Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf ·...
Transcript of Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf ·...
![Page 1: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/1.jpg)
Nicolas T. CourtoisUniversity College London, UK
Block Ciphers: Lessons from the
Cold War
T-310
![Page 2: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/2.jpg)
Block Cipher Invariants
2
Topics:
Part 1: Lessons from Cold War: see • Nicolas Courtois, Jörg Drobick and Klaus Schmeh:
"Feistel ciphers in East Germany in the communist era," In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.
Part 2: NonLinear Cryptanalysis:– Attacks with polynomial invariants
• Product attack [P*Q*R*…] = very powerful
![Page 3: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/3.jpg)
Block Cipher Invariants
3
Topics:
Part 1: Lessons from Cold War: see • Nicolas Courtois, Jörg Drobick and Klaus Schmeh:
"Feistel ciphers in East Germany in the communist era," In Cryptologia, vol. 42, Iss. 6, 2018, pp. 427-444.
Part 2: NonLinear Cryptanalysis:– Attacks with polynomial invariants
• Product attack [P*Q*R*…] = very powerful
– References: • Courtois @Crypto 2004
• (NEW) eprint/2018/1242
• few more…
![Page 4: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/4.jpg)
Block Cipher Invariants
4
Dr. Nicolas T. Courtois
blog.bettercrypto.com
![Page 5: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/5.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
5
Question 1:Why 0% of symmetric encryption
used in practice areprovably secure?
![Page 6: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/6.jpg)
A New Frontier in Symmetric Cryptanalysis
6
Provably Secure Encryption!
Based on MQ Problem. Dense MQ is VERY hard. Best attack ≈ 20.8765n
• top of the top hard problem.• for both standard and PQ crypto
=> Allows to build a provably secure stream cipher based on MQ directly!
C. Berbain, H. Gilbert, and J. Patarin:
QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005
mqchallenge.org FXL/Joux 2017/372
![Page 7: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/7.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
7
Question 2:Why researchers have found
so few attacks on block ciphers?
![Page 8: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/8.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
8
Question 2:Why researchers have found
so few attacks on block ciphers?
“mystified by complexity” lack of working examples: how a NL attack actually looks like??
-for a long time I thought it would about some irreducible polynomials-
![Page 9: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/9.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
9
Cryptanalysis=def=Making the impossible possible.
How? two very large polynomials are simply equal
![Page 10: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/10.jpg)
Crypto Currencies
10
![Page 11: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/11.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
11
Russian Translation:
code breakers ==
взломщики кодов
![Page 12: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/12.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
12
History: Cold WarRussia vs. USA
![Page 13: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/13.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
13
Cold War
Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…
[Source: Cryptologia, interviews by David Kahn with gen. Andreev=first head of FAPSI=Russian NSA]
Example: In 1967 GRU (Soviet Intelligence) was intercepting cryptograms from 115 countries, using 152 cryptosystems, and among these they broke 11 codes and “obtained” 7 other codes.
![Page 14: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/14.jpg)
Code Breakers
14
Compromise of Old Crypto
• USS Pueblo / North Korea Jan 1968
![Page 15: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/15.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
15
US/NATO crypto broken
Russia broke the NATO KW-7 cipher machine: Walker spy ring, rotors+keys,
• paid more than 1M USD (source: NSA)
• “greatest exploit in KGB history”
• allowed Soviets to “read millions”of US messages [1989, Washington Post]
![Page 16: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/16.jpg)
Bugs or Backdoors?
16
1970sModern block ciphers are born.
In which country??
Who knows…
![Page 17: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/17.jpg)
Backdoors
Nicolas T. Courtois17
Our Sources
![Page 18: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/18.jpg)
Backdoors
Nicolas T. Courtois18
MfS Abteilung 11 = ZCO = Zentrales Chiffrierorgan
der DDR
![Page 19: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/19.jpg)
Backdoors
Nicolas T. Courtois19
Our Sources
BStU = Stasi Records Agency
ZCO = Zentrales Chiffrierorgan
der DDR
![Page 20: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/20.jpg)
Bugs or Backdoors?
20
Boolean Functions Expertise: Imported
![Page 21: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/21.jpg)
Block Cipher Invariants
21
Algebraic Cryptanalysis – 1927The real inventor of the
ANF = Algebraic Normal Form, see
en.wikipedia.org/wiki/Zhegalkin_polynomial
Russian mathematician and logician
Ива́н Ива́нович Жега́лкин [Moscow State University]
“best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2”
Bn,+,*
![Page 22: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/22.jpg)
Bugs or Backdoors?
