Abstract
Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is a substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively little research on how block cipher wiring can be very special or abnormal. In this article we show a strong type of anomaly: one where the complexity of a differential attack does not grow exponentially as the number of rounds increases. It will grow initially, and later it will be lower bounded by a constant. At the end of the day the vulnerability is an ordinary single differential attack on the full state. It occurs due to the existence of a hidden polynomial invariant. We conjecture that this type of anomaly is not easily detectable if the attacker has limited resources.
Notes
1. This happens with probability at least \(2^{-8}\) for any Boolean function, see Appendix A.
2. This function is used twice, as W and as Y, for 2 disjoint sets of 6 inputs.
3. For example, if one input A is b, the other must be e.
References
Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and slide attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_6
Courtois, N.T., Bard, G.V.: Random permutation statistics and an improved slide-determine attack on KeeLoq. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 35–54. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28368-0_6
Bard, G.V., Courtois, N.T., Nakahara, J., Sepehrdad, P., Zhang, B.: Algebraic, AIDA/Cube and side channel analysis of KATAN family of block ciphers. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 176–196. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17401-8_14
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4, 3–72 (1991). https://doi.org/10.1007/BF00630563
Brown, L., Seberry, J.: On the design of permutation P in des type cryptosystems. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 696–705. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_71
Çalık, Ç., Sönmez Turan, M., Peralta, R.: The multiplicative complexity of 6-variable Boolean functions. Cryptogr. Commun. 11(1), 93–107 (2018). https://doi.org/10.1007/s12095-018-0297-2. https://ia.cr/2018/002.pdf
Charpin, P.: Normal Boolean functions. J. Complex. 20(2–3), 245–265 (2004)
Courtois, N.T.: The dark side of security by obscurity and cloning MiFare classic rail and building passes anywhere, anytime. In: SECRYPT 2009, pp. 331–338. INSTICC Press (2009). ISBN 978-989-674-005-4
Courtois, N.T., Mourouzis, T.: Propagation of truncated differentials in GOST. In: SECURWARE (2013). http://www.thinkmind.org/download.php?articleid=securware_2013_7_20_30119
Courtois, N.T.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph study on GOST cipher, 224 p. https://ia.cr/2011/626
Courtois, N., Gawinecki, J.A., Song, G.: Contradiction immunity and guess-then-determine attacks on GOST. In: CECC 2012, Tatra Mt. Math. Publ. vol. 53, no. 3, pp. 65–79 (2012). http://www.sav.sk/journals/uploads/0114113604CuGaSo.pdf
Courtois, N.T., Georgiou, M.: Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310. Cryptologia 44(1), 20–38 (2020). https://doi.org/10.1080/01611194.2019.1650845
Courtois, N.T., Patrick, A., Abbondati, M.: Construction of a polynomial invariant annihilation attack of degree 7 for T-310. Cryptologia 44(4), 289–314 (2020)
Courtois, N.T.: On the existence of non-linear invariants and algebraic polynomial constructive approach to backdoors in block ciphers. https://ia.cr/2018/807. Accessed 27 Mar 2019
Courtois, N.T., Patrick, A.: Lack of unique factorization as a tool in block cipher cryptanalysis. https://arxiv.org/abs/1905.04684. Accessed 12 May 2019
Courtois, N.T.: Structural nonlinear invariant attacks on T-310: attacking arbitrary Boolean functions. https://ia.cr/2018/1242. Accessed 12 Sept 2019
Courtois, N.T.: A nonlinear invariant attack on T-310 with the original Boolean function. Cryptologia, 23 Apr 2020. https://www.tandfonline.com/doi/full/10.1080/01611194.2020.1736207. to appear also in paper version in 2020
Courtois, N.T.: Invariant hopping attacks on block ciphers. In: Presented at WCC 2019, Abbaye de Saint-Jacut de la Mer, France, 31 March–5 April 2019. https://arxiv.org/pdf/2002.03212.pdf. Accessed 8 Feb 2020
Courtois, N.T., Abbondati, M., Ratoanina, H., Grajek, M.: Systematic construction of nonlinear product attacks on block ciphers. In: Seo, J.H. (ed.) ICISC 2019. LNCS, vol. 11975, pp. 20–51. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40921-0_2
Courtois, N.T.: Feistel schemes and bi-linear cryptanalysis. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 23–40. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_2
Courtois, N.T., et al.: Cryptographic security analysis of T-310. Monograph study on the T-310 block cipher, 132 p., 20 May 2017. https://ia.cr/2017/440.pdf. Accessed 29 June 2018
Courtois, N.T., Oprisanu, M.-B.: Ciphertext-only attacks and weak long-term keys in T-310. Cryptologia, 42(4), 316–336 (2018). http://www.tandfonline.com/doi/full/10.1080/01611194.2017.1362065
Courtois, N., Drobick, J., Schmeh, K.: Feistel ciphers in East Germany in the communist era. Cryptologia 42(6), 427–444 (2018)
Courtois, N.T.: Block ciphers: lessons from the cold war. In: Slides presented at 2019 biennial Symposium on Cryptologic History, Laurel, Maryland, US, October 2019. http://www.nicolascourtois.com/papers/Feistel_East_Cold_War_US_Oct2019.pdf
Courtois, N.T.: The inverse S-Box, non-linear polynomial relations and cryptanalysis of block ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 170–188. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447_15. https://www.researchgate.net/publication/221005723_The_Inverse_S-Box_Non-linear_Polynomial_Relations_and_Cryptanalysis_of_Block_Ciphers
Courtois, N.: The inverse S-box and two paradoxes of whitening. Long extended version of the Crypto 2004 rump session presentation, Whitening the AES S-box. http://www.nicolascourtois.com/papers/invglc_rump_c04.pdf
Courtois, N., Oprisanu, M.-B., Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s. Cryptologia (2018). https://www.tandfonline.com/doi/abs/10.1080/01611194.2018.1483981
Courtois, N.: The best differential characteristics and subtleties of the Biham-Shamir attacks on DES. https://ia.cr/2005/202
Courtois, N.T.: An improved differential attack on full GOST. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 282–303. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_18
Courtois, N.: An improved differential attack on full GOST. Cryptology ePrint Archive, Report 2012/138, 15 March 2012. https://ia.cr/2012/138. Accessed Dec 2015
Courtois, N., Misztal, M.: Aggregated differentials and cryptanalysis of PP-1 and GOST. Periodica Mathematica Hungarica 65(2), 11–26 (2012). https://doi.org/10.1007/s10998-012-2983-8. In CECC 2011, 11th Central European Conference on Cryptology
Courtois, N.T., Mourouzis, T., Misztal, M., Quisquater, J.J., Song, G.: Can GOST be made secure against differential cryptanalysis? Cryptologia 39(2), 145–156 (2015)
Courtois, N.: On multiple symmetric fixed points in GOST. Cryptologia 39(4), 322–334 (2015)
Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_5
Dubuc, S.: Etude des propriétés de dégénérescence et de normalité des fonctions booléennes et construction de fonctions q-aires parfaitement non-linéaires, Ph.D. thesis, Université de Caen (2001)
Feistel, H., Notz, W.A., Smith, J.L.: Cryptographic techniques for machine to machine data communications, 27 Dec 1971, Report RC-3663, IBM T. J. Watson Research (1971)
Golić, J.D.: Cryptanalytic attacks on MIFARE classic protocol. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 239–258. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_16
Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s Piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_3
Harpes, C., Massey, J.L.: Partitioning cryptanalysis. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 13–27. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052331
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Kovalchuk, L.V.: Generalized Markov ciphers: evaluation of practical security against differential cryptanalysis. In: Proceedings of 5th All-Russian Scientific Conference MaBIT-06, 25–27 Oct 2006, MGU, Moscow, pp. 595–599 (2006). (in Russian)
Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_2
Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_12
Knudsen, L.R., Robshaw, M.J.B.: Non-linear characteristics in linear cryptanalysis. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Heidelberg (1996)
Maiorana, J.A.: A classification of the cosets of the Reed-Muller code R(1,6). Math. Comput. 57(195), 403–414 (1991)
Nash, J.: Handwritten letters and documents relating to their evaluation, January–March 1955, declassified in 2012. Available at the NSA crypto museum, cryptologicfoundation.org. https://www.nsa.gov/news-features/declassified-documents/nash-letters/assets/files/nash_letters1.pdf
Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_41
Peyrin, T., Wang, H.: The MALICIOUS framework: embedding backdoors into tweakable block ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 249–278. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_9
Referat 11: Kryptologische Analyse des Chiffriergerätes T-310/50. Central Cipher Organ, Ministry of State Security of the GDR, document referenced as ‘ZCO 402/80’, a.k.a. MfS-Abt-XI-594, Berlin, 123 p. (1980)
Schmeh, K.: The East German encryption machine T-310 and the algorithm it used. Cryptologia 30(3), 251–257 (2006)
Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM and Midori 64. J. Cryptol. 32, 1–40 (2018)
Vielhaber, M.: AIDA Breaks BIVIUM (A&B) in 1 Minute Dual Core CPU Time. https://ia.cr/2009/402
Winter, R., Salagean, A., Phan, R.C.-W.: Comparison of cube attacks over different vector spaces. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 225–238. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27239-9_14
Appendices
Appendix A On Boolean Function Vulnerability
It is possible to see that a Boolean function chosen at random will satisfy our exact property \(Z({a+d})({b+e})({c+f})=0\) with probability \(2^{-8}\), cf. Section 5 in [13] and/or Appendix C in [16]. The result is the same as long as we have three linear factors which are linearly independent. In general, Boolean functions which are constant over large affine spaces are not an exception; this is systematic. 100% of Boolean functions in 6 variables are 3-normal and can be annihilated by a product of 3 affine polynomials, cf. Section 5 in [19] and [35]. We use another method to obtain the same result: it is sufficient to check all the 150357 classes of Boolean functions in the database of Boolean functions of [6], which is based on earlier work by Maiorana [45].
Moreover, our experience shows that typically (when the Boolean function is balanced) both \(Z\) and \(Z+1\) will admit numerous solutions of this type, some of which could work with an attack such as the one described in this paper.
No Boolean function whatsoever should be assumed to be secure against attacks such as those described in this paper. For example, with the original Boolean function used in T-310 we have \(Zc(b+d)f=0\) and \(Z(a+b)c(1+e)=0\) and many other relations of this type. From here it is possible to construct a product invariant attack on demand, using exactly one single relation of this kind, see [17]. In other words, just one such annihilation equation, which was not chosen by the attacker, can lead to an attack on T-310 working for any number of rounds. This is already the case for an invariant attack at order 1. Properties which involve two encryptions, as in our Theorem 5.1.1, and the existence of multiple ways to annihilate polynomials further increase the freedom of the attacker.
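The following is an added worked check of the counting argument in this appendix; it is not code from the paper. It stores a 6-variable Boolean function as a 64-bit truth table (the mapping of a..f to bit positions is an assumption), tests whether a product of affine factors annihilates Z, computes the exact probability that a uniformly random Z satisfies such a relation, and, going beyond the single relation above, enumerates every 3-dimensional flat of GF(2)^6 on which a given Z vanishes. The sample function Z = 1+a+d is constructed for illustration.

```python
from itertools import combinations

# A Boolean function Z of the six inputs a..f is stored as a 64-bit truth
# table: bit x of the integer is Z(x), where bit i of x is the i-th variable
# (assumed mapping: a is bit 0, ..., f is bit 5).
VARS = {name: i for i, name in enumerate("abcdef")}
ALL_ONES = (1 << 64) - 1

def affine(terms, const=0):
    """Truth table of an affine form: affine("ad") is a+d, affine("e", 1) is 1+e."""
    tt = 0
    for x in range(64):
        bit = const
        for v in terms:
            bit ^= (x >> VARS[v]) & 1
        tt |= bit << x
    return tt

def product(factors):
    """Truth table of the product of affine forms (1 only where every factor is 1)."""
    tt = ALL_ONES
    for f in factors:
        tt &= f
    return tt

def is_annihilated(z, factors):
    """True iff Z * f1 * f2 * ... is the zero polynomial over GF(2)."""
    return z & product(factors) == 0

def annihilation_probability(factors):
    """Exact probability that a uniformly random Z is annihilated by the product:
    Z must be 0 on each input where the product is 1, and those bits are independent."""
    return 2.0 ** -bin(product(factors)).count("1")

def three_dimensional_flats():
    """Every 3-dimensional affine subspace of GF(2)^6, as the 8-point truth table
    of l1*l2*l3. When the linear parts of l1, l2, l3 are dependent, the product
    has 0 or 16 points, so keeping popcount == 8 enforces linear independence."""
    forms = [affine([v for v in "abcdef" if (lin >> VARS[v]) & 1], c)
             for lin in range(1, 64) for c in (0, 1)]
    flats = set()
    for trio in combinations(forms, 3):
        p = product(trio)
        if bin(p).count("1") == 8:
            flats.add(p)
    return flats

def annihilating_flats(z):
    """The products of three independent affine forms that annihilate Z, i.e.
    the 3-dimensional flats on which Z is identically 0."""
    return {p for p in three_dimensional_flats() if z & p == 0}
```

For Z = 1+a+d the annihilating flats are exactly the 3-flats inside the hyperplane a+d=1, and Z+1 = a+d gives the same count for the complementary hyperplane, which is the "both Z and Z+1" situation described above.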
Appendix B The Key Recovery Question
There exist multiple ways in which non-linear invariant attacks can be exploited in cryptanalysis in order to decrypt actual encrypted communications. This question was already studied in Section 9 of [16], Section 6 of [12] and Section 6 of [13], and there are several distinct ways to approach this problem. Some invariants (not all) introduce pervasive biases made of higher order correlation properties which do not degrade as the number of rounds increases. Other invariants directly involve some key bits. In some sense we expect that most invariants are NOT suitable for actual attacks, in the sense that other invariants are more suitable for various technical reasons.
Appendix B.1 New Ways to Exploit Polynomial Invariants
In this paper we discover a way to convert a non-linear invariant attack into a differential attack. This opens new possibilities for key recovery in 3 steps, as follows. First, we guess some key bits; then, we determine some internal values; finally, we confirm the guess through a statistical distinguisher. It is important to note that the question of which key bits should be guessed and which ones are determined is a major practical combinatorial optimization problem in cryptanalysis. It leads to interesting security “metric” notions such as SAT immunity and UNSAT immunity, cf. [11].
Appendix B.2 Multiple Simultaneous Differentials and Cube Attacks
A more advanced method to enable key recovery would be to explore the rich world of cube attacks, which are a form of higher order differential attack. This type of discrete differential property is much older than is usually assumed; it has been studied since at least 1976, cf. [24], and there are many flavours of cube attacks [52, 53]. It is quite rare that several differential properties can work simultaneously and that the overall combined probability remains very high. One example of this is with MiFare classic in [8, 37], and it happens again here. Our attack has 8 differences which form a linear space and could be used simultaneously in a variety of combined differential, invariant and/or cube attacks. An interesting question is then how quickly the complexity of such attacks increases as the number of rounds grows. Here we need to look at a new type of conditional cube attack: one where a certain product of polynomials is at 1. We need to focus on cube properties which involve key bits, which cannot be taken for granted in general, cf. Section 4.1 in [3]. The space of possible attacks is enormous and we leave this for future research.
© 2021 Springer Nature Switzerland AG
Courtois, N.T., Quisquater, J.-J. (2021). Can a Differential Attack Work for an Arbitrarily Large Number of Rounds? In: Hong, D. (ed.) Information Security and Cryptology – ICISC 2020. Lecture Notes in Computer Science, vol. 12593. Springer, Cham. https://doi.org/10.1007/978-3-030-68890-5_9
DOI: https://doi.org/10.1007/978-3-030-68890-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-68889-9
Online ISBN: 978-3-030-68890-5