So welcome back everyone. I hope you all enjoyed your lunch and are now ready for this session on cryptanalysis with algebraic structures. The first talk is on "Nonlinear Approximations in Cryptanalysis Revisited" and is on a paper by Christof Beierle, Anne Canteaut and Gregor Leander, and the talk is going to be given by Christof.

Yeah, thanks for the introduction. Can you all hear me? So today I want to talk about nonlinear approximations in cryptanalysis and, more generally, how we can express those in a unified framework with linear cryptanalysis. Linear cryptanalysis is nowadays a standard attack method on cryptographic primitives, and the basic idea is to approximate a linear Boolean function in the output of the primitive by a linear function in the input. One year after linear cryptanalysis was introduced, a generalization to nonlinear approximations was introduced, and very recently, as we heard in Gregor's talk before, those were rediscovered in the context of invariant attacks, which employ deterministic nonlinear approximations, so a nonlinear Boolean function that holds with probability one over the block cipher. In this work we want to look at nonlinear approximations a bit more generally and try to express them using the framework of linear cryptanalysis.

So first I will talk about this unified framework, then I will talk about the case of invariants again and show how they in many cases imply the existence of highly biased linear approximations, and as a third step I will talk about how one could go on to utilize probabilistic nonlinear approximations, so those that do not hold with probability one.

Throughout this talk we will consider a function f from m bits to n bits, for example a block cipher with a fixed key. The idea of these approximations is that we want to approximate the Boolean function h in the output by a Boolean function g in the input, and we
want to quantify the probability that g(x) equals h(f(x)), minus one half, so how much it deviates from one half, and this is quantified in the notion of the correlation. For these two functions g and h, the approximation by the function g in the input and h in the output is quantified by the correlation, which is defined as two times the probability that these are equal, minus one. In that way the correlation will be a value between minus one and one.

As an example we can look at linear cryptanalysis, where g and h are defined to be linear functions, which can be given by a mask gamma as an n-bit vector, and then the linear function corresponding to gamma is defined as the inner product of gamma with x. In linear cryptanalysis we exploit the existence of an input mask gamma and an output mask gamma prime for which the correlation of the fixed-key instance is larger than two to the minus half of the block size. This threshold is there for having an attack, depending on the data complexity: if the correlation is higher than this, you would have enough data to eventually use it in an attack.

Now I will briefly go to nonlinear invariant attacks. We have seen a lot about this in the talk by Gregor already. In invariant attacks, we are looking at an invariant set S that stays invariant under the application of a permutation f.
So either S is mapped to itself or this set S is mapped to its complement. This can be expressed by a Boolean function on n bits which is defined to be the indicator function of this set, and then we have exactly this property for this Boolean function, and in the notion of the approximation we can phrase it that way: the correlation over f with the input function g and the output function g is either plus one or minus one, depending on which case we are in. So we have transformed this into the notion of nonlinear approximations.

Usually when you look at linear cryptanalysis you look at linear trails, and for an iterated function there is the well-known notion of linear trail composition, which means if you have a function f which is iterated by round functions f_i, then you can express the correlation of the linear approximation by the sum over all linear trails, so over all intermediate masks, and you sum over the correlation of the trail, which is defined as the product of the correlations over the round functions. We tried to generalize this to nonlinear approximations and we came out with the notion of some kind of nonlinear trail composition, which means if you generalize this to arbitrary functions g and h, the correlation over f can be expressed as a bunch of linear correlations, so all linear approximations over the function, and you sum over lots of them and multiply each of the terms in the sum by correlations over the Boolean functions: for g with input mask gamma and output mask one, and for h with input mask gamma prime and output mask one. This is just a simplified notion for what this correlation here is.
So this is the idea for this framework, and now I will talk about invariants as a special case to apply this. This is our decomposition, or trail composition, theorem. Suppose we have an invariant for a permutation f. This would mean that the absolute value of this correlation over the function is equal to 1, and then you can express this correlation by this trail composition, so you can express it as a sum of correlations of linear approximations times these correlations over g. You can trivially exclude those approximations that lead to zero for these terms, so we sum only over the masks lying in this big Gamma_g set, which are exactly all those masks such that the correlation over gamma is non-zero.

