In cryptography, an interpolation attack is a type of cryptanalytic attack against block ciphers.

After the two attacks, differential cryptanalysis and linear cryptanalysis, were presented on block ciphers, some new block ciphers were introduced, which were proven secure against differential and linear attacks. Among these there were some iterated block ciphers such as the KN-Cipher and the SHARK cipher. However, Thomas Jakobsen and Lars Knudsen showed in the late 1990s that these ciphers were easy to break by introducing a new attack called the interpolation attack.

In the attack, an algebraic function is used to represent an S-box. This may be a simple quadratic, or a polynomial or rational function over a Galois field. Its coefficients can be determined by standard Lagrange interpolation techniques, using known plaintexts as data points. Alternatively, chosen plaintexts can be used to simplify the equations and optimize the attack.

In its simplest version an interpolation attack expresses the ciphertext as a polynomial of the plaintext. If the polynomial has a relative low number of unknown coefficients, then with a collection of plaintext/ciphertext (p/c) pairs, the polynomial can be reconstructed. With the polynomial reconstructed the attacker then has a representation of the encryption, without exact knowledge of the secret key.

The interpolation attack can also be used to recover the secret key.

It is easiest to describe the method with an example.

Example

edit

Let an iterated cipher be given by

 

where   is the plaintext,   the output of the   round,   the secret   round key (derived from the secret key   by some key schedule), and for a  -round iterated cipher,   is the ciphertext.

Consider the 2-round cipher. Let   denote the message, and   denote the ciphertext.

Then the output of round 1 becomes

 

and the output of round 2 becomes

 
 

Expressing the ciphertext as a polynomial of the plaintext yields

 

where the  's are key dependent constants.

Using as many plaintext/ciphertext pairs as the number of unknown coefficients in the polynomial  , then we can construct the polynomial. This can for example be done by Lagrange Interpolation (see Lagrange polynomial). When the unknown coefficients have been determined, then we have a representation   of the encryption, without knowledge of the secret key  .

Existence

edit

Considering an  -bit block cipher, then there are   possible plaintexts, and therefore   distinct   pairs. Let there be   unknown coefficients in  . Since we require as many   pairs as the number of unknown coefficients in the polynomial, then an interpolation attack exist only if  .

Time complexity

edit

Assume that the time to construct the polynomial   using   pairs are small, in comparison to the time to encrypt the required plaintexts. Let there be   unknown coefficients in  . Then the time complexity for this attack is  , requiring   known distinct   pairs.

Interpolation attack by Meet-In-The-Middle

edit

Often this method is more efficient. Here is how it is done.

Given an   round iterated cipher with block length  , let   be the output of the cipher after   rounds with  . We will express the value of   as a polynomial of the plaintext  , and as a polynomial of the ciphertext  . Let   be the expression of   via  , and let   be the expression of   via  . The polynomial   is obtain by computing forward using the iterated formula of the cipher until round  , and the polynomial   is obtain by computing backwards from the iterated formula of the cipher starting from round   until round  .

So it should hold that

 

and if both   and   are polynomials with a low number of coefficients, then we can solve the equation for the unknown coefficients.

Time complexity

edit

Assume that   can be expressed by   coefficients, and   can be expressed by   coefficients. Then we would need   known distinct   pairs to solve the equation by setting it up as a matrix equation. However, this matrix equation is solvable up to a multiplication and an addition. So to make sure that we get a unique and non-zero solution, we set the coefficient corresponding to the highest degree to one, and the constant term to zero. Therefore,   known distinct   pairs are required. So the time complexity for this attack is  , requiring   known distinct   pairs.

By the Meet-In-The-Middle approach the total number of coefficients is usually smaller than using the normal method. This makes the method more efficient, since less   pairs are required.

Key-recovery

edit

We can also use the interpolation attack to recover the secret key  .

If we remove the last round of an  -round iterated cipher with block length  , the output of the cipher becomes  . Call the cipher the reduced cipher. The idea is to make a guess on the last round key  , such that we can decrypt one round to obtain the output   of the reduced cipher. Then to verify the guess we use the interpolation attack on the reduced cipher either by the normal method or by the Meet-In-The-Middle method. Here is how it is done.

By the normal method we express the output   of the reduced cipher as a polynomial of the plaintext  . Call the polynomial  . Then if we can express   with   coefficients, then using   known distinct   pairs, we can construct the polynomial. To verify the guess of the last round key, then check with one extra   pair if it holds that

 

If yes, then with high probability the guess of the last round key was correct. If no, then make another guess of the key.

By the Meet-In-The-Middle method we express the output   from round   as a polynomial of the plaintext   and as a polynomial of the output of the reduced cipher  . Call the polynomials   and  , and let them be expressed by   and   coefficients, respectively. Then with   known distinct   pairs we can find the coefficients. To verify the guess of the last round key, then check with one extra   pair if it holds that

 

If yes, then with high probability the guess of the last round key was correct. If no, then make another guess of the key.

Once we have found the correct last round key, then we can continue in a similar fashion on the remaining round keys.

Time complexity

edit

With a secret round key of length  , then there are   different keys. Each with probability   to be correct if chosen at random. Therefore, we will on average have to make   guesses before finding the correct key.

Hence, the normal method have average time complexity  , requiring   known distinct   pairs, and the Meet-In-The-Middle method have average time complexity  , requiring   known distinct   pairs.

Real world application

edit

The Meet-in-the-middle attack can be used in a variant to attack S-boxes, which uses the inverse function, because with an  -bit S-box then   in  .

The block cipher SHARK uses SP-network with S-box  . The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. However it was broken in 1996 by Thomas Jakobsen and Lars Knudsen, using interpolation attack. Denote by SHARK  a version of SHARK with block size   bits using   parallel  -bit S-boxes in   rounds. Jakobsen and Knudsen found that there exist an interpolation attack on SHARK  (64-bit block cipher) using about   chosen plaintexts, and an interpolation attack on SHARK  (128-bit block cipher) using about   chosen plaintexts.

Also Thomas Jakobsen introduced a probabilistic version of the interpolation attack using Madhu Sudan's algorithm for improved decoding of Reed-Solomon codes. This attack can work even when an algebraic relationship between plaintexts and ciphertexts holds for only a fraction of values.

References

edit
  • Thomas Jakobsen, Lars Knudsen (January 1997). The Interpolation Attack on Block Ciphers (PDF/PostScript). 4th International Workshop on Fast Software Encryption (FSE '97), LNCS 1267. Haifa: Springer-Verlag. pp. 28–40. Retrieved 2007-07-03.
  • Thomas Jakobsen (August 25, 1998). Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree (PDF/PostScript). Advances in Cryptology — CRYPTO '98. Santa Barbara, California: Springer-Verlag. pp. 212–222. Retrieved 2007-07-06. (Video of presentation at Google Video—uses Flash)
  • Shiho Moriai; Takeshi Shimoyama; Toshinobu Kaneko (March 1999). Interpolation Attacks of the Block Cipher: SNAKE (PDF). FSE '99. Rome: Springer-Verlag. pp. 275–289. doi:10.1007/3-540-48519-8_20. Retrieved 2022-11-06.
  • Amr M. Youssef; Guang Gong (April 2000). On the Interpolation Attacks on Block Ciphers (PDF). FSE 2000. New York City: Springer-Verlag. pp. 109–120. Retrieved 2007-07-06.
  • Kaoru Kurosawa; Tetsu Iwata; Viet Duong Quang (August 2000). Root Finding Interpolation Attack (PDF/PostScript). Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography (SAC 2000). Waterloo, Ontario: Springer-Verlag. pp. 303–314. Retrieved 2007-07-06.