Cryptanalysis of Elisabeth-4

  • Conference paper
  • Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

Elisabeth-4 is a stream cipher tailored for hybrid homomorphic encryption applications, introduced by Cosseron et al. at ASIACRYPT 2022 [3]. In this paper, we present several variants of a key-recovery attack on the full Elisabeth-4 that break the 128-bit security claim of that cipher. Our most optimized attack is a chosen-IV attack with a time complexity of \(2^{88}\) elementary operations, a memory complexity of \(2^{54}\) bits and a data complexity of \(2^{41}\) bits.

Our attack applies the linearization technique to a nonlinear system of equations relating some keystream bits to the key bits and exploits specificities of the cipher to solve the resulting linear system efficiently. First, due to the structure of the cipher, the system to solve happens to be very sparse, which makes it possible to rely on sparse linear algebra, most notably on the Block Wiedemann algorithm. Second, the algebraic properties of the two nonlinear ingredients of the filtering function cause rank defects which can be leveraged to solve the linearized system more efficiently, with decreased data and time complexity.

We have implemented our attack on a toy version of Elisabeth-4 to verify its correctness. The sparse linear algebra relies on the efficient Block Wiedemann implementation of cado-nfs [4].

Notes

  1. This toy cipher is not only vulnerable to linearization attacks but also to other classes of attacks, such as statistical cryptanalysis.

  2. This direct bound can be further refined by taking into account that monomials involving fewer than four elements are counted multiple times. Observing that the number of monomials involving variables from exactly j elements is \(15^j\), a finer bound on the number of monomials is \(\sum _{j=0}^4 \left( {\begin{array}{c}256\\ j\end{array}}\right) 15^j \approx 2^{43.0}\).

  3. In the finer monomial representation, without monomial duplication, the association between the parameters of the h function and the set of monomials is more complex, but can still be achieved with some index bookkeeping.

  4. We do not discuss here the dimension of the affine space of solutions, nor how a large number of key bits can be derived from any particular solution and then used to recover the missing key bits efficiently, since this would largely amount to anticipating the analysis of the next section.

  5. Indeed, the number of monomials in 16 variables of degree at most 12 is equal to \(\sum _{i = 0}^{12} \left( {\begin{array}{c}16\\ i\end{array}}\right) = 2^{15.98}\), which is not significantly smaller than \(2^{16}\).

  6. The authors of Elisabeth-4 [3] had already observed experimentally the degree of the keystream LSB for some mask values; here we provide a proof that holds for any mask.

  7. In practice, if \(\textbf{M}\) is known to be nonsingular, one uses \(\textbf{v} = \textbf{y}\).

  8. Although the algorithm is in practice slightly more complicated, we do not go into details as this is not the core of the article.

  9. https://github.com/princess-elisabeth/Elisabeth.

References

  1. Chillotti, I., Joye, M., Paillier, P.: Programmable bootstrapping enables efficient homomorphic inference of deep neural networks. In: Dolev, S., Margalit, O., Pinkas, B., Schwarzmann, A. (eds.) CSCML 2021. LNCS, vol. 12716, pp. 1–19. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78086-9_1

  2. Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comput. 62(205), 333–350 (1994). http://www.jstor.org/stable/2153413

  3. Cosseron, O., Hoffmann, C., Méaux, P., Standaert, F.-X.: Towards globally optimized hybrid homomorphic encryption - featuring the Elisabeth stream cipher. In: ASIACRYPT 2022, Taipei, Taiwan (2022). http://hal.inria.fr/hal-03905546

  4. The cado-nfs Development Team: cado-nfs, an implementation of the number field sieve algorithm, release 2.3.0 (2017). http://cado-nfs.inria.fr/

  5. Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_17

  6. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation. ISSAC ’02, pp. 75–83. Association for Computing Machinery, New York, NY, USA (2002). https://doi.org/10.1145/780506.780516

  7. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1), 61–88 (1999). https://doi.org/10.1016/S0022-4049(99)00005-5, https://www.sciencedirect.com/science/article/pii/S0022404999000055

  8. Joux, A.: Algorithmic Cryptanalysis. Cryptography and Network Security Series. Chapman & Hall/CRC, Taylor & Francis, Boca Raton (2009). https://books.google.fr/books?id=dyavmAEACAAJ

  9. Joux, A., Pierrot, C.: Nearly sparse linear algebra and application to discrete logarithms computations. In: Contemporary Developments in Finite Fields and Applications, pp. 119–144. World Scientific (2016)

  10. Kaltofen, E.: Analysis of Coppersmith’s block Wiedemann algorithm for the parallel solution of sparse linear systems. In: Cohen, G., Mora, T., Moreno, O. (eds.) AAECC 1993. LNCS, vol. 673, pp. 195–212. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-56686-4_44

  11. Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)

  12. Méaux, P., Carlet, C., Journault, A., Standaert, F.-X.: Improved filter permutators for efficient FHE: better instances and implementations. In: Hao, F., Ruj, S., Sen Gupta, S. (eds.) INDOCRYPT 2019. LNCS, vol. 11898, pp. 68–91. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35423-7_4

  13. Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_13

  14. Strassen, V.: Gaussian elimination is not optimal. Numer. Math. 13, 354–356 (1969)

  15. Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986)

Acknowledgement

This work is partially supported by the French Agence Nationale de la Recherche through the SWAP project under Contract ANR-21-CE39-0012.

Author information

Corresponding author: Rachelle Heim Boissier
Appendices

A Sboxes

See Table 3.

Table 3. Sboxes used in Elisabeth-4 in hexadecimal notation.

B Degree of the Least Significant Bit

In this section, we show that at any iteration j of the keystream generator, the Boolean function \(f_j\) that takes as input the key bits and returns the least significant bit of the keystream element has an ANF of degree at most 12. We remind the reader that this proof uses definitions and propositions introduced in Sect. 4.3.

We showed that at any iteration j, the Boolean function \(f_j\) can be written as the sum of \(t = 12\) Boolean variations of h and of the least significant bits of some key elements (see Sect. 3). Thus, the degree of \(f_j\) is bounded by the maximum degree of a variation of h. Further, in Sect. 4.3, we showed that any Boolean variation of h can be written as the sum of four Antler functions. Thus, the maximum degree of any variation of h, and hence the degree of \(f_j\), is bounded by the maximum degree of an Antler function. The following theorem and its proof therefore suffice to upper bound the degree of \(f_j\).

Theorem 1

For any 3 negacyclic look-up tables \(\mathcal {S}_1, \mathcal {S}_2, \mathcal {S}_3\), the ANF of \(H_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}\) has degree at most 12.

Proof of Theorem 1. In order to study \(H_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}\), we introduce the following definitions (see Fig. 6):

$$\begin{aligned} u &{:}{=}\mathcal {S}_1[b] = \mathcal {S}_1[x + y]\\ v &{:}{=}\mathcal {S}_2[b'] = \mathcal {S}_2[y + z]\\ \beta &{:}{=}\mathcal {S}_1[b] + \mathcal {S}_2[b'] + w . \end{aligned}$$
Fig. 6. The Antler function \(H_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}\).

Each bit of b (resp. \(b'\), \(u+v\)) can be expressed as a polynomial in the sum of the bits of x and y (resp. y and z, u and v) and in the product of the bits of x and y (resp. y and z, u and v). This property reflects the symmetric nature of the modular addition. Thus, for \(0 \le i \le 3\), we also define

$$\begin{aligned} s_i &{:}{=}x_i \oplus y_i, \quad s'_i {:}{=} y_i \oplus z_i \\ p_i &{:}{=}x_i \cdot y_i, \quad p'_i {:}{=} y_i \cdot z_i\\ \sigma _i &{:}{=}u_i \oplus v_i\\ \pi _i &{:}{=}u_i \cdot v_i . \end{aligned}$$

For any \(0 \le i \le 3\), the following equations hold:

$$\begin{aligned} p_i s_i &= 0 \\ p'_i s'_i &= 0 \\ \pi _i \sigma _i &= 0 . \end{aligned}$$

As a consequence, by applying the definition of the modular addition to \(b = x+y\), we get

$$\begin{aligned} b_0 &= s_0 \\ b_1 &= p_0 + s_1 \\ b_2 &= p_0s_1 + p_1 + s_2 \\ b_3 &= p_0s_1s_2 + p_1s_2 + p_2 + s_3 . \end{aligned}$$

The exact same equations hold for \(b'\). Similarly, the bits of \(u+v\) can be expressed as polynomials in the \(\sigma _i\)’s and \(\pi _i\)’s.

Going back to the proof, the main idea is to show that the monomials in \(x_i\), \(y_i\), \(z_i\), \(w_i\) for \(0 \le i \le 3\) that can appear in the ANF of \(H_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}(x,y,z,w)\) have their degree bounded by 12. The first property we use is that \(H_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}(x,y,z,w)\) does not depend on \(\beta _3\). This is a direct consequence of Proposition 2. On the other hand, \(H_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}(x,y,z,w)\) can be expressed as a sum of monomials in the \(\beta _i\)’s for \(i = 0,1,2\). In order to prove the theorem, we thus simply need to show that any monomial in \(\beta _0,\beta _1,\beta _2\) can be expressed as a sum of monomials in \(x_i\), \(y_i\), \(z_i\), \(w_i\) for \(0 \le i \le 3\) that all have degree at most 12.

To do so, we first need to express \(\beta _0\), \(\beta _1\), \(\beta _2\) as polynomials in the \(\sigma _i\)’s, \(\pi _i\)’s and the \(w_i\)’s. By applying the modular addition to \(\beta = u+v+w\), we obtain

$$\begin{aligned} \beta _0 &= w_0 + \sigma _0 \\ \beta _1 &= w_1 + w_0\sigma _0 + \pi _0 + \sigma _1 \\ \beta _2 &= w_2 + w_0w_1\sigma _0 + w_1 (\pi _0 + \sigma _1) + w_0 \sigma _0 \sigma _1 + \pi _0\sigma _1 + \pi _1 + \sigma _2 . \end{aligned}$$

Considering monomials in the \(\beta _i\)’s for \(i = 0,1,2\), we study which monomials in the \(\sigma _i\)’s, \(\pi _i\)’s and the \(w_i\)’s can appear in their polynomial expression. For example, the monomial \(\beta _0\beta _1\) can be expressed as

$$\begin{aligned} \beta _0 \beta _1 &= w_0w_1 + w_1\sigma _0 + w_0\pi _0 + w_0\sigma _1 + \sigma _0\sigma _1 \end{aligned}$$

and thus contains the monomials \(w_0w_1\), \(w_1\sigma _0\), \(w_0\pi _0\), \(w_0\sigma _1\) and \(\sigma _0\sigma _1\). We show that the only monomial that can appear in the polynomial expression of a monomial in the \(\beta _i\)’s, \(0 \le i \le 2\) that depends on the three variables \(w_0\), \(w_1\) and \(w_2\) is \(w_0w_1w_2\). \(\beta _2\) is the only variable that depends on \(w_2\), \(\beta _0\) does not depend on \(w_1\) and \(\beta _1\) depends only linearly on \(w_1\). Thus, for a monomial in the three variables \(w_0\), \(w_1\) and \(w_2\) to appear in the expression of a monomial in the \(\beta _i\)’s, one must consider \(\beta _0\beta _1\beta _2\), in which only the monomial \(w_0w_1w_2\) depends on all three variables. Since only \(w_0w_1w_2\) can appear, any monomial that depends on the \(\sigma _i\)’s and \(\pi _i\)’s depends on at most two of the \(w_i\)’s. We will now show that the monomials in the \(\sigma _i\)’s and \(\pi _i\)’s expressed as polynomials in the \(x_i\)’s, \(y_i\)’s and \(z_i\)’s are of degree at most 10, which will conclude the proof of the theorem.

The \(\sigma _i\)’s and \(\pi _i\)’s, as well as any monomial in these variables, can be expressed as a function of b and \(b'\). In turn, b and \(b'\), as well as any monomial in their bits, can be expressed as a sum of monomials in the \(p_i\)’s, \(s_i\)’s, \(p'_i\)’s and \(s'_i\)’s. Since \(p_3\) (resp. \(p'_3\)) does not appear in the expression of \(b_i\) (resp. \(b'_i\)), \(0 \le i \le 3\), the monomials that can appear in the expression of a monomial in the \(\sigma _i\)’s and \(\pi _i\)’s do not depend on \(p_3\) (resp. \(p'_3\)). Further, recall that \(p_is_i = p'_i s'_i = 0\). Thus, the monomials cannot depend on both \(p_i\) and \(s_i\) (resp. \(p'_i\) and \(s'_i\)). Last but not least, note that any \(p_ip'_i = x_i y_i z_i \) is of degree 3. At first sight, the monomial of highest degree that can be formed is \(s_3 s'_3 \prod _{i = 0}^2 p_ip'_i \). This monomial has degree 11, and is the only monomial of degree 11 that respects the constraints we have put forward. However, it turns out that this monomial cannot appear. Indeed, only \(b_3\) (resp. \(b'_3\)) depends on \(s_3\) and \(p_2\) (resp. \(s'_3\) and \(p'_2\)), and in the polynomial expression of \(b_3\) (resp. \(b'_3\)) these variables are added to each other. It follows that in the polynomial expression of any monomial in the \(b_i\)’s, these variables cannot be multiplied with each other. Thus, the monomials of highest degree that can be formed have degree 10. This proves the theorem.
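The algebraic facts this appendix rests on can be checked mechanically. The Python script below is an added example, not code from the paper or from the Elisabeth repository. It assumes the reading of Fig. 6 in which the Antler function is the least significant bit of \(\mathcal{S}_3[\mathcal{S}_1[x+y] + \mathcal{S}_2[y+z] + w]\) (all additions modulo 16) and that a negacyclic look-up table satisfies \(\mathcal{S}[x+8] = -\mathcal{S}[x] \bmod 16\); both are assumptions of the example. It verifies exhaustively the bit expressions of \(b = x+y\) and of \(\beta = u+v+w\) given above, checks that the LSB of a negacyclic table ignores the top input bit (the consequence of Proposition 2 used for \(\beta_3\)), and computes, through a Möbius transform of the 16-variable truth table, the algebraic degree of \(H\) for random negacyclic triples, which Theorem 1 bounds by 12.

```python
"""Added example (not the paper's code): mechanical checks for Appendix B.
Assumed model of the Antler function of Fig. 6, with additions mod 16 and
S1, S2, S3 negacyclic 4-bit tables (S[x + 8] = -S[x] mod 16):
    H(x, y, z, w) = LSB( S3[ S1[x + y] + S2[y + z] + w ] )
"""
import random


def negacyclic_sbox(rng):
    """Lower half free, upper half forced by S[x + 8] = -S[x] mod 16."""
    low = [rng.randrange(16) for _ in range(8)]
    return low + [(-v) & 15 for v in low]


def bits(v):
    return [(v >> i) & 1 for i in range(4)]   # little-endian bits v_0..v_3


def check_addition_formulas():
    """b = x + y in terms of s_i = x_i ^ y_i, p_i = x_i y_i (and p_i s_i = 0)."""
    for x in range(16):
        for y in range(16):
            s = [a ^ c for a, c in zip(bits(x), bits(y))]
            p = [a & c for a, c in zip(bits(x), bits(y))]
            b = [s[0], p[0] ^ s[1], (p[0] & s[1]) ^ p[1] ^ s[2],
                 (p[0] & s[1] & s[2]) ^ (p[1] & s[2]) ^ p[2] ^ s[3]]
            if b != bits((x + y) & 15) or any(pi & si for pi, si in zip(p, s)):
                return False
    return True


def check_beta_formulas():
    """beta_0..beta_2 of beta = u + v + w in terms of sigma_i, pi_i and w_i."""
    for u in range(16):
        for v in range(16):
            sg = [a ^ c for a, c in zip(bits(u), bits(v))]
            pi = [a & c for a, c in zip(bits(u), bits(v))]
            for w in range(16):
                w0, w1, w2, _ = bits(w)
                beta = [w0 ^ sg[0],
                        w1 ^ (w0 & sg[0]) ^ pi[0] ^ sg[1],
                        w2 ^ (w0 & w1 & sg[0]) ^ (w1 & (pi[0] ^ sg[1]))
                        ^ (w0 & sg[0] & sg[1]) ^ (pi[0] & sg[1]) ^ pi[1] ^ sg[2]]
                if beta != bits((u + v + w) & 15)[:3]:
                    return False
    return True


def lsb_ignores_top_bit(S):
    """Negacyclic => LSB(S[b]) = LSB(S[b ^ 8]); this is why H ignores beta_3."""
    return all((S[b] & 1) == (S[b ^ 8] & 1) for b in range(16))


def antler_truth_table(S1, S2, S3):
    """2^16-bit truth table of H, input index = w | x<<4 | y<<8 | z<<12."""
    # pattern[c] packs LSB(S3[c + w]) for w = 0..15 into one 16-bit chunk
    pattern = [sum((S3[(c + w) & 15] & 1) << w for w in range(16)) for c in range(16)]
    chunks = bytearray()
    for z in range(16):
        for y in range(16):
            for x in range(16):
                c = (S1[(x + y) & 15] + S2[(y + z) & 15]) & 15
                chunks += pattern[c].to_bytes(2, "little")
    return int.from_bytes(chunks, "little")


def moebius_transform(tt, n):
    """ANF from an n-variable truth table: bit m of the result is the coefficient
    of the monomial whose variable set is the binary expansion of m."""
    for k in range(n):
        step = 1 << k
        mask, width = (1 << step) - 1, 2 * step   # selects indices whose bit k is 0
        while width < (1 << n):
            mask |= mask << width
            width *= 2
        tt ^= (tt & mask) << step
    return tt


def algebraic_degree(anf, n):
    """Largest Hamming weight of a monomial with a nonzero ANF coefficient."""
    deg = 0
    for idx, byte in enumerate(anf.to_bytes(((1 << n) + 7) // 8, "little")):
        while byte:
            m = 8 * idx + (byte & -byte).bit_length() - 1
            deg, byte = max(deg, bin(m).count("1")), byte & (byte - 1)
    return deg


def antler_degrees(seed=1, trials=3):
    """Degrees of H for random negacyclic triples; Theorem 1 says each is <= 12."""
    rng = random.Random(seed)
    degs = []
    for _ in range(trials):
        S1, S2, S3 = (negacyclic_sbox(rng) for _ in range(3))
        assert lsb_ignores_top_bit(S3)
        degs.append(algebraic_degree(moebius_transform(antler_truth_table(S1, S2, S3), 16), 16))
    return degs


if __name__ == "__main__":
    print(check_addition_formulas(), check_beta_formulas(), antler_degrees())
```

The Möbius transform is done with shifts and masks on one 65536-bit integer, so the degree of a 16-variable function is obtained in a handful of big-integer operations; the same routine works for any number of variables that fits in memory.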

C Proof of Proposition 4

By Lemma 1, it suffices to show that the vector space spanned by the functions \(G_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}\) has dimension at most \(2^{10.43}\). The vector space spanned by all functions \(G_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}\) is a linear subspace of a vector space of the form \(B_{0} + w_0 B_{1} + w_1 B_{2} + w_2 B_{3} + w_0w_1 B_{4} + w_0w_2 B_{5} + w_1w_2 B_{6} + w_0w_1w_2 B_{7}\), where each \(B_{i}\) is a linear subspace of the linear space of dimension \(2^{8}\) spanned by the monomials in the bits of b and \(b'\). The dimension of this vector space can thus be upper bounded by the sum \(\sum _{i = 0}^{7} \dim (B_{i})\). We provide an upper bound on \(\dim (B_{i})\) for each i. We remind the reader of the following notations (see Fig. 7):

$$\begin{aligned} u &{:}{=}\mathcal {S}_1[b] \\ v &{:}{=}\mathcal {S}_2[b'] \\ \beta &{:}{=}\mathcal {S}_1[b] + \mathcal {S}_2[b'] + w \\ \sigma _i &{:}{=}u_i \oplus v_i\\ \pi _i &{:}{=}u_i \cdot v_i . \end{aligned}$$
Fig. 7. The function \(G_{\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3}\).

We also remind the reader of the expression of the value of the bits \(\beta _0\), \(\beta _1\) and \(\beta _2\) as polynomials in the \(\sigma _i\)’s, \(\pi _i\)’s and \(w_i\)’s.

$$\begin{aligned} \beta _0 &= w_0 + \sigma _0 \\ \beta _1 &= w_1 + w_0\sigma _0 + \pi _0 + \sigma _1 \\ \beta _2 &= w_2 + w_0w_1\sigma _0 + w_1 (\pi _0 + \sigma _1) + w_0 \sigma _0 \sigma _1 + \pi _0\sigma _1 + \pi _1 + \sigma _2 . \end{aligned}$$

The least significant bit of h is a linear combination of monomials in the \(\beta _i\)’s for \(i = 0,1,2\). First, we consider \(B_{7}\), which corresponds to \(w_0w_1w_2\). The only monomial in the \(\beta _i\)’s whose expansion contains a monomial divisible by \(w_0w_1w_2\) is \(\beta _0 \beta _1 \beta _2\), and the only such monomial is \(w_0w_1w_2\) itself. Thus, \(B_{7}\) has dimension 1. Next, we consider \(B_{6}\), which corresponds to \(w_1w_2\). The only two monomials in the \(\beta _i\)’s whose expansions contain monomials divisible by \(w_1w_2\) are \(\beta _1 \beta _2\) and \(\beta _0 \beta _1 \beta _2\). The monomials divisible by \(w_1w_2\) but not by \(w_0\) that appear in \(\beta _1 \beta _2\) and \(\beta _0 \beta _1 \beta _2\) form the set \(\{w_1w_2,w_1w_2\sigma _0\}\). By Proposition 2, \(\sigma _0\) is the sum of two bits that depend on 3 input bits each, so the \(\sigma _0\) functions span a space of dimension at most \(2^3 + 2^3 = 2^4\). It follows that \(B_{6}\) has dimension at most \(2^4\). Lastly, we consider \(B_{5}\), which corresponds to \(w_0w_2\). Three monomials in the \(\beta _i\)’s contain monomials divisible by \(w_0w_2\), namely \(\beta _0 \beta _2\), \(\beta _1 \beta _2\) and \(\beta _0 \beta _1 \beta _2\). The monomials divisible by \(w_0w_2\) but not by \(w_1\) that appear in these three monomials form the set \(\{w_0w_2, w_0w_2\sigma _0,w_0w_2 \pi _0, w_0w_2\sigma _1\}\). By Proposition 2, the \(\pi _0\) functions span a space of dimension at most \(2^{3}\times 2^{3} = 2^{6}\), which contains the linear subspace spanned by the \(\sigma _0\) functions. The \(\sigma _1\) functions span a space of dimension at most \(2^{4} + 2^{4} = 2^5\), which also contains the subspace spanned by the \(\sigma _0\) functions. Thus, \(B_5\) has dimension at most \(2^{6} + 2^{5} - 2^{4}\).
Bounding \(\dim (B_{i})\) by \(2^{8}\) for \(0 \le i \le 4\), we obtain that the dimension of the space spanned by the LSB of h is at most \(\sum _{i = 0}^{7} \dim (B_{i}) \le 5\times 2^{8} + 2^{6} + 2^{5} - 2^{4} + 2^4 + 1 \approx 2^{10.43}\).
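The bound \(2^{10.43} = 1377\) can be confronted with the actual span of the functions. The Python script below is an added example, not the paper's code. It assumes that \(G_{\mathcal{S}_1,\mathcal{S}_2,\mathcal{S}_3}(b, b', w)\) is the least significant bit of \(\mathcal{S}_3[\mathcal{S}_1[b] + \mathcal{S}_2[b'] + w]\) (additions modulo 16) with negacyclic tables satisfying \(\mathcal{S}[x+8] = -\mathcal{S}[x] \bmod 16\); both are assumptions of the example. It first checks the per-bit ranks the proof relies on (the LSB of a negacyclic table spans a space of dimension \(2^3\), its second bit one of dimension \(2^4\)), then samples 1600 random negacyclic triples, writes each G as a 4096-bit truth table over the 12 input bits \((b, b', w)\) and computes the rank of the sample over \(\mathbb{F}_2\) by Gaussian elimination. Since more functions are sampled than the bound allows, a rank at most 1377 is a genuine check of Proposition 4 rather than an artefact of the sample size.

```python
"""Added example (not the paper's code): empirical check of Proposition 4.
Assumed model of Fig. 7, additions mod 16, S1, S2, S3 negacyclic (S[x+8] = -S[x] mod 16):
    G(b, b', w) = LSB( S3[ S1[b] + S2[b'] + w ] )
"""
import random

RANK_BOUND = 5 * 2**8 + 2**6 + 2**5 - 2**4 + 2**4 + 1    # 1377, i.e. 2^10.43


def negacyclic_sbox(rng):
    """Lower half free, upper half forced by S[x + 8] = -S[x] mod 16."""
    low = [rng.randrange(16) for _ in range(8)]
    return low + [(-v) & 15 for v in low]


def g_truth_table(S1, S2, S3):
    """4096-bit truth table of G; input index = w | b<<4 | b'<<8."""
    # pattern[c] packs LSB(S3[c + w]) for w = 0..15 into one 16-bit chunk
    pattern = [sum((S3[(c + w) & 15] & 1) << w for w in range(16)) for c in range(16)]
    chunks = bytearray()
    for bp in range(16):
        for b in range(16):
            chunks += pattern[(S1[b] + S2[bp]) & 15].to_bytes(2, "little")
    return int.from_bytes(chunks, "little")


def gf2_rank(rows):
    """Rank over F_2 of big-int row vectors, by incremental elimination."""
    pivots = {}                               # leading bit position -> reduced row
    for row in rows:
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = row
                break
            row ^= pivots[lead]
    return len(pivots)


def sbox_bit_rank(bit, samples=200, seed=3):
    """Dimension spanned by output bit `bit` of random negacyclic tables, seen as
    functions of the 4-bit input (2^3 for the LSB, 2^4 for bit 1 in the proof)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(samples):
        S = negacyclic_sbox(rng)
        rows.append(sum(((S[b] >> bit) & 1) << b for b in range(16)))
    return gf2_rank(rows)


def sampled_g_rank(samples=1600, seed=2):
    """Rank of `samples` random G functions; more than RANK_BOUND are drawn, so a
    rank <= RANK_BOUND tests the bound rather than the sample size."""
    rng = random.Random(seed)
    rows = [g_truth_table(*(negacyclic_sbox(rng) for _ in range(3))) for _ in range(samples)]
    return gf2_rank(rows)


if __name__ == "__main__":
    print("LSB span:", sbox_bit_rank(0), " bit-1 span:", sbox_bit_rank(1))
    print("rank of 1600 sampled G functions:", sampled_g_rank(), " bound:", RANK_BOUND)
```

The elimination keeps one reduced row per leading bit, so a new row is either absorbed (it lies in the span so far) or becomes a new pivot; the number of pivots at the end is the rank.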

D On the Dimension of the Affine Space of Solutions

In this section, we discuss the dimension of the affine space of solutions to the matrix equation \(\textbf{A}\textbf{x} = \textbf{z}\) for a matrix \(\textbf{A}\) constructed as described in Sect. 4 and Sect. 6. In particular, \(\textbf{A}\) is a matrix of size \(\delta \times \left( {\begin{array}{c}N'\\ 4\end{array}}\right) \rho \) where \(\delta \gtrapprox \left( {\begin{array}{c}N'\\ 4\end{array}}\right) \rho \), with \(N' = N\) in Sect. 4 and \(N' < N\) in Sect. 6. Ignoring a few lone nonzero bits from the final linear contribution to g, each row of \(\textbf{A}\) has at most \(t \cdot \rho \) active bits, organized into \(t = 12\) sets of \(\rho \) active bits. A necessary condition for the affine space of solutions to have dimension 1 is that each of the \(\left( {\begin{array}{c}N'\\ 4\end{array}}\right) \) submatrices of size \(\delta \times \rho \) of \(\textbf{A}\), obtained by extracting the \(\rho \) columns corresponding to an unordered quartet of key element positions, is non-singular (i.e. has full rank \(\rho \)).

The concern that the matrix equation \(\textbf{A}\textbf{x} = \textbf{z}\) could have an affine space of solutions of problematically large dimension, which would be highly unlikely for a random matrix, stems from the structure of \(\textbf{A}\): each row is nonzero in only t distinct sets of columns. If t were too small, e.g. \(t = 1\), this necessary condition might not be fulfilled: each submatrix would have on average only about \(\rho \) nonzero rows, and thus the probability that all \(\left( {\begin{array}{c}N'\\ 4\end{array}}\right) \) submatrices have full rank would be rather low. For \(t = 12\), on the other hand, we prove that this necessary condition is satisfied with overwhelming probability for the values of \(N'\) we consider in our attacks. In other words, the structure of \(\textbf{A}\) produces no obvious rank deficiency compared with the behaviour of a random matrix.

We consider a submatrix of size \(\delta \times \rho \) extracted from \(\textbf{A}\) as described above. We let \(p_1\) be the probability that after gathering \(\delta \) equations, this submatrix has fewer than \(2\cdot \rho \) nonzero rows. This probability is strictly smaller than the probability that after gathering \(\left( {\begin{array}{c}N'\\ 4\end{array}}\right) \rho =_{def} \delta _1 < \delta \) equations, this submatrix has fewer than \(2\cdot \rho \) nonzero rows, which we now compute. For a fixed submatrix, we can view the construction of \(\textbf{A}\) as drawing \( \delta _1 = \left( {\begin{array}{c}N'\\ 4\end{array}}\right) \rho \) rows such that for each row, the probability that this row is nonzero is \(p_t = t/\left( {\begin{array}{c}N'\\ 4\end{array}}\right) \). The number X of nonzero rows thus follows a binomial distribution with parameters \(\delta _1 = \left( {\begin{array}{c}N'\\ 4\end{array}}\right) \cdot \rho \) and \(p_t\), \(X \sim B(\delta _1,p_t)\), and the probability that after \(\delta _1\) equations the submatrix has fewer than \(2\cdot \rho \) nonzero rows is at most \(\mathbb {P}(X \le 2\cdot \rho )\). Since \(\delta _1 \cdot p_t \cdot (1-p_t) \gg 10\), we use the approximation of the binomial distribution by the normal distribution given by the de Moivre-Laplace theorem:

$$\begin{aligned} \mathbb {P}(X \le 2\cdot \rho ) &\approx \mathbb {P}\left( Y \le \frac{2\cdot \rho - \delta _1 \cdot p_t}{\sqrt{\delta _1 \cdot p_t \cdot (1-p_t)}} \right) , \end{aligned}$$

where \(Y \sim \mathcal {N}(0,1)\). For \(N' = N = 256\) and \(N' = 137\), this probability can be shown to be at most \(\frac{e^{-269^2}}{538\sqrt{\pi }}\).

We now compute the probability \(p_2\) that a submatrix containing at least \(2\cdot \rho \) equations does not have full rank \(\rho \). We approximate this probability by the probability that a random \(2\cdot \rho \times \rho \) matrix does not have full rank. It can be shown by induction that the probability that a random \(\mathbb {F}_2\)-matrix of size \(2\cdot \rho \times \rho \) has full rank \(\rho \) is at least \(e^{- \frac{\rho }{2^{\rho + 1}}}\). This implies that \(p_2 \le 1 - e^{- \frac{\rho }{2^{\rho + 1}}}\).

For a fixed submatrix, \(p_1\) is the probability that after gathering \(\delta \) equations this submatrix has fewer than \(2\cdot \rho \) nonzero rows, whilst \(p_2\) is the probability that a submatrix containing at least \(2\cdot \rho \) equations does not have full rank. Thus, the probability that a fixed submatrix is singular is at most \(p_1 + p_2\). Since there are \(\left( {\begin{array}{c}N'\\ 4\end{array}}\right) \) submatrices, the probability that at least one submatrix is singular is at most \(\left( {\begin{array}{c}N'\\ 4\end{array}}\right) (p_1 + p_2)\). In particular, for \(N' = N = 256\) and \(N' = 137\), all submatrices are non-singular with probability at least \( 1 - \left( {\begin{array}{c}N'\\ 4\end{array}}\right) (p_1 + p_2) > 0.99\).
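The structural argument above can be exercised on toy parameters. The Python script below is an added example, not the paper's code. It draws rows with the structure described in this appendix, each row being nonzero in exactly t of the \(\binom{N'}{4}\) column blocks of width \(\rho \), with the block choice and the block contents uniformly random (an idealisation of the rows produced by the cipher), then extracts every \(\delta \times \rho \) submatrix, counts its nonzero rows and computes its rank over \(\mathbb{F}_2\). It also evaluates the analytic bound \(\binom{N'}{4}(p_1 + p_2)\) with the normal approximation for \(p_1\) and \(1 - e^{-\rho/2^{\rho+1}}\) for \(p_2\). The toy values \(N' = 8\), \(\rho = 16\) and \(\delta = \binom{N'}{4}\rho + \rho \) are assumptions chosen for speed; \(\rho \) itself is not given on this page. Running the script with \(t = 1\) and \(t = 12\) shows the effect the text describes: with a single block per row some submatrix is rank deficient, with twelve all of them are non-singular.

```python
"""Added example for Appendix D (not the paper's code): toy simulation of the block
structure of A and evaluation of the analytic bound on the failure probability.

Idealisation: each row picks t distinct blocks uniformly at random and uniformly random
nonzero rho-bit contents in them; the real rows come from the cipher's parameters.
"""
import math
import random


def draw_structured_rows(n_blocks, rho, t, delta, rng):
    """delta rows, each a dict {block index: rho-bit pattern} with exactly t entries."""
    rows = []
    for _ in range(delta):
        blocks = rng.sample(range(n_blocks), t)
        rows.append({blk: rng.randrange(1, 1 << rho) for blk in blocks})
    return rows


def gf2_rank(vectors):
    """Rank over F_2 of big-int row vectors, by incremental elimination."""
    pivots = {}
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)


def submatrix_stats(rows, n_blocks):
    """For every block (one unordered quartet of key positions): (nonzero rows, rank)."""
    stats = []
    for blk in range(n_blocks):
        column_block = [row[blk] for row in rows if blk in row]
        stats.append((len(column_block), gf2_rank(column_block)))
    return stats


def all_submatrices_full_rank(n_prime, rho, t, extra_rows=None, seed=0):
    """Necessary condition of Appendix D: every delta x rho submatrix has rank rho.
    delta = binom(N', 4) * rho + extra_rows (default: one extra block of rows)."""
    n_blocks = math.comb(n_prime, 4)
    delta = n_blocks * rho + (rho if extra_rows is None else extra_rows)
    rows = draw_structured_rows(n_blocks, rho, t, delta, random.Random(seed))
    return all(rank == rho for _, rank in submatrix_stats(rows, n_blocks))


def analytic_failure_bound(n_prime, rho, t):
    """binom(N',4) * (p1 + p2) with p1 ~ P(X <= 2 rho), X ~ B(binom(N',4) rho, t/binom(N',4))
    by the de Moivre-Laplace approximation, and p2 <= 1 - exp(-rho / 2^(rho + 1))."""
    n_blocks = math.comb(n_prime, 4)
    delta_1, p_t = n_blocks * rho, t / n_blocks
    mean, sd = delta_1 * p_t, math.sqrt(delta_1 * p_t * (1 - p_t))
    z = (2 * rho - mean) / sd
    p1 = 0.5 * math.erfc(-z / math.sqrt(2))      # Phi(z) for Y ~ N(0, 1)
    p2 = 1 - math.exp(-rho / 2 ** (rho + 1))
    return n_blocks * (p1 + p2)


if __name__ == "__main__":
    for t in (1, 12):
        print(f"t = {t:2d}: all submatrices full rank: {all_submatrices_full_rank(8, 16, t)}; "
              f"analytic bound {analytic_failure_bound(8, 16, t):.3e}")
```

For \(t = 1\) the analytic bound exceeds 1 and says nothing, in line with the text; for \(t = 12\) the bound is below 0.01 even at these small sizes, where the \(p_2\) term (loose for small \(\rho \)) dominates.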

E Description of the XOF

The XOF state contains an AES key. It is initialized with the IV. During operation, a block of output is produced by encrypting a fixed constant under the key in the XOF state. The updated state is obtained by encrypting another fixed constant under the same key. This yields a bit sequence of arbitrary length, from which we extract bit sequences to generate masking values and integers to generate an ordered arrangement. In order to generate an integer uniformly at random in \(\{0, \dots, n-1\}\), we apply rejection sampling. We form an integer from k bits of the XOF output, where k is the bit length of n. While this candidate integer is greater than or equal to n, we discard it and take a new candidate; otherwise we use it as the output. This defines a procedure \(next\_int(n)\). Note that the state of the XOF is updated as bits of its output sequence are consumed.

Using this building block, we follow exactly Algorithm 2 of [3]. Note that the generation procedure of the parameters \(\pi ^i\) and \(m^i\) is stateful: a current permutation of \(\{1, \dots, N\}\) and an array of N masking values are maintained. At every step, we need to extract \(r \cdot t\) (\(=60\) for Elisabeth-4, \(=10\) in our toy version) key nibbles. We do so by performing an ‘aborted Knuth shuffle’: for i in \(\{1,\cdots ,r\cdot t\}\), we compose the current permutation with the transposition \((i, i + x)\) where x is an output of \(next\_int(N-i)\). At the end of the loop, the first \(r\cdot t\) positions of the current permutation contain a uniformly distributed ordered arrangement of \(\{1, \dots, N\}\). For every position determined by this arrangement, we add to the array of masking values a fresh group element, generated through \(next\_int(16)\).
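The derivation procedure reads as follows in code. The Python script below is an added example, not the paper's implementation and not the Elisabeth repository's: the AES-based XOF is replaced by a keyed stand-in (HMAC-SHA256 under the current state over two placeholder constants, one for the output block and one for the next state, mirroring the two encryptions) because the page gives neither the constants nor the byte conventions, and positions are 0-indexed, so that \(next\_int(N-i)\) at step i picks uniformly among positions \(i, \dots, N-1\). The rejection sampling on k bits, with k the bit length of n, the aborted Knuth shuffle and the masks drawn with \(next\_int(16)\) follow the text.

```python
"""Added example for Appendix E (not the paper's or the Elisabeth repository's code).

The paper's XOF keeps an AES key as state, outputs AES_K(c1) and moves to K' = AES_K(c2).
Here HMAC-SHA256 keyed by the state stands in for the block cipher so the script runs
without a crypto library; the two constants are arbitrary placeholders.
"""
import hashlib
import hmac

OUTPUT_CONST = b"stand-in constant: output block"   # placeholder for the first fixed constant
UPDATE_CONST = b"stand-in constant: next state"     # placeholder for the second fixed constant


class StandInXOF:
    """Bit reader over the output sequence; the state advances as bits are consumed."""

    def __init__(self, iv: bytes):
        self.state = hashlib.sha256(iv).digest()    # state initialised from the IV
        self.buffer = 0                             # unread bits, most significant first
        self.buffered = 0

    def _refill(self):
        block = hmac.new(self.state, OUTPUT_CONST, hashlib.sha256).digest()
        self.state = hmac.new(self.state, UPDATE_CONST, hashlib.sha256).digest()
        self.buffer = (self.buffer << 256) | int.from_bytes(block, "big")
        self.buffered += 256

    def next_bits(self, k: int) -> int:
        while self.buffered < k:
            self._refill()
        self.buffered -= k
        value = self.buffer >> self.buffered
        self.buffer &= (1 << self.buffered) - 1
        return value

    def next_int(self, n: int) -> int:
        """Uniform in {0, ..., n-1}: k-bit candidates (k = bit length of n), rejected if >= n."""
        k = n.bit_length()
        while True:
            candidate = self.next_bits(k)
            if candidate < n:
                return candidate


class ParameterGenerator:
    """Stateful derivation of the r*t key positions and masks for successive keystream elements."""

    def __init__(self, iv: bytes, n_elements: int = 256):
        self.xof = StandInXOF(iv)
        self.n = n_elements
        self.permutation = list(range(n_elements))   # current permutation, 0-indexed
        self.masks = [0] * n_elements                  # current masking values

    def next_round(self, count: int):
        """Aborted Knuth shuffle: only the first `count` positions are finalised."""
        perm, n = self.permutation, self.n
        for i in range(count):
            j = i + self.xof.next_int(n - i)     # uniform over positions i .. n-1
            perm[i], perm[j] = perm[j], perm[i]
        positions = perm[:count]
        for pos in positions:
            self.masks[pos] = self.xof.next_int(16)   # fresh group element mod 16
        return positions, [self.masks[pos] for pos in positions]


def derive(iv: bytes, rounds: int, count: int = 60, n_elements: int = 256):
    """(positions, masks) for `rounds` successive keystream elements under one IV."""
    gen = ParameterGenerator(iv, n_elements)
    return [gen.next_round(count) for _ in range(rounds)]


def sample_ints(iv: bytes, n: int, count: int):
    """`count` outputs of next_int(n) from a fresh XOF, for checking the range."""
    xof = StandInXOF(iv)
    return [xof.next_int(n) for _ in range(count)]


if __name__ == "__main__":
    for positions, masks in derive(b"\x00" * 16, rounds=2):
        print(positions[:8], masks[:8])
```

Rejection sampling rather than reduction modulo n keeps every value of \(\{0, \dots, n-1\}\) equally likely; with k equal to the bit length of n fewer than half of the candidates are rejected.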

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Gilbert, H., Heim Boissier, R., Jean, J., Reinhard, JR. (2023). Cryptanalysis of Elisabeth-4. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14440. Springer, Singapore. https://doi.org/10.1007/978-981-99-8727-6_9

  • DOI: https://doi.org/10.1007/978-981-99-8727-6_9

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8726-9

  • Online ISBN: 978-981-99-8727-6
