 Hello everyone, I'm Khashir Yorbaruti from EPFL and today I'll be presenting a joint work with Suba Dipanik, Sarj Wodane and Haile Nyan Called new attacks on low MC instances with a single plain text hypertext pair. So as you see the name is long so I've shortened it here So let's talk about picnic low MC first and see why do we even care about it. So picnic is a post-quantum signature scheme which is based on a MPC in the heads paradigm specifically talking to the specialized version of ZKBOO So this is a proof of identification Then we have some Fiat Shamir or similar transform in order to change it to a turn it into a signature scheme And it's currently an alternate Candidates for third round of NISTBQ standardization process So how does ZKBOO work? So simply we have a public key which is going to be a pair of plain text and cypher text So this is important that a key actually consists of a given plain text and cypher text And then we have a key SK a secret key Which is gonna work as the encryption key and what the prover is trying to do is that he's trying to prove that He knows in SK value such that E of PK and SK is going to be C And how does how do how does the prover do this? the prover will simulate an MPC computation of E and Then we'll commit to the computations on each share and then the verifier is gonna ask him to open some of the commitments in a specific way and then Check that's for that share the computation was done correctly So what's the catch here is that because the prover has to do an MPC computation? Multiplications are not ideal. So we want this view as them as possible without losing my security and that's why Like MPC in general is one of the reasons that people have been working on a lot and block ciphers which have low multiplication depths Low MC is one of these ciphers. So it's a substitution permutation network. It has a three-bit S box It's a quadratic S box as you can see pretty simple and It's followed by an affine layer and a key addition round keys are also affine functions of the master key So the only nonlinearity in the cypher comes from the S box So there are two main variants that we will be talking about. It's called the partial S box here and the full S box layer I'll explain those in a sec so By S I will denote the number of S boxes per round and it's going to be the block size I was going to be number of rounds. So this is how a single round looks like So each S box is acting on three disjoint bits of the block of the input And then it's followed by an affine layer on the whole state and then I add the round key and Whenever my S is exactly equal to n over 3 meaning that every bit of the block passes through The S box I call it a full layer and whenever Three S is less than and I call it a partial layer. So let's talk about work that has already been done So two famous attacks that have that exist on low MC are wreck burgers Attack from to SC 2018 Which uses some difference in numberation attack and then use improvement of it in crypto 21 Which uses some algebraic tricks to improve the previous attack But as you can see from the name we need differences for these attacks meaning that with a single plain text cypher text pair Which is the scenario that we have in picnic. We cannot perform this attacks So we care about complexity one attacks in the in the given plain text cypher text model And this is where these other attacks come into playing So the first one that came out was our previous work that surprisingly is not presented yet so we use some algebraic property of the S box to be able to linearize the S box with not many guesses and Then for the full S box layer variant we break up to two rounds And the partial S box layer variant you break up to 0.8 and over S runs Versions of low MC and these are not arbitrary these numbers. They actually come from the low MC crypt analysis challenge and Also, there is the newest attack from your crypto 21, which is based on multi parity counting and this attack only works for Full S box variants because we need low number of runs We need the degree of the polynomials to be low and then it breaks up to five runs and For any quota hundred twenty nine, which is the smallest Block size that we have it breaks up to four runs Okay, so what's going to happen here? So we will present a two-step MITM attack which uses the linearization ideas from our previous work plus some Greco denomination methods Which breaks the full layer variants Up to three rounds and the partial variant up to an over S So let's talk about the linearization that we already talked about so this is the theorem from a previous paper and what it essentially means is that if I guess Any balance quadratic Boolean function in the inputs of the inputs of the S box Based on that guess I can linearize the S box So I can write the S box for any Balanced Boolean function in the input as that function times a linear function plus another linear function So it's the example that we used Almost everywhere during the previous work was the three-bit majority function as this balanced function and How does the attack work simply for every single as as I said the only non-linearity comes from the S box So if I linearize all the S boxes everything will be