Improving Integral Cryptanalysis against Rijndael with Large Blocks

(1)

HAL Id: inria-00423681

https://hal.inria.fr/inria-00423681

Submitted on 12 Oct 2009

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Improving Integral Cryptanalysis against Rijndael with Large Blocks

Marine Minier, Benjamin Pousse

To cite this version:

Marine Minier, Benjamin Pousse. Improving Integral Cryptanalysis against Rijndael with Large Blocks. [Research Report] 2009. �inria-00423681�

(2)

a p p o r t

d e r e c h e r c h e

ISSN0249-6399ISRNINRIA/RR--????--FR+ENG

Thème COM

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

Improving Integral Cryptanalysis against Rijndael with Large Blocks

Marine Minier — Benjamin Pousse

N° ????

Octobre 2009

(3)

(4)

Unité de recherche INRIA Rhône-Alpes

655, avenue de l’Europe, 38334 Montbonnot Saint Ismier (France)

Téléphone : +33 4 76 61 52 00 — Télécopie +33 4 76 61 52 52

Marine Minier , BenjaminPousse

ThèmeCOM Systèmesommuniants

ProjetsSWING

Rapportdereherhe n° ???? Otobre200911pages

Abstrat: This report presents new four-round integral properties against the Rijndael ipher with blok

sizes largerthan128bits. Usinghigher-ordermultisetdistinguishersandotherwell-knownextensionsofthose

properties,thededuedattaksreahupto7and8roundsofRijndaelvariantswith160upto256-bitbloks.

Forexample,a7-roundsattakagainstRijndael-224hasatimeomplexityequalto2⁸⁰^.

Key-words: blokipher,ryptanalysis,integralattaks,Rijndael-b

(5)

Résumé: Ce rapportprésentedenouvellespropriétésintégralespourlesvariantesdeRijndaelpourdesblos

detaillessupérieuresà128bits. Enutilisantdesdistingueurspartiuliersetdesextensionsd'attaquesonnues,

lespropriétésdéduitespermettentd'attaquer7et 8étagesdeRijndael.

Mots-lés : hirementparblos,ryptanalyses,attaquesintégrales,Rijndael-b

(6)

1 Introdution

Rijndael-bîsân^SPN^blokîpher^designed^by^Vinent^Rijmenând^Joan^Daemen^[4℄. Ît^has^been^hosenâs^the

new advaned enryption standardbytheNIST[6℄with a128-bitbloksize andavariablekeylength,whih

an be set to 128, 192or 256bits. In itsfull version,the bloklengths b ^and ^the^key^lengths N k ^an ^range

from128upto256bitsinstepsof32bits,asdetailedin[3℄andin[8℄. Thereare25instanesofRijndael. The

number of rounds N r ^depends ôn ^the ^text ^size b ând ôn ^the ^key ^size N k ând ^varies ^between ¹⁰ând ¹⁴ ^(see

Table1forpartialdetails). Foralltheversions,theurrentblokattheinputoftheroundr^isrepresentedby a4×t^witht= (b/32)^matrix^of^bytes A^(r)^:

A^(r)=







a^(r)_0,0 a^(r)_0,1 · · · a^(r)_0,t a^(r)_1,0 a^(r)_1,1 · · · a^(r)_1,t a^(r)_2,0 a^(r)_2,1 · · · a^(r)_2,t a^(r)_3,0 a^(r)_3,1 · · · a^(r)_3,t







Theround funtion, repeatedN r−1 ^times, învolves^four êlementary^mappings, âll^linearêxept ^the^rst

one:

SubBytes: abytewisetransformationthat appliesoneahbyteoftheurrentblokan8-bitto 8-bitnon

linearS-boxS^.

ShiftRows: alinearmappingthatrotatesontheleftalltherowsoftheurrentmatrix. thevaluesof the

shifts(givenin Table1)dependonb^.

MixColumns: alinearmatrixmultipliation;eaholumnoftheinputmatrixismultipliedbythematrix

M ^that^provides^theorrespondingolumnoftheoutputmatrix.

AddRoundKey: anx-orbetweentheurrentblokandthesubkeyoftheroundr Kr^.

ThoseN r−1 ^rounds âre^surrounded ât ^the^top^byânînitial ^keyâddition ^with^the^subkeyK0 ând ât ^the

bottom byanal transformationomposed byaallto theround funtion where theMixColumnsoperation

is omitted. Thekeyshedule derivesN r+ 1b^-bits ^round^keysK0 ^toKN r ^from^the ^master^keyK ^of^variable

length.

