 and construction. The first talk is going to be by Charles Bouillagais and Patrick Derbert and Pierre Alain Foucq and it's about automatic search of attacks on round reduced AS and applications and Charles is going to present. Thanks for the introduction. So as you might have a guess this talk is going to be about block cipher cryptanalysis. So first recall that the block cipher is in fact a family of permutation indexed by a key and we hope that these permutations are sufficiently random and independent. So in fact the block cipher takes as input a k-bit key and n-bit plain text and produces an n-bit cipher text. So often the size of the key doesn't need to be the same the size of the plain text anyway and against these constructions attackers usually aim to retrieve the secret key given some plain text cipher text pairs and it is usually assumed that they have to do so faster than exhaustive search on the key which means using less time that performing 2 to the k encryption and they have to use a bit less data than the entire code book which means less than 2 to the n plain text cipher text pairs. So these days breaks of widely deployed block ciphers are relatively rare at least in comparison with what happens in the hash function of stream cipher world and so if we cannot break these full things what can we do but we could weaken them before trying to break them and so the usual approach to weaken the block cipher is to reduce its number of rounds because most block ciphers are iterated constructions where a round function is iterated on the plain text using sub keys generated by a key schedule algorithm. So a natural option is to reduce the number of rounds that makes it easier to break and the objective of the attacker then becomes to break as many rounds as possible under the limits of exhaustive search and the full code book and when that is not enough we could also we could also have another option it would be to get stronger we could work in a stronger attack model for instance instead of having just known plain text cipher text pairs we could have chosen plain text cipher text pairs we could have access to a decryption or a call we could even maybe tweak the key have side channel informations or whatever but at this point it becomes questionable whether these assumptions makes any sense in practice so in this look we chose a third option which was to focus on attacks with very low data complexity attacks that use a very small number of plain text cipher text pairs in this way at least we are sure to be on the safe side of the practicality this well the discussion about the models so we still want to be faster than exhaustive search though and since we're working under strong restriction we probably won't find the best attack today but this is still interesting because first of all it's a rather unexplored territory and we could discuss what's harder in practice is it is it harder to perform two to the 50 elementary operations or to steal 50 plain text cipher text pairs from from someone and in addition low data complexity attacks are also interesting because sometimes they could be used as sub components or over attacks on larger primitives and for instance at fsc this year there has been a crypt analysis of the full ghost which at some point uses an attack on eight rounds with just two plain text so it's really a low data complexity attack uh so our target is the most natural one it's the AES the most one of the most widely deployed encryption primitive so the AES has been designed by Raymond and Damon for the AES competition it was selected as a winner in 2001 so it's a substitution permutation network that operates on a 128 bit block and in this talk we'll focus on the one version with 128 bit keys and this version has 10 rounds so the round function is like that so the 128 bit plain text is represented as a four by four matrix of bytes and in the first step a non-linear permutation is applied in parallel to each byte so this is the sub byte operation then the rows of the matrix are shifted by different indices then the each column is multiplied by a fixed matrix this is the mixed column operation and then the round key is exored to the to the internal state so that's the round function that's iterated ten times so against these constructions I am aware of an attack on eight rounds on the AES 128 and kryptonis can go one more round on the larger versions and if in the related key model or related sub-key model there are attacks on the full AES 256 but all these the complexity of all these attacks are just slightly less than the natural bonds of exhaustive search and the full codebook so if we want to find low data complexity attacks we won't be able to use most of the usual cryptanalytic techniques and for instance we cannot use statistical attack such as differential cryptanalysis because because by definition they require a large amount of data to perform the statistics we also cannot really use attacks such as slide attacks because they require some data until a special event happens the sleet pair for instance so we are essentially left with algebraic attacks the guess and determine attacks meeting the middle attacks and maybe some of a few but in this talk I will really focus on guess and determine attacks and meeting the middle so I will just quickly remind how meeting the middle attack works so this is a very bad way to build an AES with 256 bit keys out of two versions of the smaller one with just the composition of the AES with two different keys and this this can be attacked if you more faster than exhaustive search by first enumerating all the possible values of k1 encrypting the