 Hello everyone. My name is Marek Boll and in this recording I'm going to present the paper Generic Framework for Keygassing Improvements, which is joint work with Federico Canale and Toni Flores-Gatieres, Greg Orliander and Mariana Placencia. In this paper we present a method of optimizing the key recovery part in a wide range of attacks against symmetric block ciphers by introducing more sophisticated keygassing strategies. First I will give you a general but simplified setting in which our improvement is applied. Then I will introduce the keygassing strategies and finally I will give you an overview of the more specific applications of our technique. Consider the following setting. We are given a cipher which is divided into three parts, E0, E1 and E2. Each of these parts depends on some part of the key material, which we will denote by K0, K1 and K2. In a key recovery attack we are usually given a set of plaintext ciphertext pairs, M and C, for each of which we guess K0 and K2 to determine the intermediate states A and B around the middle part of the cipher. We also assume that we have a distinguisher for the middle part. If we guess K0 and K2 correctly, we assume that the property the distinguisher tests for A and B holds. Otherwise we assume that A and B behave randomly. Here we will concentrate on how to optimize the keygassing part, which means lines two and three of our pseudocode, without touching the distinguisher. The first thing to note is that usually we don't have to supply the full states A and B to the distinguisher. Instead it is usually sufficient to supply smaller parts of those states to the distinguisher. Our first observation is that these smaller states usually do not depend on all of K0 and K2. Thus we can guess less key material. Note that not only the key bits involved in inactive S-boxes do not need to be guessed, but also that for example sometimes the relevant output of a certain S-box might not depend on all of its input bits. But even when we would usually need to guess the whole key material influencing an S-box, we can sometimes cut short depending on the bits we have guessed so far. Our second observation is that we can stop before guessing all bits influencing a function. Furthermore, in the case of determining S-box outputs, the key bits involved in evaluating the function depend on the input. This is reminiscent of the partitioning technique commonly used in the analysis of ARX ciphers. In our paper we formalized this approach for SPNs. I will walk you through an example given in our paper. We are given a 4-bit S-box which is applied to a message directly after a key has been added. We are interested in the last output bit. Here we denote this by Y3. Instead of looking at the key, we will look at the input of the S-box, which is equivalent. The specific S-box we will be looking at is the Noikin S-box. Here given an hexadecimal notation, the first line is the input and the second line is the output. We are only interested in the last output bit and in order to formulate a guessing strategy, we first write down its truth table. The way we wrote down the table, the left half corresponds to X3 being 0 and the right half corresponds to X3 being 1. As you can see, the values of the function on the left half are exactly identical to the values of the function on the right half. Therefore, the output bit does not depend on X3 at all. We will express our guessing strategies first using if-then-else statements. Each decision splits the space of inputs in half according to some linear function of the input bits. The first such function we choose is simply the bit X1. This corresponds to a guess of K1. If X1 is equal to 0, you can see in the picture that the input values will be sent to 1 and the even input values will be sent to 0. So the output of the function is in this case exactly identical to X0. Therefore, we have to guess K0 next. Going back to the guess of X1, if it is 1, you can see that the truth table of S3 of X restricted to this case is exactly the XOR of X0 and X2. Therefore, we can simply guess X0 plus X2 or equivalently K0 plus K2 to determine the target bit. On this slide, we have rewritten the guessing strategy to only contain if-then-else statements and constant outputs. On the right-hand side, you see in the final decision tree. We use the final decision trees to formalize guessing strategies in our paper. There are regular and binary trees whose labels are linear combinations of the input and whose leaves are function values. I will briefly describe how to read those trees. Given an input X, you first look at the root. The linear combination indicated by the root label will be compared to 0. If it is 0, then you go into the left branch. Then you look at the linear combination indicated by that node. If it is 0, then the output of the function is constant 0. Otherwise, the output is 1. We proceed in the same way when X1 is equal to 1. Then we go into the right branch and compare X0 plus X2 to 0. If it's 0, then the output is 0. Otherwise, the output is 1. Note that the tree would have more leaves if we first guessed X0 and then X2. In our paper, we show that the number of leaves often corresponds to the attack complexity. So we usually look for trees with a minimal number of leaves. Also note that we are not restricted to boolean output values. The outputs can also be binary vectors. Going back to our example, naively, we would have had to guess 4 bits. So in total, we would have had to perform 16 guesses. After observation 1, we know that the function is independent of one key bit. Therefore, we only need to guess 3 key bits. Thus, we actually only have to do 8 guesses. Looking at the tree, we see that no matter what input we get, we only have to guess 2 bits. Therefore, we only have to do 4 guesses. We show in the paper that this is equal to the number of leaves, even for more