linear and then I get a equation system in my key Based on the majority guess that I do so what I will do exactly I will guess all the majorities for every single S box in the cipher Then I will form a linear equation in the key Describing the cipher text in the plain text and the key and then I will do a Gaussian elimination to solve this and then I need to do one re-encryption to To see if this key is a good candidate whether all the majorities match So as you can see I need two to the power number of S boxes guesses majority guesses and for each majority guess one encryption So this only works when S times R is less than And now let's talk about the new attack So this attack is also influenced by the previous work But it's a bit different because it uses the other attack proposed in our former work Which was a meet in the middle tack with a worse complexity than the linearization So the idea is I will not touch the first round, but for everything that comes after I Will guess the majorities and linearize them So what I get is that if I look at the output of the first round or the input of the rest of the runs They're the same thing then I can write the value here As a linear function of the key and the cipher text So simply I will split my key into two parts the first half of the key and the second half of the key K1 and K2 so I can get equations of this form describing the state at the middle So simply it's going to be a k1 plus bk2 plus some constant. It's going to be describing the state in the middle Again dependent on the majority guess Now I'll do the same thing in the forward direction, but this time I will not do any linearization I will just describe the state here as a quadratic function of the plain text and the keys And again, I can write it in this form as fk1 plus gk2 plus Some constant is going to be equal to that state So and what I have is that these two terms should be equal to each other And I will use this to mount a meet in the middle attack Okay, so let's see how it goes So I take in the case that I have now I will take k1 to be n over 3 k2 to be 2n over 3 I will guess the majority of the s boxes on the late later rounds as I said I'm going to linearize them and then I'm going to make these quadratic equations bringing everything in k1 to the left I'm bringing everything in k2 to the right side Now these functions only depend on k1 and these functions only depend on k2 So what we did in the previous work was that we guess the value of k1 we make this list one We simply holds It's the left hand side evaluated for the k1 guesses and then another list Which holds the right hand side of the equation for the k2 guesses and then we check for we look for a collision between these two lists Here we will do something slightly different So you have that AI's are linear and F and G are both quadratic But F and G are not quite right our quadratic functions, but they don't if I if I look at their spectrum They don't have every possible monomial In the key bits and every possible quadratic monomial. In fact, the only monomials that they have Are the simple ones Plus the ones that appear in the output of the s-box. So what do I do? I split my k2 again into two parts into k2 1 and k2 2 then I Express this F and G that I had as linear functions in a space of twice the size with the spaces and I will call them. Let's say F bar and G bar. So now I have a linear Equality of this form simply both left-hand side and right-hand side are linear And what I can do because I this is for every I I can write this as a matrix Equation of this form Now this F function this large capital F is for sure It's not a full-rank matrix. So it has a null space. Let's call that H H is the kernel of F as I said and then I split G Based on this splitting of k2 that I did already So and I derive to an equation of this form and then I'm going to multiply both sides by H so and What I will have is that H was the kernel of F So I get an equation of this form because the left-hand side is going to be zero So again now I have a left-hand side, which is only in k2 1 right-hand side Which is only in k2 2. So this is perfect to mount a meet in the middle attack again so It goes exactly as you think so I'm just going to Exhaust all the values of k2 1 and compute The values evaluate the values on the left-hand side of my equation And then I'm going to exhaust all the k2 2 values and evaluate everything on the right-hand side of the equation and look for a collision And then I will keep a list of all these good collisions. So let's see how many collisions we will be finding So we have 2 to the power n over 3 possible values for k2 1 We have 2 to the power n over 3 possible values for k2 2 So what is the size of k2? Let's see so we said that's k2 1 and k2 2 are of equal size and I say that k2 is 2 and over 3 bits so The only whenever for every x1 and x2 I have that H x1 is equal to H x2 It means that x1 minus x2 is going to be in kernel of H So the probability of for every random x1 and x2 H times x1 being equal to H times x2 is going to be 2 to the power Dimension of kernel of H1 over 2 to the power 2n so These are the differences and these are the possibilities, so And I have that the dimension of the kernel is 2n minus n