Okay, welcome to the second session of the second day of Asiacrypt 2016. I'm Mitsuru Matsui from Mitsubishi Electric. It's a great pleasure and honor to introduce one of the two papers that the Program Committee of Asiacrypt 2016 has decided to invite to the Journal of Cryptology. The title of the paper is "Nonlinear Invariant Attack: Practical Attack on Full SCREAM, iSCREAM, and Midori64", written by Yosuke Todo, Gregor Leander, and Yu Sasaki. Todo-san is going to talk. Please give us your talk.

Thank you very much for the introduction. My name is Yosuke Todo from NTT Secure Platform Laboratories. Today's talk title is "Nonlinear Invariant Attack". This work is joint work with Gregor Leander at Ruhr University Bochum and Yu Sasaki at NTT Secure Platform Laboratories.

Okay, so first of all, I want to explain what happens with the new attack. This is a case study of cryptanalysis on SCREAM. SCREAM is a tweakable block cipher. This is the framework of a tweakable block cipher: the input is a plaintext, a secret key, and a tweak, and the output is a ciphertext. I found that under the weak-key setting, SCREAM has the following magical Boolean function g(x), where x is 128 bits long. Then g(p) + g(c) is always equal to g(t) + g(k).

This is an example. Now we choose the tweak like this, and k, the secret key, is chosen from the weak-key space. Under the condition of the weak key, these 4 bytes are always 0. In this case, g(k) + g(t) is always 1. The plaintext is chosen uniformly at random, and the ciphertext is computed by the SCREAM block cipher. Then, for any plaintext p, g(p) + g(c) is always 1.

So the nonlinear invariant attack is a new type of cryptanalysis technique, and it is a weak-key setting. Surprisingly, this attack is a practical attack, and we can extend this attack to a ciphertext-only message recovery attack under a reasonable assumption. I have three applications. One is SCREAM.
This is a CAESAR second-round candidate authenticated encryption. And iSCREAM is a first-round candidate. And this attack also attacks Midori64, which is a block cipher proposed at last Asiacrypt.

This is a summary of results. The nonlinear invariant attack has two types of attack. One is the distinguishing version, another is the message recovery version. The distinguishing version is very easy: we only collect k known plaintexts, then we can distinguish the target cipher from an ideal cipher with success probability 1 - 2^(1-k). In the message recovery attack, in the case of SCREAM, we can recover 32 bits from only 33 ciphertexts with time complexity 2^50, so it's a practical time complexity. About the weak-key space: our attack is a weak-key attack. SCREAM accepts a 128-bit secret key, but the weak-key space is 2^96, so the density is 2^(-32).

Okay, so let's start the main topic. I first explain related work. The nonlinear invariant attack has two related works: one stream is from linear cryptanalysis and another stream is from the invariant subspace attack.

First I explain this stream. As you know, linear cryptanalysis was proposed by Matsui-san in 1993. For simplicity, I explain this attack on a key-alternating structure. This is a round function: x_i is the input of the round function and x_{i+1} is the output of the round function. In the round function, first the round key k_i is XORed, and this XORed value is the input of the public function f. The motivation of linear cryptanalysis is to find linear Boolean functions f_i and f_{i+1} such that f_i(x_i) + f_{i+1}(x_{i+1}) is highly biased. Now, since f is a linear Boolean function, it is very easy to join two linear approximations.
By appending linear approximations sequentially, we can create a linear approximation for the target cipher. Nonlinear cryptanalysis is a natural extension of linear cryptanalysis. Linear cryptanalysis uses a linear approximation, a linear Boolean function, but nonlinear cryptanalysis alternatively uses nonlinear Boolean functions g_i and g_{i+1}, such that this XORed value is highly biased. The advantage of nonlinear cryptanalysis is that we can find a nonlinear Boolean function whose bias is higher than in linear cryptanalysis. But unfortunately, the probability depends on the specific value. If x_i is the plaintext, it is easy because the attacker can know the plaintext value. But x_{i+1} depends on the round key, and the attacker cannot know k_i. So the probability of the nonlinear approximation for the next round depends on the specific value of x_{i+1}, and we cannot join nonlinear masks for two rounds. This is an insurmountable problem.

The nonlinear invariant attack uses another idea. In the nonlinear invariant attack, we first limit the space of the round key, and we only focus on nonlinear Boolean functions g_i and g_{i+1} such that this XORed value is always constant. So we don't use probabilistic behavior. Now this holds with probability 1, so we can easily extend this nonlinear approximation to an arbitrary number of rounds. For simplicity, if we can find nonlinear Boolean functions g_i and g_{i+1} with g_i equal to g_{i+1}, this property is preserved for an arbitrary number of rounds if all round keys are weak.

Another stream is from the invariant subspace attack proposed by Leander et al. in 2011. This is the overview of the invariant subspace attack. Similar to the nonlinear invariant attack, the round key is chosen from the weak space.
First, the input x_i is chosen from the subspace U + a. Even if the key is XORed, this element of U + a always maps to U + b, and even if the function f is applied, this element is mapped to U + a. And this repeats, so this subspace is preserved: if the plaintext p is chosen from U + a, the ciphertext also belongs to U + a. By using this property, Leander et al. attacked many ciphers using the invariant subspace attack.

The nonlinear invariant attack is similar to the invariant subspace attack. The invariant subspace attack uses such a subspace, but the nonlinear invariant attack uses this subset, satisfying that the output of g is 0 or 1. This element maps to here, and maps to here, and repeats. In the nonlinear invariant attack, it is no problem if this subset goes to this subset, because we use g, and the function g is a balanced function. Thanks to this structure, the invariant subspace attack is a chosen-plaintext attack, but the nonlinear invariant attack is a known-plaintext attack.

This is the distinguishing version, and it is very easy. Assume E_K has a nonlinear invariant g. Collect k known plaintexts (p_j, c_j) and compute this XORed value; for all pairs, this XORed value is constant. The probability that an ideal cipher has this property is 2^(-k+1).

Next, I want to explain the extension to a practical attack. Actually we use several attack assumptions: chosen-plaintext attack, known-plaintext attack, and ciphertext-only attack. CPA is a natural assumption for cryptographers, but it is debatable in the practical case. But if the target cipher is broken under this assumption, cryptographers say that this target cipher is broken. The known-plaintext attack is a weaker assumption than CPA, and if the target cipher is vulnerable under this assumption, it sometimes holds in the practical case. Clearly the ciphertext-only attack is the weakest assumption.
But it is unlikely to happen for cryptographers because it is information-theoretically impossible with that assumption. But if possible, it causes non-negligible risks in the practical case.

This is our attacker assumption. Our assumption is that the attacker can collect multiple ciphertext blocks whose original message is the same, but the IV is different. Now we have one plaintext block, and this plaintext block is encrypted using different IVs, and we can collect these ciphertext blocks. In this case, we can recover the plaintext block from only the ciphertext blocks.

I have to discuss whether this assumption is practical or not. Actually it is very difficult to answer this question because it depends on the application. But I think it is a reasonable assumption, because, for example, an application sometimes sends the ciphertext of a password. Of course the password is secret and is used for authentication. The attacker knows the behavior of the application, so the attacker can collect ciphertexts whose original message is the same. In such a situation, we have this framework, so we can recover the password from only the ciphertext.

The attack procedure is very simple. Now E_K has a nonlinear invariant, and this is the case of CBC mode. The plaintext is secret, and the IV and ciphertext are public. Since E_K has a nonlinear invariant, we have this equation, and this value is always constant. Now C_{j-1} is known and C_j is known, but P_j is unknown. So we guess P_j and confirm whether this value is constant or not. If we want to recover t bits of P_j, it requires 2^t time complexity. But now we use a special nonlinear Boolean function g, and thanks to this structure, practically the time complexity to recover t bits of P_j is at most t * 2^3.

Next, I explain how to find a nonlinear invariant. This is the core idea of the nonlinear invariant attack.
For simplicity, assume an SPN-type round function. This is the round function: first the round key is XORed, then the S-box is applied in parallel, and the output is diffused by the linear function L.

First, I want to find a nonlinear invariant for one S-box. The size of the S-box is generally small, for example 4-bit or 8-bit, so it is not difficult to find a nonlinear invariant for one S-box. By exhaustive search, we can find an example for the S-box in SCREAM, like this: g(x) = x1 x2 + x0 + x2 + x5. This Boolean function is a nonlinear invariant for the S-box: for all x, where S is the S-box, g(x) is always equal to g(S(x)) + 1.

Now we extend this nonlinear invariant to a nonlinear invariant for the S-box layer. The S-boxes are applied independently, and the function g_i is a nonlinear invariant for each S-box, so the sum function is a nonlinear invariant for the S-box layer for any subset. Next, the round key is XORed. If the round key k is involved in only the linear terms of the function g, the sum function is a nonlinear invariant for the key XOR. Here is a very simple example. This is the nonlinear invariant for the SCREAM S-box. x1 x2 is involved in the nonlinear term, but the other terms are only linear. So if k1 = k2 = 0, this equation holds, so this is a nonlinear invariant.

Finally, I have to overcome the linear function L. Actually this is the most difficult part of the search for a nonlinear invariant. I found a vulnerable structure: if the linear function is binary orthogonal, and there is a quadratic invariant for the S-box, then this sum function is a nonlinear invariant for the linear layer. This property is derived from the invariance of the inner product. Now g is a quadratic function, so we can represent this Boolean function like this. Let's focus on this sum. This is an inner product.
If M is an orthogonal matrix, this value is equal to this value, and this Boolean function is completely equal to g(x). So if L is binary orthogonal and g is a quadratic function, such a function g is a nonlinear invariant for the linear layer.

Finally, I want to explain the practical attack. SCREAM perfectly follows our assumption. First, an orthogonal matrix was used because of the duality of differential and linear cryptanalysis. The nonlinear term is applied to only the second and third rows, but the round constant is only XORed with the first row. So the round constant is not important for the nonlinear invariant attack. And all round keys are the same as the secret key. Now, the nonlinear term is on the second and third rows, so we choose the weak-key space satisfying that these 32 bits are zero. This secret key is a weak key.

Now, I want to explain how to break SCREAM authenticated encryption. SCREAM is an authenticated encryption, and unfortunately the plaintext is directly the input of E_K. Let's focus on the last block. The input of the last block is only the length of P_{m-1}. So we attack the last block. Then P_{m-1} is unknown, but its length is known. So this value is known, this value is known, and this value is unknown. We guess P_{m-1} and recover this value.

I conclude my talk. I proposed a new type of cryptanalysis, the nonlinear invariant attack, and I explained how to find a nonlinear invariant. I explained the application to SCREAM, iSCREAM, and Midori64. We can recover 32 bits of the message in the last block of SCREAM and iSCREAM, and in Midori64 we can recover 32 bits of the message in every block under the CBC, CTR, OFB, and CFB modes of operation. Thank you very much.

We have time for a couple of questions. Yes, Adi?

Beautiful result. In the case of SCREAM, you were lucky that it had just the right properties for your analysis.
And you could find out the nonlinear invariant. In a general scheme, how would you propose checking whether a newly proposed block cipher has or does not have a nonlinear invariant? The search space is huge. So is there any mechanism for how to do it?

First of all, the most difficult point of the nonlinear invariant attack is to overcome the linear layer. If the linear layer is trivially overcome, nonlinear cryptanalysis is successful. So maybe the quadratic invariant: if the S-box does not have a quadratic invariant, in this case I think the nonlinear invariant doesn't work. But if the S-box is 4-bit, I searched many 4-bit S-boxes, and a 4-bit S-box always has a nonlinear quadratic invariant. If we use an 8-bit S-box, it is very easy to avoid the nonlinear invariant attack. With a 4-bit S-box, it is difficult to avoid the nonlinear invariant for one S-box, so we need to use a non-orthogonal matrix or a very dense round constant. With such a countermeasure, I think the nonlinear invariant attack doesn't work.

I have two questions for you. The first: can your proposed attack apply to other block ciphers than SCREAM? And the second...

Sorry, the first question is SCREAM? Sorry, I don't understand your question.

In your presentation, you attack SCREAM, right? So I want to ask, can your proposed attack apply to other block ciphers?

Yeah. Okay, so first I answer the question. First of all, our attack uses a weak-key attack. If the target cipher is not a lightweight block cipher, it has a very complicated key scheduling algorithm, so it is very difficult to apply this attack. As far as I searched, I could find these three applications. For other target ciphers, first, let's see the lightweight block cipher, with that key schedule: a lightweight block cipher with a very simple key scheduling algorithm. And if an additional application is possible, such a cipher is possible as an application.
Thank you. And another question. The final goal of your attack is to find the secret key or the plaintext?

Yeah, thank you. This type of attack is a message recovery attack, so we never recover the secret key. In the distinguishing version, actually we can recover one bit of the secret key, because from g(p) + g(c) = g(t) + g(k), where t is public and p and c are public, we can recover g(k). And this information is only one bit. I don't have any idea how to recover more than one bit.
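As an added illustration of the S-box step the talk describes (exhaustively search one small S-box for a Boolean function g with g(S(x)) + g(x) constant, keep the nonlinear ones, then read off which round-key bits must be zero for g to survive the key XOR), here is example code that is not from the speakers or the paper. It assumes the table is Midori64's Sb0 and uses function names of my own; the counts in the test only hold if the table matches the specification.

```python
# Added example: exhaustive nonlinear-invariant search for one 4-bit S-box,
# following the steps described in the talk. Not code from the paper.
# Assumption: SBOX is Midori64's Sb0 as published; verify against the spec.
SBOX = [0xc, 0xa, 0xd, 0x3, 0xe, 0xb, 0xf, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
N = 4            # S-box width in bits
SIZE = 1 << N    # number of S-box inputs

def anf(tt):
    """Truth table tt[x] = g(x) -> ANF coefficients (Moebius transform).
    a[m] is the coefficient of the monomial over the variables set in m."""
    a = list(tt)
    step = 1
    while step < SIZE:
        for i in range(SIZE):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a

def degree(coeffs):
    """Algebraic degree: largest monomial weight with a nonzero coefficient."""
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)

def invariants(sbox, const):
    """All g with g(S(x)) + g(x) = const for every x, by brute force over
    the 2^16 truth tables (each encoded as a 16-bit integer)."""
    found = []
    for g in range(1 << SIZE):
        if all((((g >> sbox[x]) ^ (g >> x)) & 1) == const for x in range(SIZE)):
            found.append([(g >> x) & 1 for x in range(SIZE)])
    return found

def nonlinear_invariants(sbox, const):
    """Invariants of degree >= 2; affine ones are linear cryptanalysis, not this attack."""
    return [tt for tt in invariants(sbox, const) if degree(anf(tt)) >= 2]

def weak_key_bits(coeffs):
    """Mask of round-key bits that must be 0 for g to survive the key XOR: every
    variable in a monomial of degree >= 2 (key bits in linear terms only add a constant)."""
    mask = 0
    for m, c in enumerate(coeffs):
        if c and bin(m).count("1") >= 2:
            mask |= m
    return mask

def survives_key_xor(tt, key):
    """True iff g(x ^ key) + g(x) is the same constant for all x."""
    return len({tt[x ^ key] ^ tt[x] for x in range(SIZE)}) == 1
```

Because Sb0 has fixed points, only the const = 0 case can exist for it; the const = 1 case (the SCREAM example in the talk) is searched by the same function with const = 1.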