If you apply this to one special case of so-called balanced plateaued functions for the invariant, we can come up with this theorem. A balanced plateaued function is a balanced Boolean function such that the Walsh spectrum is either zero or takes only one absolute value L. In this case you can express the size of this Gamma_g set as a signed sum of correlations of linear approximations, where you can express the sign of each of these terms by a Boolean function f. From this formula you can immediately derive that, because it sums up to a high value, there must exist one pair of gamma and gamma prime which has a high correlation: the absolute value is higher than one over the size of the Gamma set. A special case of a balanced plateaued function is the quadratic function, so those of degree two, and for degree-two functions you have exactly those two values in the Walsh spectrum.
So this theorem directly applies, and so for example if you look at the nonlinear invariant on SCREAM which is published in this ASIACRYPT 2016 paper: we have a cipher with a block size of 128 bits and the quadratic invariant, which is balanced, and it works for two to the 96 weak keys. By the theorem before, this means that for each weak key K there exists such a Boolean function that takes care of the sign, such that you can express the size of the Gamma set, which is two to the 32, as a signed sum of correlations of linear approximations, and this implies that for each weak key you have at least one linear approximation in this sum which has a correlation higher than two to the minus 32. This is much larger than two to the minus half of the block size, so in principle this could be exploitable by an attack. Since this function g is invariant for each of the rounds and you iterate this for the rounds, the existence of this approximation is independent of the actual number of rounds you use in the cipher. But what could change is which correlation exactly is the higher one.
Another example is the case of invariant subspaces, where this invariant function g is the indicator function of some affine subspace, so it's not necessarily balanced anymore. We have shown that if you have an invariant affine subspace U plus some offset a for a permutation, then for any non-zero output mask lying in the orthogonal complement of U you can find a non-zero input mask such that the absolute value of the correlation is higher than this value depending on the dimension of U. A similar theorem was already shown in the invariant subspace paper in 2011. They have also proven the existence of a highly biased approximation with a similar term, but there is some error term you have to subtract there, and they only show the existence of one specific approximation and not many of those, as here.

This observation leads to some open questions. First of all, can we say anything more about these highly biased linear approximations besides the mere existence? These arguments we have here are basically arguments of existence, and they don't show a particular way to construct and identify those approximations. This is related to whether we can understand more about the distribution of the actual correlations of these linear approximations over all these masks in this Gamma set.

Now I want to talk about probabilistic nonlinear approximations. So far
we were only in the setting of the invariant attack. The goal would be to express probabilistic nonlinear approximations in the framework of linear cryptanalysis, and the idea would be, instead of using nonlinear approximations over the cipher itself, we transform the cipher a bit, so we use a different representation and use linear cryptanalysis over this transformed version of the cipher. The idea would work like this. We have a permutation f and a balanced function g, so we really require here that g is balanced, and we would construct an n-bit permutation big G such that this function small g is embedded as one component function alpha. Then we would look at the transformed permutation where we first apply the inverse of G, followed by f and then G again, and in this framework this transforms, instead of looking at the approximation by g over f, to looking at the linear approximation with mask alpha over the transformed version of the cipher. Then we would use linear cryptanalysis methods to look at the transformed version. Note that we need a balanced function here because we want to embed this as a component in a bijection and we want to apply the inverse here, so this requires that every component function is balanced; the other component functions can be chosen arbitrarily.

So, as is typical for linear cryptanalysis:
We will look at linear trails. Suppose we have a round-iterated cipher E. If we look at the transformed version of the cipher, we can look at every transformed round by this function G, because we can apply the inverse of G followed by G, which means we have identities in between that cancel out, so we can express it in this variant. Then we would express the correlation over the transformed cipher of this linear approximation by the linear trail composition, by summing over the correlations of all linear trails in this linear hull, and for our analysis we base it on a single linear trail for now, because this is the standard analysis method. So we look at the correlation of the trail, which is defined as the product of the correlations of the round functions.

In this notion we can express the invariant on Midori64, also from this ASIACRYPT paper, quite simply. We have our 4-bit S-box SB, which is applied 16 times in parallel, denoted by the S-box layer S, and by S_k we denote the keyed S-box layer,
so we XOR the key to the state and then apply the S-box layer. In the invariant attack on Midori, the quadratic function of this form is used as an invariant for the S-box, and the weak keys are exactly those that are zero in the first two coordinates of every S-box. Then we would go on and choose a 4-bit permutation that embeds this invariant as one coordinate function, denoted by this mask 8, so it's the fourth coordinate function in hex notation, and we define our big permutation as the parallel application of this 4-bit permutation. Then we can look at the linear trail corresponding to this approximation, so every S-box would be active in this notion, and because we have this invariant over the S-box for the weak-key space, this means that if we go over this transformed S-box layer, the absolute value of the correlation is one for every weak key. So here we are restricted to this WK space of the key. The next step would be the permutation of the nibbles in the linear layer, and this permutation would basically permute all these cells, so because every cell is active, every cell is active after the permutation. For the transformed MixColumns layer we would use the observation made by the attackers on Midori, which exploited the orthogonality of the layer, so we can show that the correlation is equal to one, and you can also look at the correlation matrix for every column and you would get the same experimentally. Then one round is over and you can iterate this property for every round.

