# Preventing Algebraic Attacks on Ciphers

CS 463 Lecture, Dr. Lawlor

There's an annoying problem with round-based ciphers, that the rounds can sometimes be folded together using algebraic manipulation.

For example, if each round consists of:
valuei = keyi ^ valuei-1

Then a four-round cipher produces this final output:
value4 = key4 ^ (key3 ^ (key2 ^ (key1 ^ plaintext)))

This looks fine, but re-associating we can algebraically combine all the round keys:
value4 = (key4 ^ key3 ^ key2 ^ key1) ^ plaintext = key ^ plaintext

This is bad, because an attacker now only needs to brute-force the single end-to-end key, instead of each of the four round keys (which would be harder to the fourth power!).

This simple reassociation trick works identically for *any* associative round operation, including +, *, or any of the finite field versions of these operations.

## Multi-Operation Attacks

You might think you're better off mixing different operations, but consider adds and multiplies:
valuei = Akeyi + Mkeyi * valuei-1

We can't directly re-associate, so this looks better at first glance:
value3 = Akey3 + Mkey3 * (Akey2 + Mkey2 * (Akey1 + Mkey1 * plaintext))

But of course, multiplication distributes over addition, so this is equivalent to:
value3 = (Akey3 + Mkey3 * (Akey2 + Mkey2 * (Akey1))) + (Mkey3 * Mkey2 * Mkey1) * plaintext

And an attacker just needs to brute-force the two equivalent key values in the outermost parenthesis:
value3 = Akey + Mkey * plaintext

This rearranging trick works whenever your round operations distribute over one another.

## Algebraic Resistance in AES

I was a little worried to notice that AES keeps every operation inside the GF(28) finite field.  Because the field operations are associative, distributive, commutative, and invertible, there are many opportunities for algebraic attacks.  AES is resistant against algebraic attacks primarily because of the finite field division in the S-box, for an equivalent round function of:

valuei = keyi + matrix / valuei-1

("matrix" here is the product of the affine part of the S-box, the row shifts, and MixColumns.)

The advantage here is after a few rounds, we get:
value3 = key3 + matrix / (key2 + matrix / (key1 + matrix / plaintext))

The big advantage is it's hard to separate the key terms from the plaintext terms in the denominator of each divide--divide doesn't distribute over addition (in the denominator).

I think if I were designing AES, I would have made one of the steps use ordinary addition (with carries) instead of finite field addition (XOR), purely to break the associative and distributive properties of the finite field.  But that's clearly a belt-and-suspenders approach.

## Algebraic Resistance in SHA-1

SHA-1 is a hash function, so it uses a fixed key, and doesn't need a decryption operation.  This means it can be built from non-invertible operations.

Each SHA-1 round consists of mixing 32-bit values a,b,c,d, and e:
e += rol(a,5) + F(b,c,d) + stage_key + round_key;
b = rol(b,30);
The round keys (W array) are derived from the original data.  After this, the five values a,b,c,d,e are circularly shifted.

The round function F provides the only nonlinearity and noninvertibility, and varies depending on the round:

• The first 20 rounds use the function (z ^ (x & (y ^ z))).  This is actually equivalent to the bit selection function (x&y) ^ ((~x) & z), which more clearly shows the symmetry (and non-invertibility) involved.
• The middle 20 rounds use XOR (x ^ y ^ z).  The purpose here is to mix the bits well.
• The next 20 rounds use the function ((x & y) | (z & (x | y))).  The output of AND is biased toward zero; OR is biased toward one.  Alternating them removes the bias.
• Ends with 20 rounds of XOR.
The round functions (other than the XOR stages) are chosen so they're:
• Nonlinear, so you can't build a linear series of equations.
• Non-commutative, so you can't rearrange the operations.
• Non-associative, so you can't reorder the operations.
• Non-distributive, so you can't shuffle the operations.
• Non-invertible, so you can't undo the operations.
SHA-256 uses the same nonlinear functions, but applies both functions at every round.