Professional Documents
Culture Documents
ASIACRYPT 2015
ASASA Structure
At Asiacrypt 2014, Biryukov, Bouillaguet and
Khovratovich considered various applications of
the ASASA structure.
A Affine layer
S Nonlinear layer
e.g. S-boxes
F = A◦S◦A◦S◦A A
S
A
2
ASASA
2. Cryptanalysis.
4. Cryptanalysis (same).
4
Public-key ASASA
5
Multivariate Cryptography
Hard problem: solving a system of random, say,
quadratic, equations over some finite field.
6
ASA
Fnq
A Affine layer
A Affine layer
n
Fq
Many proposed scheme follow an ASA structure.
Fnq
8
History of ASASA
9
Structure ASASA + P [BBK14]
p n p
F2 F2
A
Perturbation:
S Quadratic layer
random
P
polynomials
A
of degree 4
S Quadratic layer
n
F2
Note : this is slightly different from BBK14.
Instances of ASASA + P
11
𝝌 function of Keccak
n
a2 F2 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11
bi = ai ai+1 · ai+2
12
𝝌-based instance
24
F2 103
F2
Random S 𝝌
degree-4 P
polynomials A
S 𝝌
Random invertible
A
affine layers
127
F2
13
Attack!
14
Cubes
15
Degree deficiency
n
a2 F2 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11
bi = ai ai+1 · ai+2
c
c = bi · bi+1
= (ai ai+1 · ai+2 ) · (ai+1 ai+2 · ai+3 )
17
ASASA Cryptanalysis
A Let F be an output mask, i.e. we
𝝌 look at hF | F i = x 7! hF (x)| F i.
G
A Then there exists a mask G s.t.
F hF | F i = hG| G i.
𝝌
mask G
A
mask F
18
ASASA Cryptanalysis
A Let F,
0
Fbe two output masks,
0
𝝌 and G , G the associated masks.
G
A
F ▸ If G and 0
single
𝝌 G activate
0
adjacent bits, hF | F i · hF | Fi
masks G,
0
G has degree 6.
A
0
masks F,
0 ▸ Otherwise hF | Fi · hF | Fi has
F
degree 8.
19
ASASA Cryptanalysis
A Goal : Find F,
0
F such that
𝝌 deg(hF | F i · hF |
0
F i) =6
G
A
F Let C be a dimension-7 cube. Then :
𝝌 0
⌃c2C hF (c)| Fi · hF (c)| Fi =0
masks G,
0
G
0
A ➞ we get an equation on F, F.
0
masks F, F
20
ASASA Cryptanalysis
0
View F, F as two vectors of n binary unknowns:
0 0
( 0, . . . , n 1 ) and ( 0 , . . . , n 1 ). Then:
� �� �
0 0
hF (c)| ihF (c)| i = i Fi (c) j Fj (c)
c2C c2C i<n j<n
� �� �
0
= Fi (c)Fj (c) i j
i,j<n c2C
=0
0
We get a quadratic equation on the i, i ’s.
21
ASASA Cryptanalysis
0
Each cube yields 1 quadratic equation on the i, i ’s.
0
Using relinearization, there are 1272≈214 terms i j
22
“Black-box” ASASA
23
SASAS structure
n
F2
Analyzed by Biryukov and
S S S S S S S S Shamir at Eurocrypt 2001.
A
8 bits
S S S S S S S S Goal : recover all internal
components.
A
Note: degree ≤ 49
distinguisher w. 250 CP
F128
2
25
ASASA cryptanalysis
A
Degree of an S-box = 7.
S S S S
A ▸ Let a = product of 2 output bits of
S S S S a single common S-box.
26
Cryptanalyse de ASASA
A Goal : Find F,
0
F such that
S S S S deg(hF | F i · hF |
0
F i) = 49
G
A
F Let C be a dimension-50 cube. Then:
S S S S 0
⌃c2C hF (c)| Fi · hF (c)| Fi =0
masks G,
0
G
0
A ➞ we get an equation on F, F.
0
masks F, F
Indeed the main obstacle is that the overall function must not
be full degree (➞ use results by Boura, Canteaut and Cannière
on the degree of composite boolean functions).
28
Conclusion
• A new attack on ASASA-type structures.
•Open problems:
29
Conclusion
Questions ?
30