complicated trees that might be unbalanced. Applying both observations, we have reduced the number of necessary key guesses by a factor of 4. Note that in practical attacks, you usually can use this technique more than once. In our paper, we apply our technique to several different types of attacks. For example, to differential cryptanalysis against rectangle, to linear cryptanalysis against noikion, to rectangle attacks against gift, and to meet in the middle attacks against present. Furthermore, together with two other authors, we've applied our method for differential linear attacks, in this case against serpent. This is not part of the present paper, but it's going to appear at CTRSA 2022. When applying our technique in a classical linear attack, we are exactly in the situation we described in the beginning. We only need two single bits around the middle layer instead of the whole cypher states. It is straightforward to replace the guesses of full S boxes by our guessing strategies. But doing this for the popular FFT key recovery is not as obvious. Please consult our paper for details on this. When performing differential cryptanalysis, we are not only interested in finding specific function values, but also in choosing good pairs M and M' to a cypher, which lead to a fixed difference delta after some rounds. Here, our goal is given M to apply our technique in order to get some information about its partner M' and using as few key guesses as possible while doing so. We can assume that M is fixed. In this example, we again have a nonlinear function S applied to message M after adding a key. Instead of directly guessing K, we can again guess the input to the S box M plus K denoted by X. We pass X through the S box, then we add delta, and then we pass back through the inverse S box. At this point, we have modeled M' plus K. To remove the influence of K, we simply add X. This yields the formula for the function F delta you see here, which simply models the possible input differences leading to delta given M. We can now try to find guessing strategies for a subset of the output of F delta. Note that even if you are looking at the full output for F delta, you might find non-trivial strategies because the function F delta is not a permutation. Another trick we've used plenty of times, which works for linear and differential cryptanalysis alike, is key absorption. With it, we can join key guesses occurring over multiple rounds. In this example, we are given a side of the two rounds with the linear layer L in the middle. Each round consists of a key addition and an S box layer. We denote the first key by K and the second key by Kappa. The input of the first round is X of the linear layer Y and of the second ground Z. Let's assume that we need to find the first input bit of the second S box layer, Z0 plus Kappa 0. Since we only look at one output bit of the linear layer, we can rewrite this expression to be Kappa 0 plus the inner product of some vector alpha with Y. Now assume that we have chosen a guessing strategy for alpha times Y in which we guess gamma times K. Then we can express alpha times Y as the sum of gamma times K and a nonlinear function in X and K prime, where K prime is the part of the key material that does not depend on gamma times K. Instead of guessing gamma times K and Kappa 0 separately, we can now guess their sum and reduce the number of key bits to guess by one. For finding optimal guessing strategies, we opted for the simplest method. Given a function, we naively enumerate all linear combinations of the input X, alpha 0 times X in the picture and then restrict the target function twice, once to the inputs where alpha 0 times X is 0 and once to the inputs where it is 1. We then recursively apply the algorithm to find optimal trees for the subfunctions. Finally, we choose the best of the resulting trees. Our most important optimization was to filter out those linear combinations when considering each subfunction whose value has no influence. This provides an algorithm which can analyze functions up to input dimension 6 in a reasonable amount of time and also, though noticeably slower, functions up to dimension 7. Together with the paper, we have made our program available under the URL shown here. Here's a table of the attacks we improved. Our general approach was to manually analyze the dependencies through the cipher and whenever we needed to evaluate some nonlinear expression, we applied the algorithm I've just sketched. Our attack framework is so general that it also applies to several extensions of linear and differential crypt analysis and even some unrelated attacks, like the meet and the middle attack. For noikian and rectangle, we improve the best attacks, while the improvement for noikian is more the ones for gift and rectangle are significant. I would like to conclude the talk by providing further research topics. First, our algorithm for finding decision trees works well for functions up to input dimension 7, but as they are somewhat relevant ciphers using 8-bit S-boxes, it would be worth looking into whether good heuristic algorithms exist in this case. Second, it would be interesting to find meaningful bounds for decision tree sizes and to answer the question whether cryptographically good functions resistant against this type of key recovery can be constructed. Third, our attacks were mostly pieced together manually. Deriving trees using our program were never necessary. It should be possible to derive fully automatic algorithms that capture most of what we did by hand. Finally, apart from other attacks against symmetric ciphers, also attacks against other symmetric primitives might profit from this type of key recovery. If you're interested in a more extensive treatment of what I presented here, please consult our paper on ePrint under the link shown here. Thank you very much for your attention.