plain text under this key and obtaining the internal state m then we can store m and k1 in a hash table and then we can enumerate all the possible values of k2 they creep the safer text and we should obtain the we should obtain the same value in the middle so by looking at the hash table we could as we can associate to each value of k2 a value of k1 and we will and we've thus something like two to the 128 encryptions we can recover the full key and that uses only two plain text pair to known plain text so which is as low as it gets so to find to find such such low data complexity attacks well we first we are lazy and it's also it's difficult or finding all kind of attack is difficult but these ones are really difficult and have to trying to find you know these 100 steps get some determine attacks for hours and nearly drove us to madness so we use the standard solution which is to build a tool that does the job for you and it is a standard solution and has been used several times in the past most mostly to find differential attacks automatically so there is a list here of tools designed to break crypton to break symmetric primitives but I won't really comment on that list so you might have heard some several times that the AES has a very nice and clean algebraic structure of a field with 256 elements and concerns who have been raised several times that the simple structure could be a problem that it could be a way to to attack to attack the cipher but in fact as far as I know no no attacks have exploited this property yet so we use it a bit though and for instance if you look at the round function so there is the nonlinear permutation the nonlinear permutation is annoying it doesn't have a nice representation of a finite field so we just leave it leave it as is we will have a function s all along but the rest of the operations are very nicely expressed of a final finitely finite field sorry it's just a matrix matrix product and an addition of a field and if you look at the key schedule which I will describe at the same time so first so each next sub key is generated using the current sub key so first the blue byte goes into the nonlinear permutation XOR is XOR to the gray byte and this creates the the red byte all right and then we can do the same thing one row below and do the same thing one row below and there is a round constant somewhere for asymmetry and since the blue byte hit the bottom we just wrap it around to generate the fourth byte of the first column and then once we have the first column we XOR it with the second column of the previous key to get a new column and so on and so on so if you look at the equations describing this process there are most of them are just linear and here there is the annoying s box but it occurs only four times so the equation describing the as are very sparse they're structured and if it were not for the s box they would be completely linear of a field with 256 elements so we can just say that all right if x is a variable then s of x is another variable and then that would just be all linear and so a direct algebraic attack would consist in taking these equations feeding them to your favorite of the shelf equation solvers such as a set solver a basic algorithm or so on run it and pray that it would solve the equations and and reveal the key if we were able to solve equations such equations we would break the cipher but the problem with this approach is that besides that it doesn't really work in practice we don't know what is the time complexity of the solver we have no useful bound besides the worst case which is not interesting so this approach didn't didn't really work so far did not produce interesting results and what we do we do something a bit different we we constructed several tools that take the equation crunch the equation for a while and then try to find a way to solve these equations using either a guess and determine or a meet in the middle approach and when this thing is found its its code is generated and then the corresponding program can be compiled and run and once when it will when it runs it will find the solution and the good thing is that we know how long it is expected to run so we don't really have to run it to know whether it's an actual attack or not and the structure of the equations makes the tool somewhat easy to to implement and it makes it possible to find interesting results on some occasions so the properties of the equation that are used is that well first of all they are sparse and for instance in guess and determine attack sparse equations are a good thing because if you know all the terms but one then you can easily deduce the value of the last one if you know the if you know the red variables you will find the value of the blue variables but the fact that the equations are nearly linear are also very helpful because it allows to use Gaussian elimination and this allows even more knowledge propagation because you only need to find a linear combination of the equation where you know all the terms but one and in this example for instance if you combine the equations with the right coefficient you would find that knowing the red bytes is enough to find out all the blue bytes as well so a possible way to find guess and determine attacks automatically on such equations would be this simplistic procedure so enumerate all the possible subsets of the variables assume that your subset is known you can guess the values of the corresponding bytes and then as well you can by taking linear combinations obtain the value of a new variable just iterate the procedure and if it stalls then throw x away and and start start afresh or if you find