AES Rijndael-160 Rijndael-192 Rijndael-224 Rijndael-256

ShiftRows (1,2,3) (1,2,3) (1,2,3) (1,2,4) (1,3,4)

N b^rounds⁽N k⁼¹²⁸⁾ ¹⁰ ¹¹ ¹² ¹³ ¹⁴

N b^rounds⁽N k⁼¹⁹²⁾ ¹² ¹² ¹² ¹³ ¹⁴

N b^rounds⁽N k⁼²⁵⁶⁾ ¹⁴ ¹⁴ ¹⁴ ¹⁴ ¹⁴

Table1: ParametersoftheRijndaelblokipherwherethetriplet(i, j, k)^for^the^ShiftRows^operation^designated

therequirednumberofbyteshiftsfortheseondrow,thethird oneandthefourthone.

ManyryptanalyseshavebeenproposedagainstRijndael-b^,^the^rstôneâgainstâll^the^versionsôf^Rijndael-b

is duetothealgorithmdesignersthemselvesandisbaseduponintegralproperties([1℄,[2℄,[10℄)thatallowsto

eientlydistinguish3Rijndaelinner roundsfrom arandompermutation. Thisattakhasbeenimprovedby

Fergusonetal. in[5℄allowingtoryptanalysean8roundsversionofRijndael-b^withâômplexityêqual^to2²⁰⁴

trialenryptionsand2¹²⁸−2¹¹⁹plaintexts.

Followingthedediatedworkof[7℄,thispaperpresentsnewfour-roundintegralpropertiesofRijndael-b^and

theresulting7and8roundsattakswhih aresubstantiallyfaster thanexhaustivekeysearh. Note alsothat

those attaksgreatlyimprovethepreviousresultsonRijndael-b^,essentiallytheonesgivenin [8℄ andin[9℄.

This paper is organizedas follows: Setion 2realls theintegral properties known againstRijndael-b ^and

investigatesthe newfour and verounds properties. Setion 3presents thededued 7and 8roundsattaks.

Setion 4onludes thispaper.

2 The integral properties

We desribe in this setion thefour inner rounds original integralproperty againstthe AESdesribed in [5℄,

theveroundsintegralpropertyofRijndael-256desribedin[7℄andthenewintegralpropertiesagainstallthe

Rijndael-b^versions^whereb ^is^larger^than¹²⁸^bits.

(7)

2.1 Introdution and Notations

In[10℄,L. KnudsenandD. Wagneranalyseintegralryptanalysisasadual todierentialattakspartiularly

appliabletoblokipherswithbijetiveomponents. Arst-orderintegralryptanalysisonsidersapartiular

olletionofm ^wordsⁱⁿ^the^plaintextsând îphertexts^that^dierônâ^partiularômponent. ^Theâimôf^this

attak isthus topredit thevaluesin thesums(i.e. theintegral) of thehosenwordsafter aertainnumber

ofrounds ofenryption. Thesameauthorsalsogeneralizethis approahtohigher-orderintegrals: theoriginal

set to onsider beomes a set of m^d ^vetors ^whih ^dier ⁱⁿ d ômponents ând ^where ^the ^sum ôf ^this ^set îs

preditable afteraertainnumberofrounds. Thesumofthissetisalled ad^th-order^integral.

2.1.1 Notations

We rst introdueand extend theonsistent notationsproposed in [10℄ forexpressing word-orientedintegral

attaks. Forarstorderintegral,wehave:

Thesymbol`C^'^(for^Constant)ⁱⁿ^thei^thêntry,^means^that^the^valuesôfâll^thei^th^wordsⁱⁿ^theôlletion

oftextsareequal.

ThesymbolÀ^'^(forÂll)^means^thatâll^wordsⁱⁿ^theôlletionôf^textsâre^dierent.

Thesymbol`S^'^(for^Sum)^means^that ^the^sumôfâlli^th^wordsân^be^predited.

Thesymbol`?^'^means^that^the^sum^of ^words^an^not^be^predited.

Forad^th ^order^integralryptanalysis:

ThesymbolÀ^d^'ôrresponds^with^theômponents^that ^partiipateⁱⁿ âd^th-orderîntegral,î.e. îfâ^word

antakem^dierent^values^thenA^d^means^thatⁱⁿ^theîntegral,^the^partiular^word^takesâll^valuesêxatly m^d−¹^times.

ThetermÀ^d_i^' ^means^thatⁱⁿ ^theîntegral^the^stringonatenationofallwordswithsubsripti ^take^the m^d ^valuesêxatlyône.

Thesymbol`(A^di)^k^'^means^thatⁱⁿ^the^integral^the^stringonatenationofallwordswithsubsripti^take

them^d ^values^exatlyk^times.

ThesymbolÈqi^'^found^for^two^dierent^words^means^that^the^sumsôfâll^values^takenôn^those^partiular

wordsareequal.