Because in this notion every S-box is active, we tried to look at the case where not every S-box is active.
So, more general linear trails. For this we looked at the four-round version of a transformed Midori. By transformed we mean that we omit the key schedule for now and assume independent round keys in every round. We choose another balanced invariant for the S-box; now it's not quadratic anymore but of degree 3, and we denote it by g prime. You can easily show that this is invariant for every S-box. Then we choose another permutation which embeds this g prime as one coordinate function, and then we define our big permutation for the transformation as a parallel application of the smaller 4-bit permutations. As I said, we omit the key schedule for now, and then we can come up with this linear trail here. Now we really have inactive S-boxes. For every inactive S-box you can basically choose any key and go over the S-box layer, because nothing happens. For every active S-box you can go through this transformed S-box layer whenever you choose the key to be weak, because it's an invariant for the keyed S-box layer for weak keys; you have an absolute correlation of one after the S-box. Then you have to look at this permute-nibble layer, and now you really have to permute the cells according to the state permutation. For MixColumns it's a bit more complicated now, because it's quite hard to find some provable properties there, so we looked at the correlation matrix of this one-column 32-bit linear mapping. It's not linear anymore, because we transformed it by this G here, but you can still compute it. In this case, where you have these three active S-boxes which go to one active S-box.
The correlation is 11 over 32, so it's quite high, and for each active column you have to compute it, so it's 11 over 32 to the power of 3. You can go on over the rounds until you finish with four rounds, and you can multiply all these correlations to get the correlation of the trail. Out of these two to the 256 possible keys you can choose two to the 208 weak keys, if you assume these independent round keys, and by multiplying this correlation you get the correlation of the trail, which is two to the minus 12.3. Because it's only a trail, it's not clear whether the correlation of the actual approximation, so without looking at the intermediate masks, would be close to this correlation of the trail, but by experimentally checking we obtained that the correlation of the actual approximation is very close to this correlation of the trail. So in this case the trail really gives a good approximation.

What is interesting here is that if you look at normal linear cryptanalysis by the wide trail strategy, you know that there are at least 16 active S-boxes in every four rounds, so you would expect by the property of the S-box that the absolute correlation is at least two to the minus 16. So by looking at this nonlinear transformation we have shown that there is a significantly smaller correlation.

We tried to also look at probabilistic nonlinear approximations over the S-box layer, because in this example so far the approximation over the S-box was deterministic, so this absolute correlation of one. The question is, can we generalize this further? In this example we use a different bijection G where we embed another permutation in the first S-box layer corresponding to this cubic invariant, and in this case every key would be weak with a non-trivial correlation.
So for the weak-key space you have an absolute correlation of one over the S-box layer, and for the other keys you still have a correlation of one half, and in this way you can come up with a trail again where every S-box is active, and the theoretical approximation of full-round Midori would be two to the minus 29.28. So it would be higher than what would be needed in an actual attack for full-round Midori, but unfortunately in this case this trail does not approximate the correlation of the linear hull very nicely, so there are strong linear hull effects. We made an experiment on one single column by using the same idea on only one column of the state, and we found out that for some keys where it theoretically works, the actual correlation of the approximation is exactly zero. This is a very strange observation and we don't really understand why it's exactly zero.

So there are some open questions raised. The most important one is in which cases we can really approximate the approximation by a single trail and when we can't, and also, from another view, can we maybe use the nonlinear approximations in order to quantify linear hull effects in more general ciphers. Okay, thanks for your attention. I think I'm a bit over time.

Yeah, but we do have time for one question.

So, I think maybe I missed some of the necessary conditions for your attack, but do you need these really trivial key schedules, or could you apply this to some ciphers like for instance PRESENT where you have a stronger key schedule?
So you were asking whether you need independent round keys, or like a trivial key schedule with just round constants. So it depends what you want to do. If you have this trail here, what you would need is, if you go to the next round, that you have a weak key in every active cell. So if you have a key schedule that does not allow you to have a weak key here and also a weak key here, then this attack would not work in this case. So it really depends, yes.

That's why all of your applications are on ciphers with weak keys, somehow. Yes. Okay. Thanks. Any other questions? Let's thank the speaker again.