22
Cipher Class Alpha –1970s
Who invented Alpha? [full document not avail.]
![Page 23: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/23.jpg)
T-310
Nicolas T. Courtois23
East German T-310
240 bits
long-term secret 90 bits only!
“quasi-absolute security” [1973-1990]
has a physical
RNG=>IV
![Page 24: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/24.jpg)
Backdoors
Nicolas T. Courtois24
Contracting Feistel [1970s Eastern Germany!]
1 round
of T-310φ
![Page 25: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/25.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
25
Differential Cryptanalysis
(DC)
![Page 26: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/26.jpg)
Security of DES (overview)
26
“Official” History
• Davies-Murphy attack [1982=classified, published in 1995] = early LC
• Shamir Paper [1985]……… early LC
• Differential Cryptanalysis :Biham-Shamir [1991]
• Linear Cryptanalysis: Gilbert and Matsui [1992-93]
![Page 27: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/27.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
27
IBM USA 1970s
Wikipedia DC entry says:
[…] IBM had discovered differential cryptanalysis on its own
[…] IBM have agreed with the NSA that the design criteria of DES should not be made public.
![Page 28: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/28.jpg)
Bugs or Backdoors?
28
One form of DC was known in 1973!
![Page 29: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/29.jpg)
Roadmap
29
Open Problem
– Backdoor symmetric encryption?
![Page 30: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/30.jpg)
Backdoors
30
How to Backdoor T-310 [1st method]
bad long-term
key
omit just 1 out of 40 conditions: ciphertext-only
![Page 31: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/31.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
31
Linear Cryptanalysis
(LC)
![Page 32: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/32.jpg)
Security of DES (overview)
32
LC “Official” History
• Davies-Murphy attack [1982=classified, published in 1995] = early LC
• Shamir Paper [1985]……… early LC
• Differential Cryptanalysis : Biham-Shamir [1991]
• Linear Cryptanalysis: Gilbert and Matsui [1992-93]
![Page 33: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/33.jpg)
Bugs or Backdoors?
33
LC at ZCO - 1976!
![Page 34: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/34.jpg)
Backdoors
Nicolas T. Courtois34
Contracting Feistel [1970s Eastern Germany!]
1 round of T-310
φ
![Page 35: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/35.jpg)
Backdoors
35
LC Method to Backdoor T-310
bad long-term key1,3,5 => 1,3,5 P=1
703P=7,14,33,23,18,36,5,2,9,16,30,12,32,26,21,1,13,25,20,8,24,15,22,29,10,28,6D=0,4,24,12,16,32,28,36,20
![Page 36: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/36.jpg)
Backdoors
36
Shamir 1985
x_2 y_1 y_2 y_3 y_4 .
Common to all S-boxes !!!!
Super strong pty, See our paper:
Courtois, Goubin, Castagnos eprint/2003/184
![Page 37: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/37.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
37
revisiting crypto history
AdvancedDifferential Cryptanalysis
![Page 38: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/38.jpg)
Bugs or Backdoors?
38
Higher Order Differentials – 1976 !
Higher Order:
![Page 39: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/39.jpg)
Bugs or Backdoors?
39
Same as Today’s Cube Attack
.
.
.
![Page 40: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/40.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
40
Part 2
GeneralizedLinear Cryptanalysis
(GLC)
![Page 41: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/41.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
41
Scope
We study how an encryption function of a block cipher acts on
polynomials.
Stop, this is extremely complicated???
![Page 42: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/42.jpg)
Block Cipher Invariants
Main Problem:Two polynomials P => Q.
P(x1,…)
Q(y1,…)
is P=Q possible??
“Invariant Theory” [Hilbert]: set of all invariants for any block cipher forms a [graded] finitely generated [polynomial] ring. A+B; A*B
![Page 43: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/43.jpg)
Bugs or Backdoors?
43
Generalised Linear Cryptanalysis= GLC =
[Harpes, Kramer and Massey, Eurocrypt’95]
![Page 44: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/44.jpg)
Bugs or Backdoors?
44
Connecting Non-Linear Approxs.Black-Box Approach [Popular]
Non-linear functions.
F(x1,…)
G(x1,…) H(y1,…)
I(z1,…)
![Page 45: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/45.jpg)
Bugs or Backdoors?
45
GLC and Feistel Ciphers ?
[Knudsen and Robshaw, EuroCrypt’96
“one-round approximations that are non-linear […] cannot be joined together”…
At Crypto 2004 Courtois shows that GLC is in fact possible for Feistel schemes!
