Abstract
A major open problem in block cipher cryptanalysis is the discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310 or for DES with modified S-boxes. Until now such attacks have been hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract the attack from any particular block cipher. We study these attacks in terms of transformations on multivariate polynomials. We shall demonstrate how numerous variables, including key variables, may sometimes be eliminated and at the end two very complex Boolean polynomials will become equal. We present a general construction of an attack where we multiply all the polynomials lying on one or several cycles. Then, under suitable conditions, the non-linear functions involved will be eliminated totally. We obtain a periodic invariant property holding for any number of rounds. A major difficulty with invariant attacks is that they typically work only for some keys. In T-310 our attack works for any key and also in spite of the presence of round constants.
Notes
- 1.
Except maybe some combinatorial or probability questions for certain special events.
- 2.
Involving a handful of bits, only some of the non-linear function(s), and only some key bits. Moreover, inside the Boolean functions and S-boxes, we aim at constructing attacks which require only that a small fraction of entries in the truth tables of these functions (at suitable positions) are zero.
- 3.
For DES S-boxes, we require that some Boolean functions are annihilated by products of simple linear polynomials. Such annihilations frequently remain true when we transform an S-box by a secret key added at the input, cf. Remark 2 on page 22.
- 4.
- 5.
For example, we have generated many concrete examples of S-boxes for the attack of degree 8 on DES of Sect. 8. In some cases additional invariants of degree 2, 4, 6 or 7 are also found, cf. [11, 12] and our Sect. 8. Alternatively, we constructed an attack of degree 10 in Sect. 9, and for some S-boxes we will also have an attack of degree 5 in Theorem 10.1.
- 6.
Some of these attacks are obtained by the so-called “decimated” attack, cf. Sect. 4.3.
- 7.
The original one and the transformed one.
- 8.
This example occurs in our later attack on DES, and we can rewrite \(\mathcal{Q}_1=A + C + 1=R05+R28\), where R05 is the 5-th bit in the right branch of a DES plaintext, and A, C are defined in later Fig. 12 page 28.
- 9.
Informally it is a polynomial such that we actually have \(D\rightarrow A\) when \(\mathcal{Z}_i=0\). Moreover we mandate that this polynomial \(\mathcal{Z}_i\) uses the same set of input-side variables which are also the inputs of D. Then we always have \(D(\text {Inputs})=A(\text {Outputs})\) when \(\mathcal{Z}_i(\text {Inputs})=0\). This does not say what happens when \(\mathcal{Z}_i=1\), and in this paper the converse will also hold systematically. More precise statements which make sense in all cases will be provided later, cf. Theorem 7.1 page 16.
- 10.
In the T-310 cipher, F is derived from the public IV used in each encryption, cf. [23].
- 11.
This type of equation was previously studied under the name of a Transition Equation or (TE) in Section 5 of [17].
- 12.
Here transitions are no longer invariants but rather of type \(\mathcal{P}\rightarrow \mathcal{P}'\) with \(\mathcal{P}\ne \mathcal{P}'\).
- 13.
It is easy to see that there is no reason why a transition should be deterministic. For example we could have \(\mathcal{Z}_1=Z(a,b,c)=abc+ac\) and \(\mathcal{Z}_3=Z(a,b,c)+b=abc+ac+b\), which inevitably lead to two different transitions if starting from the same polynomial, assuming \(\mathcal{Q}_1=\mathcal{Q}_3\), and we have simultaneously \(Z(b+1)(a+1)=0\) and \((Z+b)(b+1)(a+1)=0\).
- 14.
- 15.
Examples of non-linear invariants with a period of 4 rounds can be found in Appendix B.2. in [17].
- 16.
In contrast, due to the lack of unique factorisation in product attacks, it is not clear if or how our attack of degree 5 in Sect. 10 can be obtained, with or without decimation, from cycles following our general framework.
- 17.
- 18.
Rather than when we simply multiply all the polynomials.
- 19.
The best example known to us so far requires \(\mathcal{P}\) of degree 20.
- 20.
However it is sufficient to modify just the last linear term in order to make the attack work in T-310, cf. Section 7.2. in [18].
- 21.
We have 0 in red which is XORed at three places in Fig. 7.
- 22.
This name means that our block cipher transforms it into another polynomial \(\mathcal{Q}_j\) included in our set.
- 23.
For example \(\mathcal{Z}_1 = Y+f\) is XORed at one place in Fig. 7 where Y is a polynomial with 6 inputs.
- 24.
These polynomials appear in red on our pictures for example \((Y+e)\) where Y is an arbitrary polynomial and e is an additional variable.
- 25.
Typically about half of all polynomials are “transformable” in all known applications of this theorem.
- 26.
- 27.
- 28.
These 8 conditions are simply 8 additional conditions on P() e.g. \(P(22)=14\) etc.
- 29.
By convention we work backwards from the output to the input side, cf. Fig. 11, and \(P(5)=29\) means that output 29 of the 8 S-boxes is connected to round output 5, where numbering goes from 1 to 32. These connections hold for DES, and our attack also works for DES with any modified P-box as long as it satisfies these conditions.
- 30.
This is closely related to the question of reflection attacks in GOST, cf. [27].
- 31.
References
Bannier, A., Bodin, N., Filiol, E.: Partition-Based Trapdoor Ciphers. https://ia.cr/2016/493
Boyar, J., Find, M., Peralta, R.: Four measures of nonlinearity. In: Spirakis, P.G., Serna, M. (eds.) CIAC 2013. LNCS, vol. 7878, pp. 61–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38233-8_6
Beierle, C., Canteaut, A., Leander, G., Rotella, Y.: Proving resistance against invariant attacks: how to choose the round constants. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 647–678. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_22
Beyne, T.: Block cipher invariants as eigenvectors of correlation matrices. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 3–31. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_1
Coppersmith, D.: The development of DES, Invited Talk, Crypto 2000, August 2000
Calderini, M.: A note on some algebraic trapdoors for block ciphers. https://arxiv.org/abs/1705.08151. Accessed 17 May 2018
Calik, C., Sonmez Turan, M., Peralta, R.: The multiplicative complexity of 6-variable Boolean functions. Cryptogr. Commun. 11, 93–107 (2019). https://ia.cr/2018/002.pdf
Charpin, P.: Normal Boolean functions. J. Complex. 20(2–3), 245–265 (2004)
Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_27
Courtois, N., Mourouzis, T., Grocholewska-Czurylo, A., Quisquater, J.-J.: On optimal size in truncated differential attacks. In: CECC 2014, Post-Proceedings in Studia Scientiarum Mathematicarum Hungarica, vol. 52, no. 2, pp. 246–254 (2015)
Courtois, N.T., Patrick, A.: Lack of unique factorization as a tool in block cipher cryptanalysis, Preprint, 12 May 2019. https://arxiv.org/abs/1905.04684
Courtois, N.T.: Invariant Hopping Attacks on Block Ciphers, accepted at WCC 2019, Abbaye de Saint-Jacut de la Mer, France, 31 March–5 April 2019
Courtois, N.T., Georgiou, M.: Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310. Cryptologia (2019). https://doi.org/10.1080/01611194.2019.1650845
Courtois, N.T., Georgiou, M.: Constructive non-linear polynomial cryptanalysis of a historical block cipher. http://arxiv.org/abs/1902.02748
Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_21
Courtois, N.T.: Algebraic attacks on combiners with memory and several outputs. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 3–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11496618_3. Extended version available on https://ia.cr/2003/125/
Courtois, N.T.: On the existence of non-linear invariants and algebraic polynomial constructive approach to backdoors in block ciphers. https://ia.cr/2018/807. Accessed 27 Mar 2019
Courtois, N.T.: Structural nonlinear invariant attacks on T-310: attacking arbitrary boolean functions. https://ia.cr/2018/1242. Accessed 12 Sept 2019
Courtois, N.T.: Feistel schemes and bi-linear cryptanalysis. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 23–40. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_2
Courtois, N.T., Castagnos, G., Goubin, L.: What do DES S-boxes say to each other? (2003). https://ia.cr/2003/184/
Courtois, N.T.: An improved differential attack on full GOST. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 282–303. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_18
Courtois, N.: An improved differential attack on full GOST. Cryptology ePrint Archive, Report 2012/138, 15 March 2012, December 2015. https://ia.cr/2012/138
Courtois, N.T., et al.: Cryptographic security analysis of T-310, monography study on the T-310 block cipher, 132 p., 20 May 2017. https://ia.cr/2017/440.pdf. Accessed 29 June 2018
Courtois, N.T., Oprisanu, M.-B.: Ciphertext-only attacks and weak long-term keys in T-310. Cryptologia 42(4), 316–336 (2018). http://www.tandfonline.com/doi/full/10.1080/01611194.2017.1362065
Courtois, N.T., Oprisanu, M.-B., Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s. Cryptologia (2018). https://www.tandfonline.com/doi/abs/10.1080/01611194.2018.1483981
Courtois, N., Drobick, J., Schmeh, K.: Feistel ciphers in East Germany in the communist era. Cryptologia 42(6), 427–444 (2018)
Courtois, N.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph study on GOST cipher, 2010–2014, 224 p. https://ia.cr/2011/626
Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_5
Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_3
Knudsen, L.R., Robshaw, M.J.B.: Non-linear approximations in linear cryptanalysis. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_20
Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_12
Lipton, R.J., Regan, K.W.: Nicolas Courtois: the linearization method. In: People, Problems, and Proofs, pp. 259–262. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41422-0_50
De Meyer, L., Vaudenay, S.: DES S-box generator. Cryptologia 41(2), 153–171 (2017). https://www.tandfonline.com/doi/full/10.1080/01611194.2016.1169456
Kim, K., Lee, S., Park, S., Lee, D.: Securing DES S-boxes against three robust cryptanalysis. In: SAC 1995, vol. 2595, pp. 145–157 (1995)
Schmeh, K.: The East German encryption machine T-310 and the algorithm it used. Cryptologia 30(3), 251–257 (2006)
Shamir, A.: On the security of DES. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 280–281. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_22
Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM and Midori 64. J. Cryptol. 32, 1–40 (2018)
Wei, Y., Ye, T., Wenling, W., Pasalic, E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Trans. Symmetric Cryptol. 4, 62–79 (2018). https://tosc.iacr.org/index.php/ToSC/article/view/7361/6531
Appendices
A Two Proofs of Theorem 9.1
We provide two proofs of Theorem 9.1. The first proof simply shows that the attack works directly, step by step, without revealing that it is an application of Theorem 7.1. The second proof follows our framework based on three cycles, cf. Figs. 12, 13 and 14. Both proofs consist in rewriting everything with input variables only.
First Proof of Theorem 9.1: We rewrite our annihilation conditions using \(A,B,\ldots \) at input side, for every input:
Using Fig. 11 we see that on the output side after one round \(\phi \) of encryption:
\(\square \)
Second Proof of Theorem 9.1: We show how our attack follows from Theorem 7.1 and the 3 cycles in Figs. 12, 13 and 14. Each output-side polynomial \(\mathcal{Q}_{j'}\) is equal to the sum of the input-side polynomial \(\mathcal{Q}_j\) and the \(\mathcal{Z}_j\) polynomial, e.g. \((Z7+d)\) or 0, added at this step. First we check the cycle in Fig. 12. The first transition from R07 to L07 is trivial. In the second transition we check that d for S7 is the same as \(R27^i\) and:
In the same way we carefully check all 24 transitions on all 3 cycles. Each time an input \(a,\ldots , f\) of a Boolean function is used, we check which input number R01 \(\ldots \) R32 it is, cf. Fig. 11. For example \(d^7\) denotes the 4th input of S7, which is R28\(^i\). We show how round outputs 5, 7, 27, 28, 32 are transformed in DES:
\( {\left\{ \begin{array}{ll} \mathrm {L05}^i=\mathrm {R05}^o+W8(.) &{} \text {due to~} P(5)=\mathrm {W8}\\ \mathrm {L07}^i=\mathrm {R05}^o+Z7(.) &{} \text {due to~} P(7)=\mathrm {Z7}\\ \mathrm {L28}^i=\mathrm {R28}^o+X2(.) &{} \text {due to~} P(28)=\mathrm {X2}\\ \mathrm {L27}^i=\mathrm {R27}^o+X8(.) &{} \text {due to~} P(27)=\mathrm {X8}\\ \mathrm {L32}^i=\mathrm {R32}^o+W7(.) &{} \text {due to~} P(32)=\mathrm {W7}. \end{array}\right. } \)
We recall that “transformable” polynomials are all \(\mathcal{Q}_j\) which are transformed into another polynomial \(\mathcal{Q}_j'\) included in our set, i.e. all those with 0 added, namely exactly those made from \(A,B,C,\ldots \) only and not any of \(A',B',C',\ldots \), or equivalently those using R01-R32 and none of L01-L32, which are:
\( {\left\{ \begin{array}{ll} B=\mathrm {R07}\in \{\text {Fig.\,12}\} &{} B+C+1=\mathrm {R07+R28}\in \{\text {Fig.\,12}\}\\ A+D+1=\mathrm {R05+R27}\in \{\text {Fig.\,13}\} &{} B+D+1=\mathrm {R07+R27}\in \{\text {Fig.\,13}\}\\ E=\mathrm {R32}\in \{\text {Fig.\,14}\} &{} C+E+1=\mathrm {R28+R32}\in \{\text {Fig.\,14}\} \end{array}\right. } \)
Then we show that the product of 24=8+8+8 polynomials is the same as our intended invariant \(\mathcal{P}\) of degree 5 + 5. We multiply all 6 transformable polynomials:
Accordingly, the identity above proves that the product of exactly all “transformable” polynomials on both cycles is simply equal to ABCDE, a fact we will use below. This product is of degree 5 in cipher state variables. Similarly we have: \( B'(B'+C'+1)(A'+D'+1)(B'+D'+1)E'(C'+E'+1)= A'B'C'D'E' \). We have now multiplied 12 polynomials out of 24 on our 3 cycles and the result is exactly our polynomial invariant, as expected: \( \mathcal{P}=ABCDEA'B'C'D'E' \).
It remains to show that all the remaining 24-12=12 polynomials on the 3 cycles which were not multiplied yet will be absorbed by \(\mathcal{P}\). In other words, the result \(\mathcal{P}\) does not change if we multiply by these extra 12 factors. This is shown in 3 stages, for each cycle in order, and the key observation is that \(AB(B+A+1)=AB\) and \(ABC(B+A+C)=ABC\). Thus we have
We observe that all the 24 points on our cycles are such that the parity is odd, i.e. all 24 terms on the 3 cycles will become zero if we assign all the 20 variables to 1. Therefore we can apply the rules \(AB(B+A+1)=AB\) and \(ABC(B+A+C)=ABC\) for each new term.
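As an added illustration (not code from the paper), the following Python script multiplies polynomials in algebraic normal form over GF(2) to check the two identities used above: that the six “transformable” polynomials multiply to exactly ABCDE, and that an affine factor is absorbed by a monomial (as in \(AB(A+B+1)=AB\)). It goes slightly beyond the text by stating the absorption rule in general: a factor built only from variables of the monomial is absorbed iff it has an odd number of terms, constant included, and verifying this exhaustively against actual multiplication.

```python
from itertools import combinations

def anf_mul(p, q):
    """Multiply two polynomials in algebraic normal form over GF(2).
    A polynomial is a set of monomials, each monomial a frozenset of
    variable names (frozenset() is the constant 1). Equal monomials
    cancel in pairs, hence the symmetric difference."""
    out = set()
    for m1 in p:
        for m2 in q:
            out ^= {m1 | m2}
    return out

def affine(*names, const=0):
    """ANF of x1 + ... + xk (+1 when const=1), e.g. affine('B','C',const=1)."""
    p = {frozenset([v]) for v in names}
    if const:
        p ^= {frozenset()}
    return p

def product_of_all(polys):
    acc = {frozenset()}          # start from the constant 1
    for p in polys:
        acc = anf_mul(acc, p)
    return acc

# the six "transformable" polynomials listed in the second proof
TRANSFORMABLE = [affine('B'), affine('B', 'C', const=1),
                 affine('A', 'D', const=1), affine('B', 'D', const=1),
                 affine('E'), affine('C', 'E', const=1)]

def transformable_product():
    """B(B+C+1)(A+D+1)(B+D+1)E(C+E+1); expected: the single monomial ABCDE."""
    return product_of_all(TRANSFORMABLE)

def odd_parity_factor(monomial, factor):
    """Parity criterion behind AB(A+B+1)=AB: an affine factor using only
    variables of the monomial is absorbed iff it evaluates to 1 at the
    all-ones point, i.e. its number of terms (constant included) is odd."""
    return all(m <= monomial for m in factor) and len(factor) % 2 == 1

def is_absorbed(monomial, factor):
    """Ground truth by actual multiplication: M * factor == M."""
    return anf_mul({monomial}, factor) == {monomial}

def criterion_matches_multiplication(monomial):
    """Compare the parity criterion with anf_mul for every affine factor
    over the monomial's variables (2^(k+1) factors for k variables)."""
    names = sorted(monomial)
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            for c in (0, 1):
                f = affine(*subset, const=c)
                if odd_parity_factor(monomial, f) != is_absorbed(monomial, f):
                    return False
    return True
```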
Now we need to check that all the \(\mathcal{Z}_j\) vanish when multiplied by exactly \(ABCDE=\) product of all “transformable” polynomials. All the \(\mathcal{Z}_j\) will be annihilated if we annihilate the 5 components \((W7+e),(X2+b+d),(X8),(W8),(Z7+d)\). We will need to check that each is annihilated by the product of all “transformable” polynomials \(=ABCDE\).
For this we rewrite our assumptions with additional derived facts using rules \(L_1 L_2 W=L_1 L_2 (W+L_1+1)\) and \(L_1 L_2 W=L_1 L_2 (W+L_1+L_2)\). For example \((a+e)e\) is the same as \(CE=(R28+1)R32=(R28+R32)R32\). Likewise \((d+1)(e+1)=(R27+1)(R28+1)=CD\) for W7 and X7, and \(bd=A*B\) for X2. We annihilated all 5 terms \((W7+e),(X2+b+d),(X8),(W8),(Z7+d)\):
\(\square \)
B Original DES Boxes: Shamir 1985 Paper Revisited
In 1985 Shamir observed that for every DES S-box, if we fix the second input variable to 1, the sum of all outputs is very strongly biased [36]. This has important consequences for our attacks. For every strongly biased Boolean function either Z or \(Z+1\) has unusually many annihilators, cf. Thm. B.2. in [18]. In particular we have some unusually simple annihilators with only 2 linear factors, e.g. the following property holds with probability 1 for the DES S-box S5:
We are not, or not yet, using the full power of Theorem 7.1, which allows the addition of affine terms. By doing so we obtain a simpler linear annihilator:
Here we can annihilate a non-linear function with just one transformable polynomial \((1+R16+R17+R20)\) which corresponds to 1-weak-normality in [8]. It is an open problem to discover a full optimised attack using such annihilations.
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Courtois, N.T., Abbondati, M., Ratoanina, H., Grajek, M. (2020). Systematic Construction of Nonlinear Product Attacks on Block Ciphers. In: Seo, J. (eds) Information Security and Cryptology – ICISC 2019. ICISC 2019. Lecture Notes in Computer Science(), vol 11975. Springer, Cham. https://doi.org/10.1007/978-3-030-40921-0_2
DOI: https://doi.org/10.1007/978-3-030-40921-0_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-40920-3
Online ISBN: 978-3-030-40921-0