CS519, © A.Selcuk Differential & Linear Cryptanalysis 1
Differential & Linear Cryptanalysis
CS 519 Cryptography and Network Security
Instructor: Ali Aydin Selcuk
Block Cipher Cryptanalysis
• Find a property of the cipher that “distinguishes” it from a random function. (“distinguisher”)
• Such a property is usually constructed beginning from the 1-round cipher, or from the s-boxes.
• Once such a property is found, extend it to obtain a distinguisher for r-1 (or r-2) rounds of the cipher.
• Having found such a distinguisher, attack (parts of) the first or the last round key, by exhaustive trial.
Differential Cryptanalysis
• A chosen plaintext attack that exploits the non-uniform difference propagations over rounds.
• To attack an r-round cipher:
– find a “characteristic” (a sequence of differences) which relates an input difference to an (r-1)st round difference with a non-trivial probability.
– Assuming the characteristic holds, find the last round key from ∆Xr-1 & ∆Xr (i.e. ∆C).
• The remaining key bits can be attacked either by brute force or by DC on r-1 rounds.
Differential Cryptanalysis
Two questions:
• How to find such a “characteristic”? (∆L0, ∆R0) → (∆Lr-1, ∆Rr-1)
• How to obtain Kr from here?
[Figure: an r-round Feistel cipher with input difference (∆L0, ∆R0); the differences (∆Lr-1, ∆Rr-1) enter the last round, whose f function is keyed by Kr, and (∆Lr, ∆Rr) come out. Kr = ?]
DC of Feistel Ciphers
A characteristic of a Feistel cipher must be of the following form:
[Figure: four rounds of a Feistel cipher with input difference (∆L0, ∆R0), showing for each round i the difference entering f and the difference leaving f. The relations shown: round-1 f input difference = ∆R0; round-2 f input difference = ∆L0 ⊕ (round-1 f output difference); round-3 f input difference = (round-1 f input difference) ⊕ (round-2 f output difference); round-4 f input difference = (round-2 f input difference) ⊕ (round-3 f output difference); and so on.]
E.g.: 1-round DES
A difference of the f function: for inputs X(1) & X(2) with difference X(1) ⊕ X(2) = 0001 1001 0110 0000 . . . 0000 (the figure marks S1, S2 and S3 as the s-boxes this difference reaches):
E.g., for 14 out of the 64 possible inputs, we have S1(X ⊕ K) = S1(X ⊕ K ⊕ ∆X) for ∆X = 000011 on S1.
P(this difference → 0) = (14 · 8 · 10) / 64^3 ≈ 1/234.
An Iterative DES Characteristic (Biham & Shamir, 1992)
This 2-round DES characteristic can be concatenated by itself:
[Figure: a 2-round characteristic whose left-half input difference is the f-input difference of the previous slide and whose right-half input difference is 0. Round 1: f input difference 0 → f output difference 0, p = 1. Round 2: f input difference equal to that left-half difference → f output difference 0, p = 1/234. The output difference equals the input difference, so the characteristic can be iterated; overall p = 1/234.]
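As an added example (not from the slides), the following Python code computes the S-box difference counts behind the 1/234 figure and propagates differences through the Feistel rounds according to the relations of the Feistel-characteristic slide. The DES S1, S2, S3 and the expansion E are the FIPS 46 tables; the 32-bit difference is assumed to be 0x19600000, i.e. the 0001 1001 0110 0000 shown above with the elided nibbles taken as zero. The function names are this example's own.

```python
from functools import reduce
from operator import mul

# DES S-boxes S1..S3 and expansion E (FIPS 46 tables), 4 rows x 16 columns.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S2 = [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
      [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
      [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
      [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]]
S3 = [[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
      [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
      [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
      [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]]
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# Assumed full value of the difference the slides write as
# 0001 1001 0110 0000 ... 0000 (the elided nibbles are taken to be zero).
PSI = 0x19600000


def sbox(table, x):
    """DES S-box lookup on a 6-bit input: row from the outer bits, column from the middle four."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def ddt_entry(table, din, dout):
    """Difference distribution table entry: number of the 64 inputs x with
    S(x) xor S(x xor din) == dout."""
    return sum(1 for x in range(64) if sbox(table, x) ^ sbox(table, x ^ din) == dout)


def expand(half):
    """E-expansion of a 32-bit half into eight 6-bit S-box inputs (bit 1 = MSB)."""
    bits = [(half >> (32 - i)) & 1 for i in E]
    return [int("".join(str(b) for b in bits[6 * j:6 * j + 6]), 2) for j in range(8)]


def prob_f_to_zero(delta):
    """P(delta -> 0 through f): E and P are linear, so only the active S-boxes
    matter and their DDT[din][0]/64 probabilities multiply.
    Only S1..S3 are tabulated here, so S4..S8 must be inactive."""
    dins = expand(delta)
    if any(dins[3:]):
        raise ValueError("S4..S8 active; only S1..S3 are tabulated in this example")
    counts = [ddt_entry(t, d, 0) for t, d in zip((S1, S2, S3), dins) if d]
    return reduce(mul, counts, 1) / 64 ** len(counts), counts


def feistel_difference_chain(dl0, dr0, f_out_diffs):
    """Propagate (dL, dR) through Feistel rounds in the untwisted form the
    slides draw: odd rounds add f(R) into L, even rounds add f(L) into R.
    f_out_diffs[i] is the assumed f output difference of round i+1.
    Returns the per-round f input differences and the final (dL, dR)."""
    dl, dr = dl0, dr0
    f_in = []
    for rnd, out in enumerate(f_out_diffs, start=1):
        if rnd % 2:
            f_in.append(dr)
            dl ^= out
        else:
            f_in.append(dl)
            dr ^= out
    return f_in, (dl, dr)


def characteristic_probability(dl0, dr0, rounds):
    """Probability of the characteristic in which every f output difference is 0
    (the iterative one above): rounds with f input difference 0 hold with p = 1,
    the others with P(delta -> 0)."""
    f_in, _ = feistel_difference_chain(dl0, dr0, [0] * rounds)
    return reduce(mul, (prob_f_to_zero(d)[0] for d in f_in if d), 1.0)


if __name__ == "__main__":
    p, counts = prob_f_to_zero(PSI)
    print("active S-box counts", counts, "1/p =", round(1 / p, 1))
    print("2-round characteristic: 1/p =", round(1 / characteristic_probability(PSI, 0, 2)))
    print("(PSI, 0) after 15 rounds:", feistel_difference_chain(PSI, 0, [0] * 15)[1] == (PSI, 0))
```

Running it reproduces the counts 14, 8, 10 for S1, S2, S3 and 1/p ≈ 234, and shows the (PSI, 0) difference returning after every second round, which is what the 16-round attack relies on through round 15.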
16-round DES Attack
• Start with pairs P(1) ⊕ P(2) = (left-half difference of the iterative characteristic, 0).
• Take those pairs with ∆L16 equal to that left-half difference.
• Assuming that ∆R15 = 0, we have ∆Y16 = ∆R16.
• We know X16(1), X16(2) from the ciphertext. Take the values of K16 that can map X16(1), X16(2) to ∆Y16 and increment their counters.
• After all collected pairs are processed, take the K16 value that is suggested most.
[Figure: the 16-round attack. Input difference ∆L0 = left-half difference of the iterative characteristic, ∆R0 = 0; rounds 1-4 are shown with f output difference 0, and the characteristic is iterated through round 15; round 16 has f output difference ∆Y16; the ciphertext difference is (∆L16, ∆R16).]
DC of DES
• 8 rounds: 2^14 chosen plaintexts
• 12 rounds: 2^31 chosen plaintexts
• 16 rounds: 2^47 chosen plaintexts (first cryptanalysis of the 16-round DES faster than exhaustive search)
• Ordering of the s-boxes turned out to be optimized against DC!
Linear Cryptanalysis
• A statistical known plaintext attack
• Correlation among pt, ct, key bits is exploited:
– Find a binary equation of pt, ct, key bits (“linear approximation”) which shows a non-trivial correlation among them (“bias”).
– Collect a large pt-ct sample.
– Try all key values with the collected pt-ct in the eq. (hence, relatively few key bits must be involved.)
– Take the key that maximizes the bias as the right key.
• The remaining key bits can be found by brute force or by another LC attack.
Linear Approximation
A linear approximation of r-1 rounds: P[i1...ia] ⊕ Xr-1[j1...jb] = K[m1...mc]
with p ≠ ½. (p = 1 usually not possible)
• |p – ½|: the “bias” of the approximation
• (notation: Xi: ciphertext after i rounds; S[...]: xor of the specified bits of the string S.)
Expressed in terms of the ciphertext: P[i1...ia] ⊕ F(C, Kr)[j1...jb] = K[m1...mc]
where F is related to the last round’s decryption.
LC Attack
• Approximation: P[i1...ia] ⊕ F(C, Kr)[j1...jb] = K[m1...mc] (1)
• Collect a large number (N) of pt-ct blocks.
• For all possible Kr values, compute the left side of (1). With T(i) denoting the number of zeros for the ith candidate, take the Kr value that maximizes the “sample bias” |T(i) – N/2| as the right key.
• Another bit of key information (that is, K[m1...mc]) can be obtained by comparing the signs of (p – ½) and (T(i) – N/2).
Linear Approximation of DES’ f Function
Shamir’s discovery (1985): P(16·x = 15·S5(x)) = 12/64
where “·” denotes the binary dot product. (Brickell et al.: “Normal”)
From s-box to f function: x[15] ⊕ f(x,k)[7, 18, 24, 29] = k[22], p = 12/64.
Combining Round Approximations
When these approximations are combined, we get the 3-round approximation:
L0[7,18,24,29] ⊕ R0[15] ⊕ L3[7,18,24,29] ⊕ R3[15] = K1[22] ⊕ K3[22]
(no intermediate terms are left.)
p = p1 p3 + (1-p1)(1-p3) = ½ + 2(p1 – ½)(p3 – ½)
assuming the round approximations are independent.
[Figure: three rounds drawn without the swap (L0, L1, L2, L3 down the left, R0, R1, R2, R3 down the right). Round 1: f input bit 15 of R0, output bits 7,18,24,29 into L1; round 2: no approximation (–); round 3: f input bit 15 of R2, output bits 7,18,24,29 into L3.]
Round 1: L0[7,18,24,29] ⊕ L1[7,18,24,29] ⊕ R0[15] = K1[22], p1 = 12/64
Round 3: L2[7,18,24,29] ⊕ L3[7,18,24,29] ⊕ R2[15] = K3[22], p3 = 12/64
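As an added example (not from the slides), the following Python code checks the S5 approximation P(16·x = 15·S5(x)) = 12/64 against the FIPS 46 S5 table, runs the sign test from the LC attack slide on a constructed one-S-box toy cipher y = S5(x ⊕ k), and applies the probability combination above (piling up independent approximations) to p1 = p3 = 12/64. The toy cipher, the sample key and the function names are this example's own; the masks 16 and 15 are those of Shamir's equation.

```python
# DES S5 (FIPS 46 table), 4 rows x 16 columns.
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]

IN_MASK, OUT_MASK = 16, 15   # the masks of "16·x = 15·S5(x)"


def sbox(table, x):
    """DES S-box lookup on a 6-bit input: row from the outer bits, column from the middle four."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def dot(mask, value):
    """Binary dot product: xor (parity) of the bits of value selected by mask."""
    return bin(mask & value).count("1") & 1


def lat_count(table, in_mask, out_mask):
    """Linear approximation table entry: number of the 64 inputs x with
    in_mask·x == out_mask·S(x). The approximation's probability is this/64."""
    return sum(1 for x in range(64)
               if dot(in_mask, x) == dot(out_mask, sbox(table, x)))


def piling_up(probs):
    """Combine independent round approximations: p = 1/2 + 2^(n-1) * prod(p_i - 1/2)."""
    prod = 1.0
    for p in probs:
        prod *= p - 0.5
    return 0.5 + 2 ** (len(probs) - 1) * prod


def toy_encrypt(x, k):
    """One-S-box toy cipher constructed for this example: y = S5(x xor k)."""
    return sbox(S5, x ^ k)


def recover_key_bit(samples, in_mask, out_mask, p):
    """Sign test of the LC attack slide on the toy cipher. For y = S5(x xor k),
    in_mask·x xor out_mask·y == in_mask·k holds with probability p, so
    T = #{samples with in_mask·x xor out_mask·y == 0} lies near p*N when
    in_mask·k = 0 and near (1-p)*N otherwise. Comparing the sign of T - N/2
    with the sign of p - 1/2 therefore yields the key bit in_mask·k."""
    n = len(samples)
    t = sum(1 for x, y in samples if dot(in_mask, x) ^ dot(out_mask, y) == 0)
    same_sign = (t - n / 2 < 0) == (p - 0.5 < 0)
    return 0 if same_sign else 1


if __name__ == "__main__":
    count = lat_count(S5, IN_MASK, OUT_MASK)
    print("P(16·x = 15·S5(x)) =", count, "/ 64")
    print("3-round p with p1 = p3 = 12/64:", piling_up([count / 64] * 2))
    k = 0b101011                       # constructed key; its masked bit 16·k is 0
    samples = [(x, toy_encrypt(x, k)) for x in range(64)]   # constructed known pt-ct sample
    print("recovered 16·k =", recover_key_bit(samples, IN_MASK, OUT_MASK, count / 64),
          "true value", dot(IN_MASK, k))
```

With the full 64-value sample the count T is exactly 12 or 52, so the sign test is deterministic here; on a real cipher N must be large enough for |T – N/2| to stand out from the sampling noise, which is what the 2^43 known plaintexts figure below reflects.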
Linear Approximations of Feistel Ciphers
For the intermediate terms to cancel out, the f-output mask of each intermediate round i+1 must equal the f-input mask of round i xored with the f-output mask of round i-1 (as in the 3-round DES example, where round 2 uses no approximation and the round-3 output mask equals the round-1 output mask).
The probability of the combined approximation is
p = ½ + 2^(r-1) ∏i (pi – ½)
assuming round approximations are independent.
[Figure: an r-round Feistel cipher in the same untwisted form, with the f-input and f-output masks of rounds 1, 2, 3, 4, ..., r-1, r marked beside each f.]
Best DES Approximation (Matsui, 1993)
A: x[15] ⊕ f(x,k)[7,18,24,29] = k[22], p = 12/64
C: x[29] ⊕ f(x,k)[15] = k[44], p = 30/64
D: x[15] ⊕ f(x,k)[7,18,24] = k[22], p = 42/64
[Figure: the round approximations chained in the order D C A – A C D – D ... (– marks a round with no approximation); beside each round's f the figure shows its input bit (15 or 29) and its output bits (7,18,24,29; 15; or 7,18,24).]
LC of DES
• 8 rounds: 2^21 known plaintexts
• 12 rounds: 2^33 known plaintexts
• 16 rounds: 2^43 known plaintexts
• First experimental cryptanalysis of the 16-round DES (Matsui, 1994).
• Ordering of the s-boxes was far from optimal against LC.
Issues in DC & LC
• An (r-1)-round relation is found, which is used to attack the last round key Kr. (r-2 round attacks are also possible)
• Assumptions:
– key independence of the characteristic/approximation used.
– independence of the individual round characteristics/approximations.
• Helped by:
– the invertible key schedule of DES
– lack of key mixing after the last round’s substitution
Results of DC & LC
Discovery of DC & LC attacks motivated:
– the theory of functions resistant against differential & linear attacks
– new block cipher design techniques (resulting in AES)
– development of non-invertible key schedules