out that at the end you know the value of everything then you have found the possible way to solve these equations it may may not be the optimal way especially if x is big but at least you have found something and you can keep going so that's a possibility so variants of this procedure have found best attack than human cryptanalysts on some occasions but this looks really this looks really simple and possible to do better and to do better we can try to find meet in the middle attacks and again the fact that the equations are linear make meeting the middle attacks easy possible to find because when the equations are linear we can just move say half of the variables on the right hand side of the equations we can just absorb a value on x or the corresponding terms on both sides and then we get we get equations where variables are separated and this allows to use the same procedure as before enumerate all the possible values of x y and z evaluate the left hand side store it in a hash table then evaluate all the possible values of u v and t evaluate the right hand side look up the hash table and match possible match corresponding value of two variables and this runs in time equivalent to the square root of exhaustive of exhaustive search but this can also be improved as well so because the idea is to partition the set of variables into two halves but we may choose the halves somewhat arbitrarily and what would be really great would be to find a partition where there are linear say in patch in x y where there are linear combination of the equations that contain only variables of x or only variables of y and once you have determined the partition you can check for that automatically using just simple linear algebra so vector space intersection essentially and if you find equations like that then the system of equation you have to solve to solve has this shape so there is the mid in the middle part and there are the additional constraints on both sets of variable individually and to solve this kind of systems we can use the same procedure as before enumerate all the values of the first variables that meets the the additional constraints evaluate the g1 and solve the result in the hash table and then do the same thing on the second half evaluate enumerate the values of u v n t that match the second constraints look up the hash table and and so on but here we are so the problem we have to solve here is the same problem as before it's to solve the system of the a s like equations but this time the problem is much smaller and this allows to find to try to find recursive solutions where when you have a solver that solves this system efficiently and once you have a solver that solves this system efficiently you can try to build a bigger solver that solves the whole problem so that's essentially how we find how our tool work it constructs recursive meeting the middle solvers so um so applying that directly to the a s equations yield non-trivial results so for instance if you look at this table you will see that the attacks found found by this tool were often much better than the attacks that had been found by hand by various people often by a factor of two to the 16 or even two to the 20 and I would like for instance to point your attention to this line here where the tool has found an attack that runs in essentially two to the 32 operations when four on four a s rounds with four chosen plain text available and with one more chosen plain text the best attack found by a human being runs in two to the 64 operation so this is this is an actual improvement so some of these attacks are practical and when they are practical we have implemented them run them and tested that they work and that they were working the expected time and so far we hadn't had any bad surprise um so because because the tools are just equation solvers they can be applied to not only to the a s itself but to things that look like the a s for instance they could be applied to uh to pedicom back so in pedicom in pedicom back each the essentially once you it's four a s rounds are applied to a to a new state it's for keyless a s rounds and so the tool was able to find such equations of differential equations to find x such that uh so that follows a certain differential certain differential and it it it found a procedure that solved this problem in practice so this allows to break the mac into two to the 64 queries and it is as far as I know with fs test attack that have been simultaneously discovered by someone by other people and on lex the lex is also a stream is a stream cipher that uses a s rounds inside and so the tool could could rediscover easily the best known attack and also also we will some user input found a higher order differential attack that that's faster so that's that's essentially it what's left to say is that the tool is available online you can try to play with it and I thank you for your your attention so we have time for a question yes for what sorry all right so the problem there would be that operation these things did not have a nice a nice algebraic description of a field because the xor interacts badly with the modular addition and so you wouldn't be able to use the same level of you know a question wouldn't be linear anymore of a field and the two this kind of tool wouldn't really work it only work when the primitive has a very nice description of a field so I don't think that with this kind of technique we can tackle erics problem not in this way at least so maybe there are ways to to find attacks automatically on this kind of constructions but not not exactly with this approach that's possible okay let's thank the speaker again