![Page 46: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/46.jpg)
Bugs or Backdoors?
46
BLC better than LC for DES
Better than the best existing linear attack of Matsui
for 3, 7, 11, 15, … rounds.
Ex: LC 11 rounds:
BLC 11 rounds:
![Page 47: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/47.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
47
Phase Transition=def=Making the impossible possible.
How? Use polynomials of higher degree
![Page 48: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/48.jpg)
Block Cipher Invariants
48
Better Is Enemy of Good!DES = Courtois @ Crypto 2004 :
proba=1.0
deg 1
deg 2
deg 10
![Page 49: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/49.jpg)
Bugs or Backdoors?
49
New White Box Approach
[Courtois 2018]
F(inputs) = F(outputs) with probability 1.
Formal equality of 2 polynomials.
![Page 50: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/50.jpg)
GOST, Self-Similarity and Cryptanalysis of Block Ciphers
50
shocking discovery
Eastern Bloc Ciphersare WEAK w.r.t.
our Attack
1. Closed Loops2. Key Entropy per Round
![Page 51: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/51.jpg)
Code Breakers
Nicolas T. Courtois, 201251
Military Enigma[1930s]
stecker=plugboard
[after 1929]
![Page 52: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/52.jpg)
Code Breakers
Nicolas T. Courtois, 201252
Enigma Stecker
Huge challenge for code breakers
*common point in all good Enigma attacks: eliminate the stecker, “chaining techniques”…also for Abwehr
![Page 53: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/53.jpg)
Bugs or Backdoors?
Nicolas T. Courtois, 201253
Double Encryption Method – Big Mistake
15 Sept 1938 - 1 May 1940
E
3 digit « random »message key
9-digit header
repeat twicedaily settings: -rotors I III IV-ring settings-random start
3
3
3
3
33
«random IV »
![Page 54: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/54.jpg)
GOST 28148-89
Developed in 1970s…
– First "Top Secret" / Type 1 algorithm.
• Declassified in 1994.
Bugs or Backdoors? 54
![Page 55: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/55.jpg)
Block Cipher Invariants
55
Closed Loops
In GOST block cipher:
highlyvulnerable!
![Page 56: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/56.jpg)
Block Cipher Invariants
56
Closed Loops - DES
![Page 57: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/57.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
57
Big Winner
“product attack”
a product of Boolean polynomials.
Claimed extremely powerful.Why?
@eprint/2018/1242
![Page 58: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/58.jpg)
Algebraic Attacks on Block Ciphers Nicolas T. Courtois
58
Key Remark:
To insure that P * R => P * R
we only need to make sure that P=>P but ONLY for a subspace
where R(inp)=1 and R(out)=1
![Page 59: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/59.jpg)
Block Cipher Invariants
59
Impossible?
“Only those who attempt the absurd will achieve the impossible.”
-- M. C. Escher
?
![Page 60: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/60.jpg)
Block Cipher Invariants
60
Cycles
![Page 61: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/61.jpg)
Block Cipher Invariants
61
Thm 5.5. In eprint/2018/1242 page 18.
P =ABCDEFGH
is invariant if and only if this polynomial vanishes:
Can a polynomial with 16 variables with 2 very complex Boolean functions just disappear?
![Page 62: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/62.jpg)
Block Cipher Invariants
62
Hard Becomes EasyPhase transition: eprint/2018/1242.
• When P degree grows, attacks become a
LOT easier.
• Degree 8: extremely strong:
15% success rate over the choice of a random Boolean function and with P =ABCDEFGH.
![Page 63: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/63.jpg)
Block Cipher Invariants
63
*work for a fraction of keys
![Page 64: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/64.jpg)
Block Cipher Invariants
64
Degree 5 Attack on DESTheorem: Let P =
(1+L06+L07)*L12 * R13*R24*R28
IF
(1+c+d)*W2==0 and (1+c+d)*X2==0
e*W3==0 and f*Z3==0
ae*X7==0 and ae*Z7==0
THEN P is an invariant for
2 rounds of DES.
![Page 65: Block Ciphers: Lessons from the Cold War - Nicolas Courtois › papers › ...War_US_Oct2019.pdf · Cold War Cold War: Soviet Union was breaking codes and employed at least 100 cryptologists…](https://reader034.fdocuments.in/reader034/viewer/2022042401/5f102b397e708231d447c8f4/html5/thumbnails/65.jpg)
Better Card-only Attacks on Mifare Classic
Nicolas T. Courtois, 2009-1765
East vs. West Block Ciphers