CRC Press Algorithmic Cryptanalysis Jun 2009 ISBN 1420070029 pdf

ALGORITHMIC CRYPTANALYSIS

  © 2009 by Taylor and Francis Group, LLC

  

CHAPMAN & HALL/CRC

CRYPTOGRAPHY AND NETWORK SECURITY

Series Editor

  

Douglas R. Stinson

Published Titles

Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Antoine Joux, Algorithmic Cryptanalysis

Forthcoming Titles

Burton Rosenberg, Handbook of Financial Cryptography
Maria Isabel Vasco, Spyros Magliveras, and Rainer Steinwandt, Group Theoretic Cryptography
Shiu-Kai Chin and Susan Beth Older, Access Control, Security and Trust: A Logical Approach


Chapman & Hall/CRC
CRYPTOGRAPHY AND NETWORK SECURITY

Antoine Joux

ALGORITHMIC CRYPTANALYSIS

Chapman & Hall/CRC
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2009 by Taylor and Francis Group, LLC
Chapman & Hall/CRC is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number: 978-1-4200-7002-6 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

  

Library of Congress Cataloging-in-Publication Data

Joux, Antoine.
Algorithmic cryptanalysis / Antoine Joux.
p. cm. -- (Chapman & Hall/CRC cryptography and network security)
Includes bibliographical references and index.
ISBN 978-1-4200-7002-6 (hardcover : alk. paper)
1. Computer algorithms. 2. Cryptography. I. Title. III. Series.
QA76.9.A43J693 2009
005.8'2--dc22
2009016989

Visit the Taylor & Francis Web site and the CRC Press Web site.

To Katia, Anne and Louis

Contents

Preface

I Background

1 A bird's-eye view of modern cryptography 3
1.1 Preliminaries 3
1.1.1 Typical cryptographic needs 6
1.2 Defining security in cryptography 10
1.2.1 Distinguishers 11
1.2.2 Integrity and signatures 16
1.2.3 Authenticated encryption 17
1.2.4 Abstracting cryptographic primitives 21

2 Elementary number theory and algebra background 23
2.1 Integers and rational numbers 23
2.2 Greatest common divisors in Z 26
2.2.1 Binary GCD algorithm 30
2.2.2 Approximations using partial GCD computations 31
2.3 Modular arithmetic 33
2.3.1 Basic algorithms for modular arithmetic 34
2.3.2 Primality testing 38
2.3.3 Specific aspects of the composite case 41
2.4 Univariate polynomials and rational fractions 44
2.4.1 Greatest common divisors and modular arithmetic 45
2.4.2 Derivative of polynomials 47
2.5 Finite fields 47
2.5.1 The general case 48
2.5.2 The special case of F_2^n 49
2.5.3 Solving univariate polynomial equations 55
2.6 Vector spaces and linear maps 61
2.7 The RSA and Diffie-Hellman cryptosystems 63
2.7.1 RSA 63
2.7.2 Diffie-Hellman key exchange 65

II Algorithms

3 Linear algebra 71
3.1 Introductory example: Multiplication of small matrices over F_2 71
3.2 Dense matrix multiplication 77
3.2.1 Strassen's algorithm 80
3.2.2 Asymptotically fast matrix multiplication 89
3.2.3 Relation to other linear algebra problems 93
3.3 Gaussian elimination algorithms 94
3.3.1 Matrix inversion 98
3.3.2 Non-invertible matrices 98
3.3.3 Hermite normal forms 103
3.4 Sparse linear algebra 105
3.4.1 Iterative algorithms 106
3.4.2 Structured Gaussian elimination 113

4 Sieve algorithms 123
4.1 Introductory example: Eratosthenes's sieve 123
4.1.1 Overview of Eratosthenes's sieve 123
4.1.2 Improvements to Eratosthenes's sieve 125
4.1.3 Finding primes faster: Atkin and Bernstein's sieve 133
4.2 Sieving for smooth composites 135
4.2.1 General setting 136
4.2.2 Advanced sieving approaches 148
4.2.3 Sieving without sieving 152

5 Brute force cryptanalysis 155
5.1 Introductory example: Dictionary attacks 155
5.2 Brute force and the DES algorithm 157
5.2.1 The DES algorithm 157
5.2.2 Brute force on DES 161
5.3 Brute force as a security mechanism 163
5.4 Brute force steps in advanced cryptanalysis 164
5.4.1 Description of the SHA hash function family 165
5.4.2 A linear model of SHA-0 168
5.4.3 Adding non-linearity 171
5.4.4 Searching for collision instances 179
5.5 Brute force and parallel computers 182

6 The birthday paradox: Sorting or not? 185
6.1 Introductory example: Birthday attacks on modes of operation 186
6.1.1 Security of CBC encryption and CBC-MAC 186
6.2 Analysis of birthday paradox bounds 189
6.2.1 Generalizations 190
6.3 Finding collisions 192
6.3.1 Sort algorithms 196
6.3.2 Hash tables 207
6.3.3 Binary trees 210
6.4 Application to discrete logarithms in generic groups 216
6.4.1 Pohlig-Hellman algorithm 216
6.4.2 Baby-step, giant-step algorithm 218

7 Birthday-based algorithms for functions 223
7.1 Algorithmic aspects 224
7.1.1 Floyd's cycle finding algorithm 225
7.1.2 Brent's cycle finding algorithm 226
7.1.3 Finding the cycle's start 227
7.1.4 Value-dependent cycle finding 228
7.2 Analysis of random functions 231
7.2.1 Global properties 231
7.2.2 Local properties 232
7.2.3 Extremal properties 232
7.3 Number-theoretic applications 233
7.3.1 Pollard's Rho factoring algorithm 233
7.3.2 Pollard's Rho discrete logarithm algorithm 236
7.3.3 Pollard's kangaroos 237
7.4 A direct cryptographic application in the context of blockwise security 238
7.4.1 Blockwise security of CBC encryption 239
7.4.2 CBC encryption beyond the birthday bound 239
7.4.3 Delayed CBC beyond the birthday bound 240
7.5 Collisions in hash functions 242
7.5.1 Collisions between meaningful messages 243
7.5.2 Parallelizable collision search 244
7.6 Hellman's time memory tradeoff 246
7.6.1 Simplified case 247
7.6.2 General case 248

8 Birthday attacks through quadrisection 251
8.1 Introductory example: Subset sum problems 251
8.1.1 Preliminaries 252
8.1.2 The algorithm of Shamir and Schroeppel 253
8.2 General setting for reduced memory birthday attacks 256
8.2.1 Xoring bit strings 257
8.2.2 Generalization to different groups 258
8.2.3 Working with more lists 262
8.3 Extensions of the technique 263
8.3.1 Multiple targets 263
8.3.2 Wagner's extension 264
8.3.3 Related open problems 265
8.4 Some direct applications 267
8.4.1 Noisy Chinese remainder reconstruction 267
8.4.2 Plain RSA and plain ElGamal encryptions 269
8.4.3 Birthday attack on plain RSA 269
8.4.4 Birthday attack on plain ElGamal 270

9 Fourier and Hadamard-Walsh transforms 273
9.1 Introductory example: Studying S-boxes 273
9.1.1 Definitions, notations and basic algorithms 273
9.1.2 Fast linear characteristics using the Walsh transform 275
9.1.3 Link between Walsh transforms and differential characteristics 279
9.1.4 Truncated differential characteristics 282
9.2 Algebraic normal forms of Boolean functions 285
9.3 Goldreich-Levin theorem 286
9.4 Generalization of the Walsh transform to F_p 288
9.4.1 Complexity analysis 291
9.4.2 Generalization of the Moebius transform to F_p 293
9.5 Fast Fourier transforms 294
9.5.1 Cooley-Tukey algorithm 296
9.5.2 Rader's algorithm 300
9.5.3 Arbitrary finite abelian groups 303

10 Lattice reduction 309
10.1 Definitions 309
10.2 Introductory example: Gauss reduction 311
10.2.1 Complexity analysis 315
10.3 Higher dimensions 318
10.3.1 Gram-Schmidt orthogonalization 319
10.3.2 Lenstra-Lenstra-Lovász algorithm 320
10.4 Shortest vectors and improved lattice reduction 327
10.4.1 Enumeration algorithms for the shortest vector 327
10.4.2 Using shortest vectors to improve lattice reduction 330
10.5 Dual and orthogonal lattices 331
10.5.1 Dual of a lattice 332
10.5.2 Orthogonal of a lattice 333

11 Polynomial systems and Gröbner base computations 337
11.1 General framework 338
11.2 Bivariate systems of equations 340
11.2.1 Resultants of univariate polynomials 341
11.2.2 Application of resultants to bivariate systems 343
11.3 Definitions: Multivariate ideals, monomial orderings and Gröbner bases 345
11.3.1 A simple example: Monomial ideals 346
11.3.2 General case: Gröbner bases 346
11.3.3 Computing roots with Gröbner bases 349
11.3.4 Homogeneous versus affine algebraic systems 351
11.4 Buchberger algorithm 352
11.5 Macaulay's matrices 354
11.6 Faugère's algorithms 355
11.6.1 The F4 approach 356
11.6.2 The F5 approach 359
11.6.3 The specific case of F_2 360
11.6.4 Choosing and changing monomial ordering for Gröbner bases 361
11.7 Algebraic attacks on multivariate cryptography 362
11.7.1 The HFE cryptosystem 363
11.7.2 Experimental Gröbner basis attack 364
11.7.3 Theoretical explanation 365
11.7.4 Direct sparse approach on Macaulay's matrix 366
11.8 On the complexity of Gröbner bases computation 367

III Applications

12 Attacks on stream ciphers 373
12.1 LFSR-based keystream generators 374
12.2 Correlation attacks 376
12.2.1 Noisy LFSR model 376
12.2.2 Maximum likelihood decoding 377
12.2.3 Fast correlation attacks 380
12.2.4 Algorithmic aspects of fast correlation attacks 383
12.3 Algebraic attacks 387
12.3.1 Predicting an annihilator polynomial 388
12.4 Extension to some non-linear shift registers 389
12.5 The cube attack 390
12.5.1 Basic scenario for the cube method 392
12.6 Time memory data tradeoffs 393

13 Lattice-based cryptanalysis 397
13.1 Direct attacks using lattice reduction 397
13.1.1 Dependence relations with small coefficients 397
13.1.2 Some applications of short dependence relations 402
13.2 Coppersmith's small roots attacks 407
13.2.1 Univariate modular polynomials 407
13.2.2 Bivariate polynomials 410
13.2.3 Extension to rational roots 413
13.2.4 Security of RSA with small decryption exponent 414

14 Elliptic curves and pairings 417
14.1 Introduction to elliptic curves 417
14.1.1 The group structure of elliptic curves 418
14.1.2 Double and add method on elliptic curves 423
14.1.3 Number of points on elliptic curves 423
14.2 The Weil pairing 424
14.2.1 Weil's reciprocity law 424
14.2.2 The Weil pairing on ℓ-torsion points 429
14.3 The elliptic curve factoring method 432
14.3.1 Pollard's p − 1 factoring 432
14.3.2 Elliptic curve factoring 433

15 Index calculus algorithms 439
15.1 Introduction to index calculus 439
15.2 A simple finite field example 441
15.2.1 Overview 441
15.2.2 A toy example 448
15.3 Generalization to finite fields with small enough characteristic 449
15.3.1 Overview of the regular function field sieve 453
15.4 Introduction to the number field sieve 455
15.4.1 Factoring with the quadratic sieve 456
15.4.2 Discrete logarithms with the Gaussian integer method 457
15.4.3 Constructing number field sieve polynomials 461
15.5 Smoothness probabilities 463
15.5.1 Computing smoothness probabilities for polynomials 463
15.5.2 Asymptotic lower bound on the smoothness probability 467
15.5.3 Smoothness probabilities for integers 467

References 471

Lists 491

  Preface

The idea of this book stemmed from a master's degree course given at the University of Versailles. Since most students in this course come from a mathematical background, its goal is both to prime them on algorithmic methods and to motivate these algorithmic methods by cryptographically relevant examples. Discussing this course with colleagues, I realized that its content could be of interest to a much larger audience. Then, at Eurocrypt 2007 in Barcelona, I had the opportunity to speak to Sunil Nair from Taylor & Francis. This discussion encouraged me to turn my course into a book, which you are now holding.

This book is intended to serve several purposes. First, it can be a basis for courses, both at the undergraduate and at the graduate levels. I also hope that it can serve as a handbook of algorithmic methods for cryptographers. It is structured in three parts: background, algorithms and applications. The background part contains two chapters, a short introduction to cryptography mostly from a cryptanalytic perspective and a background chapter on elementary number theory and algebra. The algorithms part has nine chapters; each chapter regroups algorithms dedicated to a single topic, often illustrated by simple cryptographic applications. Its topics cover linear algebra, sieving, brute force, algorithms based on the birthday paradox, Hadamard-Fourier-Walsh transforms, lattice reduction and Gröbner bases. The applications part takes a different point of view and uses recipes from several chapters in the algorithms part to address more advanced cryptographic applications. This final part contains four chapters dealing with linear feedback shift register based stream ciphers, lattice methods for cryptanalysis, elliptic curves and index calculus methods.

All chapters in the algorithms and applications parts have an exercise section. For all exercises whose number is marked with an "h" exponent, e.g., exercise 1^h, hints and solutions are given on the book's website whose address is http://www.joux.biz/algcrypt. To allow the book to serve as a textbook, about half of the exercises have neither hints nor solutions.

The content of this book should not necessarily be read or taught in linear order. For a first reading or an introductory course, the content of Chapters 2, 3 and 6 covering basic number theory, linear algebra and birthday paradox algorithms should suffice. For a longer course, the choice of chapters depends on the background of the reader or students. With a mathematical background, I would recommend choosing among Chapters 4, 7, 10 and 11. Indeed, these chapters are based on mathematical premises and develop algorithms on this basis. With a computer science background, Chapters 5, 8 and 9 are more suited. Finally, the applications presented in the last part can be used for dedicated graduate courses. Alternatively, they can serve as a basis for course end projects.

Throughout this book, we discuss many algorithms. Depending on the specific aspect that needs to be emphasized, this is done using either a textual description, an algorithm in pseudo-code or a C code program. The idea is to use pseudo-code to emphasize high-level description of algorithms and C code to focus on lower-level implementation details. Despite some drawbacks, the C programming language is well suited for programming cryptanalytic applications. One essential advantage is that it is a relatively low-level programming language that allows one to tightly control the behavior of the code that is executed by the target processor. Of course, assembly language would give an even tighter control. However, it would be much harder to read and would only be usable on a single microprocessor or family of microprocessors.

Note that for lack of space, it was not possible to present here C programs for all algorithms that are discussed in this book. Several additional codes are available for downloading on the book's website. All these codes were developed and tested using the widely available GNU GCC compiler. Note that these codes are not optimally tuned; indeed, fine tuning C code is usually specific to a single compiler version and often hurts the code's legibility. Where timings are given, they were measured on an Intel Core 2 Duo at 2.4 GHz.

Writing this book was a long and challenging undertaking. It would not have been possible without the help of many people. First, I would like to thank my Ph.D. advisor, Jacques Stern; without his guidance, I would not have taken the path of research and cryptography. I also wish to thank all my colleagues and co-authors, for discussing fascinating research problems. It was a great source of inspiration while writing this book. All my students and former students deserve special thanks, especially for forcing me to reconsider previous knowledge again and again. Through sheer coincidence, I happened to be the program chair of Eurocrypt 2009 while writing this book; it was a very nice experience and I am extremely grateful to the wonderful people who accepted to serve on my committee. During the finalization of the manuscript, I attended a seminar on "Symmetric Cryptography" at the "Leibniz-Zentrum für Informatik" in Schloss Dagstuhl, Germany. Attending this seminar and discussing with all the participants was extremely helpful at that time; I would like to give due credit to the organizers and to the wonderful staff at Schloss Dagstuhl. A few of my colleagues helped me during proofreading; thanks to Johannes Buchmann, Pierre-Alain Fouque, Steven Galbraith, Louis Goubin, Reynald Lercier, Michael Quisquater, Michael Schneider and Nicolas Sendrier, this book contains far fewer typos than it would have. Thanks to Michel Abdalla for putting together a large bibliography of cryptography-related articles and for letting me use it. Last but not least, I would like to express all my gratitude to my family for supporting me all these years and for coping with my occasional absentmindedness.

Finally, I wish to acknowledge institutional support from the Délégation Générale pour l'Armement and the University of Versailles and Saint-Quentin-en-Yvelines.

Existing programs or libraries

Many of the algorithms presented here have been programmed, in very efficient ways, into existing computer packages. In many cases, reprogramming the methods might not be needed or might even be counter-productive when the available programs are very efficient.

We give here a short discussion of available programs and libraries which contain algorithmic methods discussed in this book. This discussion does not claim to be exhaustive. We regroup the stand-alone tools on one side and libraries that need to be used in conjunction with a user written program on the other. Note that stand-alone tools usually incorporate a programming language to allow the development of user's applications. Some of the programs offer both options, a stand-alone tool and a library; we list them in the stand-alone category. The various programs are listed in alphabetical order. We recommend using them for benchmarking and before considering writing user's specific code.

  Stand-alone tools

• GAP This computer algebra system is developed by the GAP group. It includes many features and offers very useful group theoretic algorithms. In particular, it is able to manipulate group characters and group representations.
• MAGMA Magma is a computer algebra system that can be bought online. An online calculator, with limited computing power, is also available. The Magma language is mathematically oriented and every object belongs to a rigorously defined structure. Magma includes a large number of features. In particular, it offers algebraic geometry tools and knows how to compute with elliptic curves and divisors. Magma also contains a fast implementation of the F4 Gröbner basis algorithm and lattice reduction tools.
• Maple Maple computer algebra is a very well-known and versatile system, used in a large variety of applications. The current version contains a very efficient implementation of the F5 Gröbner basis algorithm.
• PARI/GP This computer algebra system was initiated by Henri Cohen and is currently maintained by Karim Belabas under the GPL license. It offers both a stand-alone tool and a C library. In addition to classical features such as modular computation, linear algebra and polynomials, it offers some specific functionalities to compute information about general number fields and elliptic curves over the complex field.

  

• SAGE Sage is an open-source mathematics software system based on the Python language. It incorporates many efficient implementations of algorithms for algebra. One specificity of Sage is that it offers the option of interfacing with other computer algebra systems and of incorporating functionalities from existing libraries.

Libraries

• FFTW This library developed at MIT by Matteo Frigo and Steven G. Johnson is dedicated to high-performance computation of Fourier transforms.
• NTL This library written by Victor Shoup is based on the C++ language. It implements finite fields, routines for univariate polynomials, linear algebra and several lattice reduction algorithms.

Part I
Background

Chapter 1
A bird's-eye view of modern cryptography

Since cryptanalysis cannot exist without cryptography, this background chapter aims at making a brief, necessarily incomplete survey of modern cryptography, recalling some essential definitions and facts for the perusal of this book and laying down the notational ground. In particular, it presents various security notions, corresponding to several classes of adversaries. Modern cryptanalysis is the counterpart to these security notions. The fundamental goal of a cryptanalyst is to violate one or several of these security notions for algorithms that claim, implicitly or explicitly, to satisfy these security notions. This can be achieved in two main ways, either by overcoming an underlying security hypothesis or by exhibiting a specific flaw in the considered algorithm or protocol.

This chapter only intends to serve as an introduction to the topic and certainly does not give a complete description of modern cryptography. The reader may wish to consult a reference book on cryptography. There are many such books; a few examples are [Buc04, MvOV97, Sch96, Sti02].

1.1 Preliminaries

Cryptography is a ubiquitous tool in the world of information security. It is required when trying to keep the secrecy of communications over open channels or to prove the authenticity of an incoming message. It can be used to create many multiparty protocols in a way that makes cheating difficult and expensive. In fact, its range of applicability is very wide and it would not be possible to give a complete list of functionalities that can be achieved through the use of cryptography. Instead, we are going to focus on a small set of fundamental goals and see how they can be formalized into precise security notions. From a historical perspective, the oldest and foremost cryptographic goal is confidentiality.

Confidentiality appeared quite early in human history. At that time, messengers were regularly sent between troops or traders to carry important messages. They were also regularly captured by enemies and they sometimes turned out to be spies or traitors. In this context, the basic idea was to be able to write messages in a way that would preserve the secrecy of the message meaning against these events. Later, with the invention of postal services, telegraphs, radio communications and computer networks, it became easier to send messages and at the same time easier to intercept or copy these messages. Thus, the basic question remains: how can we make sure that messages will not be read by the wrong person? One option is to hide the very existence of the message through various means; this is called steganography. We will not consider this option any further. Another option does not try to hide the message but simply to make sure that it cannot be understood except by the intended recipient, using something akin to a scrambling process, called encryption.

This notion of confidentiality is trickier than it may first appear. What precisely can we hide about a message? Is it possible to be sure that nothing can be learned about it? A first limit is that it is not possible to hide everything about a given message: looking at the encrypted message, an attacker can always learn or at least estimate the length of the message. The only way to avoid this would be to output ciphertexts of the maximum accepted input length for all messages. This would, of course, yield utterly impractical cryptosystems. Moreover, the attacker may have some prior information and seeing the message is not going to make him forget it. As a consequence, it is convenient to assume that the length of the message is not hidden by the encryption and to measure the amount of new knowledge that can be extracted by the attacker from the message. Similarly, the attacker may obtain prior information about the encryption system. As a consequence, to make cryptography useful in a wide variety of contexts, it is necessary to assume that the specifications of the cryptosystem are public, or could be leaked to the adversary. The security of the system should only rely on a short secret: the key of the system. This essential principle was proposed by Auguste Kerckhoffs in 1883 and published in [Ker83].

  This approach and its limits were further studied by Shannon in 1945 in a confidential report titled A Mathematical Theory of Cryptography. This report was declassified after World War II and the results published in [Sha49]. In order to study the security of cryptographic systems, this paper introduced a new mathematical theory: information theory. In a nutshell, information theory contained good news and bad news about cryptography. The good news is that perfect confidentiality is possible and can be achieved using a simple encryption algorithm called the One Time Pad. The bad news is that the One Time Pad is impractical for most applications and that according to information theory nothing more practical can be secure. Indeed, the One Time Pad views messages as sequences of symbols (bits or characters) and encrypts them by a simple mixing of each symbol with a corresponding symbol extracted from the key. However, it is crucial for the security of this scheme to use a random key of the same length as the message to encrypt. With any shorter key, the One Time Pad degenerates into a variation of the Vigenère cipher and becomes very weak. Of course, transmitting very long keys securely is rarely easier than directly transmitting messages securely. Moreover, this system is error prone and any key reuse dooms the security of the corresponding messages. In practice, a user would expect to use a relatively short key for the transmission of long messages. Using information theory, Shannon showed that this is not possible. Indeed, a powerful enough cryptanalyst can always try to decrypt the transmitted message using all possible keys. The only key that yields a meaningful message is the correct one.

  In order to bypass this impossibility result, modern cryptography takes into account the amount of work required from the cryptanalyst and assumes that, even for relatively short key lengths, trying all keys costs too much and is not an option. This idea is at the core of computationally based cryptography. An asymptotically oriented approach to this idea can be obtained by using complexity theory. In this approach, easy tasks such as encryption or decryption are modeled by polynomial time computations and hard tasks are assumed to be in harder classes of complexity[1]. This approach has an essential drawback: complexity classes are too coarse and they do not always finely reflect the hardness of real computation. For example, a polynomial time algorithm of complexity $n^{100}$ is usually totally impractical, while an exponential time algorithm of complexity $2^{n/100}$ is often useful. A more concrete approach was proposed by Bellare, Kilian and Rogaway in [BKR00] and aims at giving more precise information about the cost of attacks for real life parameters of cryptographic schemes. However, even this concrete approach is not complete and comparing the practicality and the full cost [Wie04] of attacks is a difficult art.

  Pushing the idea of computationally based cryptography a bit further, in 1976, Diffie and Hellman invented public key cryptography [DH76]. The basic idea is to use trapdoor one-way functions, i.e., functions which are easy to compute, hard to invert and which become easy to invert once a secret value, the trapdoor, is known.

  Note that, in spite of achieving perfect confidentiality, the One Time Pad is not perfectly secure. Indeed, security is more than simply confidentiality: it also covers the concept that an attacker should not be able to tamper with messages without being detected. Clearly, this is not true with the One Time Pad, since changing any bit of the ciphertext has a simple effect: changing the same bit in the corresponding plaintext. This property allows an attacker to perform any change of his choice on the transmitted message. To prevent this, it is necessary to invoke another cryptographic functionality: integrity.
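The malleability just described, and the integrity check that lets the recipient detect it, as an added example that is not part of the book: the One Time Pad is the XOR of message and key symbols, and the integrity tag is HMAC-SHA256, an assumed mechanism that the text does not name.

```python
# Added example (not code from the book): One Time Pad encryption, the
# malleability described in the text, and an integrity tag (HMAC-SHA256, an
# assumed mechanism the text does not name) that lets the recipient detect it.
import hmac, hashlib, secrets

def otp(key, data):
    """Mix each symbol of data with the matching key symbol (XOR). Encryption
    and decryption are the same operation; the key must be truly random, as
    long as the data, and never reused."""
    if len(key) < len(data):
        raise ValueError("One Time Pad key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))

def flip_bits(data, mask):
    """Toggle in data every bit that is set in mask (mask is zero-extended)."""
    return bytes(d ^ m for d, m in zip(data, mask.ljust(len(data), b"\x00")))

def tamper_demo(msg, mask):
    """Toggling ciphertext bits toggles the same plaintext bits, and the
    One Time Pad alone gives the recipient no way to notice."""
    key = secrets.token_bytes(len(msg))
    tampered = flip_bits(otp(key, msg), mask)
    return otp(key, tampered)          # equals flip_bits(msg, mask)

def seal(enc_key, mac_key, msg):
    """Encrypt, then tag the ciphertext with a separate MAC key."""
    ct = otp(enc_key, msg)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, ct, tag):
    """Verify the tag in constant time before decrypting; None on failure."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp(enc_key, ct)
```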

  

[1] At most, one can hope for NP-complete cryptanalysis, since guessing the correct key suffices to break any cryptographic scheme.

1.1.1 Typical cryptographic needs

  These two basic functionalities, confidentiality and integrity, give a first criterion to classify cryptographic algorithms. Another essential criterion is the distinction between secret key and public key algorithms. Secret key algorithms use the same key, or sometimes distinct but equivalent keys, to encrypt and decrypt, to authenticate or verify authentication. Public key algorithms use different keys, the public key to encrypt or verify signatures, the private key to decrypt or sign.

  Using these two criteria, we obtain four classes of cryptographic systems.

1.1.1.1 Secret key encryption

  Typical secret key algorithms encrypt messages using a short secret key common to the sender and the recipient of the secret message. Typically, secret keys of recent algorithms are often between 128 and 256 bits. Secret key encryption algorithms are further divided into two main categories: stream cipher based and block cipher based.

  Stream ciphers combine a pseudo-random generator of cryptographic quality, also called a keystream generator, together with One Time Pad encryption. Block ciphers are keyed permutations which act on blocks of bits; blocks of 128 bits are a frequent choice. In order to encrypt messages, they are combined with a mode of operation which describes how to parse the messages into blocks and decompose the encryption of a message into encryption of blocks.

  Some of the basic modes of operation have been known for a long time and were already standardized for use with the DES algorithm. More recently, the NIST[2] encouraged research for new modes of operation in order to propose them as standards for use together with the AES block cipher. To illustrate modes of operation and their importance in secret key encryption, let us describe three well-known modes (see Figure 1.1): Electronic Code Book (ECB), Cipher Block Chaining (CBC) and Counter mode (CTR).

  The ECB mode works as follows: first it pads the plaintext message P to ensure that its length becomes a multiple of the block length; some care should be taken to make sure that the padding can be reversed after decryption to recover the original message. A standard solution is to add a single 1 after the original message, followed by the number of zeros needed to fill the last message block. Note that with this padding, messages whose original length is already an entire number of blocks are enlarged by one full block. After padding, the ECB mode parses the padded message in n-bit blocks, where n is the length of the cipher's blocks. Let the i-th block be denoted by $P^{(i)}$. To encrypt P, each block $P^{(i)}$ is encrypted separately.

  Another very common encryption mode is the Cipher Block Chaining (CBC) mode. To add security, this encryption mode is randomized. The randomization is added at the very beginning of the encryption process by simply adding one block of random initial value (IV) at the beginning of the message. There are two options when using this initial value: it can be considered either as an additional plaintext message block, say $P^{(0)}$, or as an additional ciphertext block, then denoted by $C^{(0)}$. When the IV is considered as an extra plaintext block, the first ciphertext block is set to $C^{(0)} = \Pi(P^{(0)})$, where $\Pi$ denotes the underlying block cipher or random permutation. From the first ciphertext block, we then proceed iteratively, letting $C^{(i)} = \Pi(P^{(i)} \oplus C^{(i-1)})$. When the IV is considered as a ciphertext block, the first encryption is simply omitted. An important fact about CBC encryption is that the encryption of any block of plaintext is a function not only of the block value, but also of all the previous blocks and of the IV.

[2] National Institute of Standards and Technology

  [Figure 1.1: Some classical encryption modes. (a) ECB encryption; (b) CBC encryption; (c) CTR encryption.]
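The padding rule and the ECB and CBC modes described above, as an added example that is not the book's code: the block cipher Π is replaced by a toy keyed byte-wise permutation (an assumption for the demo, not a secure cipher), the block length is fixed at 8 bytes, and both conventions for the IV (as $P^{(0)}$ or as $C^{(0)}$) are implemented.

```python
# Added example (not code from the book): ECB and CBC with the padding rule from
# the text, over a toy keyed permutation Pi standing in for a block cipher (NOT secure).
import random
BLOCK = 8  # n = 64-bit blocks, chosen for the demo

def make_pi(key):
    """(Pi, Pi^-1): a keyed byte-wise S-box used as a stand-in permutation
    of BLOCK-byte blocks; not a real block cipher."""
    sbox = list(range(256))
    random.Random(key).shuffle(sbox)
    inv = {v: i for i, v in enumerate(sbox)}
    return (lambda b: bytes(sbox[x] for x in b),
            lambda c: bytes(inv[x] for x in c))

def pad(msg):
    """Append one 1 bit (byte 0x80), then zero bits up to a block boundary;
    a message that already fills whole blocks grows by one full block."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)

def unpad(padded):
    """Reverse pad(): drop the trailing zeros, then the 0x80 marker."""
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("invalid padding")
    return stripped[:-1]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(pi, msg):
    """ECB: each P(i) is encrypted separately; equal blocks give equal C(i)."""
    return b"".join(pi(p) for p in blocks(pad(msg)))

def cbc_encrypt(pi, iv, msg, iv_is_plaintext=True):
    """CBC: C(i) = Pi(P(i) xor C(i-1)). IV as P(0) gives C(0) = Pi(P(0));
    IV as C(0) skips that first encryption. C(0) is emitted with the rest."""
    prev = pi(iv) if iv_is_plaintext else iv
    out = [prev]
    for p in blocks(pad(msg)):
        prev = pi(xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(pi_inv, ct):
    """P(i) = Pi^-1(C(i)) xor C(i-1), then strip the padding."""
    c = blocks(ct)
    return unpad(b"".join(xor(pi_inv(c[i]), c[i - 1]) for i in range(1, len(c))))
```

Encrypting a message with a repeated 16-byte phrase shows the difference between the modes: ECB produces repeated ciphertext blocks, CBC does not, and the two IV conventions coincide once the "ciphertext" IV is chosen as Π(IV).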