Contributor Analysis
Francisco Blas Izquierdo Riera AKA klondike
About me
  Security interested since 17
  Computer Engineer & MSc
  Gentoo Hardened developer
  Cryptography fan:
    Implemented AES-SIV in an Atmega (Arduino) bootloader
    Implemented CTR, CMAC and SIV modes in the Haskell crypto-api library
    Wrote own efficient TTH implementations
    Pushed for adding stronger cryptography to the ADC protocol
  Currently working as pentester and providing cryptographic support at SecureLink
Introduction
Confusion and Diffusion
  Defined by Claude Shannon in 1945
  Confusion: ability of a cipher to hide the relation between plaintext and ciphertext
  Diffusion: ability of a cipher to spread a change in a single input bit across all of its outputs
The idea
  Reproduce the cryptographic algorithm
  But instead of running the operations, track how each one mixes the contributors (the input bits an output bit depends on)
  Focus on diffusion
Mapping operations
Black S-Box
  N bits input, M bits output
  Propagates all inputs to all outputs
  For every output bit: output list = UNION(lists of all input bits)
Bitwise NOT
  No interaction across bits
  Output list = input list
Bitwise AND, OR, XOR
  Only interaction between pairs of input bits (bit i of each operand)
  Output list = UNION(input list 1, input list 2)
Shifts
  The second parameter (the shift amount) can have any value
  Spread all the dependencies of the first input to all the outputs
  All output lists = UNION(lists of all bits of input 1)
Additions
  Contributions are spread from LSBs to MSBs
  Think of the usual schoolbook addition and its carries
  For each bit: UNION(lists of every bit of equal or lower significance, in both operands)
Subtractions
  Subtraction is the addition of the two's complement of the second operand:
    NOT of the operand (no changes to the lists)
    Add one (propagate as with addition on the second operand)
    Add both operands (propagate as with addition)
  Equal to addition in all regards
Multiplications
  Similar to additions, LSBs spread toward MSBs
  Think of schoolbook multiplication: an addition of shifted partial products
Modulos
  Hard to map
  Use the Black S-Box approach instead
Divisions
  Rarely used (division by 0 risk)
  Also hard to map
  Use the Black S-Box approach
White S-Box
  Like the Black S-Box
  A bit's input contributors can be removed if shown to be independent (the output bit takes the same value for all values of that input)
Optimizing operations
Bitwise AND by constant
  Empty the input list if the constant's bit is 0, maintain it if 1
Bitwise OR by constant
  Empty the input list if the constant's bit is 1, maintain it if 0
Bitwise XOR by constant
  Output lists = input lists
Bitwise Shifts and Rotates by constant
  Shift or rotate the input lists into the output lists
Arithmetic right shift by constant
  Shift the input lists, copying the MSB list into all the empty bit positions the shift introduces
Shifts and Rotates of a constant (by a variable amount)
  Rarely seen
  Use the union of the lists of the second parameter for the output
  Can be further optimized, but understanding becomes harder
Multiplications by constant
  Can be replaced by shifts and additions
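As an added illustration of the mapping rules above (example code, not material from the talk): a small Python tracker that carries one contributor set per bit through XOR/AND/OR, AND-by-constant, rotate-by-constant and addition, then applies it to a constructed toy ARX round to see how many input bits each state bit depends on after each round. The toy round, the "x"/"k" labels and all function names are assumptions made for this example.

```python
# Representation: a word is a list of sets, one per bit, index 0 = LSB;
# each set holds the labels of the input bits that bit depends on.

def fresh(name, width):
    """A fresh input word: bit i depends only on its own input bit, labelled name+i."""
    return [{f"{name}{i}"} for i in range(width)]

def counts(a):
    """Number of contributors per output bit, the diffusion measure used here."""
    return [len(s) for s in a]

def bitwise(a, b):
    """XOR/AND/OR of two words: output bit i = union of both inputs' lists for bit i."""
    return [x | y for x, y in zip(a, b)]

def and_const(a, c):
    """AND with a constant: bits cleared by the mask lose all contributors."""
    return [set(x) if (c >> i) & 1 else set() for i, x in enumerate(a)]

def rotl(a, n):
    """Rotate left by a constant: output bit i takes the list of input bit (i - n) mod w."""
    w = len(a)
    return [set(a[(i - n) % w]) for i in range(w)]

def add(a, b):
    """Modular addition: carries run LSB to MSB, so bit i depends on bits 0..i of both."""
    out, acc = [], set()
    for x, y in zip(a, b):
        acc = acc | x | y
        out.append(set(acc))
    return out

def toy_round(x, k):
    """Constructed toy ARX round (assumption, not a cipher from the talk)."""
    return rotl(bitwise(add(x, k), rotl(x, 3)), 5)

def analyse(width, rounds):
    """Contributor counts of the toy cipher's state after the given number of rounds."""
    x, k = fresh("x", width), fresh("k", width)
    for _ in range(rounds):
        x = toy_round(x, k)
    return counts(x)

def rounds_to_full(width, max_rounds):
    """First round count at which every state bit depends on all 2*width input bits."""
    for r in range(1, max_rounds + 1):
        if all(c == 2 * width for c in analyse(width, r)):
            return r
    return None
```

Bits with few contributors after a round are the ones the attack stage of the talk would target first; the same tracker can be rerun with the White S-Box refinement once independence of an input has been shown.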
Still lots left to do
Attacking the ciphers
  Given one or more known plaintexts, test all values of the contributors of the bit with the fewest contributors
  Keep only those values which gave the correct result
  Repeat on the next bit with the fewest contributors
  Independent contributor lists can be run in parallel
Demo time
Simple demos
  8-bit XOR
  8-bit Caesar
  Simple ARX cipher
Anything better?
Hard Demos
  Petya (first version)
  Salsa 2
  Salsa 20
Comparing approaches
The algebraic approach
  Results in a procedure to break the cipher for all keys
  Models the cipher as a set of equations
  Adds → groups of XORs, ANDs and ORs
  Rotates → remap bits
  XORs → XOR of each bit
The algebraic approach (buts)
  Equational reasoning is hard
  Simplification is painful and takes lots of time (usually an NP problem in the number of variables)
Contributor Analysis
  Evolution of the pen-and-paper techniques I use
  Simpler to reason with
  A successful attack also leads to a technique to break the cipher
  Analyzes which input bits contribute to each output, not how they are combined
  Fast to run on ciphers: O(n*m)
Contributor Analysis (buts)
  Less precise than algebra
  Only finds blatantly broken ciphers
  More false negatives
  Also less precise than rotational cryptanalysis
Thanks!
  To my mother and father for supporting my curiosity since I was a kid
  To the Recon organizers for making this talk and conference possible
  To those who supported me during the research
  SecureLink for being flexible with my odd "personal research projects"
  But especially, to you for your attention
Questions?
Material at http://klondike.es/charlas/contributor/
And this is it