over 3 This is because of the property that it's the null space matrix of function f and Exactly because f hat is Constraining n over 3 variables, so the probability of a collision for a pair for a given pair is 2 to the power Minus n over 3 So what is the expected number of collisions is going to be total number of pairs times this probability which is going to be 2 to the power n over 3 Okay So let's see after we get this sets kb. What are we going to do? Everything's going to be exactly similar to what we did before what I explained in the beginning So for every value of k2 that I have I will evaluate this equation For every value of k1 that I have I will evaluate this equation and I will look for a collision again but here the point is that There are 2 to the power n over 3 that possible values for k1 and 2 to the power n over 3 around 2 to the power n over 3 values for k2 because This set is not all the possible values, but we've already done one check on it And then I would return the whole key that I've recovered from here So let's go through the complexity analysis for a second. So we have this many majority guesses Then we have to compute one equation that the equation that I described in the beginning. So that's going to be one partial encryption There's going to be one Gaussian elimination Because we have to find that kernel matrix and then there are two MITM's. So for the first one I have to evaluate quadratic polynomials on this many inputs two times 2 to the power n over 3 inputs For this I'm going to use some gray code denomination methods and The second MITM is going to be evaluating quadratic polynomials again over 2 to the power n over 3 quadratic polynomial Size input set, okay, so now let's talk about the partial layer version Okay So I will divide my rounds that I have here into four different distinct types So there's going to be the a rounds return in the beginning The keys that appear in the round keys that appear here. I'm going to express them as Ka They're going to be B rounds which are the B rounds after the A rounds So KB describes the keys there I'm going to have the C rounds with corresponding keys KC which are the last C rounds and then I will have The middle rounds which I will be linearizing and then the keys the key the entropy of the key that is left from these three One three round keys. I'll call it K RAM So it's going to be n minus 3s A plus B plus C give it so let's see why this is true first So the idea is for runs A, B and C. I will push the round keys Forward somehow Forward and backward such that the round keys would be small would actually be of for every Single round that I have in these three rounds the round key is going to be three s bits only and how is this done? As you can see the portion that is not passing through the s-box I can just pass it through the affine layer and push it to the next layer And if I keep doing this, I will have one big round key in the end and all the Round keys before that are going to be pretty small Okay, so for a for first a plus B rounds, I'm going to push everything forward and For the last It's R minus R round runs. I'm going to push everything backwards So the big key that I have here is going to appear in that middle rounds that I described and for all a B and C Rounds, I will have small Okay, so as I said K, A, K, B and K, C will be three S, A, three S, B, three S, C, bits long respectively and the entropy left is Okay, so now let's see what I will do. So for every s-box I Will add two sets of variables the inputs and the outputs of the s-box. So U is the input, Z is the output Now if you check here, these DI's are only are a linear function in my X values and my Z values So this is good. So D is a linear function of X values and Z values and then if I look here These E values are a linear function of D's and Z's and D's themselves were a linear function of X and Z So I will get the W, which is the output of my B rounds is going to be a linear function And my Z's are my X's which X's were the outputs of the A rounds and the inputs to the B rounds Okay, and then I Call the output of the middle rounds to be Y or you can think of it as the output of the inverse of the last C rounds So what I will do I will guess the majority for them for the middle rounds and linearize everything. So now I have that Y is a linear function of W and the key bits So as I say W can be written as a linear function of Z And X's and Y can be written as a linear function of W and the keys So Y can be written as a linear function of Z the key bits and X's because I just replace W with the represent with this representation in terms of Z and X Now I have a linear system Which has very more variables than equations so I can eliminate some of these variables So what I will eliminate will be the KB variables the K RAM variables and Z And this will give me a linear equation of this form So an affine function of kA and X is going to be equal to an affine function of KC and Y and This is actually good because if you remember X was the output of the first A rounds and Y was the output of the inverse final C rounds So X only depends on KAMPT and Y only depends on KC and CT so I can mount a meet-in-the-middle attack So how does the first