 Hello everyone and thank you for watching this video. I am Baptiste Lombard and today I will present our paper at EJCRIP 2021 which is called Strong and Tight Security Guarantees against in-stakehold distinguishers and this is a joint work with Phil Hepburn, Gregor Leander and Yosuke Todu. So the main topic is block ciphers. So block ciphers are one of the main way to build symmetric encryption and the idea is to generate a family of permutations such that to compute the encryption of a plaintext M we will simply choose a key which will select one of these permutations and then the resulting ciphertext C is simply the image of M through this permutation. So an ideal block cipher would be a random selection of permutation and this is quite hard to do. So in practice we try to build block ciphers which approximate this ideal block cipher. So one of the way to do so is to use a keyalterniting block cipher. So instead of designing the whole set of permutations or that once we will first design a round function f and a key schedule and this key schedule will take the key k, derive some subkeys k0, k1 and 2kr and then to encrypt we will take the plaintext at k0, apply the round function f at k1, apply the round function f again and again until the end and we obtain the ciphertext. So most if not all block ciphers these days are keyalternative block ciphers and one of them is for example AES. And so we want to study the security of this block cipher. So how far do they differ from a random set of permutation? And one example to do so is integral attacks. So I will introduce them with an example on AES so it's a very well-known integral attack, but the idea is that we will generate a set m of 2 to the 8 plaintext which have the following structure. So we set each of the bytes of the plaintext to be some constant except one byte, the first one for example, which would take all values. So this leads to 2 to the 8 plaintext and we will encrypt this set of plaintext with three rounds of AES so resulting to the ciphertext and something we can assume is that if we take the sum of all of the ciphertext, so when I say sum, I mean the xor of all of the ciphertext together, then whatever the value of the key that was used in the three round AES, this sum will be zero. So each byte with sum to zero. And this is not really a behavior that we would expect from a random permutation. So this is distinguisher, so this is something that distinguishes a block cipher from an ideal block cipher from a set of random permutation. And the important part here is that it's true for any key. So in general, the framework of integral attacks is to find such a set M of plaintext such that the sum of the resulting ciphertext is always equal to zero with probability one, no matter the value of the key. And obviously the set needs to be non-empty and also to not cover the full input set. But it's something that dates back from quite a while now. It was introduced by Knudsen with higher-than-differentials. It was then refined a bit, especially with delta sets, so sets a bit like the previous one where some bytes are constant and other take-all values. And I will talk a bit about it later, but there are some links with the ANF of the cipher, so with the algebraic representation of the cipher. And these days the most common way to study integral attacks is to consider division property introduced by Iosuke Todo a few years ago to actually find this set M. So integral attacks are the goal of integral attacks is to find this set M such that the resulting sum is zero. So if we want to argue about the security of a block cipher against these attacks, well, we need to show that no such set M of plaintext exists. And to do so, we need to take a closer look at how we can describe a block cipher. So something very general is that for any Boolean function, we know that we can represent this Boolean function with its algebraic normal form, so it's ANF, which is simply writing it as a polynomial over F2. And so for a block cipher, a block cipher is not just a Boolean function. It's essentially a keyed Boolean function. So now we have a key and instead of having just a coefficient lambda u in F2 in front of each monomial, we will have a polynomial pu, which depends on the key k. So this is how we will see our block ciphers now as keyed Boolean function, and we have the ANF given as the sum of some pu k times some monomials x2u. And so something very useful to study block ciphers when seeing them like this is the notion of algebraic degree. So the algebraic degree is essentially just what is the degree of the highest monomial in x that appeared in the ANF. So we are only considering the monomials in x, and whatever the highest degree monomial appears in the whole ANF, then this is defined as the degree of the block cipher. And so to show that this monomial x2u appear in the ANF, it means essentially that the corresponding key polynomial is non-zero. And one way we could show that this key polynomial pu is non-zero, is with the following lemma, which is a very well known result, which basically states that we can compute this polynomial pu by doing the sum of all x lower or equal to nu, where lower or equal for vectors is defined as just all coordinates are lower or equal to the other. And so if we do the sum of all of the x lower or equal to nu, then we obtain pu. And this looks very close to what we want for integral attacks, and actually this is one of the ways to build integral attacks. So if we can show that the algebraic degree of block cipher is equal to d, then for any u of weight larger than d, the key polynomial pu will be zero, otherwise it wouldn't be of degree d. But if this key polynomial pu is equal to zero, this means that the sum of all of the x lower or equal to nu of the resulting ciphertext is equal to zero, which is exactly what we want for an integral attack. So we can define the set m as the set of all x lower or equal to nu, and now we have a set m for which if we take the corresponding ciphertext, they're all summed down to zero. So in a necessary condition we want for a block cipher to be immune to integral attacks, it's obviously to have a high degree. And so estimating the degree of a block cipher is not easy. It was quite well known now to obtain upper bound on this degree, but if we really want to prove security, first step would be to show lower bound on the algebraic degree. And this was considered quite hard until last year at Egecript 2020. And so last year at Egecript, we actually, the same author, showed how to compute lower bound on the degree of block ciphers and also a few stronger notion. And