
Page 1: Multiplicative Complexity Reductions in Cryptography and Cryptanalysis · 2015. 12. 3.

Multiplicative Complexity Reductions in Cryptography and Cryptanalysis

THEODOSIS MOUROUZIS

PRESENTATION @ CRYPTO.SEC

THEODOSIS MOUROUZIS - 2015/16 1

Page 2:

Introductions: Academic Background

BSc in Mathematics (University of Cambridge)

MSc in Advanced Mathematics – PART III (University of Cambridge)

MRes in Security Science (University College London)

PhD in Cryptanalysis (University College London – Advisor: Dr Nicolas Courtois)

Professional Experience

Security Architect at a TSB (Technology Strategy Board - UK) funded project

Security SME at Digital Security & Fraud (Lloyds Banking Group)

Advisor at Circles ltd (security of telecommunications – based in Cyprus)

Page 3:

Introductions: Currently

Lecturer of Information Management at

(Business School)

Director of MSc in Business Intelligence & Data Analytics (expected to run on 2016)

Page 4:

Research Interests: Cryptanalysis

- Algebraic Cryptanalysis (mainly using SAT solvers)

- Advanced Differential Cryptanalysis (truncated differentials, statistical distinguishers)

- Block Ciphers studied (so far):

-- GOST (all variants): general open sets, advanced statistical distinguishers

--- Attack on full block cipher (32 rounds)

-- SIMON (64/128 variant): algebraic + differential attacks

--- Attack on 26 out of 44 rounds (complexity close to brute-force)

Page 5:

Research Interests: Cryptanalysis & Multiplicative Complexity

- Computation of MC and proving optimality (for sufficiently small circuits, e.g. small S-boxes)

- Study of MC Reduction in Cryptanalysis (especially algebraic attacks)

-- how MC reduction, combined with a sample of data, affects the "hardness" of solving the system for the key

-- guess-then-determine techniques to reduce the MC of a cipher

Page 6:

Research Interests: Cryptographic Designs & Security

- evaluation of authentication techniques

-- partial passwords

-- device identity & “trusting the device”

Page 7:

Presentation Overview: Nonlinearity and the Four Measures

- Non-Linearity

- Algebraic Degree

- Annihilator Immunity

- Multiplicative Complexity (MC)

Multiplicative Complexity (MC)

- MC Reductions

- Matrix Multiplication (MM)

- Automated MC Reduction

- Optimization of Circuits wrt other metrics

Reductions of MC in Cryptanalysis

- MC and Algebraic Attacks

Page 8:

Notation

Let $x \in \mathbb{F}_2^n$ and $f: \mathbb{F}_2^n \to \mathbb{F}_2$ a Boolean function

$B_n = \{ f \mid f: \mathbb{F}_2^n \to \mathbb{F}_2 \}$: the set of Boolean functions on $n$ variables

$HW(x)$: Hamming weight of a vector $x$

$|S|$: cardinality of a set $S$

$d(f, g) = |\{ x \in \mathbb{F}_2^n \mid f(x) \neq g(x) \}|$: distance between two functions $f, g \in B_n$

Page 9:

Notation: the Algebraic Normal Form of $f$ (or Zhegalkin polynomial) is defined by

$$f(x_1, x_2, \ldots, x_n) = \bigoplus_{S \subseteq \{1, 2, \ldots, n\}} a_S \prod_{i \in S} x_i,$$

where $a_S \in \{0, 1\}$ for all $S$ and we define $\prod_{i \in \emptyset} x_i$ to be 1

- If $a_S = 0$ for all $|S| > 1$ we say that $f$ is affine

- If the above holds and $a_\emptyset = 0$ we say that $f$ is linear

- If $a_S = a_{S'}$ whenever $|S| = |S'|$ we say that $f$ is symmetric

$\Sigma_k^n$: $k$-th elementary symmetric Boolean function, the sum of all terms with $|S| = k$

- e.g. $\Sigma_2^n = x_1x_2 + x_1x_3 + \cdots + x_{n-1}x_n$

Page 10:

The notion of Nonlinearity: Cryptographic applications such as block ciphers, stream ciphers and hash functions are designed with several properties in mind:

Efficient circuit (hardware) implementation

Efficient software implementation

Resistance against known forms of attack, such as:

- linear cryptanalysis

- differential cryptanalysis

- algebraic attacks

This is very often a complex engineering and optimization task

Page 11:

The notion of Nonlinearity [Intuition]

In order to achieve "hardness" against known attacks, cryptographic functions are required to be hard to invert.

Linear algebra should not be applicable to the problem of saying something about $x$ given $f(x)$,

i.e. these functions are sufficiently distant from linear [1]

"Nonlinearity" is introduced into encryption algorithms in several ways:

- SP Networks: substitution layers (S-boxes)

- Feistel Networks: S-boxes, additions modulo e.g. $2^{32}$, bitwise multiplications, field multiplications

Page 12:

The notion of Nonlinearity: Claude Shannon introduced (informally) nonlinearity in the paper "Communication Theory of Secrecy Systems" by defining the fundamental concepts of confusion (and diffusion)

Confusion: the ciphertext should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst

Diffusion: each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext

Page 13:

Four Measures of Nonlinearity: We have several measures of "how linear or non-linear" a Boolean function is.

Boyar and Peralta discuss in [3] four measures of nonlinearity for a Boolean function:

1. Nonlinearity

2. Algebraic Degree

3. Annihilator Immunity

4. Multiplicative Complexity

These measures are incomparable and need to be studied separately:

for each pair of measures $\mu_1, \mu_2$ there exist functions $f_1, f_2$ with $\mu_1(f_1) > \mu_1(f_2)$ but $\mu_2(f_1) < \mu_2(f_2)$

Page 14:

Four Measures of Nonlinearity: Nonlinearity is the Hamming distance to the closest affine function

$0 \le NL(f) \le 2^{n-1} - \lceil 2^{n/2 - 1} \rceil$ [3]

Affine functions have nonlinearity 0

Functions attaining the maximum nonlinearity exist iff $n$ is even (bent functions)

Page 15:

Four Measures of Nonlinearity: Linearity $L(f)$ is defined by $\max_{a \in \mathbb{F}_2^n} |\hat{f}_W(a)|$, where $\hat{f}_W(a)$ is the Walsh coefficient at $a$, given by

$$\hat{f}_W(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x}$$

The maximum value is $2^n$, attained iff $f$ is an affine (in particular, linear) function

Boolean function $f$                                  $L(f)$
$x_1 + x_2$                                           4
$x_1x_2 + x_1$                                        2
$x_1x_2 + x_1x_3 + x_2x_3$                            4
$1 + x_0 + x_1 + x_0x_1 + x_0x_2 + x_1x_2$            4

Page 16:

Four Measures of Nonlinearity: Algebraic Degree ($\deg f$) is the number of variables in the highest-order term with non-zero coefficient in the ANF representation

Intuitively, the higher the algebraic degree, the higher the resistance of the function against algebraic attacks

The optimal value is 𝑛

Example:

$MAJ(x_1, x_2, x_3) = x_1x_2 + x_1x_3 + x_2x_3$ has algebraic degree 2

Page 17:

Four Measures of Nonlinearity: Annihilator Immunity

Let $f$ be a Boolean function on $n$ inputs. Then the annihilator immunity is given by

$$AI(f) = \min_g \deg(g)$$

such that either $fg = 0$ or $(f + 1)g = 0$. The function $g$ is called an annihilator.

Closely related to algebraic degree

$0 \le AI(f) \le \lceil n/2 \rceil$ [Courtois-Meier 2003]

Specific functions are known to achieve these bounds

Page 18:

Four Measures of Nonlinearity: Multiplicative Complexity is the smallest number of AND gates necessary and sufficient to compute the function by a circuit over the basis (XOR, AND, 1), i.e. using arithmetic over $\mathbb{F}_2$

Clearly $MC \ge 0$, with equality iff the function is affine

Proven bounds:

$n$ even: $MC \le 2^{\frac{n}{2} + 1} - \frac{n}{2} - 2$ [Lupanov]

$n$ odd: $MC \le \frac{3}{2\sqrt{2}}\, 2^{\frac{n}{2} + 1} - \frac{n + 3}{2}$ [Boyar-Peralta-Pochuev]

Page 19:

Four Measures of Nonlinearity: These notions are incomparable and need to be studied separately

Function                  Nonlinearity                 Algebraic Degree   Annihilator Immunity   Multiplicative Complexity
$\Sigma_2^n$ ($n$ odd)    $2^{n-1} - 2^{(n-1)/2}$      2                  2                      $\lfloor n/2 \rfloor$
$\Sigma_n^n$              1                            $n$                1                      $n - 1$
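A worked example, added here (it is not code from the slides or from the Boyar-Peralta papers): a Python script that computes nonlinearity, linearity $L(f)$, algebraic degree and annihilator immunity directly from the definitions on pages 9 and 14-17 (fast Moebius transform for the ANF, fast Walsh-Hadamard transform for $\hat{f}_W$, and a rank computation over $\mathbb{F}_2$ for annihilators), and reproduces the $L(f)$ table of page 15 and the first three columns of the table above for $\Sigma_2^n$ and $\Sigma_n^n$. Multiplicative complexity is not computed here. The bit ordering of inputs and all function names are this example's own conventions.

```python
from itertools import combinations

# A Boolean function on n variables is a truth table: a list of 2^n bits in
# which index x encodes x_1 as bit 0, x_2 as bit 1, ... (this bit ordering is
# a convention of this example, not of the slides).


def truth_table(anf, n):
    """Evaluate an ANF, given as a set of monomials (frozensets of 0-based
    variable indices; the empty monomial is the constant 1), on all inputs."""
    return [sum(all((x >> i) & 1 for i in m) for m in anf) & 1
            for x in range(1 << n)]


def anf_from_truth_table(tt):
    """Fast Moebius transform: truth table -> monomials of the Zhegalkin polynomial."""
    n = len(tt).bit_length() - 1
    a = list(tt)
    for i in range(n):
        for x in range(len(a)):
            if (x >> i) & 1:
                a[x] ^= a[x ^ (1 << i)]
    return {frozenset(i for i in range(n) if (x >> i) & 1)
            for x in range(len(a)) if a[x]}


def elementary_symmetric(k, n):
    """Sigma_k^n: the XOR of all monomials of degree exactly k."""
    return {frozenset(c) for c in combinations(range(n), k)}


def algebraic_degree(tt):
    return max((len(m) for m in anf_from_truth_table(tt)), default=0)


def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) + a.x) for every a (fast Walsh-Hadamard transform)."""
    w = [(-1) ** b for b in tt]
    h = 1
    while h < len(w):
        for x in range(0, len(w), 2 * h):
            for y in range(x, x + h):
                u, v = w[y], w[y + h]
                w[y], w[y + h] = u + v, u - v
        h *= 2
    return w


def linearity(tt):
    return max(abs(c) for c in walsh_spectrum(tt))


def nonlinearity(tt):
    # NL(f) = 2^(n-1) - L(f)/2: Hamming distance to the closest affine function
    return (len(tt) - linearity(tt)) // 2


def gf2_rank(rows):
    """Rank over F_2 of row vectors packed as Python ints."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)   # clears the leading bit of b if r has it set
        if r:
            basis.append(r)
    return len(basis)


def annihilator_immunity(tt):
    """AI(f): least d such that f or f+1 has a non-zero annihilator g of
    degree <= d, i.e. the monomials of degree <= d are linearly dependent
    when restricted to the support of f (resp. of f+1)."""
    n = len(tt).bit_length() - 1
    for d in range(n + 1):
        cols = [m for k in range(d + 1) for m in elementary_symmetric(k, n)]
        for value in (1, 0):                    # annihilate f, then f+1
            rows = [sum(1 << j for j, m in enumerate(cols)
                        if all((x >> i) & 1 for i in m))
                    for x in range(1 << n) if tt[x] == value]
            if gf2_rank(rows) < len(cols):
                return d
    return n


def measures(anf, n):
    tt = truth_table(anf, n)
    return {"NL": nonlinearity(tt), "L": linearity(tt),
            "deg": algebraic_degree(tt), "AI": annihilator_immunity(tt)}


if __name__ == "__main__":
    print("MAJ3  ", measures(elementary_symmetric(2, 3), 3))
    print("x1x2x3", measures(elementary_symmetric(3, 3), 3))
```

The annihilator search works upward in $d$: a non-zero $g$ of degree at most $d$ with $fg = 0$ exists exactly when the monomial columns of degree at most $d$, evaluated only on the support of $f$, are linearly dependent, so a rank deficit is the certificate. For $\Sigma_2^5$ the script returns $NL = 12 = 2^4 - 2^2$, degree 2 and $AI = 2$, matching the first row of the table.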

Page 20:

Multiplicative Complexity: Relation between MC and nonlinearity

A low MC bounds the nonlinearity from above (equivalently, high nonlinearity forces a high MC):

[Boyar-Find-Peralta Theorem, 3] If $f \in B_n$ has $MC(f) \le n/2$, then its nonlinearity is at most $2^{n-1} - 2^{n - MC(f) - 1}$

For $MC(f) = n/2$ there exists a simple function with exactly this nonlinearity [3]

Page 21:

MC & One-wayness

MC and One-Wayness [3]

If a function $f$ has multiplicative complexity $MC$, then it can be inverted in at most $2^{MC}$ evaluations of $f$

$MC(f) \le n/2 \Rightarrow NL(f) \le 2^{n-1} - 2^{n - MC(f) - 1}$

Theorem [Boyar and Peralta]: Collision resistance of a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ requires that $MC(f) \ge n - m$

Page 22:

Multiplicative Complexity: Matrix Multiplication, MC computation and Circuit Complexity computation are among the most important problems in Computational Complexity

All these problems remain intractable in general

Most of the existing algorithms are based on well-chosen ad-hoc heuristics

Not [formally] proven that the existing techniques can yield optimal solutions

Page 23:

Multiplicative Complexity: Improvements in such problems might lead to direct improvements in other fields

o Commercial software

o Forecasting techniques

o Statistical analysis of large data sets

o Gauss Elimination algorithm for solving a system of equations

o Computer Graphics

o Reduction in required silicon to implement digital circuits

Page 24:

Multiplicative Complexity

o Cryptanalysis based on SAT solvers benefits immediately from MC reductions, as the time taken by a SAT solver to find a solution depends on the "compactness" of the circuit

o Development of bitslice parallel-SIMD software implementations of block ciphers

o Optimizing wrt MC supports countermeasures against Side Channel Attacks (SCA) on smart cards such as Differential Power Analysis: XOR gates are easier to protect against such attacks (linear masking), so the masking cost is driven by the number of AND gates

o Block ciphers with lower MC are less resistant against algebraic attacks (heuristically demonstrated in [4,5])

Page 25:

Multiplicative Complexity: The Boyar-Peralta heuristic [2,3], used to obtain more efficient implementations of arbitrary digital circuits with respect to Boolean Complexity, is based directly on the notion of MC

It consists of the following 2(+1 optional) steps:

Optimize wrt AND gates

Optimize with respect to XOR gates separately – equivalent to problems of computing linear forms which is well studied

(optional) Perform additional optimizations to decrease the circuit depth, possible gate count, power consumption, etc.

Page 26:

Multiplicative Complexity: Unfortunately, there is no formal proof (and it is unlikely to be true in general) that optimizing with respect to AND gates yields circuits of optimal Boolean Complexity

However, it produces sufficiently good results.

Inversion in $GF(2^4)$: 5 ANDs, 11 XORs

Inversion in $GF(2^8)$: 32 ANDs

Applied to the AES S-box, it gave the smallest circuit known (32 AND, 83 XOR/XNOR gates) [3]

Applied (with a modified technique) to the PRESENT S-box, it gave the smallest circuit known:

- Our implementation: 14 gates (2 ANDs, 2 ORs, 9 XORs, 1 NOT)

- Previous implementation by Martin Albrecht: 39 gates

- Berkeley's Logic Friday software: 25 gates

Page 27:

Multiplicative Complexity: We built an automated tool based on SAT solvers which can compute optimal values in both the MM and MC computational problems [4,5,8] (for "sufficiently small" problems).

It consists of three major steps:

1. Write the problem as a set of algebraic equations based on the target value of MC [encoding]

2. Convert it to its Conjunctive Normal Form (CNF) – [Courtois-Bard-Jefferson software]

3. Attempt to solve using SAT solvers

Page 28:

Multiplicative Complexity: The tricky part is to write down the algebraic description of the problem (the encoding step)

Conversion from ANF to CNF can be done with existing software (e.g. Courtois-Bard-Jefferson)

We have applied this methodology to three areas:

1. Matrix Multiplication [4,6,7,8]

2. MC computation of circuits [4,6,7]

3. Optimization of digital circuits with respect to more complex metrics [7]

We can achieve optimal results for sufficiently small problems

e.g. S-boxes from 4-bits to 4-bits, multiplication of matrices up to dimension 4

Page 29:

Matrix Multiplication: We used the Brent equations as the encoding of the MM problem

First we solve them over $\mathbb{F}_2$, and then we heuristically lift the solution to more general rings

Page 30:

Matrix Multiplication [Basic Idea of our Research]: We search for tri-linear algorithms of optimal bi-linear complexity in an automated way as follows:

1. Algebraically encode the problem (using say k multiplications) [Brent Equations]

2. Search for solutions valid mod2 (heuristic)

3. Convert it to CNF-SAT problem using Courtois-Bard-Jefferson Method

4. Search for a solution using a SAT solver (SAT or UNSAT)

5. Lift the solution to a general ring
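A worked example, added here (not the author's code): the Brent equations for the $2 \times 2$ case written out as a check on Strassen's 7-multiplication algorithm, expressed as three coefficient tables per product (the unknowns a SAT encoding of step 1 would solve for), evaluated once over $\mathbb{F}_2$ and once over $\mathbb{Z}$. It also shows why step 5 is needed: the same tables with every sign forgotten, which is all a solver working mod 2 can return, still satisfy the Brent equations mod 2 but fail over $\mathbb{Z}$ and produce wrong products. Strassen's coefficients are the standard ones; the function names and the sample matrices are this example's own. The search for solutions and the lifting heuristic themselves are not reproduced.

```python
from itertools import product

# Strassen's 2x2 algorithm as coefficient tables (alpha, beta, gamma) for each of
# its 7 products: M = (sum_ij alpha[i][j] A[i][j]) * (sum_kl beta[k][l] B[k][l])
# and C[p][q] = sum over products of gamma[p][q] * M.  Coefficients in {-1,0,1}.
STRASSEN = [
    ([[1, 0], [0, 1]], [[1, 0], [0, 1]], [[1, 0], [0, 1]]),    # (A11+A22)(B11+B22)
    ([[0, 0], [1, 1]], [[1, 0], [0, 0]], [[0, 0], [1, -1]]),   # (A21+A22) B11
    ([[1, 0], [0, 0]], [[0, 1], [0, -1]], [[0, 1], [0, 1]]),   # A11 (B12-B22)
    ([[0, 0], [0, 1]], [[-1, 0], [1, 0]], [[1, 0], [1, 0]]),   # A22 (B21-B11)
    ([[1, 1], [0, 0]], [[0, 0], [0, 1]], [[-1, 1], [0, 0]]),   # (A11+A12) B22
    ([[-1, 0], [1, 0]], [[1, 1], [0, 0]], [[0, 0], [0, 1]]),   # (A21-A11)(B11+B12)
    ([[0, 1], [0, -1]], [[0, 0], [1, 1]], [[1, 0], [0, 0]]),   # (A12-A22)(B21+B22)
]


def brent_equations_hold(algo, n, modulus=0):
    """Brent equations for n x n matrices: for every (i, j, k, l, p, q) the sum
    over all products of alpha[i][j] * beta[k][l] * gamma[p][q] must equal
    1 if (j == k and i == p and l == q) else 0.  modulus 0 means over Z."""
    for i, j, k, l, p, q in product(range(n), repeat=6):
        lhs = sum(a[i][j] * b[k][l] * g[p][q] for a, b, g in algo)
        rhs = int(j == k and i == p and l == q)
        if modulus:
            lhs, rhs = lhs % modulus, rhs % modulus
        if lhs != rhs:
            return False
    return True


def forget_signs(algo):
    """The F_2 view of an algorithm: every coefficient replaced by its absolute
    value, which is all a solver working mod 2 can report back."""
    return [tuple([[abs(v) for v in row] for row in table] for table in triple)
            for triple in algo]


def multiply(algo, A, B):
    """Run a bilinear algorithm: exactly one non-scalar multiplication per product."""
    n = len(A)
    C = [[0] * n for _ in range(n)]
    for a, b, g in algo:
        u = sum(a[i][j] * A[i][j] for i in range(n) for j in range(n))
        v = sum(b[k][l] * B[k][l] for k in range(n) for l in range(n))
        m = u * v
        for p in range(n):
            for q in range(n):
                C[p][q] += g[p][q] * m
    return C


def schoolbook(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


if __name__ == "__main__":
    unsigned = forget_signs(STRASSEN)
    print("Strassen over Z:        ", brent_equations_hold(STRASSEN, 2))
    print("unsigned tables mod 2:  ", brent_equations_hold(unsigned, 2, 2))
    print("unsigned tables over Z: ", brent_equations_hold(unsigned, 2))
```

The unsigned tables fail over $\mathbb{Z}$ because, for instance, $C_{12} = M_3 + M_5$ then collects $A_{11}B_{22}$ twice instead of cancelling it; this is exactly the kind of sign choice the lifting step has to recover.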

Page 31:

Matrix Multiplication: We succeeded in finding new formulas for small instances of the MM problem (up to dimension 3)

Multiplication of two 3x3 matrices using 23 multiplications (non-isomorphic to Laderman's solution), obtained in a few days on a single CPU

5 symmetries for isomorphism of solutions in this dimension

These are important for finding better solutions in the general case using the divide-and-conquer paradigm (Strassen: 2x2 case with 7 multiplications gives $O(n^{2.81})$ in the general case)

(cf. Julian D. Laderman. A Non-Commutative Algorithm for Multiplying 3x3 Matrices Using 23 Multiplications. 1976)

Page 32:

Matrix Multiplication (figure only in the original)

Page 33:

Matrix Multiplication: Using this methodology we can also obtain exact results (optimality).

Multiplication of 2x2 and 2x3 matrices requires at least 11 multiplications

– SAT (k=11): CryptoMiniSat, Average Time 0.132h

– UNSAT (k<11): CryptoMiniSat and MiniSat

Page 34:

Optimization of small circuits: We are interested in optimizations in a more general case

- Vectorial Boolean functions (S-boxes)

Synthesizing an optimal circuit wrt a metric is an NP-hard problem

For example, there is no known provably optimal circuit representation for a Boolean function of arity 8 (Circuit Complexity)

No analytic techniques are known and most techniques rely on ad-hoc heuristics.

Surprisingly, such techniques are good enough to discover better and better circuit representations

Page 35:

Automated MC Reduction [Problem]: Given a vectorial Boolean function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$, find a circuit that computes the same function with at most MC multiplications

Pages 36-42:

Automated MC Reduction

Encode the circuit as a straight-line problem

Start with the input variables $x_1, x_2, \ldots, x_n$ of the circuit and let $S = \{x_1, x_2, \ldots, x_n\}$

Allow a new variable $z$ to be the product of two elements of the form $a_1 x_1 + a_2 x_2 + \cdots + a_{|S|} x_{|S|}$ built from the elements of $S$

Insert $z$ in $S$ and repeat, generating $MC$ such variables

Write affine equations that make each output of the circuit an affine combination of elements of $S$

Substitute all input/output pairs from the truth table of the circuit to generate more equations

Convert to CNF form and solve using SAT solver

Page 43:

Automated MC Reduction: Achieving Optimality

SAT obtained for $K = k$

Keep decreasing $K$ until UNSAT

MC: the minimum $k$ with SAT, but UNSAT for all $K < k$

Constraints:

Works sufficiently well for small problems
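A worked example, added here (it is not the author's tool: the slides convert the encoding to CNF and call a SAT solver, whereas this script replaces the solver by exhaustive enumeration, which only scales to about three inputs). It builds exactly the encoding of the preceding pages: each AND gate multiplies two affine combinations of the wires in $S$, its output joins $S$, every target output must be affine in $S$, and the full truth table is checked. $K$ is increased until the first SAT instance, which is the same stopping rule as decreasing $K$ until UNSAT. The recovered circuit is then used for the inversion argument of page 21: guessing the value of the left factor of every AND gate makes the whole circuit affine in the input, so a function of multiplicative complexity $K$ is inverted with $2^K$ linear solves instead of a search over $2^n$ inputs. The bit-packed truth-table representation, all names, and the test functions (MAJ3, which has MC 1, and $x_1x_2x_3$, which has MC 2) are this example's own.

```python
from itertools import product
# Truth tables are packed into ints: bit x holds f(x), with x_1 in bit 0 of x,
# x_2 in bit 1, ... (a convention of this example). & is AND, ^ is XOR.

def var_tt(i, n):
    return sum(1 << x for x in range(1 << n) if (x >> i) & 1)

def affine_span(wires, n):
    """Every affine combination of the wires as {truth_table: coefficients};
    coefficient 0 is the constant 1, coefficient i+1 multiplies wires[i]."""
    one = (1 << (1 << n)) - 1
    span = {0: (0,) * (len(wires) + 1), one: (1,) + (0,) * len(wires)}
    for i, w in enumerate(wires):
        for tt, c in list(span.items()):
            span[tt ^ w] = c[:i + 1] + (1,) + c[i + 2:]
    return span

def find_circuit(targets, n, k, wires=None):
    """Exhaustive version of the slides' encoding: each AND gate multiplies two
    affine combinations of the wires in S, its output z joins S, and every target
    must be affine in S. Returns (gates, outputs) as coefficient tuples for a
    program with at most k ANDs, or None (UNSAT)."""
    wires = [var_tt(i, n) for i in range(n)] if wires is None else wires
    span = affine_span(wires, n)
    if all(t in span for t in targets):
        return [], [span[t] for t in targets]
    if k == 0:
        return None
    forms, tried = list(span.items()), set()
    for a, (u, cu) in enumerate(forms):
        for v, cv in forms[a:]:                 # u*v == v*u: unordered pairs
            z = u & v
            if z in span or z in tried:         # already affine, or a duplicate
                continue
            tried.add(z)
            found = find_circuit(targets, n, k - 1, wires + [z])
            if found is not None:
                return [(cu, cv)] + found[0], found[1]
    return None

def multiplicative_complexity(targets, n, max_k=4):
    """Smallest K that is SAT; every smaller K was exhaustively UNSAT."""
    for k in range(max_k + 1):
        circuit = find_circuit(targets, n, k)
        if circuit is not None:
            return k, circuit
    raise ValueError("no circuit with at most %d AND gates" % max_k)

def solve_gf2(eqs, n):
    """Yield all x in F_2^n with parity(mask & x) == rhs for every (mask, rhs)."""
    rows = []                                   # reduced echelon: (pivot, mask, rhs)
    for mask, rhs in eqs:
        for p, m, r in rows:
            if (mask >> p) & 1:
                mask, rhs = mask ^ m, rhs ^ r
        if not mask:
            if rhs:
                return                          # 0 = 1: this guess is impossible
            continue
        p = mask.bit_length() - 1
        rows = [(q, m ^ mask, r ^ rhs) if (m >> p) & 1 else (q, m, r)
                for q, m, r in rows]
        rows.append((p, mask, rhs))
    free = [i for i in range(n) if i not in {p for p, _, _ in rows}]
    for bits in product((0, 1), repeat=len(free)):
        x = sum(b << i for i, b in zip(free, bits))
        for p, m, r in rows:                    # m holds only pivot p and free bits
            if (bin(m & x).count("1") & 1) != r:
                x |= 1 << p
        yield x

def invert(circuit, n, y):
    """All preimages of y with 2^K linear solves (K = number of AND gates): guess
    the value g_i of the left factor u_i of every gate; then z_i = g_i * v_i(x)
    is affine in x and the whole circuit is a linear system over F_2."""
    gates, outputs = circuit
    preimages = set()
    for guess in product((0, 1), repeat=len(gates)):
        wires = [(1 << i, 0) for i in range(n)]  # affine forms in x: (mask, const)
        def form(c):
            mask, const = 0, c[0]
            for ci, (wm, wc) in zip(c[1:], wires):
                if ci:
                    mask, const = mask ^ wm, const ^ wc
            return mask, const
        eqs = []
        for (cu, cv), g in zip(gates, guess):
            um, uc = form(cu)
            eqs.append((um, uc ^ g))            # u_i(x) == g_i
            vm, vc = form(cv)
            wires.append((vm * g, vc * g))      # z_i = g_i * v_i(x)
        for c, yj in zip(outputs, y):
            om, oc = form(c)
            eqs.append((om, oc ^ yj))           # output_j(x) == y_j
        preimages.update(solve_gf2(eqs, n))
    return preimages

N = 3
X1, X2, X3 = (var_tt(i, N) for i in range(N))
MAJ3 = (X1 & X2) ^ (X1 & X3) ^ (X2 & X3)       # x1x2 + x1x3 + x2x3, MC 1 expected
```

For MAJ3 the search reports $K = 1$ with a circuit such as $z = (x_1 + x_2)(x_1 + x_3)$ and output $z + x_1$ (the search order decides which of the equivalent one-gate circuits is returned); `invert` then recovers the preimages of 1, $\{3, 5, 6, 7\}$, from two linear systems, one per guess of $x_1 + x_2$. Every solution of a guessed system is a genuine preimage, because the guess itself is one of the equations, so no final re-evaluation is needed.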

Page 44:

Automated MC Reduction (figure only in the original)

Page 45:

Automated MC Reduction: Applied to the PRESENT S-box

MC=4

Further optimizations: Best-known bitslice implementation with 14 gates

Page 46:

Automated MC Reduction: 4-bit to 4-bit S-boxes

Applied to the 8 principal GOST S-boxes

GOST is a block cipher with a 256-bit key operating on 64-bit blocks (32 rounds)

The maximum MC over these S-boxes is 5

Page 47:

Automated MC Reduction: Applied to the Majority function, with bounds proven optimal

3 inputs

5 inputs

7 inputs

Page 48:

Automated MC Reduction (figure only in the original)

Page 49:

Optimization of Circuits wrt other metrics: We study three further, more complex metrics

Bitslice Gate Complexity: the minimum number of gates of type XOR, OR, AND (2-input) and NOT needed to compute a given circuit

(Relevant in bitslice implementation of block ciphers on standard CPUs)

Gate Complexity: The minimum number of 2-input gates of type XOR, AND, OR, NAND, NOR, NXOR needed to compute a given circuit

(Bitslice parallel-SIMD implementations of block ciphers)

NAND complexity: The minimum number of 2-input NAND gates required to compute a circuit

Page 50:

Optimization of Circuits wrt other metrics: The encoding part becomes trickier.

Consider six sorts of variables for this problem:

$x$: inputs of the truth table

$y$: outputs of the truth table

$q, q'$: inputs of internal gates

$t$: outputs of gates

$b, b', b''$: variables which define the function of a gate (of the form $b\,uv + b'(u + v) + b''$)

$a$: variables which will be the "unknown connections" between different gates

Page 51:

Optimization of Circuits wrt other metrics: Basic Idea

Each element of the set $S$ (as previously defined) can be a combination of other variables which corresponds to an allowed gate representation

Variables $a$ are used to ensure that the combination of two elements yields only one gate, i.e. to avoid extra XOR gates

THEODOSIS MOUROUZIS - 2015/16 51

Page 52: Multiplicative Complexity Reductions in Cryptography and … · 2015. 12. 3. · Notation Algebraic Normal Form of (or Zhegalkin polynomial) is defined by 𝒇𝒙 ,𝒙 ,…,𝒙𝒏=⊕𝑺⊆

Generic Optimization Encode the circuit as a straight-line problem

THEODOSIS MOUROUZIS - 2015/16 52

Page 53: Multiplicative Complexity Reductions in Cryptography and … · 2015. 12. 3. · Notation Algebraic Normal Form of (or Zhegalkin polynomial) is defined by 𝒇𝒙 ,𝒙 ,…,𝒙𝒏=⊕𝑺⊆

Generic Optimization Encode the circuit as a straight-line problem

Start with the input variables 𝑥1, 𝑥2, … , 𝑥𝑛 in the circuit and let S= {𝑥1, 𝑥2, … , 𝑥𝑛}

THEODOSIS MOUROUZIS - 2015/16 53

Page 54: Multiplicative Complexity Reductions in Cryptography and … · 2015. 12. 3. · Notation Algebraic Normal Form of (or Zhegalkin polynomial) is defined by 𝒇𝒙 ,𝒙 ,…,𝒙𝒏=⊕𝑺⊆

Generic Optimization Encode the circuit as a straight-line problem

Start with the input variables 𝑥1, 𝑥2, … , 𝑥𝑛 in the circuit and let S= {𝑥1, 𝑥2, … , 𝑥𝑛}

Write q = 𝑎1𝑥1 + 𝑎2𝑥2 +⋯+ 𝑎|𝑆|𝑥|𝑆| and q' = 𝑎1′𝑥1 + 𝑎2′𝑥2 +⋯+ 𝑎 𝑆 ′𝑥|𝑆| where exactly one from each 𝑎𝑖𝑠 and a𝑖

′𝑠 is allowed to be 1

THEODOSIS MOUROUZIS - 2015/16 54

Page 55: Multiplicative Complexity Reductions in Cryptography and … · 2015. 12. 3. · Notation Algebraic Normal Form of (or Zhegalkin polynomial) is defined by 𝒇𝒙 ,𝒙 ,…,𝒙𝒏=⊕𝑺⊆

Generic Optimization Encode the circuit as a straight-line problem

Start with the input variables 𝑥1, 𝑥2, … , 𝑥𝑛 in the circuit and let S= {𝑥1, 𝑥2, … , 𝑥𝑛}

Write q = 𝑎1𝑥1 + 𝑎2𝑥2 +⋯+ 𝑎|𝑆|𝑥|𝑆| and q' = 𝑎1′𝑥1 + 𝑎2′𝑥2 +⋯+ 𝑎 𝑆 ′𝑥|𝑆| where exactly one from each 𝑎𝑖𝑠 and a𝑖

′𝑠 is allowed to be 1

Generic Optimization

Encode the circuit as a straight-line program:

1. Start with the input variables $x_1, x_2, \ldots, x_n$ of the circuit and let $S = \{x_1, x_2, \ldots, x_n\}$.

2. Write $q = a_1 x_1 + a_2 x_2 + \cdots + a_{|S|} x_{|S|}$ and $q' = a'_1 x_1 + a'_2 x_2 + \cdots + a'_{|S|} x_{|S|}$, where exactly one of the $a_i$'s and exactly one of the $a'_i$'s is allowed to be 1.

3. Write $t = b\,qq' + b'\,(q + q') + b''$.

4. Insert $t$ in $S$ and repeat, generating $K$ such variables.

5. Write affine equations that make each output of the circuit an affine combination of elements of $S$.

6. Substitute all input/output pairs from the truth table of the circuit to generate more equations.

7. Convert to CNF and solve using a SAT solver.
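The search that steps 1 to 7 hand to a SAT solver, as an added example that is not the slides' or the cited papers' code: it exhausts the same space directly (every choice of the unknown bits $a_i$, $a'_i$, $b'$, $b''$) for a tiny constructed target, the 3-input majority function, and returns the smallest $K$ for which a program exists. It assumes the general form of the encoding from Courtois, Hulme and Mourouzis (references [4] to [7]), in which any subset of the $a_i$'s and of the $a'_i$'s may be 1, and it fixes $b = 1$ because a gate with $b = 0$ is affine and would waste one of the $K$ nonlinear steps. The function names (find_program, multiplicative_complexity, evaluate) are the example's own.

```python
from itertools import product


def input_tables(n):
    """Truth table of each input x_i as a 2^n-bit integer: bit r of the table is
    the value on input row r, where bit i of r is the value of x_{i+1}."""
    rows = 1 << n
    return [sum(((r >> i) & 1) << r for r in range(rows)) for i in range(n)]


def table_of(f, n):
    """Truth table (same convention) of a Python function f(x_1, ..., x_n) -> bit."""
    rows = 1 << n
    return sum((f(*[(r >> i) & 1 for i in range(n)]) & 1) << r for r in range(rows))


def linear_combo(S, mask):
    """XOR of the tables in S selected by mask: the step q = a_1 x_1 + ... + a_|S| x_|S|."""
    acc = 0
    for i, s in enumerate(S):
        if (mask >> i) & 1:
            acc ^= s
    return acc


def affine_span(S, full):
    """Every affine combination over F2 of the tables in S, mapped to (mask, const)."""
    span = {}
    for mask in range(1 << len(S)):
        v = linear_combo(S, mask)
        span.setdefault(v, (mask, 0))
        span.setdefault(v ^ full, (mask, 1))
    return span


def find_program(targets, n, K):
    """Straight-line program with exactly K gates t = q*q' + b'*(q + q') + b''
    (b fixed to 1) whose outputs are affine in S, or None if there is none.
    gates[k] = (a_mask, a'_mask, b, b', b''); outputs[j] = (mask over S, const)."""
    full = (1 << (1 << n)) - 1

    def rec(S, k):
        if k == K:
            span = affine_span(S, full)          # step 5: outputs affine in S
            if all(t in span for t in targets):  # step 6: holds on every truth-table row
                return [], [span[t] for t in targets]
            return None
        m = len(S)
        for a, a2 in product(range(1, 1 << m), repeat=2):
            if a > a2:          # q*q' and q+q' are symmetric in q and q'
                continue
            q, q2 = linear_combo(S, a), linear_combo(S, a2)
            for b2, b3 in product((0, 1), repeat=2):
                t = (q & q2) ^ ((q ^ q2) if b2 else 0) ^ (full if b3 else 0)
                found = rec(S + [t], k + 1)      # step 4: insert t in S and repeat
                if found is not None:
                    gates, outs = found
                    return [(a, a2, 1, b2, b3)] + gates, outs
        return None

    return rec(input_tables(n), 0)


def multiplicative_complexity(targets, n, max_k=2):
    """Smallest K <= max_k for which a program exists, with a witness program."""
    for K in range(max_k + 1):
        found = find_program(targets, n, K)
        if found is not None:
            return K, found
    return None


def evaluate(gates, outputs, n):
    """Replay a witness on all 2^n inputs, independently of the search."""
    full = (1 << (1 << n)) - 1
    S = input_tables(n)
    for a, a2, b, b2, b3 in gates:
        q, q2 = linear_combo(S, a), linear_combo(S, a2)
        S.append(((q & q2) if b else 0) ^ ((q ^ q2) if b2 else 0) ^ (full if b3 else 0))
    return [linear_combo(S, mask) ^ (full if c else 0) for mask, c in outputs]


if __name__ == "__main__":
    # Constructed target: MAJ(x1, x2, x3) = x1x2 + x1x3 + x2x3 (three ANDs in its ANF).
    maj = table_of(lambda x1, x2, x3: (x1 & x2) ^ (x1 & x3) ^ (x2 & x3), 3)
    K, (gates, outs) = multiplicative_complexity([maj], 3)
    print("MC(MAJ) =", K, "witness gates:", gates, "outputs:", outs)  # MC(MAJ) = 1
    assert evaluate(gates, outs, 3) == [maj]
```

On the majority function the search reports $K = 1$ with the witness $t = (x_1 + x_2)(x_1 + x_3)$ and output $\mathrm{MAJ} = t + x_1$, so three ANDs in the ANF collapse to one. Each gate multiplies the search space by roughly $(2^{|S|})^2$, which is why the slides hand the unknown bits to a SAT solver instead of enumerating them once $n$ or $K$ grows.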


Optimization of Circuits wrt other metrics

Applied to the CTC S-box (3 bits to 3 bits):

- Bitslice gate complexity is 8

- Gate complexity is 6

- NAND complexity is 12


MC Reductions in Cryptanalysis

Investigation of how reduction of MC affects algebraic attacks

We applied this in two ciphers

- GOST block cipher (high MC – 71=5*8+31 per round)

- SIMON block cipher (low MC – 32 per round)


GOST block cipher

The official encryption standard of the Russian Federation

Developed in the 1970s

- First "Top Secret" algorithm

- Downgraded to "Secret" in 1990 and declassified in 1994

Much cheaper than DES and AES


GOST block cipher

Widely implemented and used:

- Crypto++

- OpenSSL

- RSA Labs

- Central Bank of Russia


GOST block cipher

Feistel structure

- 256-bit key, 32 rounds

Round function

- Key insertion via modular addition modulo $2^{32}$

- Eight 4-bit to 4-bit S-boxes (can be kept secret, giving a 354 + 256-bit key)

- Left rotation by 11 positions

Very simple key schedule


GOST block cipher

More efficient representations could speed up algebraic attacks

Based on this idea we optimize the number of AND gates in the representation of a cipher and then try an algebraic attack

In our research, we used SAT solvers


MC Reductions in Cryptanalysis

We applied an algebraic attack to an optimized version (wrt MC) of GOST cipher using SAT solvers

1. Write all the equations in their ANF

2. For the S-boxes use the optimized versions (wrt MC). For modular addition use the following encoding, which is optimal.


MC Reductions in Cryptanalysis

3. For each input of each AND gate we add one new variable. All the other gates give linear equations over $\mathbb{F}_2$

4. Convert to CNF using off-the-shelf software

5. Solve using SAT solver

We can solve for the key up to 6 rounds in 10 seconds.
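The modular-addition encoding that step 2 refers to sits on a slide image that did not survive extraction. What follows is an added example, not the slides' own code, showing the standard one-AND-per-carry encoding of addition modulo $2^n$ (carry $c_{i+1} = \mathrm{MAJ}(a_i, b_i, c_i) = (a_i + c_i)(b_i + c_i) + c_i$, with the final carry-out dropped) and printing the gate equations that step 3 turns into an $\mathbb{F}_2$ system. It uses 31 AND gates for GOST's 32-bit key addition, which matches the 31 in the $71 = 5 \cdot 8 + 31$ per-round count given earlier. The variable names ($a_i$, $b_i$, $t_k$), the function names and the check values are the example's own.

```python
def adder_program(n):
    """Gates for (a + b) mod 2^n on inputs a0..a{n-1}, b0..b{n-1} (bit 0 = LSB).
    Each gate is (out, op, u, v) with op 'XOR' or 'AND'. The carry is computed as
    MAJ(a, b, c) = ((a + c)(b + c)) + c, one AND per bit, and the carry out of the
    top bit is never built because it is discarded modulo 2^n."""
    gates, counter = [], [0]

    def gate(op, u, v):
        counter[0] += 1
        out = f"t{counter[0]}"          # every gate output is a fresh variable
        gates.append((out, op, u, v))
        return out

    outputs, carry = [], None
    for i in range(n):
        a, b = f"a{i}", f"b{i}"
        s = gate("XOR", a, b)
        outputs.append(s if carry is None else gate("XOR", s, carry))
        if i < n - 1:
            if carry is None:
                carry = gate("AND", a, b)
            else:
                carry = gate("XOR",
                             gate("AND", gate("XOR", a, carry), gate("XOR", b, carry)),
                             carry)
    return gates, outputs


def and_count(gates):
    """Number of AND gates: the only gates that yield nonlinear equations in step 3."""
    return sum(1 for g in gates if g[1] == "AND")


def anf_equations(gates):
    """Render the system as step 3 does: XOR gates give linear equations over F2,
    each AND gate gives one quadratic equation (in this example's encoding the
    gate output is the new variable)."""
    return [f"{out} = {u} {'*' if op == 'AND' else '+'} {v}" for out, op, u, v in gates]


def run(gates, outputs, env):
    """Evaluate the program on a concrete assignment of the input bits."""
    env = dict(env)
    for out, op, u, v in gates:
        env[out] = env[u] & env[v] if op == "AND" else env[u] ^ env[v]
    return [env[o] for o in outputs]


def add_via_program(n, x, y):
    """Add two n-bit integers through the gate program and return the integer result."""
    env = {}
    for i in range(n):
        env[f"a{i}"] = (x >> i) & 1
        env[f"b{i}"] = (y >> i) & 1
    gates, outputs = adder_program(n)
    bits = run(gates, outputs, env)
    return sum(bit << i for i, bit in enumerate(bits))


if __name__ == "__main__":
    gates32, _ = adder_program(32)
    print("AND gates for 32-bit modular addition:", and_count(gates32))  # 31
    print("\n".join(anf_equations(adder_program(3)[0])))   # the 3-bit system, for reading
    x, y = 0xDEADBEEF, 0x12345678                            # constructed check values
    assert add_via_program(32, x, y) == (x + y) % 2**32
```

The XOR gates cost nothing in MC and become linear equations the solver eliminates cheaply; only the 31 AND outputs per addition are genuinely new unknowns, which is what an MC-optimized representation of the round function buys the SAT solver.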


MC Reductions in Cryptanalysis


MC Reductions in Cryptanalysis

MC reductions might yield better results in algebraic attacks

MC Reduction as pre-processing in algebraic attacks


Application on SIMON

Proposed by NSA in June 2013

Optimized for performance in hardware implementation

Feistel cipher


Algebraic attack on the SIMON cipher, which has very low MC (32 per round)

- 10 of 44 rounds broken faster than brute force using SAT solvers (with truncated differentials of low Hamming distance)

- No key guessing is required

- No sufficient guess-then-determine strategy was found to break more rounds


Possible Future Directions

Determine better guess-then-determine techniques that might reduce the MC

Determine the relation between the number of (P,C) pairs, MC reduction, and the efficiency of a solver in breaking a cipher up to R rounds

Formalize the relation between MC and truncated differential properties of a cipher


References

[1] Boyar, J., Matthews, P., & Peralta, R. (2013). Logic minimization techniques with applications to cryptology. Journal of Cryptology, 26(2), 280-312.

[2] Boyar, J., & Peralta, R. (2010). A new combinational logic minimization technique with applications to cryptology. In Experimental Algorithms (pp. 178-189). Springer Berlin Heidelberg.

[3] Boyar, J., & Peralta, R. (2013). Four Measures of Nonlinearity. In Algorithms and Complexity (pp. 61-72). Springer Berlin Heidelberg.

[4] Courtois, N., Hulme, D., & Mourouzis, T. (2011). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. IACR Cryptology ePrint Archive,2011, 475.

[5] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. SHARCS Workshop, 2012.

[6] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Multiplicative Complexity and Solving Generalized Brent Equations With SAT Solvers. In COMPUTATION TOOLS 2012, The Third International Conference on Computational Logics, Algebras, Programming, Tools, and Benchmarking (pp. 22-27).

[7] Courtois, N., Mourouzis, T., & Hulme, D. (2013). Exact Logic Minimization and Multiplicative Complexity of Concrete Algebraic and Cryptographic Circuits. International Journal On Advances in Intelligent Systems, 6(3 and 4), 165-176.

[8] Mourouzis, T. (2015). Optimizations in Algebraic and Differential Cryptanalysis (Doctoral dissertation, UCL (University College London)).
