
    Two philosophies for solving non-linear equations in algebraic cryptanalysis

    Algebraic Cryptanalysis [45] is concerned with solving particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in the cryptanalytic literature: the XL and XSL methods, Gröbner bases, SAT solvers, and many others. In this paper we survey these methods and point out that the main working principle in all of them is essentially the same: one quantity grows faster than another quantity, which leads to a “phase transition” after which the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis. We also point out that there exists a second, more general way of formulating algebraic attacks through dedicated coding techniques which introduce redundancy by adding new variables. This opens numerous new possibilities for the attackers and leads to interesting optimization problems where the existence of interesting equations may be somewhat deliberately engineered by the attacker.

    Random Permutation Statistics and An Improved Slide-Determine Attack on KeeLoq

    KeeLoq is a lightweight block cipher which is extensively used in the automotive industry. Its periodic structure and overall simplicity make it vulnerable to many different attacks. Only certain attacks are considered really "practical" attacks on KeeLoq: brute force, and several other attacks which require up to 2^16 known plaintexts and are then much faster than brute force, developed by Courtois et al. and (a faster attack) by Dunkelman et al. On the other hand, due to the unusually small block size, there are many other attacks on KeeLoq which require the knowledge of as many as about 2^32 known plaintexts but are much faster still. There are many scenarios in which such attacks are of practical interest, for example if a master key can be recovered; see Section 2 in [11] for a detailed discussion. The fastest of these attacks is an attack by Courtois, Bard and Wagner that has a very low complexity of about 2^28 KeeLoq encryptions on average. In this paper we propose an improved and refined attack which is faster both on average and in the best case. We also present an exact mathematical analysis of the probabilities that arise in these attacks using the methods of modern analytic combinatorics.

    A nonlinear invariant attack on T-310 with the original Boolean function

    There are numerous results on nonlinear invariant attacks on T-310. In all such attacks found so far, both the Boolean functions and the cipher wiring were contrived and chosen by the attacker. In this article, we show how to construct an invariant attack with the original Boolean function that was used to encrypt government communications in the 1980s.

    Systematic Construction of Nonlinear Product Attacks on Block Ciphers

    A major open problem in block cipher cryptanalysis is the discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310, or for DES with modified S-boxes. Until now such attacks have been hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract the attack from any particular block cipher. We study these attacks in terms of transformations on multivariate polynomials. We demonstrate how numerous variables, including key variables, may sometimes be eliminated, so that at the end two very complex Boolean polynomials become equal. We present a general construction of an attack where we multiply all the polynomials lying on one or several cycles. Then, under suitable conditions, the non-linear functions involved are eliminated totally. We obtain a periodic invariant property holding for any number of rounds. A major difficulty with invariant attacks is that they typically work only for some keys. In T-310 our attack works for any key, and also in spite of the presence of round constants.

    Stealth address and key management techniques in blockchain systems

    Bitcoin is an open source payment system with a market capitalization of about 15 billion USD. Over the years several key management solutions have been proposed to enhance Bitcoin. The common characteristic of these techniques is that they allow one to derive public keys independently of the private keys, such that these keys match. In this paper we overview the historical development of such techniques, and specify and compare all major variants proposed or used in practical systems. We show that such techniques can be designed based on 2 distinct ECC arithmetic properties, and how to combine both. A major trend in blockchain systems is to use Stealth Address (SA) techniques to make different payments made to the same payee unlinkable. We review all known SA techniques and show that early variants are less secure. Finally we propose a new SA method which is more robust against leakage and against various attacks.
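    The "two ECC arithmetic properties" the abstract alludes to can be shown with a small worked example. The Python below is an added illustration for this listing, not code from the paper or from any Bitcoin project: it implements textbook secp256k1 arithmetic and a dual-key stealth address (scan key a with A = a*G, spend key b with B = b*G, payer's ephemeral key R = r*G) in both the additive form P' = B + h*G and the multiplicative form P' = h*B, where h is a hash of the ECDH shared secret r*A = a*R. The function names, the hash-to-scalar construction and the sample scalars are assumptions made for the demonstration.

```python
"""Stealth-address key derivation over secp256k1.

Added worked example (not the paper's construction): the payer derives a
one-time public key P' for the payee from the payee's public keys alone,
and the payee derives the matching private key b' from private keys alone.
Two EC properties make this possible:
  additive:        P' = B + h*G   matches   b' = (b + h) mod N
  multiplicative:  P' = h*B       matches   b' = (h*b) mod N
Here h = H(shared secret), computed by the payer as H(r*A) and by the
payee as H(a*R), where R = r*G is published alongside the payment.
"""
import hashlib
import secrets

# secp256k1 domain parameters (field prime, group order, generator).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_scalar(pt):
    """h = SHA-256(x || y) mod N. Hypothetical choice; a deployed scheme
    must fix point encoding and domain separation explicitly."""
    data = pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def payer_derive(A, B, mode, r=None):
    """Payer side: from the payee's public scan key A and spend key B,
    produce (R, P') where P' is the one-time destination key. r is the
    ephemeral secret; a fresh random one is drawn if none is given."""
    if r is None:
        r = 1 + secrets.randbelow(N - 1)
    R = ec_mul(r, G)
    h = hash_to_scalar(ec_mul(r, A))      # ECDH shared secret r*A
    if mode == "add":
        Pp = ec_add(B, ec_mul(h, G))      # P' = B + h*G
    elif mode == "mul":
        Pp = ec_mul(h, B)                 # P' = h*B
    else:
        raise ValueError(mode)
    return R, Pp


def payee_derive(a, b, R, mode):
    """Payee side: recover the private key b' matching P'. Only the scan
    key a is needed to detect the payment; b is needed to spend it."""
    h = hash_to_scalar(ec_mul(a, R))      # a*R == r*A, same secret
    if mode == "add":
        return (b + h) % N
    if mode == "mul":
        return (h * b) % N
    raise ValueError(mode)


def demo(a, b, r, mode):
    """Run one payment end to end; True iff the derived keys match."""
    A, B = ec_mul(a, G), ec_mul(b, G)
    R, Pp = payer_derive(A, B, mode, r)
    bp = payee_derive(a, b, R, mode)
    return ec_mul(bp, G) == Pp


if __name__ == "__main__":
    # Constructed sample scalars; real keys are 256-bit random values.
    for mode in ("add", "mul"):
        print(mode, demo(a=0x1234, b=0x5678, r=0x9ABC, mode=mode))
```

    Only the scan key a is needed to recognise an incoming payment, so it can live on an online watcher while the spend key b stays offline; in the multiplicative form, b' = h*b reveals b to anyone who learns both b' and h, which is one reason the additive form is the usual choice.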

    Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310

    One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties for block ciphers. In this article, we study nonlinear polynomial invariant attacks. The number of such attacks grows as 2^(2^n) and systematic exploration is not possible. The main question is how we find such attacks. We have developed a constructive algebraic approach that is about making sure that a certain combination of polynomial equations is zero. We work by progressive elimination of specific variables in polynomial spaces, and we show that one can totally eliminate big chunks of the cipher circuit. As an application, we present several new attacks on the historical T-310 block cipher, which has particularly large hardware complexity and a very large number of rounds compared with modern ciphers such as AES. However, all this complexity is not that useful if we are able to construct new types of polynomial invariant attacks that work for any number of rounds.

    Can a Differential Attack Work for an Arbitrarily Large Number of Rounds?

    Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is a substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively little research on how block cipher wiring can be very special or abnormal. In this article we show a strong type of anomaly, where the complexity of a differential attack does not grow exponentially as the number of rounds increases: it grows initially, and is later lower bounded by a constant. At the end of the day the vulnerability is an ordinary single differential attack on the full state. It occurs due to the existence of a hidden polynomial invariant. We conjecture that this type of anomaly is not easily detectable if the attacker has limited resources.

    Low-Complexity Key Recovery Attacks on GOST Block Cipher

    GOST is a well-known Russian government block cipher. Until 2010, there was no attack on GOST used in encryption, cf. [9]. More recently, quite a few distinct key recovery attacks on full GOST have been found: [1-4, 6, 7]. Most of these attacks work by so-called “complexity reduction” [1]; they reduce the problem of breaking the full 32-round GOST to an attack with 2, 3 or 4 known plaintexts (KP) for 8 rounds of GOST. In this article, we develop an alternative last step for these attacks. We present a new meet-in-the-middle attack for eight rounds, which is faster than any previous attack. Then we present a guess-then-determine attack implemented in software using a SAT solver, which, for the same running time, requires much less memory. As a result we are able to improve various attacks from [1, 3] by a factor of up to 2^26.

    Construction of a polynomial invariant annihilation attack of degree 7 for T-310

    Cryptographic attacks are typically constructed by black-box methods and combinations of simpler properties, for example in [Generalised] Linear Cryptanalysis. In this article, we work with a more recent white-box algebraic-constructive methodology. Polynomial invariant attacks on a block cipher are constructed explicitly through the study of the space of Boolean polynomials, which does not have unique factorisation, and by solving the so-called Fundamental Equation (FE). Some recent invariant attacks are quite symmetric and exhibit some sort of clear structure, or work only when the Boolean function is degenerate. As a proof of concept, we construct an attack where a highly irregular product of seven polynomials is an invariant for any number of rounds of T-310, under certain conditions on the long term key and for any key and any IV. A key feature of our attack is that it works for any Boolean function which satisfies a specific annihilation property. We evaluate very precisely the probability that our attack works when the Boolean function is chosen uniformly at random.

    Fault-Algebraic Attacks on Inner Rounds of DES

    Presentation given at eSmart 2010.
    - Fault attacks on inner rounds of DES with a protected implementation
    - How to adapt (recent) algebraic attacks to DES with too few faulty ciphertexts
    - A new DFA attack on inner rounds faster than brute force