An Improved Affine Equivalence Algorithm for Random Permutations - PowerPoint PPT Presentation
SLIDE 1

An Improved Affine Equivalence Algorithm for Random Permutations

Itai Dinur

Ben-Gurion University, Israel EUROCRYPT 2018

SLIDE 2

Affine Equivalence Problem (AEP)

[Figure: F and G as n-bit to n-bit maps, with A1 applied before F and A2 after it, so that G = A2∘F∘A1]

  • Given two functions F,G: {0,1}^n → {0,1}^n, are there invertible affine transformations A1,A2 (over GF(2)^n) such that G = A2∘F∘A1 ?
  • A1(x) = L1(x) ⊕ b1, A2(x) = L2(x) ⊕ b2 for invertible n×n matrices L1,L2 over GF(2)
  • If so, find A1,A2
  • Variant in asymmetric-key cryptography: isomorphism of (low-degree) polynomials (over some field)
  • Importance in symmetric-key cryptography:
  • Design and analysis of Sboxes
  • Affine equivalent Sboxes share many differential/linear properties
  • Cryptanalysis of white-box ciphers
SLIDE 3

Best Known Algorithms for AEP

  • “A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms” by Biryukov, De Cannière, Braeken, and Preneel (Eurocrypt 2003), cited below as [BCBP03]

SLIDE 4

Affine Equivalence Algorithms [BCBP03]

  • Evaluate G on inputs x and F on inputs y
  • Assume F,G are affine equivalent
  • 1) Look for a “good event”: a matching triplet A1(x1)=y1, A1(x2)=y2, A1(x3)=y3
  • 2) Distinguish between good/bad events: use the affine properties of A1,A2 to detect a good/bad match
  • A matching triplet can be used to recover A1,A2

[Figure: x1,x2,x3 → A1 → y1,y2,y3 → F → w1,w2,w3 → A2 → z1,z2,z3, so that z_i = G(x_i)]

SLIDE 5

Affine Equivalence Algorithms [BCBP03]

  • Algorithm 1: guess and verify
  • Complexity ≈ 2^{3n} (search space: all 2^{3n} triplets)
  • After optimization ≈ 2^{2n}
  • Algorithm 2: birthday paradox
  • Extend triplets independently for F,G using linear relations
  • Look for matching triplets in a table
  • Complexity ≈ 2^{3n/2} (square root of the search space size)

SLIDE 6

New Improved Algorithm

  • Complexity: ≈ 2^n (improving the ≈ 2^{3n/2} complexity)
  • Note: A1 maps an affine subspace to an affine subspace
  • Main idea: match affine subspaces of dimension n-1 through A1
  • Each match gives n+1 linear equations on A1 (n on the linear part L1, one on the constant b1)
  • Need about n matches to recover A1
  • Motivation: only about 2^{n+1} such affine subspaces
  • Much less than the 2^{3n} vector triplets
  • “Good event” more likely, but how to detect it?

[Figure: A1 maps the subspace S on the input side of G to the subspace S’ on the input side of F]
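A concrete view of the two bullets above (“n+1 linear equations per match”, “about n matches”), as an added example that is not part of the slides: a hidden affine map A1 = (L1, b1) generates true matches M→M’, each match is turned into its n+1 GF(2)-linear equations, and the example counts how many matches a small GF(2) solver needs before A1 is determined. The bit-packing conventions (vectors as ints, L1 as a list of row-ints, a mask as a pair (a, c)) and all helper names are this example’s own assumptions.

```python
# Added example, not from the slides: a hyperplane match M -> M' gives n+1 GF(2)-linear
# equations on A1 = (L1, b1), and about n matches determine A1.
# Conventions assumed here: n-bit vectors are ints with bit i-1 = x_i; a matrix is a list
# of n row-ints and bit j of L*x is parity(L[j] & x); a mask (a, c) is the hyperplane
# {x : a.x = c} with a != 0.
import random


def parity(v):
    return bin(v).count("1") & 1


def gf2_solve(rows, rhs, n):
    """Solve parity(rows[k] & v) == rhs[k] for the n-bit unknown v.
    Returns v, or None if the system is inconsistent or has rank < n."""
    pivots = {}                                  # pivot column -> fully reduced augmented row
    for row, r in zip(rows, rhs):
        row |= r << n                            # bit n carries the right-hand side
        for col, prow in pivots.items():
            if row >> col & 1:
                row ^= prow
        if (row & ((1 << n) - 1)) == 0:
            if row:
                return None                      # reduced to 0 = 1: inconsistent
            continue                             # dependent equation, nothing new
        col = (row & -row).bit_length() - 1      # new pivot: lowest unknown in the row
        for k in pivots:
            if pivots[k] >> col & 1:
                pivots[k] ^= row
        pivots[col] = row
    if len(pivots) < n:
        return None                              # underdetermined: need more matches
    return sum((pivots[col] >> n & 1) << col for col in range(n))


def random_affine(rng, n):
    """Random invertible A1 = (L1, b1): L1 is invertible iff L1 v = 0 has only v = 0."""
    while True:
        L = [rng.randrange(1, 1 << n) for _ in range(n)]
        if gf2_solve(L, [0] * n, n) == 0:
            return L, rng.randrange(1 << n)


def mask_of_preimage(L, b, a2, c2, n):
    """Mask (a, c) of S given the mask (a', c') of S' = A1(S), A1(x) = L1 x + b1:
    a'.(L1 x + b1) = c'  <=>  (a' L1).x = c' + a'.b1, so a = a' L1 and c = c' + a'.b1,
    where a' L1 is the XOR of the rows L1[k] with a'_k = 1."""
    a = 0
    for k in range(n):
        if a2 >> k & 1:
            a ^= L[k]
    return a, c2 ^ parity(a2 & b)


def recover_A1(matches, n):
    """matches: list of (a, c, a2, c2) meaning M = (a, c) -> M' = (a2, c2).
    Reading a = a' L1 column by column gives n equations a'.col_j(L1) = a_j, and
    c + c' = a'.b1 gives one more: n+1 equations per match, all with coefficient row a'."""
    coeff = [m[2] for m in matches]
    cols = []
    for j in range(n):
        col = gf2_solve(coeff, [m[0] >> j & 1 for m in matches], n)
        if col is None:
            return None
        cols.append(col)
    b = gf2_solve(coeff, [m[1] ^ m[3] for m in matches], n)
    if b is None:
        return None
    L = [sum((cols[j] >> k & 1) << j for j in range(n)) for k in range(n)]   # columns -> rows
    return L, b


def demo(n=6, seed=7):
    """Feed random true matches (derived from a hidden A1) to the solver until A1 is
    determined. Returns (hidden A1, recovered A1, number of matches used)."""
    rng = random.Random(seed)
    L, b = random_affine(rng, n)
    matches = []
    while True:
        a2, c2 = rng.randrange(1, 1 << n), rng.randrange(2)
        a, c = mask_of_preimage(L, b, a2, c2, n)
        matches.append((a, c, a2, c2))
        found = recover_A1(matches, n)
        if found is not None:
            return (L, b), found, len(matches)


if __name__ == "__main__":
    hidden, found, k = demo()
    print("A1 recovered:", found == hidden, "after", k, "matches")
```

All n+1 equations of one match share the coefficient row a’, so n matches with linearly independent a’ vectors pin down every column of L1 and b1 at once; with random matches the solver typically needs slightly more than n, which is the “about n” of the slide.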

SLIDE 7

Restricted Functions and Masks

  • Problem: how do we know that S and S’ match?
  • Represent an (n-1)-dimensional affine subspace S by a linear equation with n+1 coefficients (mask M)
  • For n=3, the affine subspace {000,001,010,011} is represented by the equation x1=0
  • Written as 1∙x1+0∙x2+0∙x3+0=0 (M=1000): the first n mask bits are the coefficients of x1,...,xn and the last bit is the constant
  • There are 2^{n+1}-2 such non-zero valid masks (equations): 2^n-1 choices of non-zero coefficients times 2 constants
  • If A1(S)=S’ write M→M’ for their masks

SLIDE 8

Restricted Functions

  • Problem: how do we know that M→M’?
  • Restricted functions F|M’ and G|M from n-1 bits to n bits
  • For G|M (and F|M’), represent each of the n output bits as a polynomial over GF(2) in n-1 input bits

[Figure: the mask M of a subspace on G’s input side, the mask M’ of its image under A1 on F’s input side, and the restricted functions G|M and F|M’]

SLIDE 9

Restricted Functions

Example: G: {0,1}^3 → {0,1}^3
  G1(x1,x2,x3) = x1x2 ⊕ x1x3 ⊕ x2 ⊕ 1
  G2(x1,x2,x3) = x1x2 ⊕ x1 ⊕ x2
  G3(x1,x2,x3) = x1x3 ⊕ x3

  • Assume M=1000 (linear equation x1 = 0)

  G1|M (x2,x3) = x2 ⊕ 1
  G2|M (x2,x3) = x2
  G3|M (x2,x3) = x3

SLIDE 10

Restricted Functions


  • Problem: how do we know that M→M’?
  • Restricted functions F|M’ and G|M from n-1 bits to n bits
  • For G|M (and F|M’), represent each of the n output bits as a

polynomial over GF(2) in n-1 input bits

  • View the n polynomials as vectors (over the space of monomials) and compute their rank r (0≤r≤n)
  • Basic property: if M→M’ then rank(G|M) = rank(F|M’)
  • Since A1 and A2 are invertible: A1 restricted to S is an affine bijection onto S’, so G|M equals F|M’ up to an invertible affine change of the input variables followed by A2; the former cannot change the degree of a polynomial, and the latter only mixes the n output polynomials invertibly (its constant part drops out after truncation), so the rank is preserved
  • Truncated polynomials: look only at monomials of degree ≥ n-2
  • Otherwise the rank carries no information: with all monomials it is (almost) always n, and with only the single monomial of degree n-1 it is at most 1

SLIDE 11

Restricted Functions

Example: G: {0,1}^3 → {0,1}^3
  G1(x1,x2,x3) = x1x2 ⊕ x1x3 ⊕ x2 ⊕ 1
  G2(x1,x2,x3) = x1x2 ⊕ x1 ⊕ x2
  G3(x1,x2,x3) = x1x3 ⊕ x3

  • Assume S is defined by the linear equation x1 = 0 (mask M=1000)

  G1|M (x2,x3) = x2 ⊕ 1
  G2|M (x2,x3) = x2
  G3|M (x2,x3) = x3

  • Keep monomials of degree ≥ n-2 = 1 (i.e., drop the constant terms)
  • Then rank(G|M) = rank{x2, x2, x3} = 2
  • If M→M’, then rank(F|M’) = rank(G|M) = 2
SLIDE 12

Rank Table (simplified)

  • Rank table of G: for each 0≤r≤n, entry r contains all M such that rank(G|M) = r
  • First step of the algorithm:
  • Compute the rank table of G: for each non-zero mask M, compute r=rank(G|M) and store M in entry r of the rank table of G
  • Compute the rank table of F: for each non-zero mask M’, compute r’=rank(F|M’) and store M’ in entry r’ of the rank table of F

Rank table of G (n=3):

  rank | masks
  -----+------------------------------------------------------
    1  | 0101, 0110, 1010, 1110
    2  | 1000
    3  | 0010, 0011, 0100, 0111, 1001, 1011, 1100, 1101, 1111

SLIDE 13

Rank Table (simplified)

  • Rank table of G: for each 0≤r≤n, entry r contains all M such that rank(G|M) = r
  • If M→M’ then rank(G|M)=rank(F|M’)
  • For each rank 0≤r≤n, the number of masks in entry r of the tables of affine equivalent F,G must be equal
  • If entry r in the rank table of G contains a single mask M, then entry r in the rank table of F contains a single mask M’
  • Moreover, M→M’ must hold (giving n+1 linear equations on A1)
SLIDE 14

Rank Table (simplified)

  • 1000→0111 must hold

Rank table of G:

  rank | masks
  -----+------------------------------------------------------
    1  | 0101, 0110, 1010, 1110
    2  | 1000
    3  | 0010, 0011, 0100, 0111, 1001, 1011, 1100, 1101, 1111

Rank table of F:

  rank | masks
  -----+------------------------------------------------------
    1  | 1010, 0011, 0100, 1000
    2  | 0111
    3  | 0010, 1001, 1011, 1100, 1101, 1111, 0101, 0110, 1110
SLIDE 15

Matchings

  • Problem: for large n, each non-empty entry r in the rank table of G (and F) is likely to contain many masks
  • Cannot directly obtain unique matches M→M’
  • Main observation: matching is additive: if M1→M1’ and M2→M2’, then M1⊕M2 → M1’⊕M2’ (provided M1⊕M2 is still a valid mask), because the mask of A1(S) is a linear function of the mask of S
  • A very strong property that (usually) allows recovering A1 using additional structures

SLIDE 16

Efficiently Computing the Rank Table

  • Computing the rank table: for each of the ≈2^{n+1} subspaces (masks M), need to compute rank(G|M)
  • There are ≈2^{n+1} subspaces of dimension n-1 (masks M)
  • Each subspace contains 2^{n-1} vectors
  • Problem: the naïve computation has complexity 2^{n+1}∙2^{n-1} = 2^{2n}
  • Main idea: use symbolic computation
  • Interpolate the n output bit polynomials of G (their algebraic normal forms) and keep only monomials of degree ≥ n-2 (complexity: ≈2^n)
  • For each of the 2^{n+1} masks M:
  • Substitute the equation M (e.g., x1=0) into the symbolic representation of all n polynomials to compute G|M symbolically
  • Perform Gaussian elimination on the n polynomials (vectors) to compute rank(G|M) (complexity: ≈n^3 per mask)
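The procedure of this and the preceding slides (interpolate, substitute the mask equation, truncate to degree ≥ n-2, Gaussian elimination), as an added Python example that is not part of the slides. It runs the computation on the n=3 example G of slide 9, builds a rank table as on slide 12, and then hides G behind random A1, A2 to check the basic property rank(G|M) = rank(F|M’) of slide 10, the equal per-rank counts of slide 13 and the additivity of M→M’ of slide 15. The bit-packing conventions and helper names are assumptions of this example; the masks M’ used by the check are found by brute force, which is not part of the algorithm and only serves the verification.

```python
# Added example, not from the slides: the symbolic rank-table computation of slides 10-16,
# run on the n=3 example G of slide 9 and then checked against a hidden affine equivalence.
# Conventions assumed here: n-bit vectors are ints with bit i-1 = x_i; a function is its
# truth table (list of 2^n output ints); a polynomial (ANF) is an int whose bit u is set iff
# the monomial prod_{i in u} x_i is present; a mask (a, c) is the hyperplane {x : a.x = c}.
import random

def parity(v):
    return bin(v).count("1") & 1

def gf2_rank(vectors):
    """Rank over GF(2) of vectors packed as ints (Gaussian elimination by XOR)."""
    rows, rank = list(vectors), 0
    while rows and max(rows):
        pivot = max(rows)                        # row with the highest leading bit
        top = 1 << (pivot.bit_length() - 1)
        rows = [r ^ pivot if r & top else r for r in rows]
        rank += 1
    return rank

def interpolate(table, n):
    """ANF of each output bit by the Möbius transform (slide 16, cost about n 2^n)."""
    polys = []
    for j in range(n):
        coeff = [table[x] >> j & 1 for x in range(1 << n)]
        for i in range(n):
            for u in range(1 << n):
                if u >> i & 1:
                    coeff[u] ^= coeff[u ^ (1 << i)]
        polys.append(sum(1 << u for u in range(1 << n) if coeff[u]))
    return polys

def truncate(poly, min_deg):
    return sum(1 << u for u in range(poly.bit_length())
               if poly >> u & 1 and bin(u).count("1") >= min_deg)

def restrict(poly, a, c, n):
    """Substitute a.x = c into a packed ANF: the lowest variable x_p of a is replaced by
    c + (sum of the other variables of a); the result lives in the n-1 remaining variables."""
    p = (a & -a).bit_length() - 1
    others = a ^ (1 << p)
    out = 0
    for u in range(poly.bit_length()):
        if not poly >> u & 1:
            continue
        if not u >> p & 1:
            out ^= 1 << u                        # monomial without x_p: unchanged
            continue
        base = u ^ (1 << p)                      # monomial with x_p removed
        if c:
            out ^= 1 << base
        rest = others
        while rest:
            i = rest & -rest
            out ^= 1 << (base | i)               # x_i * base, using x_i^2 = x_i
            rest ^= i
    return out

def restricted_rank(polys, a, c, n):
    """rank(G|M) over the monomials of degree >= n-2 (slides 10-11). Truncating before the
    substitution as on slide 16 is safe because substitution never raises the degree."""
    return gf2_rank([truncate(restrict(truncate(q, n - 2), a, c, n), n - 2) for q in polys])

def hyperplanes(n):
    """All 2^(n+1)-2 valid masks (slide 7), each with its point set."""
    return {(a, c): frozenset(x for x in range(1 << n) if parity(a & x) == c)
            for a in range(1, 1 << n) for c in (0, 1)}

def rank_table(table, n):
    """Entry r holds every mask M with rank(G|M) = r (slide 12)."""
    polys, ranks = interpolate(table, n), {r: [] for r in range(n + 1)}
    for a, c in hyperplanes(n):
        ranks[restricted_rank(polys, a, c, n)].append((a, c))
    return ranks

def slide_G():
    """The n=3 example of slide 9 as a truth table (bit 0 = G1, bit 1 = G2, bit 2 = G3)."""
    out = []
    for x in range(8):
        x1, x2, x3 = x & 1, x >> 1 & 1, x >> 2 & 1
        out.append(((x1 & x2) ^ (x1 & x3) ^ x2 ^ 1) | ((x1 & x2) ^ x1 ^ x2) << 1 | ((x1 & x3) ^ x3) << 2)
    return out

def check_invariance(G, n, seed=1):
    """Hide G behind random A1, A2 (F = A2^-1∘G∘A1^-1, i.e. G = A2∘F∘A1) and verify
    rank(G|M) = rank(F|M') for all M, equal per-rank counts, and additivity of M -> M'."""
    rng = random.Random(seed)
    def random_affine():                         # truth table of x -> L x + b, L invertible
        while True:
            L, b = [rng.randrange(1, 1 << n) for _ in range(n)], rng.randrange(1 << n)
            if gf2_rank(L) == n:
                return [sum(parity(L[j] & x) << j for j in range(n)) ^ b for x in range(1 << n)]
    A1, A2 = random_affine(), random_affine()
    inv1, inv2 = {y: x for x, y in enumerate(A1)}, {y: x for x, y in enumerate(A2)}
    F = [inv2[G[inv1[y]]] for y in range(1 << n)]
    planes = hyperplanes(n)
    lookup = {pts: m for m, pts in planes.items()}
    T = {m: lookup[frozenset(A1[x] for x in pts)] for m, pts in planes.items()}  # M -> M'
    pG, pF = interpolate(G, n), interpolate(F, n)
    ranks_ok = all(restricted_rank(pG, a, c, n) == restricted_rank(pF, *T[a, c], n) for a, c in T)
    tG, tF = rank_table(G, n), rank_table(F, n)
    counts_ok = all(len(tG[r]) == len(tF[r]) for r in range(n + 1))
    additive = all(T[a1 ^ a2, c1 ^ c2] == (T[a1, c1][0] ^ T[a2, c2][0], T[a1, c1][1] ^ T[a2, c2][1])
                   for a1, c1 in T for a2, c2 in T if a1 != a2)
    return ranks_ok and counts_ok and additive
```

The `hyperplanes` lookup used by `check_invariance` enumerates every hyperplane as a point set and therefore costs about 2^{2n}, which caps the check at small n; the rank-table part itself (`interpolate`, `restrict`, `truncate`, `gf2_rank`) is the ≈2^{n+1}·n^3 computation of the slide and scales as described there. For the slide’s G and M=1000 (here a=1, c=0) `restricted_rank` returns 2, matching slide 11.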

SLIDE 17

Additional Algorithmic Applications

  • Improves some decomposition attacks on the ASASA construction
  • Efficient way to experimentally look for high order differential distinguishers

SLIDE 18

Conclusions and Open Problems

  • Improved the complexity of the best known algorithm for AEP from ≈2^{3n/2} to ≈2^n
  • Experimentally verified up to n=28
  • Works for almost all functions and permutations
  • Based on a new algebraic algorithm which has additional applications
  • Open Problems:
  • Improve the complexity of the algorithm
  • Devise an algorithm that works for all functions/permutations (e.g., low degree permutations)
  • Find additional applications
SLIDE 19

Thanks for your attention!