Influence of addition modulo 2ⁿ on algebraic attacks

Abstract

Many modern ciphers have a substitution-permutation (SP) network as a main component. This design is well researched in relation to Advanced Encryption Standard (AES). One of the ways to improve the security of cryptographic primitives is the use of additional nonlinear layers. However, this replacement may not have any effect against particular cryptanalytic attacks. In this paper we use algebraic attacks to analyze an SP network with addition modulo 2ⁿ as the key mixing layer. In particular, we show how to reduce the number of intermediate variables in round functions based on SP networks. We also apply the proposed method to the GOST 28147-89 block cipher that allows us to break reduced 8- and 14-round versions with complexity at most 2¹⁵⁵ and 2^215.4, respectively.

Appendix A: Propagation of carry bits in a modular adder

Theorem 1

Let Σ _n be an n-bit length adder implementing addition in the group \(\mathbb {Z}_{2^{n}}\) . The first input to Σ _n is a random uniformly chosen group element, and the second input is a group element with the bit representation I ₀ =i _n i _n−1 …i _s+b+1 00…0i _b i _b−1 …i ₁ , where i _j ∈ {0, 1}. Let S₀ =C ₀ ||E ₀ ||V ₀ ||B ₀ be an output value of the adder with \(S_{0} \in \mathbb {Z}_{2^{n}}\) , \(C_{0} = r_{c}^{(C_{0})} r_{c-1}^{(C_{0})} {\ldots } r_{1}^{(C_{0})}\) , \(E_{0} = r_{e}^{(E_{0})} r_{e-1}^{(E_{0})} {\ldots } r_{1}^{(E_{0})}\) , \(V_{0} = r_{s}^{(V_{0})} r_{s-1}^{(V_{0})} {\ldots } r_{1}^{(V_{0})}\) and \(B_{0} = r_{b}^{(B_{0})}r_{b-1}^{(B_{0})} {\ldots } r_{1}^{(B_{0})}\) , where c>1, e>1,s>1,b>1, and c+e+s+b=n. If values I _J =i _n i _n−1 …i _s+b+1 j _s j _s−1 …j ₁ i _b i _b−1 …i ₁ with j _s j _s−1 …j ₁ =J∈{1,…,2 ^s −1} are sequentially taken as the second adder input, then for the output values S _J =C _J ||E _J ||V _J ||B _J , where B _J =B ₀ (i.e. constant), the probability of the event that C _J =C ₀ for all inputs I _J (J∈{1,…,2 ^s −1}) is equal to \(1 - \frac {2^{s}-1}{2^{se}}\).

Proof

Assume that an output value of the adder Σ _n is divided into the following 4 groups of bits

• B is a constant number;

• V is a variable part of the sum;

• E is a very likely variable part of the sum because of carry bits generated by V when zero input bits are changed to ones;

• C is an unlikely changed part of the sum, since carry bits generated by V is very likely to be stopped at E.

Thus, the output values definitely changes at block V and may affect higher blocks E and C through carry bits from V. It is necessary to estimate the probability of the event that there is no carry bit from V to E, or the propagation of the carry bits will not affect C via E, so C remains constant (C _J = C ₀).

From the theorem description follows that at least one different value C _J ≠C ₀ for any J breaks the theorem conditions. It means that it is sufficient to take into consideration only the value J = 1 _s 1 _s−1…1₂1₁ as long as J (the block of the second input corresponding V) is taking all values from 0 _s 0 _s−1…0₂0₁ till 1 _s 1 _s−1…1₂1₁. If a carry bit appears for any other value of J, it definitely appears for J = 1 _s 1 _s−1…1₂1₁. The probability of the event that a given random block of s bit length with the second input 1 _s 1 _s−1…1₂1₁ of the adder Σ _n will trigger E is equal to \(\frac {2^{s} - 1}{2^{s}}\).

Now it is necessary to estimate the probability of the event that for I ₀ there is no carry bit from E to C, but it appears for I _J ≠I ₀. For this case the corresponding bits of the first and the second input of the adder must form the output value 1 _e 1 _e−1…1₂1₁. The probability of this event is 2^−e (taking into account all pairs of input values given the necessary sum). Since the first argument of the adder is chosen randomly and independently, the propagation probability of carry bits from E to C with the second input I _J , and with absence of carry bits for I ₀, is calculated as the product \(2^{-e} \cdot \frac {2^{s} - 1}{2^{s}}\). Accordingly, the probability of the complement event, that is the block C remains constant, is \(1 - \frac {2^{s}-1}{2^{se}}\).

Finally, to obtain the situation when the block B has influence on the probability the following condition must be satisfied: the carry bits of V ₀ and V _J are different. The case when the carry bit is already presented for V ₀ (due to the carry bit from B) leads to C _J = C ₀ (the carry bit is already presented and cannot change the higher bits). The number of variants when the input value results in the carry bit for C ₀ is equal to number of variants when the carry bit appears only for C _J . Thus, the carry bits from B have no influence on the probability of the event C _J ≠C ₀.

Therefore, the probability of the event that for B _J = B ₀ the bits of C _J and C ₀ are the same for all I _J equals \(1 - \frac {2^{s}-1}{2^{se}}\). □