differential cryptanalysis

Post on 25-Feb-2016


DIFFERENTIAL CRYPTANALYSIS

Chapter 3.4

Ciphertext-only attack. The cryptanalyst knows the cryptograms. This happens if he can eavesdrop on the communication channels.

Known-plaintext attack. The adversary can access not only the communication channels but also parts of the plaintext.

Chosen-plaintext attack. This is a known-plaintext attack for which the cryptanalyst may choose messages and corresponding cryptograms.

Chosen-ciphertext attack. The enemy selects his own cryptogram and corresponding message and then tries to find the secret key of the cryptosystem.

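3.4.1 XOR profiles

The function $f: \Sigma^n \to \Sigma^m$ transfers the input string of an S-box. Take $s_1, s_2 \in \Sigma^n$ such that $f(s_1), f(s_2) \in \Sigma^m$, and then $s_1^*, s_2^* \in \Sigma^m$, where $s_1^* = f(s_1)$, $s_2^* = f(s_2)$.

Define the input difference $\delta = s_1 \oplus s_2$ and the output difference $\Delta = s_1^* \oplus s_2^*$, and the set of four-tuples

$$S_\delta^\Delta = \{(s_1, s_2; s_1^*, s_2^*) \mid s_1 \oplus s_2 = \delta,\ s_1^* \oplus s_2^* = \Delta\}$$

and let $|S_\delta^\Delta|$ denote the number of four-tuples in the set. For example,

$$S_{3C_x}^{2_x} = \{(3_x, 3F_x; F_x, D_x), (17_x, 2B_x; B_x, 9_x), (2B_x, 17_x; 9_x, B_x), (3F_x, 3_x; D_x, F_x)\}$$

and $|S_{3C_x}^{2_x}| = 4$.

[Figure: an S-box $f$ with the key $k$ XORed to its input. The inputs $s_1$, $s_2$ become $s_1 \oplus k$, $s_2 \oplus k$ and produce the outputs $s_1^*$, $s_2^*$.]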

The XOR profile of an S-box defined by $f: \Sigma^n \to \Sigma^m$ is a table which has $2^n$ rows and $2^m$ columns. Rows and columns are indexed by the input difference $\delta$ and the output difference $\Delta$ respectively. Each entry $(\delta, \Delta)$ of the table shows the number of elements in the set $S_\delta^\Delta$.

An example of an element of the XOR profile: if the set is

$$S_{19_x}^{1_x} = \{(2_x, 1B_x; 4_x, 5_x), (1B_x, 2_x; 5_x, 4_x), (22_x, 3B_x; 1_x, 0_x), (2C_x, 35_x; 2_x, 3_x), (35_x, 2C_x; 3_x, 2_x), (3B_x, 22_x; 0_x, 1_x)\}$$

then the element $(19_x, 1_x)$ in the table of the XOR profile is $|S_{19_x}^{1_x}| = 6$.

The properties of XOR profiles

All entries in the table are zeroes or positive even integers.

The row for input difference $\delta = 0$ has only one nonzero entry, equal to $2^n$ ($n$ is the number of input bits of the S-box).

The sum of entries in each row is equal to $2^n$.

An input difference $\delta$ may cause output difference $\Delta$ with probability $p = |S_\delta^\Delta| / 2^n$.

If an entry $(\delta, \Delta)$ is zero, then the input difference $\delta$ cannot cause the difference $\Delta$ on the output.

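What can we say about the value of the input?

The XOR profile does not depend on the cryptographic key used, because $(s_1 \oplus k) \oplus (s_2 \oplus k) = s_1 \oplus s_2$.

What can we say about the key? It must satisfy $s_1 \oplus k = s_i$ for the first input $s_i$ of some four-tuple in the set, so $k \in \{ s_1 \oplus s_i \}$.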

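Example: Let an input pair $(s_1, s_2) = (21_x, 38_x)$ have the output difference $\Delta = 1_x$. The input difference is

$s_1 \oplus s_2 = 100001 \oplus 111000 = 011001 = 19_x$

The set is

$$S_{19_x}^{1_x} = \{(2_x, 1B_x; 4_x, 5_x), (1B_x, 2_x; 5_x, 4_x), (22_x, 3B_x; 1_x, 0_x), (2C_x, 35_x; 2_x, 3_x), (35_x, 2C_x; 3_x, 2_x), (3B_x, 22_x; 0_x, 1_x)\}$$

The input to the S-box is in the set

$$\{2_x, 1B_x, 22_x, 3B_x, 2C_x, 35_x\}$$

The applied key must be in the set obtained by XORing $s_1$ with each of these inputs, that is

$$K_1 = \{23_x, 3A_x, 3_x, 1A_x, D_x, 14_x\}$$

The following demonstrates how to calculate the bit-by-bit addition.

$21_x \oplus 2_x = 100001 \oplus 000010 = 100011 = 23_x$

$21_x \oplus 35_x = 100001 \oplus 110101 = 010100 = 14_x$

$21_x \oplus 2C_x = 100001 \oplus 101100 = 001101 = D_x$

$21_x \oplus 3B_x = 100001 \oplus 111011 = 011010 = 1A_x$

$21_x \oplus 1B_x = 100001 \oplus 011011 = 111010 = 3A_x$

$21_x \oplus 22_x = 100001 \oplus 100010 = 000011 = 3_x$

If the second input is $(s_1, s_2) = (14_x, 23_x)$ and $\Delta = 2_x$, then the set $S_{37_x}^{2_x}$ is as follows.

$$S_{37_x}^{2_x} = \{(E_x, 39_x; 8_x, A_x), (F_x, 38_x; 1_x, 3_x), (11_x, 26_x; A_x, 8_x), (12_x, 25_x; A_x, 8_x), (18_x, 2F_x; 5_x, 7_x), (19_x, 2E_x; 9_x, B_x), (25_x, 12_x; 8_x, A_x), (26_x, 11_x; 8_x, A_x), (2E_x, 19_x; B_x, 9_x), (2F_x, 18_x; 7_x, 5_x), (38_x, F_x; 3_x, 1_x), (39_x, E_x; A_x, 8_x)\}$$

The set of inputs is

$$\{E_x, 39_x, F_x, 38_x, 11_x, 26_x, 12_x, 25_x, 18_x, 2F_x, 19_x, 2E_x\}$$

The key set is

$$K_2 = \{1A_x, 2D_x, 2C_x, 1B_x, 32_x, 5_x, 31_x, 6_x, 3B_x, C_x, 3A_x, D_x\}$$

Take another observation, $(s_1, s_2) = (14_x, 1C_x)$, $\Delta = 9_x$, and then the set of inputs is

$$\{6_x, E_x, 20_x, 28_x, 25_x, 2D_x\}$$

and

$$K_3 = \{12_x, 1A_x, 34_x, 3C_x, 31_x, 39_x\}$$

The key must be contained in all three sets, so the key is

$$K_1 \cap K_2 \cap K_3 = \{1A_x\}$$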

The XOR profile of an S-box with the secret key XORed with the input is identical to the XOR profile of the S-box without the key.

Every input observation (s1, s2) and the corresponding output difference enable the cryptanalyst to find the set of key candidates.

The analysis of differences for a single S-box allows one to retrieve the key that is XORed to the input of an S-box.
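The single S-box analysis of this section, as runnable code. This is an added example and not part of the original slides: it assumes the S-box is DES S1 (whose published table reproduces the sets shown above) and uses the constructed secret key 1Ax from the worked example; all function names are illustrative.

```python
# Added example: XOR profile of DES S-box S1 and key recovery by intersecting
# candidate sets. The secret key 0x1A is a constructed value.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def f(s):
    """DES S1: the outer bits of the 6-bit input pick the row, the middle four the column."""
    row = ((s >> 4) & 0b10) | (s & 1)
    return S1[row][(s >> 1) & 0xF]

def xor_profile():
    """table[d_in][d_out] = number of ordered pairs (s1, s2) with those differences."""
    table = [[0] * 16 for _ in range(64)]
    for s1 in range(64):
        for d_in in range(64):
            table[d_in][f(s1) ^ f(s1 ^ d_in)] += 1
    return table

def key_candidates(s1, s2, d_out):
    """Keys k for which the keyed S-box f(s XOR k) maps (s1, s2) to difference d_out."""
    d_in = s1 ^ s2
    inputs = {x for x in range(64) if f(x) ^ f(x ^ d_in) == d_out}
    return {s1 ^ x for x in inputs}

def recover_key(observations):
    """Intersect the candidate sets of all (s1, s2, d_out) observations."""
    keys = set(range(64))
    for s1, s2, d_out in observations:
        keys &= key_candidates(s1, s2, d_out)
    return keys

def observe(key, s1, s2):
    """What the analyst sees: the chosen inputs and the output difference only."""
    return (s1, s2, f(s1 ^ key) ^ f(s2 ^ key))

if __name__ == "__main__":
    secret = 0x1A  # constructed key, hidden inside observe()
    obs = [observe(secret, a, b) for a, b in [(0x21, 0x38), (0x14, 0x23), (0x14, 0x1C)]]
    for o in obs:
        print([hex(v) for v in o], sorted(hex(k) for k in key_candidates(*o)))
    print("key:", [hex(k) for k in recover_key(obs)])
```

Each observation alone leaves 6 or 12 key candidates; only the intersection of the three pins the key down to a single value.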

3.4.2 DES Round Characteristics

An m-round characteristic of a Feistel-type cryptosystem is a sequence

$$(\delta_{in}, \delta_1, \Delta_1, \ldots, \delta_m, \Delta_m, \delta_{out})$$

where $\delta_{in}$ and $\delta_{out}$ are input and output differences. The pairs $(\delta_i, \Delta_i);\ i = 1, \ldots, m$, are consecutive input and output differences for the round function $f_k$.

Let the input sequences be $(A_1, 0)$ and $(A_2, 0)$.

A single round characteristic of DES

[Figure: single-round characteristic. $\delta_{in} = (A, 0)$; the round function $f$ has input difference $\delta_1 = 0$ and output difference $\Delta_1 = 0$; $\delta_{out} = (A, 0)$.]

The first part of the difference is A and the second part is 0.

Our goal is to find a characteristic that feeds a nonzero input difference into S1 while the input differences of S2 … S8 are set to zero, and the characteristic should work with a high probability.

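Another single round characteristic of DES

[Figure: single-round characteristic. $\delta_{in} = (A, 60\ 00\ 00\ 00_x)$; the round function $f$ has input difference $\delta_1 = 60\ 00\ 00\ 00_x$ and output difference $\Delta_1 = 00\ 80\ 82\ 00_x$; $\delta_{out} = (A \oplus 00\ 80\ 82\ 00_x, 60\ 00\ 00\ 00_x)$.]

The input difference is $\delta_{in}$ = (A, 60 00 00 00x). The binary string (00 80 82 00x) is obtained by permuting (E0 00 00 00x) using the permutation block P. For this case, the pair of differences (Cx, Ex) happens with probability 14/64. We then get the output

$$\delta_{out} = (A \oplus 00\ 80\ 82\ 00_x,\ 60\ 00\ 00\ 00_x)$$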

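Any characteristic has a probability attached to it. Let the m-round characteristic be

$$(\delta_{in}, \delta_1, \Delta_1, \ldots, \delta_m, \Delta_m, \delta_{out})$$

Then its probability is

$$P = \prod_{i=1}^{m} p_{\delta_i}^{\Delta_i}$$

where $p_{\delta_i}^{\Delta_i}$ is the probability that input difference $\delta_i$ causes the output difference $\Delta_i$ for the function $f_k$ in the ith round.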

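A two-round characteristic of DES

[Figure: two-round characteristic. $\delta_{in} = (00\ 80\ 82\ 00_x, 60\ 00\ 00\ 00_x)$; round 1: $\delta_1 = 60\ 00\ 00\ 00_x$, $\Delta_1 = 00\ 80\ 82\ 00_x$; round 2: $\delta_2 = 0$, $\Delta_2 = 0$; $\delta_{out} = (60\ 00\ 00\ 00_x, 00\ 00\ 00\ 00_x)$.]

The probability of the second round happening is one.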

3.4.3 Cryptanalysis of 4-Round DES

Our purpose is to recover the key. We concentrate on the last round of DES.

In the last figure, we use the characteristic A = (20 00 00 00x), which always works (p = 1).

In the last round, $\delta_1 \oplus \Delta_2 \oplus \Delta_4 = \delta_{out}$.

[Figure: four-round DES. The input difference passes through four rounds of $f$ with input differences $\delta_1, \ldots, \delta_4$ and output differences $\Delta_1, \ldots, \Delta_4$, giving the output difference.]

$\delta_1 = 0$ and $\Delta_1 = 0$. So the input difference becomes (001000) on S1 and the input differences of all other 7 S-boxes are zero. Thus 28 bits of $\Delta_2$ are known. From the last equation, 28 bits of $\Delta_4$ are known. Another characteristic is A = (04 44 44 44x). The missing part of the key is recovered by the differential analysis of S1.

Finding the partial key k4.

Strip off the last round and find k3.

Then k2.

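[Figure: six-round DES. The input difference passes through the rounds of $f$, with differences labelled for rounds 1, 5 and 6, giving the output difference.]

First 3-Round Characteristic

[Figure: $\delta_{in}^1 = 40\ 08\ 00\ 00\ 04\ 00\ 00\ 00_x$. Rounds 1 and 3 have input difference $04\ 00\ 00\ 00_x$ and output difference $40\ 08\ 00\ 00_x$, each with probability 1/4; round 2 has input difference $0_x$ and output difference $0_x$, with probability 1. $\delta_{out}^1 = 40\ 08\ 00\ 00\ 04\ 00\ 00\ 00_x$.]

Second 3-Round Characteristic

[Figure: $\delta_{in}^2 = 00\ 20\ 00\ 08\ 00\ 00\ 04\ 00_x$. Rounds 1 and 3 have input difference $00\ 00\ 04\ 00_x$ and output difference $00\ 20\ 00\ 08_x$, each with probability 1/4; round 2 has input difference $0_x$ and output difference $0_x$, with probability 1. $\delta_{out}^2 = 00\ 20\ 00\ 08\ 00\ 00\ 04\ 00_x$.]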

3.4.5 The main features of differential analysis

Differential analysis can be applied to Feistel cryptosystems with t rounds, where it is possible to use input to the round function and deduce or guess the corresponding output differences.

Characteristics are useful in guessing the correct output differences of the round function. It is enough to have a (t-3)-round characteristic to find out the output differences in the t-round Feistel cryptosystem.

As differential analysis makes it possible to find the keys applied in the last round function, it bypasses the key schedule. It works under the assumption that round keys are statistically independent.

Once the key in the last round is found, the last round can be stripped off by applying the extra round.

A Feistel cryptosystem immune against differential analysis:

The XOR profile must not have entries with large numbers.

The best (t-3)-round characteristics should work with a probability smaller than the probability of guessing the right key (t is the number of rounds in the cryptosystem).

The S-boxes should depend upon the secret key in a nonlinear way. This will cause the XOR profiles of the S-boxes to become more complex. One way of implementing this idea would be an on-the-fly selection of S-boxes depending on the round key.
