Interpolation attack

Let an iterated cipher be given by

:$c\_i=(c\_\{i-1\}\backslash oplus\; k\_i)^3,$

where $c\_0$ is the plaintext, $c\_i$ the output of the $i^\{th\}$ round, $k\_i$ the secret $i^\{th\}$ round key (derived from the secret key $K$ by some key schedule), and for a $r$-round iterated cipher, $c\_r$ is the ciphertext.

Consider the 2-round cipher. Let $x$ denote the message, and $c$ denote the ciphertext.

Then the output of round 1 becomes

:$c\_1=(x+\; k\_1)^3=(x^2+\; k\_1^2)(x\; +\; k\_1)=x^3+\; k\_1^2x+\; x^2k\_1+\; k\_1^3,$

and the output of round 2 becomes

:$c\_2=c=(c\_1+\; k\_2)^3=(x^3+\; k\_1^2x+\; x^2k\_1+\; k\_1^3+\; k\_2)^3$

:$=x^9+\; x^8k\_1+\; x^6k\_2+\; x^4k\_1^2k\_2+\; x^3k\_2^2+\; x^2(k\_1k\_2^2+k\_1^4k\_2)$

+ x(k_1^2k_2^2+k_1^8)+ k_1^3k_2^2+ k_1^9+ k_2^3,

Expressing the ciphertext as a polynomial of the plaintext yields

:$p(x)=a\_1x^9+\; a\_2x^8+\; a\_3x^6+\; a\_4x^4+\; a\_5x^3+\; a\_6x^2+\; a\_7x+\; a\_8,$

where the $a\_i$'s are key dependent constants.

Using as many plaintext/ciphertext pairs as the number of unknown coefficients in the polynomial $p(x)$, then we can construct the polynomial. This can for example be done by Lagrange Interpolation (see Lagrange polynomial). When the unknown coefficients have been determined, then we have a representation $p(x)$ of the encryption, without knowledge of the secret key $K$.

Considering an $m$-bit block cipher, then there are $2^m$ possible plaintexts, and therefore $2^m$ distinct $p/c$ pairs. Let there be $n$ unknown coefficients in $p(x)$. Since we require as many $p/c$ pairs as the number of unknown coefficients in the polynomial, then an interpolation attack exist only if $n\backslash leq\; 2^m$.

Assume that the time to construct the polynomial $p(x)$ using $p/c$ pairs are small, in comparison to the time to encrypt the required plaintexts. Let there be $n$ unknown coefficients in $p(x)$. Then the time complexity for this attack is $n$, requiring $n$ known distinct $p/c$ pairs.

Often this method is more efficient. Here is how it is done.

Given an $r$ round iterated cipher with block length $m$, let $z$ be the output of the cipher after $s$ rounds with

We will express the value of $z$ as a polynomial of the plaintext $x$, and as a polynomial of the ciphertext $c$. Let $g(x)\backslash in\; GF(2^m)[x]$ be the expression of $z$ via $x$, and let $h(c)\backslash in\; GF(2^m)[c]$ be the expression of $z$ via $c$. The polynomial $g(x)$ is obtain by computing forward using the iterated formula of the cipher until round $s$, and the polynomial $h(c)$ is obtain by computing backwards from the iterated formula of the cipher starting from round $r$ until round $s+1$.

So it should hold that

:$g(x)=h(c),$

and if both $g$ and $h$ are polynomials with a low number of coefficients, then we can solve the equation for the unknown coefficients.

Assume that $g(x)$ can be expressed by $p$ coefficients, and $h(c)$ can be expressed by $q$ coefficients. Then we would need $p+q$ known distinct $p/c$ pairs to solve the equation by setting it up as a matrix equation. However, this matrix equation is solvable up to a multiplication and an addition. So to make sure that we get a unique and non-zero solution, we set the coefficient corresponding to the highest degree to one, and the constant term to zero. Therefore, $p+q-2$ known distinct $p/c$ pairs are required. So the time complexity for this attack is $p+q-2$, requiring $p+q-2$ known distinct $p/c$ pairs.

By the Meet-In-The-Middle approach the total number of coefficients is usually smaller than using the normal method. This makes the method more efficient, since less $p/c$ pairs are required.

We can also use the interpolation attack to recover the secret key $K$.

If we remove the last round of an $r$-round iterated cipher with block length $m$, the output of the cipher becomes $\backslash tilde\{y\}=c\_\{r-1\}$. Call the cipher the reduced cipher. The idea is to make a guess on the last round key $k\_r$, such that we can decrypt one round to obtain the output $\backslash tilde\{y\}$ of the reduced cipher. Then to verify the guess we use the interpolation attack on the reduced cipher either by the normal method or by the Meet-In-The-Middle method. Here is how it is done.

