\). Thus we have

$$\begin{aligned} ABCDEA'B'C'D'E'(B+D'+1)(B'+C'+D)= ABCDEA'B'C'D'E' \end{aligned}$$

We observe that all the 24 points at our cycles are such that the parity is odd, i.e. all 24 terms on 3 cycles will become zero if we assign all the 20 variables to 1. Therefore we can apply the rules \(AB(B+A+1)=AB\) and \(ABC(B+A+C)=ABC\) for each new term.

Now we need to check that all the \(\mathcal{Z}_j\) vanish when multiplied by exactly \(ABCDE=\) product of all “transformable” polynomials. All the \(\mathcal{Z}_j\) will be annihilated if we annihilate the 5 components \((W7+e),(X2+b+d),(X8),(W8),(Z7+d)\). We will need to check that each is annihilated by the product of all “transformable” polynomials \(=ABCDE\).

Fig. 14.

Third cycle which is combined with other inside our proof of Theorem 9.1.

For this we rewrite our assumptions with additional derived facts using rules \(L_1 L_2 W=L_1 L_2 (W+L_1+1)\) and \(L_1 L_2 W=L_1 L_2 (W+L_1+L_2)\). For example \((a+e)e\) is the same as \(CE=(R28+1)R32=(R28+R32)R32\). Likewise \((d+1)(e+1)=(R27+1)(R28+1)=CD\) for W7 and X7, and \(bd=A*B\) for X2. We annihilated all 5 terms \((W7+e),(X2+b+d),(X8),(W8),(Z7+d)\):

$$ \left\{ \begin{aligned} C*E*\mathrm {W8}=0&~~~~~~ C*E*\mathrm {(W8+a)}=0\\ C*E*\mathrm {X8}=0&~~~~~~ C*E*\mathrm {(X8+a)}=0\\ C*D*(\mathrm {Z7}+d)=0&~~~~~~ C*D*(\mathrm {Z7}+e)=0\\ C*D*(\mathrm {W7}+d)=0&~~~~~~ C*D*(\mathrm {W7}+e)=0\\ A*B*(\mathrm {X2}+b+d)=0&~~~~~~ A*B*(\mathrm {X2})=0 ~~~~ \end{aligned} \right. $$

   \(\square \)

B Original DES Boxes: Shamir 1985 Paper Revisited

In 1985 Shamir observed that for every DES S-box, if we fix the second input variable to 1, the sum of all outputs is very strongly biased [36]. This has important consequences for our attacks. For every strongly biased Boolean function either Z or \(Z+1\) has unusually many annihilators, cf. Thm. B.2. in [18]. In particular we have some unusually simple annihilators with only 2 linear factors, e.g. the following property holds with probability 1 for the DES S-box S5:

$$ R17(R16+R20)*(W5+X5+Y5+Z5) = 0. $$

We are not or not yet using the full power of Theorem 7.1 which allows the additions of affine terms. By doing we have a simpler linear annihilator:

$$ (1+R16+R17+R20)*(W5+X5+Y5+Z5+1+R17) = 0. $$

Here we can annihilate a non-linear function with just one transformable polynomial \((1+R16+R17+R20)\) which corresponds to 1-weak-normality in [8]. It is an open problem to discover a full optimised attack using such annihilations.