SOME OBSERVATIONS ON AES AND MINI AES. Hüseyin Demirci TÜBİTAK UEKAE

Transcription

1 SOME OBSERVTIONS ON ES ND MINI ES Hüseyin Demirci TÜBİTK UEKE

2 OVERVIEW OF THE PRESENTTION Overview of Rijndael and the Square ttack Half Square Property of Rijndael dvanced Square Properties of mini ES n Elimination ttack on Rijndael

3 The Rijndael Block Cipher The new standard algorithm selected by NIST 3 conferences were built to select the algorithm Design simplicity, speed and security were the parameters for the selection t the end Rjndael was selected which was designed by Vincent Rijmen and John Daemen from COSIC group, Leuven, Belgium. Based on a previous algorithm Square.

4 The Operations of Rijndael ll the operations are at byte level The operations are defined by using finite field operations in GF(2 8 ). 4 basic operations: S box Shift Row Mix Column dd Key

5 The Operations of Rijndael S BOX TRNSFORMTION a0 a1 a2 a3 S(a0) S(a1) S(a2) S(a3) b0 b1 b2 b3 S(b0) S(b1) S(b2) S(b3) c0 c1 c2 c3 S(c0) S(c1) S(c2) S(c3) d0 d1 d2 d3 S(d0) S(d1) S(d2) S(d3) The only nonlinear structure in the algorithm. Based on x 1 plus an affine function invertible Excellent differential and linear properties

6 The Operations of Rijndael SHIFT ROW TRNSFORMTION a0 a1 a2 a3 a0 a1 a2 a3 b0 b1 b2 b3 b1 b2 b3 b0 c0 c1 c2 c3 c2 c3 c0 c1 d0 d1 d2 d3 d3 d0 d1 d2

7 The Operations of Rijndael MIX COLUMN TRNSFORMTION a0 m0 b0 m1 c0 m2 d0 m The multiplications are done in GF(2 8 ). 2 represents x, 3 represents x+1 polynomials Invertible linear transformation

8 The Operations of Rijndael KEY DDITION a00 a01 a02 a03 k00 k01 k02 k03 a10 b11 a12 a13 k10 k11 k12 k13 a20 a21 a22 a23 k20 k21 k22 k23 a30 a31 a32 a33 k30 k31 k32 k33 aij kij

9 Round Function of Rijndael dd the Round Key K 0 For i =1 to 9 pply - S Box Trasformation - Shift Row Transformation - Mix Column Transformation - dd the Round Key K i For i = 10 pply - S Box Trasformation - Shift Row Transformation - dd the Round Key K 10 (No Mix Column Layer)

10 nalysis of Rijndael We present the half square property of Rijndael square property is observed in the mini versions of the cipher, but not valid for bigger versions n elimination attack is applied on 6 rounds of Rijndael

11 Square ttack c00 c01 c02 c03 3 ROUNDS c10 c11 c12 c13 c20 c21 c22 c23 c30 c31 c32 c33 : CTIVE. TKES EVERY VLUE FROM 0 TO 255 ONLY ONCE. LL OTHER ENTRIES RE CONSTNT. 255 i = 0 Cij = 0 for all ij

12 Square ttack c00 c01 c02 c03 4 ROUNDS c10 c11 c12 c13 c20 c21 c22 c23 c30 c31 c32 c : CTIVE. TKES EVERY COMBINTION OF 2 32 VLUES. i = 0 Cij = 0 for all ij

13 Square ttack on 4 Rounds of Rijndael Plaintext Output of Round 3 B Output of Round 4 C 3 rounds 1 round Take 256 plaintexts with entry active, all the other entries are passive. fter 3 rounds, the sum of each entry, i.e. B becomes 0. dd key to C and use S inverse to come to B. If the guessed key is correct, it must give 0 sum, if not it behaves randomly.

14 natural question arises then... re there more square properties? For instance what happens if we take more active entries? Is it possible to have 0 sum after say 5 rounds? nalytic way, or heuristic methods... Consider mini versions of the algorithm. If a property is found, does it work for bigger versions? Can we generalize this information?

15 Half Square Property of ES H c00 c01 c02 c03 H 3 ROUNDS c10 c11 c12 c13 H c20 c21 c22 c23 H c30 c31 c32 c33 H: Half ctive, i.e. The same bit position is fixed, the other bits takes every 2 28 combinations Cij = 0 for every ij i = 0

16 Square Property Of Rijndael4 c00 c01 c02 c03 4 ROUNDS c10 c11 c12 c13 c20 c21 c22 c23 c30 c31 c32 c ny 6 ctive Entries Give Cij = 0 for every ij Sum 0 after 4 rounds i = 0

17 Corollary: n dvenced Square Property for Rijndael4. c00 c01 c02 c03 5 ROUNDS c10 c11 c12 c13 c20 c21 c22 c23 c30 c31 c32 c Cij = 0 for every ij i = 0

18 Corollary: Two active parallel diagonal entries gives 0 sum 5 rounds, which means a 1 more round increase in square attack! But this property is not valid for bigger versions of Rijndael: 5,6,7 bit and orijinal Rijndael. What is the reason for that? Normally we would expect 4 bits could give enough information...

19 n Elimination ttack on Rijndael a11 c00 c01 c02 c03 c10 c11 c12 c13 3 ROUNDS c20 c21 c22 c23 c30 c31 c32 c33 Gilbert H. nd Minier M. Has shown the following: ny entry cij can be expressed with 10 constants Let a11, variable all other entries are constant c00 = f (a11, 10 constants)

20 TTCK ON 6 ROUNDS OF RIJNDEL Input of round 1 Input of round 2 Output of round 4 Output of round 6 a b c x a y a z a t 1 round 3 rounds 2 rounds c = f ( b, 10 constants)

21 TTCK ON 6 ROUNDS OF RIJNDEL Precalculate a table which stores all the possible values of the first entry in the third round as a function of the first entry of the plaintext and 10 constants when all the other entries are passive Take 2 32 plaintexts which are active in the diagonal. Encrypt these plaintexts with 6 rounds of Rijndael. Search the k ini to choose 256 plaintexts so that only the first entry becomes active and all other entries are passive in the second round Using the k and K final 511 round subkeys partially decrypt 256 ciphertexts to find out the first entry in the 4th round If the decrypted values present in the precalculated table, k ini, k final and K 5 11 maybe true. Otherwise eliminate this combination Continue the elimination until only one combination stays

22 Summary of ttacks On Rijndael uthor Rounds ttack Type # Ch. Plaintexts Memory Total Complexity This work 6 elimination Daemen, Knudsen, Rijmen 6 square Ferguson, Kelsey, Lucks, Schneier,... 6 square 6 * Biryukov 6 boomerang Cheon, Kim, Kim, Lee, Kang 6 impossible differential Ferguson, Kelsey, Lucks, Schneier,... 7 square Gilbert, Minier 7 Collision < 2 128