meet-in-the-middle work? I will guess the value of kA and compute X out of it Then I will make a hash table and index it by The left-hand side of my equation that I had before with this computed values of kA and X Then I will guess KC and compute Y out of it and do the same thing and look for a collision And I will keep a good list a list of good kAs and kCs So now let's see this how the second MITM works So here I'm trying to get rid of the kBs in a sense. So if you look at the first round KB is simply the XOR of UIs and XIs from here Because exactly the input of the S-box is XIs plus the round keys Then here if you look These kBs that appear here are XOR of DI's and DUIs again and DI's were a linear function in X and Z So kB can be seen as a linear function of U, X and Z So and Y if you remember was a linear function of X, Z, kB, kA, kC and kRound. So I will just replace kB by U, X and kZ And now I will eliminate kRound from here Okay, so this will give me some a fine equation of this one in a fine function of Z and U It's going to be equal to an affine function of kA, kC, X and Y which again This equation is going to allow me to perform a meet-in-the-middle attack So again it goes as we guessed so I've already created a list of good kAs and kCs So for every kC that are in that good list I will compute this value I will evaluate that affine function that I had and kA, kC, X and Y And if you remember X and Y were only dependent on kA and kC Then I will exhaust all the U values which are in 0, 1 to the power 3sp and compute the affine function Which was on the left hand side of my equation based on U and Z guesses. So Z is the output of the S-Box, U is the input of the S-Box So Z can be computed with the U guess and then I will look for a Collision between the two. After I find the collision I had that kB was a linear function of U, Z and X So I can recover kB based on the value of U, Z and X that I found And then I recover the remaining part of the key from the rest of the values that I have So this gives me whole key bits So let's just check the complexity for a bit. So there are these many majority guesses that I have to do There are two MITM stages in each in the first MITM stage I have to eliminate some variables I have to compute X and Y based on kA and kC for all these kA and kC values For the second MITM I have to replace kB by U, Z, X. So this is a So this is a matrix multiplication This is a matrix multiplication. This was a Gaussian elimination And then I have to compute U from Z. This is evaluating the S-Box once and then for both cases I have to evaluate a linear polynomial. So The analysis of this one is a bit tedious, but you can it's pretty similar to the previous one that I explained But there are more details so you can check out the paper for that. But we actually Also implemented the attacks Here you can see I have a variance for the full S-Box version full S-Box layer version and the partial S-Box layer So here you see I have the two step MITM attack here. I have the linearization attack and here is the gray code optimization applied to the two step MITM variant and as you can see The gray code variant is very better than both the others, but already two step MITM is faster than normal linearization So the difference between the gray code variants and the non-gray code variants of the The partial layer is subtle because exactly the The degrees of the equations will go higher. So the gray code method will be less effective But still you can see that both of them are significantly better than the linearization attack Okay, so now let's conclude this talk This is the table of the complexities you can find it in the paper the more Accurate version of it So we've represented the attacks for both the full S-Box variant and the partial layer so for the Full S-Box variants we have that we can break it up to three rounds as you can see here for But the north three round attack is still faster than ours, but for the two rounds Version our attack is the fastest up until now Then for the partial S-Box layer, which is the actual interesting part of this work, I would say We can break up to n over s rounds, which was not done before and for all for both 0.8 times n over s and n over s we get faster attacks so What about what are possible future works that can be done? One thing to check is that can this MITM slash gray code denomination approach extend to more rounds And the answer is yes I would say almost yes So this is some current work that we're doing and the idea is we replace the majority function with some More better tailored functions such that the roots of it are ordered in a gray code manner And uh, this will probably break Variants with more rounds I think the last thing we have is we can break up to seven rounds But the difference fits A normal exhaustive search is really small. So there are still improvements that need to be done And then another Interesting approach would be combining the linearization ideas with the parity counting methods from the north Okay, thank you very much for watching this video and listening And if you were interested if the talk was interesting to you, I would highly encourage you to read the paper Here's the link to it and thank you very much again