Diff. Crypt.
Step 1 (1)
Step 1 (2)
Step 1 (3)
Step 2
Results
Conclusion
Computing AES Related-Key Differential Characteristics with Constraint Programming
D. Gérault(1), P. Lafourcade(1), M. Minier(2), C. Solnon(3)
(1) LIMOS, Université Clermont Auvergne; (2) LORIA, Université de Lorraine; (3) LIRIS, Université de Lyon
Code and Data Protection Day - December 2018
Revisiting AES RKD Characteristics with CP: outline
1. Differential cryptanalysis of the AES
2. First CP model for Step 1
3. Second CP model for Step 1
4. Third CP model for Step 1
5. CP model for Step 2
6. Results
7. Conclusion
AES (Advanced Encryption Standard)
Block cipher standard since 2001.
- Input: a plaintext X = 128 bits = 4×4 bytes; a key K = 128, 192, or 256 bits = 4×4, 4×6, or 4×8 bytes
- Output: a ciphertext E_K(X) such that X = E_K^{-1}(E_K(X))
- Iterative process of r rounds: r = 10 (12, 14) when |K| = 128 (192, 256)
Operations applied at each round i ∈ [0, r−1] for AES-128:
[Figure: AES-128 structure. Key K = K_0 (4×4 bytes); the key schedule KS derives subkey K_{i+1} from K_i. The plaintext X (4×4 bytes) is XORed with K_0 (ARK) to give X_0; round i applies SB, SR, MC (MC is skipped when i = r−1) and ARK with K_{i+1} to X_i, giving X_{i+1}; the ciphertext is X_r = E_K(X).]
Cryptanalysis of the AES Block Cipher (1/2)
Differential Cryptanalysis [Biham and Shamir 1991]: track XOR differences through the ciphering process to recover the key:
- Let δX = X ⊕ X′ be an input plaintext difference
- Let δY = E_K(X) ⊕ E_K(X′) be the output difference
- The cipher is weak if ∃ δX and δY such that Pr[δY | δX] >> 2^{-|K|}
Key recovery in O(1 / Pr[δY | δX])
[Figure: two encryptions under the same key K: X and X′ = X ⊕ δX go through E and give Y and Y′ = Y ⊕ δY, with p = Pr(δY | δX).]
Cryptanalysis of the AES Block Cipher (2/2)
Related-Key Attack [Biham 1993]: inject differences in texts and keys
- Let δX = X ⊕ X′ be an input plaintext difference
- Let δK = K ⊕ K′ be an input key difference
- Let δY = E_K(X) ⊕ E_{K′}(X′) be the output difference
- The cipher is weak if ∃ δX, δK, and δY such that Pr[δY | δX, δK] >> 2^{-|K|}
Key recovery in O(1 / Pr[δY | δX, δK])
[Figure: two encryptions under related keys: X under K gives Y; X′ = X ⊕ δX under K′ = K ⊕ δK gives Y′ = Y ⊕ δY, with p = Pr(δY | δX, δK).]
Related-Key Differential of AES
[Figure: differences propagated through AES. Key side: δK_0 = K_0 ⊕ K′_0 and, through KS, δK_{i+1} = K_{i+1} ⊕ K′_{i+1}. State side: δX = X ⊕ X′, then δX_i = X_i ⊕ X′_i through SB, SR, MC, ARK, up to δX_r = X_r ⊕ X′_r = δY = Y ⊕ Y′.]
Goal: find δX, δK_0, and δY that maximize Pr[δY | δX, δK_0]:
- ARK, SR, and MC are linear: op(B_i) ⊕ op(B_j) = op(B_i ⊕ B_j), so the probabilities are equal to 1 (or 0) for these operators
- SB is not linear. Let
  Pr[δo | δi] = #{(B_1, B_2) ∈ [0, 255]² | δi = B_1 ⊕ B_2 and δo = S(B_1) ⊕ S(B_2)} / 256
  be the probability of having output difference δo given input difference δi (for a fixed δi there are exactly 256 pairs (B_1, B_2), hence the denominator).
  Perfect cipher: ∀ δi, δo, Pr[δo | δi] = 1/256 ... but this is impossible!
  SB of AES: if δo = δi = 0 then Pr[δo | δi] = 1, else Pr[δo | δi] ∈ {0, 2/256, 4/256}
Two step solving process [Biryukov et al. 2010, Fouque et al. 2013]
Step 1: Abstract differential bytes δB = B ⊕ B′ to Booleans ∆B
- For each differential byte δB: ∆B = 0 if δB = 0; ∆B = 1 if δB ∈ [1, 255]
- Minimize the number of Boolean variables ∆X_i[j][k] and ∆K_i[j][3] set to 1:
  if δX_i[j][k] = δSX_i[j][k] = 0 then Pr[δSX_i[j][k] | δX_i[j][k]] = 1,
  otherwise Pr[δSX_i[j][k] | δX_i[j][k]] ∈ {0, 2/256, 4/256}
[Figure: Boolean abstraction of the differential path. Key side: ∆K_0 → KS → ∆K_{i+1}, where ∆SK_i[j][3] abstracts the SubBytes applied in the key schedule. State side: ∆X → ARK → ∆X_i → SB → ∆SX_i → SR → ∆R_i → MC → ∆M_i → ARK → ∆X_{i+1}, up to ∆X_r. The same diagram is referred to in the following slides.]
Two step solving process [Biryukov et al. 2010, Fouque et al. 2013]
Step 2: Concretize Booleans to differential bytes
- If ∆B = 0 then set δB to 0; otherwise search for δB ∈ [1, 255]
  If not possible: the solution is byte-inconsistent
  If possible: the solution is byte-consistent
- Maximize the probability Pr[δX_r | δX, δK_0]
Existing approaches
Biryukov et al. 2010: Branch & Bound for Step 1
- |K| = 128: several days of CPU time
- |K| = 192: several weeks of CPU time
Fouque et al. 2013: Graph traversal for Step 1
- |K| = 128: 30 min of CPU time (on 12 cores) but 60 GB of memory
- Not extended to |K| = 192 or 256
In both cases: difficult and time-consuming programming work, and checking the correctness of the program is not straightforward...
What about Constraint Programming (CP)?
Solving a problem with CP:
- Define the problem with a declarative language: variables (unknowns) and their domains; constraints (relations between variables); optionally, an objective function to optimize
- Use generic engines to search for solutions
Using CP to compute related-key differentials:
- Less than 5 hours for most instances
- Less than 15 hours for the hardest instance
- Proves the inconsistency of a solution proposed by Biryukov et al. 2010
- New related-key differentials:
  |K| = 128: p = 2^{-79} (instead of 2^{-81}) for 4 rounds
  |K| = 192: p = 2^{-188} for 10 rounds
  |K| = 256: p = 2^{-146} (instead of 2^{-154}) for 14 rounds
CP_Basic: First CP model for Step 1
Variables: for each round i, each row j and each column k, the Boolean variables ∆X[j][k], ∆X_i[j][k], ∆SX_i[j][k], ∆R_i[j][k], ∆M_i[j][k], ∆K_i[j][k], ∆SK_i[j][3], with domains {0, 1}.
CP_Basic: AddRoundKey
ARK performs XOR operations:
- ∀ j, k ∈ [0, 3]: XOR(∆X[j][k], ∆K_0[j][k], ∆X_0[j][k])
- ∀ i ∈ [0, r−1], ∀ j, k ∈ [0, 3]: XOR(∆M_i[j][k], ∆K_{i+1}[j][k], ∆X_{i+1}[j][k])
CP_Basic: the XOR constraint
XOR at the byte level: δB_1 ⊕ δB_2 ⊕ δB_3 = 0, i.e.
(δB_1, δB_2, δB_3) ∈ {(0, 0, 0)}
  ∪ {(0, x, x) | x ∈ [1, 255]}
  ∪ {(x, 0, x) | x ∈ [1, 255]}
  ∪ {(x, x, 0) | x ∈ [1, 255]}
  ∪ {(x, y, z) | x, y, z ∈ [1, 255], x ⊕ y ⊕ z = 0 (so x, y, z are pairwise distinct)}
XOR at the Boolean level: (∆B_1, ∆B_2, ∆B_3) ∈ {(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0), (1, 1, 1)}
Definition of the XOR(∆B_1, ∆B_2, ∆B_3) constraint: ∆B_1 + ∆B_2 + ∆B_3 ≠ 1
CP_Basic: SubBytes
SubBytes neither introduces nor removes differences, because S is a bijection: B_i ⊕ B_j = 0 ⇔ S(B_i) ⊕ S(B_j) = 0. Hence:
- ∀ i ∈ [0, r−1], ∀ j, k ∈ [0, 3]: ∆X_i[j][k] = ∆SX_i[j][k]
- ∀ i ∈ [0, r−1], ∀ j ∈ [0, 3]: ∆K_i[j][3] = ∆SK_i[j][3]
CP_Basic: ShiftRows
SR shifts the bytes of row j by j positions: ∀ i ∈ [0, r−1], ∀ j, k ∈ [0, 3]: ∆R_i[j][k] = ∆SX_i[j][(k + j) % 4]
CP_Basic: MixColumns
- MC multiplies each column by a fixed matrix
- The MDS property (branch number 5) ensures that a non-zero column has at least 5 non-zero bytes in its MC input and output taken together: ∀ i ∈ [0, r−1], ∀ k ∈ [0, 3]:
  Σ_{j=0}^{3} (∆R_i[j][k] + ∆M_i[j][k]) ∈ {0, 5, 6, 7, 8}
CP_Basic: KeySchedule
KS performs XOR, byte shifts, and SB operations (the round constant Rcon is fixed, so it vanishes in differences). For AES-128: ∀ i ∈ [1, r], ∀ j ∈ [0, 3]:
- Column 0: XOR(∆K_{i−1}[j][0], ∆SK_{i−1}[(j + 1) % 4][3], ∆K_i[j][0])
- Columns k ∈ [1, 3]: XOR(∆K_{i−1}[j][k], ∆K_i[j][k − 1], ∆K_i[j][k])
[Figure: AES-128 key schedule from K_0 (bytes k^0_{j,k}) to K_1 (bytes k^1_{j,k}) and onwards: the last column of K_{i−1} goes through RotWord, SubWord and Rcon and is XORed into column 0 of K_i; column k ∈ [1, 3] of K_i is column k of K_{i−1} XORed with column k−1 of K_i.]
CP_Basic: objective function
Goal: minimize the number of differences that pass through SubBytes:
objStep1 = Σ_{i=0}^{r−1} Σ_{j=0}^{3} ( ∆K_i[j][3] + Σ_{k=0}^{3} ∆X_i[j][k] )
Ordering heuristics:
- First choose variables that occur in the objective function
- First assign them to 0
CP_Basic: limitations
- BUT too many Boolean solutions that are NOT byte-consistent
- Example: r = 4, objStep1 = 11: 90 million Boolean solutions, none of them byte-consistent
CP_EQ: Second CP model for Step 1
What's wrong with CP_Basic? XOR constraints do not propagate equality relationships at the byte level:
- For example, if δa ⊕ δb ⊕ δc = 0 and δa ⊕ δb ⊕ δd = 0 then δc = δd
- However, at the Boolean level, we only propagate ∆A + ∆B + ∆C ≠ 1 and ∆A + ∆B + ∆D ≠ 1, which still allows ∆C ≠ ∆D
New variables and constraints to model byte equalities:
- For each pair of differential bytes (δA, δB): EQ_{δA,δB} = 1 if δA = δB; EQ_{δA,δB} = 0 if δA ≠ δB
- Symmetry: EQ_{δA,δB} = EQ_{δB,δA}
- Transitivity: EQ_{δA,δB} = EQ_{δB,δC} = 1 ⇒ EQ_{δA,δC} = 1
- Relation with the ∆ variables: EQ_{δA,δB} = 1 ⇒ ∆A = ∆B; EQ_{δA,δB} = 0 ⇒ ∆A + ∆B ≠ 0
CP_EQ: strengthening the XOR constraint
Definition of XOR in CP_Basic: ∆B_1 + ∆B_2 + ∆B_3 ≠ 1. Can we strengthen it by exploiting byte equalities? Yes, because when δB_1 ⊕ δB_2 ⊕ δB_3 = 0:
- ∆B_1 = 0 ⇔ δB_2 = δB_3
- ∆B_2 = 0 ⇔ δB_1 = δB_3
- ∆B_3 = 0 ⇔ δB_1 = δB_2
New definition of XOR:
XOR(∆B_1, ∆B_2, ∆B_3) ⇔ (∆B_1 + ∆B_2 + ∆B_3 ≠ 1) ∧ (EQ_{δB_1,δB_2} = 1 − ∆B_3) ∧ (EQ_{δB_1,δB_3} = 1 − ∆B_2) ∧ (EQ_{δB_2,δB_3} = 1 − ∆B_1)
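The following Python script is an added example (it is not code from the slides or from the authors' MiniZinc models). It brute-forces the Boolean abstraction of slide 14 over all 65536 byte pairs, then reproduces the four-variable example of slide 22: CP_Basic accepts seven Boolean assignments for the pair of constraints XOR(A,B,C), XOR(A,B,D), only five of which are byte-consistent, and the EQ relation of slide 23 (EQ_{δA,δB} = 1 − ∆C = 1 − ∆D) prunes exactly the two bad ones. The variable names and the helper functions are this example's own choices.

```python
"""Boolean abstraction of byte-level XOR and the equality information that
CP_Basic loses (added example; not code from the slides)."""
from itertools import product


def byte_xor_boolean_patterns():
    """Project every byte triple with d1 ^ d2 ^ d3 == 0 onto (D1, D2, D3),
    where Dx = 1 iff the byte is non-zero (the Step 1 abstraction)."""
    patterns = set()
    for d1 in range(256):
        for d2 in range(256):
            d3 = d1 ^ d2  # the unique byte that closes the XOR equation
            patterns.add((int(d1 != 0), int(d2 != 0), int(d3 != 0)))
    return patterns


def xor_basic(a, b, c):
    """CP_Basic XOR constraint: the Boolean sum is never exactly 1."""
    return a + b + c != 1


def boolean_solutions_two_xors():
    """All (DA, DB, DC, DD) in {0,1}^4 accepted by CP_Basic for the two
    constraints XOR(A, B, C) and XOR(A, B, D) of slide 22."""
    return [s for s in product((0, 1), repeat=4)
            if xor_basic(s[0], s[1], s[2]) and xor_basic(s[0], s[1], s[3])]


def byte_consistent(sol):
    """Brute force: is there a byte assignment with da^db^dc = 0 and
    da^db^dd = 0 whose zero/non-zero pattern is exactly `sol`?"""
    da_dom = range(1, 256) if sol[0] else (0,)
    db_dom = range(1, 256) if sol[1] else (0,)
    for da in da_dom:
        for db in db_dom:
            dc = dd = da ^ db  # both equations force the same byte
            if (dc != 0) == bool(sol[2]) and (dd != 0) == bool(sol[3]):
                return True
    return False


def cpeq_xor_accepts(sol):
    """Slide 23: both XORs fix EQ(dA, dB) = 1 - DC and EQ(dA, dB) = 1 - DD,
    hence DC == DD is propagated without enumerating any byte value."""
    da, db, dc, dd = sol
    return xor_basic(da, db, dc) and xor_basic(da, db, dd) and dc == dd


def compare_models():
    """(CP_Basic Boolean solutions, byte-consistent ones, CP_EQ solutions)."""
    sols = boolean_solutions_two_xors()
    consistent = [s for s in sols if byte_consistent(s)]
    cpeq = [s for s in sols if cpeq_xor_accepts(s)]
    return len(sols), len(consistent), len(cpeq)


if __name__ == "__main__":
    print(sorted(byte_xor_boolean_patterns()))
    print(compare_models())
```

On this toy instance the loss is two assignments out of seven; on a full 4-round AES-128 model the same effect is what produces the 90 million byte-inconsistent Boolean solutions reported on slide 20.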
CP_EQ: MDS across columns
MC is linear, so the MDS property also holds when XORing different columns of δR and δM: ∀ i_1, i_2 ∈ [0, r−1], ∀ k_1, k_2 ∈ [0, 3], the number of bytes equal to 0 in the column δR_{i_1}[·][k_1] ⊕ δR_{i_2}[·][k_2] plus the number of bytes equal to 0 in δM_{i_1}[·][k_1] ⊕ δM_{i_2}[·][k_2] belongs to {0, 1, 2, 3, 8} (8 when the two columns are equal, at most 3 otherwise).
New constraints to ensure MDS: ∀ i_1, i_2 ∈ [0, r−1], ∀ k_1, k_2 ∈ [0, 3]:
Σ_{j=0}^{3} ( EQ_{δR_{i_1}[j][k_1], δR_{i_2}[j][k_2]} + EQ_{δM_{i_1}[j][k_1], δM_{i_2}[j][k_2]} ) ∈ {0, 1, 2, 3, 8}
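As an added example (not code from the slides), the Python script below implements MixColumns over GF(2^8) and checks the two cardinality constraints on real data: the per-column sum of slide 17 (Σ_j ∆R[j] + ∆M[j] ∈ {0, 5, 6, 7, 8}) and the cross-column equality count of slide 24 ({0, 1, 2, 3, 8}). Single-active-byte columns are enumerated exhaustively; columns with 2 to 4 active bytes are sampled, so the script demonstrates rather than proves the MDS bound. Function names and the sampling parameters are this example's own.

```python
"""MixColumns over GF(2^8) and the MDS cardinality constraints of the Step 1
models (added example; not code from the slides)."""
import random


def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gf_mul(a, b):
    """Product in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))  # AES MixColumns matrix


def mix_column(col):
    """Apply MixColumns to one 4-byte column (list of ints in [0, 255])."""
    return [gf_mul(MC[j][0], col[0]) ^ gf_mul(MC[j][1], col[1])
            ^ gf_mul(MC[j][2], col[2]) ^ gf_mul(MC[j][3], col[3]) for j in range(4)]


def active_bytes(col):
    return sum(1 for b in col if b)


def mds_sum(r_col):
    """Slide 17: sum over j of DeltaR[j] + DeltaM[j] for one column difference."""
    return active_bytes(r_col) + active_bytes(mix_column(r_col))


def mds_sums_observed(samples=5000, seed=2018):
    """Exhaustive over columns with one active byte, random over 2..4 active bytes."""
    sums = {mds_sum([0, 0, 0, 0])}
    for pos in range(4):
        for v in range(1, 256):
            col = [0, 0, 0, 0]
            col[pos] = v
            sums.add(mds_sum(col))
    rng = random.Random(seed)
    for _ in range(samples):
        col = [0, 0, 0, 0]
        for pos in rng.sample(range(4), rng.randint(2, 4)):
            col[pos] = rng.randint(1, 255)
        sums.add(mds_sum(col))
    return sums


def equal_bytes_two_columns(r1, r2):
    """Slide 24: equal bytes between two R columns plus equal bytes between
    their M columns. By linearity this is the zero count of (r1^r2, MC(r1^r2))."""
    m1, m2 = mix_column(r1), mix_column(r2)
    return sum(a == b for a, b in zip(r1, r2)) + sum(a == b for a, b in zip(m1, m2))


def equal_counts_observed(samples=5000, seed=7):
    """Equality counts for random column pairs differing in 0..4 bytes."""
    rng = random.Random(seed)
    counts = {equal_bytes_two_columns([1, 2, 3, 4], [1, 2, 3, 4])}  # identical columns
    for _ in range(samples):
        r1 = [rng.randint(0, 255) for _ in range(4)]
        r2 = r1[:]
        for pos in rng.sample(range(4), rng.randint(1, 4)):
            r2[pos] = rng.randint(0, 255)
        counts.add(equal_bytes_two_columns(r1, r2))
    return counts


if __name__ == "__main__":
    print(sorted(mds_sums_observed()), sorted(equal_counts_observed()))
```

The two checks are really one property: EQ variables count zero bytes of a XOR of columns, and a XOR of two MC inputs is itself an MC input, so the branch-number argument of slide 17 carries over unchanged.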
CP_EQ: KeySchedule
KS (mainly) performs XOR operations. For AES-128, ∀ i ∈ [1, r], ∀ j ∈ [0, 3]:
- Column 0: K_i[j][0] = K_{i−1}[j][0] ⊕ SK_{i−1}[(j + 1) % 4][3]
- Columns k ∈ [1, 3]: K_i[j][k] = K_i[j][k − 1] ⊕ K_{i−1}[j][k]
[Figure: the AES-128 key schedule from K_0 (bytes k^0_{j,k}) to K_1 (bytes k^1_{j,k}) and onwards, with RotWord, SubWord and Rcon applied to the last column of each subkey.]
Each byte of K_i is equal to a XOR of bytes of K_0 and of bytes SK_{i′}[·][3] with i′ < i.
Example: K_2[1][1] = K_2[1][0] ⊕ K_1[1][1] = K_1[1][0] ⊕ SK_1[2][3] ⊕ K_1[1][0] ⊕ K_0[1][1] = SK_1[2][3] ⊕ K_0[1][1]
New constraints:
- Pre-compute sets V_{i,j,k} such that δK_i[j][k] = ⊕_{δB ∈ V_{i,j,k}} δB
- Introduce set variables S_{i,j,k} and post the following constraints:
  S_{i,j,k} = {δB ∈ V_{i,j,k} | ∆B = 1}
  If S_{i,j,k} = ∅ then ∆K_i[j][k] = 0
  If S_{i,j,k} = {δB} then EQ_{δK_i[j][k], δB} = 1
  If S_{i,j,k} = {δB_1, δB_2} then XOR(∆B_1, ∆B_2, ∆K_i[j][k])
  If ∃ i′, j′, k′ such that S_{i,j,k} = S_{i′,j′,k′} then EQ_{δK_i[j][k], δK_{i′}[j′][k′]} = 1
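The sets V_{i,j,k} can be computed symbolically without any byte values, because XOR of differences becomes symmetric difference of symbol sets (a byte XORed with itself cancels, as K_1[1][0] does in the example above). The Python below is an added example, not the authors' code: it derives every V_{i,j,k} of AES-128 from the two key-schedule equations of slide 25, checks the K_2[1][1] example, and applies the first two S_{i,j,k} rules for a given Boolean assignment. The symbol encoding ('K0', j, k) and ('SK', i, j) is this example's own convention; Rcon is dropped because a constant has no difference.

```python
"""Symbolic AES-128 key-schedule differences: the sets V_{i,j,k} of slide 25
(added example; not code from the slides). Symbol ('K0', j, k) stands for
dK_0[j][k]; symbol ('SK', i, j) stands for dSK_i[j][3], the difference after
SubBytes of byte K_i[j][3]."""


def key_schedule_symbol_sets(rounds):
    """V[(i, j, k)] = frozenset of symbols whose XOR equals dK_i[j][k], for
    i in [0, rounds], following
        K_i[j][0] = K_{i-1}[j][0] ^ SK_{i-1}[(j+1)%4][3]
        K_i[j][k] = K_i[j][k-1]   ^ K_{i-1}[j][k]       (k in [1, 3])
    Symmetric difference (^ on frozensets) implements XOR of differences."""
    V = {}
    for j in range(4):
        for k in range(4):
            V[(0, j, k)] = frozenset({('K0', j, k)})
    for i in range(1, rounds + 1):
        for j in range(4):
            V[(i, j, 0)] = V[(i - 1, j, 0)] ^ frozenset({('SK', i - 1, (j + 1) % 4)})
            for k in range(1, 4):
                V[(i, j, k)] = V[(i, j, k - 1)] ^ V[(i - 1, j, k)]
    return V


def forced_key_deltas(V, active):
    """First two rules of slide 25 for a Boolean assignment given as `active`,
    the set of symbols with Delta = 1: S = V ∩ active; S empty forces
    DeltaK = 0, a singleton S forces DeltaK = 1 (dK equals one non-zero byte).
    Larger S leave DeltaK open at this level and are not reported."""
    forced = {}
    for pos, symbols in V.items():
        S = symbols & active
        if not S:
            forced[pos] = 0
        elif len(S) == 1:
            forced[pos] = 1
    return forced


def positions_with_equal_sets(V):
    """Fourth rule of slide 25: groups of positions whose V sets coincide, so
    that EQ between the corresponding key bytes must be 1."""
    by_set = {}
    for pos, symbols in V.items():
        by_set.setdefault(symbols, []).append(pos)
    return [sorted(group) for group in by_set.values() if len(group) > 1]


if __name__ == "__main__":
    V = key_schedule_symbol_sets(10)
    print(sorted(V[(2, 1, 1)]))          # the slide's example: {K0[1][1], SK1[2][3]}
    print(positions_with_equal_sets(V))
```

Two structural facts follow from the recurrence and are checked by the script: every V_{i,j,k} contains δK_0[j][k] (column k−1 of K_i only involves master-key columns below k), and for AES-128 no two positions share the same V set, so the fourth rule never fires there; that rule matters for the key schedules of AES-192 and AES-256 treated on slide 32.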
CP_XOR: Third CP model for Step 1
Key schedule modeling:
- Generate all possible equations derivable from the key schedule with 2 or 3 XORs (i.e., equations over 3 or 4 differential bytes); the resulting set is called XOReq
- All those equations can be generated from the original key-schedule equations using 2 or 3 XORs
- For AES-128, 1104 equations; for AES-192, 1696 equations; for AES-256, 1256 equations
- Keep all the constraints of CP_EQ and add the following constraints:
  ∀ (δB_1 ⊕ δB_2 ⊕ δB_3 = 0) ∈ XOReq: (EQ_{δB_1,δB_2} = 1 − ∆B_3) ∧ (EQ_{δB_1,δB_3} = 1 − ∆B_2) ∧ (EQ_{δB_2,δB_3} = 1 − ∆B_1)
  ∀ (δB_1 ⊕ δB_2 ⊕ δB_3 ⊕ δB_4 = 0) ∈ XOReq: (EQ_{δB_1,δB_2} = EQ_{δB_3,δB_4}) ∧ (EQ_{δB_1,δB_3} = EQ_{δB_2,δB_4}) ∧ (EQ_{δB_1,δB_4} = EQ_{δB_2,δB_3})
CP model for Step 2: overall procedure
1. Initialize objStep1 to 1
2. Step 1: search for all Boolean solutions with objStep1 active S-boxes
3. For each Boolean solution of Step 1 (values of ∆X_i and of ∆K_i[j][3]), Step 2: search for byte values that maximize Pr[δX_r | δX, δK_0] (or detect inconsistency and set Pr to 0). Let Pr_max be the largest probability over all Boolean solutions of Step 1
4. If Pr_max < 2^{−6(objStep1 + 1)} then increment objStep1 and go to (2); otherwise return Pr_max
(Each active S-box contributes at most 2^{−6}, so no characteristic with objStep1 + 1 or more active S-boxes can beat 2^{−6(objStep1 + 1)}; once Pr_max reaches that bound the search can stop.)
CP model for Step 2: variables
- For each Boolean variable ∆B: an integer variable δB. If ∆B = 0 in the Step 1 solution then D(δB) = {0}; otherwise D(δB) = [1, 255]
- For each byte A on which SB is applied: an integer variable P_A = log_2 Pr(δSA | δA). If ∆A = ∆SA = 0 then D(P_A) = {0} because Pr(0 | 0) = 1; otherwise D(P_A) = {−7, −6} because Pr(δSA | δA) ∈ {2/256, 4/256}
- Objective function: maximize objStep2 = Σ_{A on which SB is applied} P_A
CP model for Step 2: constraints
Table constraint related to SB: for each byte A on which SB is applied,
(δA, δSA, P_A) ∈ {(X, Y, P) | ∃ (B_1, B_2) ∈ [0, 255] × [0, 255], X = B_1 ⊕ B_2, Y = S(B_1) ⊕ S(B_2), P = log_2(Pr(Y | X))}
Constraints related to KS, ARK, SR, and MC: straightforward definition with table constraints
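The table of allowed (δA, δSA, P_A) tuples is just the differential distribution table (DDT) of the AES S-box with counts turned into log-probabilities. As an added example (not code from the slides), the Python below builds the S-box from its definition, computes the DDT, and verifies the claims used on slide 6 and in the Step 2 model: for δi = 0 only δo = 0 occurs (probability 1); for every δi ≠ 0 exactly one δo has count 4 (P = −6), 126 have count 2 (P = −7) and the rest are impossible, so the P_A domain {−7, −6} is exact. Function names are this example's own.

```python
"""AES S-box differential distribution table and the SubBytes table
constraint of Step 2 (added example; not code from the slides)."""
import math


def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def build_sbox():
    """AES S-box from its definition: multiplicative inverse in GF(2^8)
    followed by the affine map. Inverses come from exp/log tables built
    with the generator 3 = x + 1 (only xtime is needed: p*3 = xtime(p) ^ p)."""
    exp = [0] * 255
    p = 1
    for i in range(255):
        exp[i] = p
        p ^= xtime(p)
    log = {v: i for i, v in enumerate(exp)}

    def inv(a):
        return 0 if a == 0 else exp[(255 - log[a]) % 255]

    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF

    sbox = []
    for x in range(256):
        b = inv(x)
        sbox.append(b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63)
    return sbox


def build_ddt(sbox):
    """ddt[di][do] = #{(B1, B2) : B1 ^ B2 = di and S(B1) ^ S(B2) = do};
    Pr[do | di] of slide 6 is ddt[di][do] / 256."""
    ddt = [[0] * 256 for _ in range(256)]
    for b1 in range(256):
        for b2 in range(256):
            ddt[b1 ^ b2][sbox[b1] ^ sbox[b2]] += 1
    return ddt


def row_profile(ddt, di):
    """Histogram {count: number of output differences with that count}
    for one input difference di."""
    hist = {}
    for c in ddt[di]:
        hist[c] = hist.get(c, 0) + 1
    return hist


def sbox_table_constraint(ddt):
    """Allowed tuples (dA, dSA, P_A) of the Step 2 table constraint, with
    P_A = log2 Pr(dSA | dA) = log2(count / 256); counts are 256, 4 or 2,
    so P_A is exactly 0, -6 or -7."""
    return [(x, y, int(math.log2(ddt[x][y] / 256)))
            for x in range(256) for y in range(256) if ddt[x][y]]


if __name__ == "__main__":
    SBOX = build_sbox()
    DDT = build_ddt(SBOX)
    print(row_profile(DDT, 0x01), len(sbox_table_constraint(DDT)))
```

The table has 255 × 127 + 1 = 32386 tuples out of 256 × 256 × 3 candidates, which is why the solver can propagate on it directly instead of enumerating byte pairs; the same DDT is what gives the domain {−7, −6} on slide 30 and the 2/256 and 4/256 figures on slide 6.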
Extension to AES-192 and AES-256
[Figure: same round structure on the state (ARK with K_0, then SB, SR, MC, ARK with K_{i+1} on X_i, ciphertext X_r = E_K(X)); the key schedule KS of AES-192 and AES-256 additionally applies SB to some columns of the subkeys.]
Update the constraints related to the key schedule:
- Step 1: XOR constraints combined with byte shifts
- Step 2: XOR constraints combined with byte shifts + SubBytes on some columns
Experimental setup
Languages and solvers:
- CP models for Step 1 implemented in MiniZinc (benchmark for the 2016 MiniZinc Challenge); best results are obtained with Picat-SAT
- The CP model for Step 2 is defined in Choco 3 (Java CP library)
Time to solve the hardest instances:
- Less than 5 hours for all instances EXCEPT AES-128-5
- AES-128-5 solved in 15 hours
Experimental results: time (in seconds)
[Table: solving time in seconds per instance; not recoverable from the extracted text.]
Experimental results: number of solutions
Columns: r = number of rounds; Opt bound = optimal value of objStep1 (active S-boxes); Nb sol bin = number of Boolean solutions of Step 1; Nb sol byte = number of byte-consistent solutions; Best p = best probability found.

AES-128
 r   Opt bound   Nb sol bin   Nb sol byte   Best p
 3       5            2            2        2^-31
 4      12            1            1        2^-75
 5      17          103           27        2^-105

AES-192
 r   Opt bound   Nb sol bin   Nb sol byte   Best p
 3       1           14           14        2^-6
 4       4            2            2        2^-24
 5       5            1            1        2^-30
 6      10            2            2        2^-60
 7      13            1            1        2^-78
 8      18            1            1        2^-108
 9      24            3            3        2^-146
10      29            7            7        2^-176

AES-256
 r   Opt bound   Nb sol bin   Nb sol byte   Best p
 3       1           33           33        2^-6
 4       3           10           10        2^-18
 5       3            4            4        2^-18
 6       5            3            3        2^-30
 7       5            1            1        2^-30
 8      10            2            2        2^-60
 9      15            4            4        2^-92
10      16            1            1        2^-98
11      20            1            1        2^-122
12      20            1            1        2^-122
13      24            1            1        2^-146
14      24            1            1        2^-146
Conclusion (1/2): Better RK Diff Characteristics

AES-192
Attack                   Nb rounds   Nb keys   Data      Time      Memory   Source
RK rectangle                 10        64      2^124     2^183     N/A      [Kim et al. 07]
RK amplified boomerang       12        4       2^123     2^176     2^152    [Biryukov et al. 09]
RK distinguisher             10        2^80    2^108 *   2^108 *   2^65     CP
basic RK differential        10        2^44    2^156     2^156              CP

AES-256
Attack                   Nb rounds   Nb keys   Data      Time      Memory   Source
RK boomerang                 14        4       2^99.5    2^99.5    2^77     [Biryukov et al. 09]
RK distinguisher             14        2^35    2^119 *   2^119 *   2^65     [Biryukov et al. 09]
basic RK differential        14        2^35    2^131     2^131     2^65     [Biryukov et al. 09]
q-multicollisions            14        2q      2q        q·2^67    -        [Biryukov et al. 09]
RK distinguisher             14        2^32    2^114 *   2^114 *            CP
basic RK differential        14        2^32    2^125     2^125              CP
q-multicollisions            14        2q      2q        q·2^66             CP

Table: * means for each key.
Conclusion (2/2): go further?
First results for Rijndael (rows: block size in bits; columns: key size in bits; each cell gives the number of rounds r and the best probability p found):

Block size \ Key size      128          160          192          224          256
128                     5, 2^-105    8, 2^-144   10, 2^-176   13, 2^-217   14, 2^-146
160                     4, 2^-106    6, 2^-138    9, 2^-177   10, 2^-202   11, 2^-198
192                     3, 2^-54     5, 2^-112    7, 2^-153   10, 2^-222    9, 2^-173
224                     3, 2^-54     4, 2^-122    6, 2^-160    7, 2^-161    9, 2^-222
256                     3, 2^-54     4, 2^-121    5, 2^-142    7, 2^-207    7, 2^-172

Declarative framework for cryptanalysis? CP models describe problems, not how to solve them:
- Easier to define and check than a full program
- Better solutions than [Biryukov et al. 2009] and [Fouque et al. 2013]
- Models are defined in the MiniZinc language: we can use different CP solvers to solve them
Thanks for your attention! Questions?