Outline
Introduction
Feistel Structures and Two Basic Attacks
Mathematical Foundations
Improved Interpolation Attack
New Integral Cryptanalysis
Results of Attack on PURE
Conclusion
2018/12/9 FSE09----New Cryptanalysis of Block Ciphers with Low Algebraic Degree (B. Sun et al.)

Introduction
For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over a finite field of characteristic 2. Such ciphers are breakable by the interpolation attack, first introduced by Jakobsen and Knudsen at FSE 1997. The interpolation attack can be applied to some ciphers that have provable security against differential and linear cryptanalysis (e.g. PURE).

Introduction
Integral cryptanalysis considers the propagation of sums of (many) values. It is especially well suited to ciphers with bijective components (e.g. Rijndael).

Introduction
In this paper, using an algebraic method, an improved interpolation attack and a new integral attack are proposed:
1) Instead of guessing the keys one by one, we find the round keys by solving algebraic equations;
2) Instead of using the Lagrange interpolation formula, we compute the coefficients of the polynomials by a Galois field Fourier transform, which can be seen as an extension of the SQUARE attack.

Feistel Structures and Basic Attacks
Round function of a Feistel cipher:
$a_i = b_{i-1}$, $b_i = f(b_{i-1}, k_i) \oplus a_{i-1}$;
or, with the round key added to the input of $f$,
$a_i = b_{i-1}$, $b_i = f(b_{i-1} \oplus k_i) \oplus a_{i-1}$.

Feistel Structures and Basic Attacks
Complexity of the attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).
Interpolation attack for an $r$-round cipher:
Step 1: compute the degree of the $(r-1)$-round cipher, say $N$;
Step 2: choose $N+2$ plaintexts $P$ at random and compute the corresponding ciphertexts $C$;
Step 3: guess the $r$-th round key $K$ and partially decrypt the ciphertexts; denote the results by $D$;
Step 4: apply the Lagrange interpolation formula to $N+1$ pairs $(P,D)$ to get the polynomial;
Step 5: use the $(N+2)$-th pair $(P,D)$ to check whether the polynomial is correct; if not, $K$ is a wrong key.

Feistel Structures and Basic Attacks
Integral in previous papers: $\int(S,c) = \sum_{x \in S} c(x)$;
Integral in this paper: $\int(S,c,i) = \sum_{x \in S} x^i c(x)$.

Mathematical Foundations
Proposition 1. Let $P = (C, x)$ be the input to an $r$-round Feistel cipher, where $C \in \mathbb{F}_{2^n}$ is a constant. Let $m$ be the degree of the round function, and let $(a_t(x), b_t(x))$ be the output of the $t$-th round. If $0 < t < r$ and $m^{t-1} < 2^n$, then
$\deg a_t = m^{t-1}$, $\deg b_t = m^t$.
Furthermore, the leading coefficients of both $a_t(x)$ and $b_t(x)$ are 1.


Mathematical Foundations
Proposition 2. For a Feistel cipher, assume the degree of the round function is an odd integer $m$ and the coefficient of the second highest term of the round function is $a_{m-1}$. Consider the right half of the $t$-th round, say $b_t$; then the coefficient of the second highest term of $b_t$ is $k_1 \oplus a_{m-1}$ (note that this value is the same for many $t$), given that $t < r_0 - 1$, where $r_0 = \log_m(2^n - 1) + 1$.

Improved Interpolation Attack - Algorithm 1
Theorem 1. For an $r$-round $2n$-bit Feistel cipher, let the algebraic degree of the round function be an odd integer $m$, $r_0 = \log_m(2^n-1) + 1$ and $r < r_0$. Choosing plaintexts as $P = (C, x)$ where $C \in \mathbb{F}_{2^n}$ is a constant, the right half of the ciphertext is of the form
$C_R(x) = x^{m^{r-1}} + (k_1 \oplus a_{m-1})\, x^{m^{r-1}-1} + q(x)$,
where $q(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree $< m^{r-1} - 1$.

Improved Interpolation Attack - Algorithm 1
In this paper, the coefficient of the second highest term is computed; it depends only on $k_1$ and $a_{m-1}$. In the original interpolation attack, $C_R = x^{m^{r-1}} + g(x)$, and there is no information about the second highest term.

Improved Interpolation Attack - Algorithm 1
Algorithm 1: Attack on Block Ciphers with $r < r_0$ (I):
Step 1: Encrypt $P = (C, x)$ for $m^{r-1}+1$ different $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
Step 2: Compute $g(x) = x^{m^{r-1}} + s\, x^{m^{r-1}-1} + \cdots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C_R(x)$;
Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
Complexity of this attack: $m^{r-1}+1$ ($N$) encryptions, and the plaintext/ciphertext pairs must be stored in order to apply the Lagrange interpolation formula.
Complexity of the original attack: degree of the polynomial ($N$) $\times$ number of keys to be guessed ($2^n$).

Improved Interpolation Attack
Theorem 2. Let $r_0 = \log_m(2^n-1) + 1$ and $r = r_0 + 1$. Then for an $r$-round $2n$-bit Feistel cipher whose round function has odd algebraic degree $m$, if the input to the cipher is of the form $P = (x, C)$ where $C \in \mathbb{F}_{2^n}$ is a constant, the right half of the ciphertext is of the form
$C_R(x) = x^{m^{r-2}} + \big(f(k_1 \oplus C) \oplus k_2 \oplus a_{m-1}\big)\, x^{m^{r-2}-1} + p(x)$,
where $p(x) \in \mathbb{F}_{2^n}[x]$ is a polynomial with degree less than $m^{r-2} - 1$.

Improved Interpolation Attack
Algorithm 2: Attack on Block Ciphers with $r = r_0 + 1$ (I):
Step 1: Encrypt $P = (x, C_1)$ for $m^{r-2}+1$ different $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C^{(1)}_L(x), C^{(1)}_R(x))$;
Step 2: Compute $g(x) = x^{m^{r-2}} + s_1\, x^{m^{r-2}-1} + \cdots \in \mathbb{F}_{2^n}[x]$ by interpolation such that $g(x) = C^{(1)}_R(x)$; thus $s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$;
Step 3: Choose another two constants $C_2$ and $C_3$, repeat Step 1 and Step 2, and get $s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$, $s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$;
Continue…

Improved Interpolation Attack
Algorithm 2: Attack on Block Ciphers with $r = r_0 + 1$ (I), continued:
Step 4: Find the common roots of the following equations:
$s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
$s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
$s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
Complexity of this attack: $3m^{r-1}+3$ encryptions, and the plaintext/ciphertext pairs must be stored in order to apply the Lagrange interpolation formula.

New Integral Cryptanalysis
For $2^n$ pairs $(x_i, y_i) \in \mathbb{F}_{2^n}^2$ where the $x_i$ are distinct, to find the polynomial $f(x)$ of degree $2^n-1$ such that $y_i = f(x_i)$, we can use the Lagrange interpolation formula. However, there is another way to compute $f(x)$.
Theorem 3. Let $f(x) = \sum a_i x^i \in \mathbb{F}_{2^n}[x]$ be a polynomial with degree at most $2^n-1$. Then
$a_i = \sum_{x \in \mathbb{F}_{2^n}} x^{2^n-1-i} f(x)$ if $i \not\equiv 0 \pmod{2^n-1}$,
$a_0 = f(0)$,
$a_{2^n-1} = \sum_{x \in \mathbb{F}_{2^n}} f(x)$.

New Integral Cryptanalysis
Algorithm 3: Attack on Block Ciphers with $r < r_0$ (II):
Step 1: Encrypt $P = (C, x)$ for all $x \in \mathbb{F}_{2^n}$, where $C \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C_L(x), C_R(x))$;
Step 2: Compute $s = \sum_{x} x^{2^n - m^{r-1}} C_R(x)$;
Step 3: $k_1 = s \oplus a_{m-1}$ is the right key.
Complexity of this attack: $2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.

New Integral Cryptanalysis
Algorithm 4: Attack on Block Ciphers with $r = r_0 + 1$ (II):
Step 1: Encrypt $P^{(1)} = (x, C_1)$ for all $x \in \mathbb{F}_{2^n}$, where $C_1 \in \mathbb{F}_{2^n}$ is a constant. The corresponding ciphertexts are $(C^{(1)}_L(x), C^{(1)}_R(x))$;
Step 2: Compute $s_1 = \sum_{x} x^{2^n - m^{r-2}} C^{(1)}_R(x)$;
Step 3: Choose another two constants $C_2$ and $C_3$, repeat Step 1 and Step 2, and get $s_2 = \sum_{x} x^{2^n - m^{r-2}} C^{(2)}_R(x)$, $s_3 = \sum_{x} x^{2^n - m^{r-2}} C^{(3)}_R(x)$;
Continue…

New Integral Cryptanalysis
Algorithm 4: Attack on Block Ciphers with $r = r_0 + 1$ (II), continued:
Step 4: Find the common roots of the following equations:
$s_1 = f(k_1 \oplus C_1) \oplus k_2 \oplus a_{m-1}$,
$s_2 = f(k_1 \oplus C_2) \oplus k_2 \oplus a_{m-1}$,
$s_3 = f(k_1 \oplus C_3) \oplus k_2 \oplus a_{m-1}$.
Complexity of this attack: $3 \cdot 2^n$ encryptions, but there is no need to store plaintexts/ciphertexts, so the memory this attack needs is almost 0.
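The objects on the preceding slides can be checked concretely on a toy instance. What follows is an added example written for this page, not the authors' Magma code: it builds a PURE-like Feistel cipher whose halves live in GF(2^5) (modulus x^5 + x^2 + 1, round function f(u) = u^3, so m = 3 and a_{m-1} = 0, with constructed round keys), reads off the polynomial of each half with the Theorem 3 sum (the Galois field Fourier transform), uses that to confirm Propositions 1 and 2 (degrees m^{t-1} and m^t, leading coefficient 1, second-highest coefficient k_1), and then runs Algorithms 3 and 4 as memoryless sums. Two choices are the example's own assumptions rather than anything stated on the slides: the final swap is undone, so the right half of the ciphertext is a_r = b_{r-1} (this is what gives C_R the degree m^{r-1} of Theorem 1), and the common roots in Algorithm 4 are found by exhaustion over the 1024 candidate pairs (k_1, k_2) of the toy field instead of by Magma. The names gf_mul, gf_pow, feistel_states, coefficients, check_propositions, right_half_sum, recover_k1 and recover_k1_k2 are the example's own. From a design standpoint the block shows why a round function of low odd degree is a weakness: with 2^n chosen plaintexts and nothing stored, key material leaks out of a single polynomial coefficient.

```python
# Added example, not the paper's Magma code: a PURE-like Feistel cipher on GF(2^5) halves,
# small enough that Propositions 1-2, Theorem 3 and Algorithms 3-4 can be checked exhaustively.
N = 5                   # each half lives in GF(2^N); the paper's PURE uses N = 32
MOD = 0b100101          # x^5 + x^2 + 1, irreducible over GF(2)
Q = 1 << N              # field size 2^N
M = 3                   # algebraic degree m of the round function f(u) = u^3 (so a_{m-1} = 0)

def gf_mul(a, b):
    """Product of two GF(2^N) elements (integers below Q), reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MOD
    return r

def gf_pow(a, e):
    """a^e in GF(2^N) for e >= 0, with a^0 = 1 for every a (Theorem 3 relies on this)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def feistel_states(left, right, keys):
    """Round states [(a_0,b_0), (a_1,b_1), ...] with a_t = b_{t-1}, b_t = f(b_{t-1} ^ k_t) ^ a_{t-1}."""
    a, b = left, right
    states = [(a, b)]
    for k in keys:
        a, b = b, gf_pow(b ^ k, M) ^ a
        states.append((a, b))
    return states

def coefficients(values):
    """Theorem 3: coefficients a_0..a_{Q-1} of the polynomial of degree <= Q-1 with f(x) = values[x]:
    a_i = sum_x x^(Q-1-i) f(x) for 0 < i < Q-1,  a_0 = f(0),  a_{Q-1} = sum_x f(x)."""
    coeffs = [values[0]] + [0] * (Q - 1)
    for i in range(1, Q - 1):
        for x in range(Q):
            coeffs[i] ^= gf_mul(gf_pow(x, Q - 1 - i), values[x])
    for x in range(Q):
        coeffs[Q - 1] ^= values[x]
    return coeffs

def degree(coeffs):
    """Degree of a coefficient list, -1 for the zero polynomial."""
    return max((i for i, c in enumerate(coeffs) if c), default=-1)

def check_propositions(C, keys):
    """Propositions 1 and 2 for plaintexts (C, x): for each round t with m^t < 2^N return
    (t, deg a_t, deg b_t, leading coefficient of b_t, second-highest coefficient of b_t).
    Expected (t, m^(t-1), m^t, 1, k_1): with a_{m-1} = 0 the second coefficient is k_1 itself."""
    rows = []
    for t in range(1, len(keys) + 1):
        if M ** t >= Q:
            break
        a_t = coefficients([feistel_states(C, x, keys)[t][0] for x in range(Q)])
        b_t = coefficients([feistel_states(C, x, keys)[t][1] for x in range(Q)])
        d = degree(b_t)
        rows.append((t, degree(a_t), d, b_t[d], b_t[d - 1]))
    return rows

def right_half_sum(plaintext_of, exponent, keys):
    """sum_x x^exponent * C_R(x) over all x, accumulated without storing any pair.
    Convention chosen to match Theorem 1: the last swap is undone, so C_R = a_r = b_{r-1}."""
    s = 0
    for x in range(Q):
        left, right = plaintext_of(x)
        s ^= gf_mul(gf_pow(x, exponent), feistel_states(left, right, keys)[len(keys)][0])
    return s

def recover_k1(C, keys):
    """Algorithm 3 for r = len(keys) rounds: C_R(x) has degree m^(r-1), so by Theorem 3
    s = sum_x x^(2^N - m^(r-1)) C_R(x) is its second-highest coefficient, k_1 ^ a_{m-1} = k_1."""
    r = len(keys)
    if M ** (r - 1) >= Q:
        raise ValueError("Algorithm 3 needs m^(r-1) < 2^N")
    return right_half_sum(lambda x: (C, x), Q - M ** (r - 1), keys)

def recover_k1_k2(constants, keys):
    """Algorithm 4 for r = len(keys) rounds and plaintexts (x, C_i): by Theorem 2 the sum
    s_i = sum_x x^(2^N - m^(r-2)) C_R(x) equals f(k_1 ^ C_i) ^ k_2.  The common roots of the
    resulting equations are found by exhaustion over the toy field (the paper uses Magma)."""
    r = len(keys)
    if M ** (r - 2) >= Q:
        raise ValueError("Algorithm 4 needs m^(r-2) < 2^N")
    sums = [right_half_sum(lambda x, C=C: (x, C), Q - M ** (r - 2), keys) for C in constants]
    return [(k1, k2) for k1 in range(Q) for k2 in range(Q)
            if all(gf_pow(k1 ^ C, M) ^ k2 == s for C, s in zip(constants, sums))]
KEYS = [0b10110, 0b01101, 0b11100, 0b00111, 0b01010]   # constructed round keys k_1..k_5
if __name__ == "__main__":
    print(check_propositions(0b00011, KEYS))                   # degrees (1,3), (3,9), (9,27)
    print(recover_k1(0b00011, KEYS[:4]), "== k_1 =", KEYS[0])  # 4 rounds: Algorithm 3
    print(recover_k1_k2([1, 2, 3], KEYS), "== (k_1, k_2)")     # 5 rounds: Algorithm 4
```

With n = 5 and m = 3 the condition m^{r-1} < 2^n bounds Algorithm 3 at four rounds, which is why the five-round instance is handled by Algorithm 4 (the analogue of the r = r_0 + 1 case); both functions refuse a round count outside their range rather than silently computing a negative exponent. With three distinct constants the system in Algorithm 4 has exactly one solution: two candidates k_1 satisfying one pairwise difference equation differ by C_1 + C_2, two satisfying the other differ by C_1 + C_3, and these cannot both hold unless C_2 = C_3.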

New Integral Cryptanalysis
Comparing Algorithm 3 with Algorithm 1, and Algorithm 4 with Algorithm 2, the new integral attacks have some merits:
(1) There is no need to store plaintexts and the corresponding ciphertexts, while these data must be stored in the original interpolation attack as well as in Algorithms 1 and 2;
(2) There is no need to guess key candidates.
Thus the complexities of these attacks are $2^n$ and $3 \cdot 2^n$ respectively, measured in the number of plaintexts to be encrypted.

Results of Attack on PURE
As an example, we implemented the above attacks on PURE. PURE is a Feistel cipher with $2n = 64$ and $f(x) = x^3 \in \mathbb{F}_{2^{32}}[x]$. The new attacks show that 22-round PURE is breakable on a personal computer. The following results were computed using the algebraic software Magma.
Experimental Results of Attacks on Reduced-round PURE (columns: Round, Algorithm, Data, Memory, Time; the entries of each column as recovered):
Round: 8, 10, 15, 22
Algorithm: 1, 2, 3, 4
Data: $3^7+1$, $3^6+1$, $3^8+1$, $3^9+1$, $2^{32}$, $3 \cdot 2^{32}$
Memory: negligible
Time: 3.5 seconds, 1 second, 4.5 minutes, 1.5 minutes, 31 hours, 148 hours

Conclusion
Both the interpolation attack and the integral attack are improved in this paper. As an application, 22-round PURE is breakable on a personal computer, while it is not breakable on a personal computer using the original method introduced at FSE 1997.

Conclusion
Two interesting problems:
The SQUARE attack can be seen as a special case of this attack, since $\sum_x y$ is a special case of $\sum_x x^i y$. So can we use a similar method to analyze AES?
How to extend this attack to the case of rational polynomials, that is, if the cipher can be described as $g_1(x)/g_2(x)$ (SNAKE cipher), how do we apply this attack?

Thank You! Q & A?