I will need to describe a bit what we did, because our work this year strongly relies on the techniques introduced in this paper. So the idea is that we have a block cipher e and we can write its a and f. And if we develop the key polynomial pu, it basically results in this expression. So the sum of some lambda uv times kv times x to the u. And so this is of degree d, if we can find a u of weight d such that lambda uv is not zero. And ideally for a block cipher, we want to show that it is of maximum degree, which means degree n minus one. And so there is not a lot of choice for this vector u, because there are only n vectors of weight n minus one. However, for v, there is a lot more freedom. So again, we are in the context of key alternating block ciphers. So we have this round function and between each round function, we have a key addition. So when we build block ciphers, we use a key schedule to derive this round function, but to show this lower bound of the degree to basically show, try to show the security of this block cipher. We would work under slightly stronger assumption, which is that we have independent round keys. And more specifically, in the work of, at Egecrypt last year, we didn't need the first and the last key. So we are only considering the keys in the middle of the ciphers, and we consider them all independent. So now our monomial kv is defined as, well, the following expressions. So monomial in k1 times a monomial in k2, et cetera. And so we need to do two things. We need to be able to show that a given lambda uv is different from zero. And we also need to choose which v to use, so which vi to use to actually compute this lambda uv. So the first question was answered at Egecrypt last year, using basically a variant of the division property, which is a mathematical way to show some things about the degree and the monomials appearing in the NF of a block cipher. And what we did last year essentially comes down to, okay, how do we actually choose the vector v so that we can actually compute this coefficient lambda uv in practical time. And so we can compute this lambda uv. And by doing so, we can actually compute some lower bounds on the algebraic degree. And with a bit more work, we can even prove some stronger notions of just the algebraic degree called minimum degree and max degree monomial property, which I will not describe here. But even the stronger notions of the max degree monomial property was not enough to prove true resistance against integral attacks. What our paper last year did was prove resistance against only a subset of integral attacks. And moreover, the bounds that we gave and the resistance, the partial resistance that we showed, was only true for a given number of rounds r, but we did not provide any arguments for a larger number of rounds, knowing that, for example, the degree is maximum r. So this was another problem. And last, computationally, it was still quite expensive and took a lot of time to compute. So our contribution this year is to actually improve all of these three points. And I will mostly focus on proving actual resistance against integral attacks. So let's come back to our initial problem. So we want to show that there is no set M of plant X, so that the resulting sum on ciphertext is equal to 0. We show that if the degree is high enough and discover some form of set M, but not all of them. So if we look a bit closer in a bit more details, if there is an integral attack, if there is such a set M, so that the sum is equal to 0, it actually means that the key polynomials Pum are linear dependent. So if we wanted to show that a given block cipher is resistant against integral attacks, we will need to show that all of the 2 to the n polynomials Pum are linear independent. And this seems very hard, because so each polynomial can also be developed as a polynomial, so this is some of some lambda uv times kv. And well, each polynomial has about 2 to the n coefficients, and we have 2 to the n polynomials, so we will need to compute 2 to the n times 2 to the n coefficients and show that the following matrix is full rank, which when you consider modern block ciphers where n is equal to 64, for example, it's a very large number, and it's absolutely not doable in practice. So we need to do something a bit smarter, and to do so, we will simply use a whitening key. So we have our block cipher e, which depends on the key k, and what we do is considering an augmented cipher, where we just add a whitening key, so a key k0, before the actual block cipher. So we have the a and f of our block cipher e k, which is the sum of some p u times x to the u, and now we also have the a and f of the augmented block cipher, which is the sum of some qv times x to the v, and qv now are polynomials in both the key k and the whitening key k0. And the main theorem that we show is that if we consider only one output bit of the block cipher, then by showing that all of the polynomials p, e, i are linearly independent, so the polynomials in the original block cipher, then all of the resulting polynomials in the augmented block cipher, so the block cipher with the whitening key are linearly independent. So why is this useful, because the polynomials p, e, i are the polynomials associated with the vector e, i, which is defined as one in each coordinate, a set coordinate i, which is set to zero. And there are only n vectors of this form. So if we are able to show that n polynomials are linearly independent, then only by adding a whitening key, we show that all of the 2 to the n resulting polynomials are linearly independent. So now we reduce the work from 2 to the n to n polynomials. So this was only for one output bit. Block cipher obviously has more than just one output bit, has multiple output bits. And an attacker could try to see if the sum of sum of this output bit is zero, but also try to sum, for example, linear combination of output bits. So we don't just need to show that all of the output bit verifies the theorem, we need to show that any linear combination of output bit verifies the theorem, which means that for any non-zero beta, the inner product between beta and ek verifies the previous theorem. So this is just one output bit function. We need to show that all of these functions verifies the previous theorem. And again, there are 2 to the n of these functions, so we cannot do it very naively. We need to do something a bit smarter. And it's actually very somewhat easy to see. So yeah, we need to show that all of these functions, so inner product of beta and the block cipher verifies the previous theorem, which means that we want actually that all