2.1.2 Integral properties ofthe AES

In orderto well understandthe priniples ofanintegralproperty, wegivetheexampleof theAES(Rijndael-

128). Consideraolletionof 256texts, whihhavedierentvaluesin onebyte and equalvaluesin allother

bytes. Thenit follows that aftertworounds ofenryption thetexts takeall256valuesin eah of thesixteen

bytes, andthat after threerounds ofenryption thesumofthe256bytesin eahpositionis zeroasshownin

[2℄. Also,notethatthereare16suhintegralssinethepositionofthenon-onstantbyteintheplaintextsan

be in any of thesixteen bytes. Theintegral isillustrated in Figure 1(where an arrowrepresentsaomplete

round). Thisintegralan be usedto attakfourrounds ofRijndael-128 withsmall omplexity(note that the

nal roundisspeial anddoesnotinludeMixColumns)ountingoveronekeybyte atatime. Simply guessa

keybyte andomputebyte-wisebakwardstohekifthesumofall256valuesiszero.

This 3-round property ould be extended by one round at the beginning using 2³² plaintexts, i.e. to a 4th-orderintegralpropertyasdesribedin[5℄. Themainobservationisthatthe2³²^plaintextsôuld^be^seenâs 2²⁴ôpiesôf^theâbove^rst-orderîntegrals^(startingⁱⁿ^the^seond^round). ^Sine^the^textⁱⁿêahîntegral^sums

to zeroin anybyte afterthefourthround, sodoesthesumof all2³² plaintexts. Therunningtimeomplexity of this attak greatlyimprovestheprevious oneespeially onerning thekey-bytes searh. Figure 2 depits

this four-roundfourth-orderintegralagainstRijndael-128.

A C C C C C C C C C C C C C C C

→

A C C C A C C C A C C C A C C C

→

A A A A A A A A A A A A A A A A

→

S S S S S S S S S S S S S S S S

Figure 1: The3-roundrst-orderintegralforRijndael-128,where S= 0

2.1.3 Anintegral propertyfor Rijndael-256

In [7℄, theauthors show a new3th-order integral property against 4-round of Rijndael-256 whih essentially

reliesontheslowdiusionofRijndael-256. Usingthepreviousnotations,weouldeasilydesribethisproperty

asshownonFigure3.

(8)

A⁴₀ C C C C A⁴₀ C C C C A⁴₀ C C C C A⁴₀

→

A⁴₀ C C C A⁴₀ C C C A⁴₀ C C C A⁴₀ C C C

→

A⁴₁ A⁴₁ A⁴₁ A⁴₁ A⁴₂ A⁴₂ A⁴₂ A⁴₂ A⁴₃ A⁴₃ A⁴₃ A⁴₃ A⁴₄ A⁴₄ A⁴₄ A⁴₄

→

A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴ A⁴

→

S S S S S S S S S S S S S S S S

Figure2: A4-roundfourth-orderintegralforRijndael-128with2³²^texts.

A³₀ C C C C C C C A³₀ C C C C C C C A³₀ C C C C C C C C C C C C C C C

→

A³₀ C C C C C A³₀ A³₀ A³₁ C C C C C A³₁ A³₁ A³₂ C C C C C A³₂ A³₂ A³₃ C C C C C A³₃ A³₃

→

A²₀ C A²₀ A²₄ A²₄ A³₀ A³₀ A³₀ A²₁ C A²₁ A²₅ A²₅ A³₁ A³₁ A³₁ A²₂ C A²₂ A²₆ A²₆ A³₂ A³₂ A³₂ A²₃ C A²₃ A²₇ A²₇ A³₃ A³₃ A³₃

→

? A³ A³ A³ ? A³ A³ A³

→

? ? S ? ? ? S ?

Figure3: 4-round3th-orderintegralpropertyofRijndael-256

As shown in [7℄, this partiular property ould be extended by one round at the beginning using a 4th-

order integral(onsideringthat itrepresents2⁸ ôpiesôf^the^3th-order^four ^roundîntegral)^to ^buildâ^5-round

distinguisherthatuses2³²^plaintexts^testingîf^the^sum^takenôverâllînitial^valuesôfâ^partiular^byte^belonging

tothethirdortotheseventholumnisequaltozero. Thisleadstotherst9-roundattakagainstRijndael-256.

2.2 The new integral properties of Rijndael-b

Inthis setion,wepresentnewintegralpropertiesagainstRijndael-b^. ^Those ^properties^have^been^found^using

alwaysthesamemethodology: onsider afteroneround afullolumn ofativebytes, say(y0, y1, y2, y3)^,^then

after tworounds,expresseahbyteoftheorrespondingiphertextaordingto thisolumn. Thus,oneould

see thedependeniesbetweentworounds bytesand andiretly deduethe bytesthat must takeallpossible

valuestoobtainbalanedbytesattheendofthethirdroundandthuspreditablesumsattheendofthefourth

round.