By the normal method we express the output $\backslash tilde\{y\}$ of the reduced cipher as a polynomial of the plaintext $x$. Call the polynomial $p(x)\backslash in\; GF(2^m)[x]$. Then if we can express $p(x)$ with $n$ coefficients, then using $n$ known distinct $p/c$ pairs, we can construct the polynomial. To verify the guess of the last round key, then check with one extra $p/c$ pair if it holds that

:$p(x)=\backslash tilde\{y\}.$

If yes, then with high probability the guess of the last round key was correct. If no, then make another guess of the key.

By the Meet-In-The-Middle method we express the output $z$ from round

:$g(x)=h(\backslash tilde\{y\}).$

If yes, then with high probability the guess of the last round key was correct. If no, then make another guess of the key.

Once we have found the correct last round key, then we can continue in a similar fashion on the remaining round keys.

With a secret round key of length $m$, then there are $2^m$ different keys. Each with probability $1/2^m$ to be correct if chosen at random. Therefore, we will on average have to make $1/2\backslash cdot\; 2^m$ guesses before finding the correct key.

Hence, the normal method have average time complexity $2^\{m-1\}(n+1)$, requiring $n+1$ known distinct $c/p$ pairs, and the Meet-In-The-Middle method have average time complexity $2^\{m-1\}(p+q-1)$, requiring $p+q-1$ known distinct $c/p$ pairs.

The Meet-in-the-middle attack can be used in a variant to attack S-boxes, which uses the inverse function, because with an $m$-bit S-box then $S:\; f(x)=x^\{-1\}=x^\{2^m-2\}$ in $GF(2^m)$.

The block cipher SHARK uses SP-network with S-box $S:f(x)=x^\{-1\}$. The cipher is resistant against differential and linear cryptanalysis after

a small number of rounds. However it was broken in 1996 by Thomas Jakobsen and Lars Knudsen, using interpolation attack. Denote by SHARK$(n,m,r)$ a version of SHARK with block size $nm$ bits using $n$ parallel $m$-bit S-boxes in $r$ rounds. Jakobsen and Knudsen found that there exist an interpolation attack on SHARK$(8,8,4)$ (64-bit block cipher) using about $2^\{21\}$ chosen plaintexts, and an interpolation attack on SHARK$(8,16,7)$ (128-bit block cipher) using about $2^\{61\}$ chosen plaintexts.

Also Thomas Jakobsen introduced a probabilistic version of the interpolation attack using Madhu Sudan's algorithm for improved decoding of Reed-Solomon codes. This attack can work even when an algebraic relationship between plaintexts and ciphertexts holds for only a fraction of values.

• {{cite conference

| author = Thomas Jakobsen, Lars Knudsen

| title = The Interpolation Attack on Block Ciphers

| conference = 4th International Workshop on Fast Software Encryption (FSE '97), LNCS 1267

| pages = 28–40

| publisher = Springer-Verlag

|date=January 1997

| location = Haifa

| url = http://citeseer.ist.psu.edu/jakobsen97interpolation.html

| format = PDF/PostScript

| access-date = 2007-07-03}}

• {{cite conference

| author = Thomas Jakobsen

| title = Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree

| conference = Advances in Cryptology — CRYPTO '98

| pages = 212–222

| publisher = Springer-Verlag

| date = August 25, 1998

| location = Santa Barbara, California

| url = http://citeseer.ist.psu.edu/jakobsen98cryptanalysis.html

| format = PDF/PostScript

| access-date = 2007-07-06 }} ([http://video.google.com/videoplay?docid=-502705185794473481&hl=en Video of presentation] at Google Video—uses Flash)

• {{cite conference |author1=Shiho Moriai |author2=Takeshi Shimoyama |author3=Toshinobu Kaneko |title=Interpolation Attacks of the Block Cipher: SNAKE |conference=FSE '99 |pages=275–289 |publisher=Springer-Verlag |date=March 1999 |location=Rome |doi=10.1007/3-540-48519-8_20 |url=https://link.springer.com/content/pdf/10.1007/3-540-48519-8_20.pdf |access-date=2022-11-06}}
• {{cite conference

|author1=Amr M. Youssef |author2=Guang Gong |author2-link=Guang Gong| title = On the Interpolation Attacks on Block Ciphers

| conference = FSE 2000

| pages = 109–120

| publisher = Springer-Verlag

|date=April 2000

| location = New York City

| url = http://users.encs.concordia.ca/~youssef/fse2000.pdf

| access-date = 2007-07-06 }}

• {{cite conference

|author1=Kaoru Kurosawa |author2=Tetsu Iwata |author3=Viet Duong Quang | title = Root Finding Interpolation Attack

| conference = Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography (SAC 2000)

| pages = 303–314

| publisher = Springer-Verlag

|date=August 2000

| location = Waterloo, Ontario

| url = http://citeseer.ist.psu.edu/kurosawa00root.html

| format = PDF/PostScript

| access-date = 2007-07-06 }}

{{Cryptography navbox | block}}

Category:Cryptographic attacks