of the inner product between beta and the specific n polynomials pei associated with the weight n minus 1 vectors are linearly independent. And so what this means, since the pei are vectors of polynomial, is that we only need to focus on n squared polynomials. And show that all of these n squared polynomials are linearly independent, which is much smaller than the 2 to the n polynomials we had before. So we need to show that all of these polynomials are linearly independent. And to do so, again, these polynomials are expressed as some lambda u v times k to the v. So we just need to find a few vi, at least n squared, such that when we write this matrix, so the matrix of the coefficient of each polynomial, this matrix is full rank. If this matrix is full rank, then the n squared polynomials are linearly independent. And we want we actually proved integral resistance, resistance again, integral attacks. So yeah, in short, for block cipher ek, we compute about n to the 4, well-chosen coefficient u v, so that the previous matrix is full rank. And if we are able to do so, we show that the block cipher, when using the weightening key, fulfills the integral resistance property, which means that the block cipher is immune to integral attacks. And we can compute this lambda u v using what we did last year at Eject field. However, a small caveat is that it was still only using the work from Eject last year, was a bit slow. It was still very computationally hard. And even if some result could have been achieved, just doing it naively wouldn't work. Essentially, the issue is that to compute this lambda u v is we need to count the number of solutions in an MILP problem, so a linear programming problem. And generally this is quite hard. So what we did to improve this is essentially try to reduce the number of solutions to this problem. And a big observation was that if we are working on a block cipher which has a worldwide linear layer, so a linear layer working on bytes and nibbles, we can have equivalent representation of the cipher. And more specifically, if the cipher is using the S-box S, we can instead use an S-box S-prime, which is defined as a following, which is just a special case of affin equivalence. So that assuming an opponent run case like we did in the beginning, we have equivalent ciphers. So now instead of just one cipher, we have actually quite a few of them, about 2 to the 22 if the S-box is over 4 bits. And what we did was design some heuristic criteria to pick which representation to use so that the number of solutions in the MILP problem would be rather small. So we can actually enumerate this solution and so obtain our result, which is computing this lambda u v. And so we designed the heuristics. We also show how to actually choose v in a smart way so that we have a lot of lambda u v's which are automatically equals to zero without doing any computation just by design. If we choose v properly, we know for sure that some coefficients will be zero in the matrix, which heavily reduce the number of coefficients we need to compute. And also using some symmetries in some block ciphers, we can also reduce the number of coefficients. And so another example is that we are able to get results on the block cipher craft while last year we were not able to without this improvement. So to give a summary of what we showed, here are the number of rounds we are able to prove some on our several block ciphers. So in the second column, I'll give the number of rounds for which we know the longest integral distinguisher. And on the last column, I chose the number of rounds we were able to prove to be resistant against integral attacks. And in the head, you can see all of the results which are tight, which means that there is no improvement possible. We know that the best integral distinguisher is one less round that the number of rounds we were able to prove to be resistant to integral distinguishers. So you can see that for gift and present, there is still some margin. It doesn't mean that there is necessarily an attack on, for example, the 11 round of gift. It just that, constitutionally, we were not able to show that 11 rounds of gift is resistant to integral attacks. It might be possible, but there are still some improvement we can do here. So I showed how to prove resistance against integral attacks, how we improved the computational aspect. And the last point is, what about more rounds? So I show that a given number of rounds is immune to integral attacks, but what happened for more rounds? We would expect, obviously, that it works. If r rounds are immune, then r prime rounds are also immune. But in practice, it's a bit more complicated. So if we just consider the algebraic degree, and we take two very simple functions, so the two functions here, f and e, both of these functions are of degree two. But if we compose these functions, even with adding a key in the middle, then the resulting function is of degree one. So what we can see is that the algebraic degree, in general, is not preserved. And so we cannot automatically give guarantees. However, in the paper, and I recommend you to see this, if you are interested in the details, we can actually characterize when the algebraic degree is preserved. Now, if we look at integral resistance, so if we show that a block ciphery k is resistant against integral attacks, then in this case, it's a lot easier, because we are able to show that for any permutation f, adding this permutation at the input of the cipher also results in something that is immune to integral attacks. And this is very easy to see, it's just that if we add a permutation at the input, then at the end, we also obtain a sum of some set, so f of m, of some linear combination of the output bits. And we show that all of this sum are non-zero, which essentially means that it depends on the key. So for integral resistance, everything happens nicely. If we are able to show that our rounds of cipher are immune to integral attacks, then any higher number of rounds is also immune. So to conclude, there are still some ways to improve our work, so it's still quite a bit intensive on computations, so we would like to make it faster, we would like to design even better heuristics and understand these heuristics better, and we would also like to make it more usable, because for now, for each block cipher, we actually need a few tweaks here and there to actually really improve the speed and actually have practical results. So there are still some more works to explore, and thank you very much for your interest in this talk, and I hope to see you next week at the live talks for Azure Crypt.