2.2.1 Rijndael-256

Wehavefoundanother4-roundintegralpropertyof2th-orderasshowningure4. Usingomputersimulations,

wehavefound423th-orderintegralpropertiesand482th-orderintegralproperty(essentiallytheshiftedones).

As previouslydone, this 2th-order four-roundpropertyould beextended byone round at the beginning

using a 8th-order integral (onsidering that it represents 2⁴⁸ ôpies ôf ^the ^2th-order ^four ^round întegral) âs

previouslydesribedandbytworoundsatthebeginningusinga24th-orderintegralasdonein[8℄andasshown

in Figure5.

Thus, weobtain rst afour-rounddistinguisher that uses 2¹⁶ ^plaintexts ^testing îf ^the^sum ^takenôverâll

initial valuesofapartiularbytebelongingtothethird,tothesixth,totheseventhortotheeightholumnis

equaltozero. Wealsoobtainave-rounddistinguisher thatuses2⁶⁴ ^plaintexts^testing ^if^the^same^sum^taken

overthe2⁶⁴^valuesîsâlsoêqual^to^zero. ^The^six-rounddistinguisherthat uses2¹⁹²^plaintextsîs^the^sameêven

iftheorrespondingmemoryomplexityishereunreahable.

(9)

A²₀ C C C C C C C C A²₀ C C C C C C C C C C C C C C C C C C C C C C

→

A²₀ C C C C C C C A²₀ C C C C C C C A²₁ C C C C C C C A²₁ C C C C C C C

→

A²₀ C C C A²₀ A²₄ C A²₄ A²₁ C C C A²₁ A²₅ C A²₅ A²₂ C C C A²₂ A²₆ C A²₆ A²₃ C C C A²₃ A²₇ C A²₇

→

A² A² A² A² ? A² A² A² A² A² A² A² ? A² A² A² A² A² A² A² ? A² A² A² A² A² A² A² ? A² A² A²

→

? ? S ? ? S S S

Figure4: the2th-orderintegralpropertyofRijndael-256

A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ C C C A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ C A²₁ C C A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀ A²₁ A²⁴₀ C C A²⁴₀ A²⁴₀ A²⁴₀ A²⁴₀

→

A⁸₀ A⁸₀ C C C C C C C A⁸₀ A⁸₀ C C C C C C C C A⁸₀ A⁸₀ C C C C C C C A⁸₀ A⁸₀ C C

→

A²₀ C C C C C C C C A²₀ C C C C C C C C C C C C C C C C C C C C C C

Figure5: ExtensionofRijndael-256bytworoundsatthebeginningusinga24th-orderintegral

2.2.2 Rijndael-224

In the sameway, wehave founda 2th-order4-round integralproperty for Rijndael-224 asshown in gure 6.

Wehavefound422th-orderintegralproperties(essentiallytheshiftedones).

A²0 C C C C C C C A²₀ C C C C C C C C C C C C C C C C C C C

→

A²0 C C C C C C A²₀ C C C C C C A²₁ C C C C C C A²₁ C C C C C C

→

A²0 C C A²0 C A²4 A²4

A²₁ C C A²₁ C A²₅ A²₅ A²₂ C C A²₂ C A²₆ A²₆ A²₃ C C A²₃ C A²₇ A²₇

→

A² A² A² ? A² ? ? A² A² A² ? A² ? ? A² A² A² ? A² ? ? A² A² A² ? A² ? ?

→

S ? ? ? ? ? ? S ? ? ? ? ? ? S ? ? ? ? ? ? S ? ? ? ? ? ?

Figure6: Four-round2th-orderintegralpropertyofRijndael-224

As previouslydone, this 2th-order four-roundpropertyould beextended byone round at the beginning

using a 8th-order integral (onsidering that it represents 2⁴⁸ ôpies ôf ^the ^2th-order ^four-round întegral) âs

previouslydesribedandbytworoundsat thebeginningusinga24th-orderintegral.

Thus, weobtain rsta four-rounddistinguisher that uses 2¹⁶ ^plaintexts ^testing îf ^the^sum ^takenôverâll

initial values of apartiular byte belonging to therst olumn is equalto zero. Wealso obtaina ve-round

distinguisher that uses 2⁶⁴ ^plaintexts^testing îf ^the ^same^sum^taken ôver^the 2⁶⁴ ^valuesîs âlso êqual^to ^zero.

Thesix-rounddistinguisherthat uses2¹⁹² ^plaintexts^is^the^same.

2.2.3 Rijndael-192

In the sameway, wehave founda 2th-order4-round integralproperty for Rijndael-192 asshown in gure 7.

This integralis dierentfrom theothersbeauseitimpliesthat twopartiularsumsareequalsbetweenthem

and notto zero. This partiularpropertyomesfrom thefat that thersttermEq0 îsâ^linearômbination

of 4partiulartermsof thepreviousround. Inthose words,three arebalaned (i.e. theomplete sumat the