Truncated Differentials
Lars R. Knudsen
DTU Mathematics
Spring 2011
Lars R. Knudsen Truncated Differentials
Outline
1 Differential cryptanalysis
2 CipherFOUR
3 Truncated differentials
4 Impossible differentials
Differential cryptanalysis: the idea
Differential cryptanalysis on iterated ciphers:
  trace difference in chosen plaintexts through encryption process;
  predict difference in next to last round of encryption;
  guess key in last round, compute backwards.
CIPHERFOUR
[Figure: two rounds of CIPHERFOUR with round keys k0 and k1; each round has four S-boxes (S S S S) followed by a bit permutation.]
5 rounds of CIPHERFOUR
[Figure: remaining rounds of CIPHERFOUR, with round keys k2, k3, k4, k5, S-box layers (S S S S), bit permutations and ciphertext c.]
Characteristic
Consider
$(0, 0, 2, 0) \xrightarrow{(S,S,S,S)} (0, 0, 2, 0)$
which has probability 6/16 and note that
$(0, 0, 2, 0) \xrightarrow{P} (0, 0, 2, 0)$
Thus
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0)$
Characteristic
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0)$
with probability $(6/16)^2$
and
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0)$
with probability $(6/16)^4 \approx 0.02$.
Example: Attack 5 rounds by guessing (parts of) the last round key.
Differential Attack of CIPHERFOUR
[Figure: final rounds of CIPHERFOUR (round keys k3, k4, k5; ciphertext words c0 c1 c2 c3) annotated with the differences 0 0 2 0 at k3, 0 0 2 0 and 0 0 ? 0.]
Differentials
Observation: When using
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0)$
we do not care about the intermediate differences!
What we are really interested in is
$(0, 0, 2, 0) \xrightarrow{R} ? \xrightarrow{R} ? \xrightarrow{R} ? \xrightarrow{R} (0, 0, 2, 0)$
or
$(0, 0, 2, 0) \xrightarrow{4R} (0, 0, 2, 0)$.
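Differentials
$(0, 0, 2, 0) \xrightarrow{4R} (0, 0, 2, 0)$.
There are at least four characteristics involved
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0)$,
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 0, 2) \xrightarrow{R} (0, 0, 0, 1) \xrightarrow{R} (0, 0, 1, 0) \xrightarrow{R} (0, 0, 2, 0)$,
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 0, 2) \xrightarrow{R} (0, 0, 1, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0)$,
$(0, 0, 2, 0) \xrightarrow{R} (0, 0, 2, 0) \xrightarrow{R} (0, 0, 0, 2) \xrightarrow{R} (0, 0, 1, 0) \xrightarrow{R} (0, 0, 2, 0)$.
$P\big((0, 0, 2, 0) \xrightarrow{4R} (0, 0, 2, 0)\big) \approx 0.081 > 0.02$.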
Differential Attack of CIPHERFOUR
[Figure: final rounds of CIPHERFOUR (round keys k3, k4, k5; ciphertext words c0 c1 c2 c3) annotated with the differences ? ? ? ? at k3, 0 0 2 0 and 0 0 ? 0.]
CIPHERFOUR: Experimental Results
Differential attack on 5 rounds
Attacker tries to determine four bits of the key
Experiment
Number of texts    Differential attack
32                 64%
64                 76%
128                85%
256                96%
Truncated differentials
Definition: A (differential) characteristic predicts the difference in a pair of texts after each round of encryption.
Definition: A differential is a collection of characteristics.
Truncated differentials
Definition: A truncated characteristic predicts only part of the difference in a pair of texts after each round of encryption.
Definition: A truncated differential is a collection of truncated characteristics.
Truncated differentials
S-box from before. Bit notation:
$0010 \xrightarrow{S} 0010$ has probability 6/16.
$0010 \xrightarrow{S} ?0??$ has probability 1.
Distribution table
in\out   0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
0       16   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -
1        -   -   6   -   -   -   -   2   -   2   -   -   2   -   4   -
2        -   6   6   -   -   -   -   -   -   2   2   -   -   -   -   -
3        -   -   -   6   -   2   -   -   2   -   -   -   4   -   2   -
4        -   -   -   2   -   2   4   -   -   2   2   2   -   -   2   -
5        -   2   2   -   4   -   -   4   2   -   -   2   -   -   -   -
6        -   -   2   -   4   -   -   2   2   -   2   2   2   -   -   -
7        -   -   -   -   -   4   4   -   2   2   2   2   -   -   -   -
8        -   -   -   -   -   2   -   2   4   -   -   4   -   2   -   2
9        -   2   -   -   -   2   2   2   -   4   2   -   -   -   -   2
a        -   -   -   -   2   2   -   -   -   4   4   -   2   2   -   -
b        -   -   -   2   2   -   2   2   2   -   -   4   -   -   2   -
c        -   4   -   2   -   2   -   -   2   -   -   -   -   -   6   -
d        -   -   -   -   -   -   2   2   -   -   -   -   6   2   -   4
e        -   2   -   4   2   -   -   -   -   -   2   -   -   -   -   6
f        -   -   -   -   2   -   2   -   -   -   -   -   -  10   -   2
Truncated differentials
Input difference 2 to the S-box leads only to output differences 1, 2, 9, and a. So for one round
$(0000\ 0000\ 0010\ 0000) \xrightarrow{R}$
(0000 0000 0010 0000) or (0000 0000 0000 0010) or (0010 0000 0010 0000) or (0010 0000 0000 0010)
Truncated differentials
$(0000\ 0000\ 0010\ 0000) \xrightarrow{R} (00?0\ 0000\ 00?0\ 00?0)$
$(0000\ 0000\ 0000\ 0010) \xrightarrow{R} (000?\ 0000\ 000?\ 000?)$
$(0010\ 0000\ 0010\ 0000) \xrightarrow{R} (?0?0\ 0000\ ?0?0\ ?0?0)$
$(0010\ 0000\ 0000\ 0010) \xrightarrow{R} (?00?\ 0000\ ?00?\ ?00?)$
$\{(0000\ 0000\ 0010\ 0000),\ (0000\ 0000\ 0000\ 0010),\ (0010\ 0000\ 0010\ 0000),\ (0010\ 0000\ 0000\ 0010)\} \xrightarrow{R} (?0??\ 0000\ ?0??\ ?0??)$
Truncated differentials
Leads to a 2-round truncated differential
$(0000\ 0000\ 0010\ 0000) \xrightarrow{R} (?0??\ 0000\ ?0??\ ?0??)$
Adding another round gives
$(?0??\ 0000\ ?0??\ ?0??) \xrightarrow{R} (?0??\ ?0??\ ?0??\ ?0??)$.
Truncated differentials
This leads to a 3-round truncated differential
$(0000\ 0000\ 0010\ 0000) \xrightarrow{3R} (?0??\ ?0??\ ?0??\ ?0??)$
of probability 1!
Can we extend this further?
Truncated differentials
Consider the 1-round characteristic
$(0000\ 0000\ 0010\ 0000) \xrightarrow{R} (0000\ 0000\ 0010\ 0000)$.
A pair will follow this characteristic if $2 \xrightarrow{S} 2$.
Choose 16 texts
$(t_0, t_1, i, t_2)$,
where $i = 0, \ldots, 15$ and $t_0, t_1, t_2$ are arbitrary and fixed.
Any two (different) texts lead to a pair of difference
$(t_0 \oplus t_0,\ t_1 \oplus t_1,\ i \oplus j,\ t_2 \oplus t_2) = (0000\ 0000\ ????\ 0000)$.
Truncated differentials
How many pairs lead to difference (0000 0000 0010 0000) after the first S-box?
Exactly eight (distinct pairs)!
For these eight pairs one gets
$(0000\ 0000\ ????\ 0000) \xrightarrow{R} (0000\ 0000\ 0010\ 0000)$.
With correct guess of four-bit key one can easily identify these eight.
Truncated differentials
Summing up: yields a 4-round truncated differential
$(0000\ 0000\ ????\ 0000) \xrightarrow{4R} (?0??\ ?0??\ ?0??\ ?0??)$
which for correct guess of 4-bit key in 1st round, gives 8 right pairs from pool of 16 texts.
5-round attack: run attack for all values of 4 bits of k0 and 4 times 4 bits of k5.
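The numbers on the preceding slides can be recomputed from the S-box. The Python code below is an added example, not part of the lecture: it assumes the CIPHERFOUR S-box and bit permutation from The Block Cipher Companion (the slides show only the distribution table) and treats rounds as independent. It checks the sum of the four listed characteristics for (0,0,2,0) to (0,0,2,0) over 4 rounds (4·(6/16)^4 ≈ 0.079), the probability-one truncated patterns after 2 and 3 rounds, and the eight right pairs in a pool of 16 texts.

```python
from collections import defaultdict
from itertools import product

# Assumption: S-box and bit permutation of CIPHERFOUR as published in
# "The Block Cipher Companion"; the slides show only the distribution table.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
PERM = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]  # bit 0 = leftmost

# Distribution table: DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}
DDT = [[0] * 16 for _ in range(16)]
for a, x in product(range(16), repeat=2):
    DDT[a][SBOX[x] ^ SBOX[x ^ a]] += 1


def permute(d):
    """Apply the bit permutation to a 16-bit difference (it is its own inverse)."""
    return sum(1 << (15 - PERM[i]) for i in range(16) if d >> (15 - i) & 1)


def next_round(dist):
    """Push {difference: probability} through one round (rounds independent)."""
    out = defaultdict(float)
    for d, p in dist.items():
        nibbles = [(d >> s) & 0xF for s in (12, 8, 4, 0)]
        choices = [[(b, DDT[n][b] / 16) for b in range(16) if DDT[n][b]]
                   for n in nibbles]
        for combo in product(*choices):
            after_s, q = 0, p
            for b, pb in combo:
                after_s, q = (after_s << 4) | b, q * pb
            out[permute(after_s)] += q
    return dict(out)


def propagate(diff, rounds):
    dist = {diff: 1.0}
    for _ in range(rounds):
        dist = next_round(dist)
    return dist


def one_round_prob(d, e):
    """Probability of the one-round transition d -> e."""
    pre = permute(e)  # difference required directly after the S-box layer
    p = 1.0
    for s in (12, 8, 4, 0):
        p *= DDT[(d >> s) & 0xF][(pre >> s) & 0xF] / 16
    return p


def differential_prob(a, b, rounds):
    """Sum over all characteristics a -> ... -> b (intermediate differences free)."""
    return sum(p * one_round_prob(d, b)
               for d, p in propagate(a, rounds - 1).items())


def always_zero(diff, rounds, mask):
    """True if every difference reachable after `rounds` is zero on the mask bits."""
    return all(d & mask == 0 for d in propagate(diff, rounds))


def right_pairs(k):
    """Pairs of the 16-text pool with difference 2 after the first S-box (key nibble k)."""
    return sum(SBOX[i ^ k] ^ SBOX[j ^ k] == 2 for i in range(16) for j in range(i))


if __name__ == "__main__":
    print("one characteristic:", (6 / 16) ** 4)
    print("differential      :", differential_prob(0x0020, 0x0020, 4))
    print("3R pattern holds  :", always_zero(0x0020, 3, 0x4444))
    print("right pairs       :", right_pairs(0x7))
```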
Differential Attack of CIPHERFOUR
[Figure: final rounds of CIPHERFOUR (round keys k3, k4, k5; ciphertext words c0 c1 c2 c3) annotated with the truncated difference ?0?? ?0?? ?0?? ?0??.]
Truncated differentials
5-round attack on CIPHERFOUR
Experiment
Number of texts    Differentials    Truncated differentials
16                 .                28% (4+4)
32                 .                78% (4+9)
48                 .                97% (4+12)
64                 76% (4)
128                85% (4)
256                96% (4)
Numbers in brackets denote the number of key bits identified
Impossible differentials
Traditionally in differential attack, aim is to find differential of high probability
A differential of low probability can be equally useful
S/N should be different from one:
  S/N > 1, right value of key suggested the most
  S/N < 1, right value of key suggested the least
Truncated differentials - Feistel network
Consider Feistel network where round function is a bijection for any fixed key
Consider a differential (α, 0) such that the difference in the left halves of the plaintexts is α and where the right halves are equal
It follows that after 5 rounds of encryption, the difference in the ciphertexts will never be (0, α)
Can be used in attacks on such ciphers with more than 5 rounds by guessing keys and computing backwards
For the correct key guesses the computed difference will never be (0, α)
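The 5-round property and the key filter it gives can be checked exhaustively on a small cipher. This is an added example, not from the lecture: the 8-bit Feistel cipher, its round function f_k(x) = SBOX[x ^ k], the round convention (L, R) -> (R, L ^ f_k(R)) and all key values are constructed for illustration.

```python
from itertools import product

# Constructed toy cipher: 8-bit Feistel network with 4-bit halves. The round
# function f_k(x) = SBOX[x ^ k] is a bijection for every fixed key nibble k.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]


def encrypt(left, right, keys):
    """One round maps (L, R) to (R, L ^ f_k(R)); one key nibble per round."""
    for k in keys:
        left, right = right, left ^ SBOX[right ^ k]
    return left, right


def output_differences(alpha, keys):
    """All ciphertext differences produced by plaintext difference (alpha, 0)."""
    seen = set()
    for l, r in product(range(16), repeat=2):
        c, d = encrypt(l, r, keys), encrypt(l ^ alpha, r, keys)
        seen.add((c[0] ^ d[0], c[1] ^ d[1]))
    return seen


def is_impossible(keys):
    """True if (alpha, 0) never yields (0, alpha) for any alpha != 0."""
    return all((0, a) not in output_differences(a, keys) for a in range(1, 16))


def surviving_guesses(alpha, keys):
    """Filter guesses for the last round key of a 6-round cipher: undo the last
    round under each guess and drop the guess as soon as some pair shows the
    impossible difference (0, alpha) after round 5."""
    alive = set(range(16))
    for l, r in product(range(16), repeat=2):
        c, d = encrypt(l, r, keys), encrypt(l ^ alpha, r, keys)
        for k in list(alive):
            # Invert (L5, R5) -> (R5, L5 ^ f_k(R5)):
            # R5 = c[0] and L5 = c[1] ^ f_k(c[0]); same for the second text.
            diff_left = c[1] ^ SBOX[c[0] ^ k] ^ d[1] ^ SBOX[d[0] ^ k]
            diff_right = c[0] ^ d[0]
            if (diff_left, diff_right) == (0, alpha):
                alive.discard(k)
    return alive


if __name__ == "__main__":
    print("5 rounds, (alpha,0) -> (0,alpha) impossible:",
          is_impossible((1, 2, 3, 4, 5)))
    keys6 = (3, 14, 1, 5, 9, 2)  # constructed round keys, last one is 2
    print("surviving guesses for last key:", sorted(surviving_guesses(7, keys6)))
```

The correct last-round key always survives the filter; wrong guesses are discarded only when some pair happens to decrypt to (0, α).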
Truncated differentials - Feistel network
[Figure: three Feistel rounds (round function f, XOR); difference labels β γ, α β, 0 0, 0 α and α ⊕ γ β, with α ≠ 0, β ≠ 0, γ ≠ 0.]
Truncated differentials - Feistel network
[Figure: Feistel network (round function f, XOR), second diagram; difference labels α 0 α, 0 0 and α ⊕ γ β.]
Skipjack (Biham, Biryukov, Shamir)
Skipjack - a 32-round iterated block cipher by NSA
there exist truncated differentials of Skipjack
  for 12 encryption rounds of probability one: $(0, a, 0, 0) \xrightarrow{12r} (b, c, d, 0)$
  for 12 decryption rounds of probability one: $(f, g, 0, h) \xleftarrow{12r} (e, 0, 0, 0)$
  for 24 rounds of probability zero: $(0, a, 0, 0) \xrightarrow{24r} (e, 0, 0, 0)$
these can be used to break Skipjack with 31 rounds faster than by an exhaustive key search
Skipjack (continued)
Skipjack is an iterated 64-bit block cipher using an 80-bit key and running in 32 rounds, see Figure next page. Encryption of a 64-bit plaintext consists of first applying eight A-rounds, then eight B-rounds, once again eight A-rounds and finally eight B-rounds. A round counter is added to one of the 16-bit words in each round. The key schedule is simple, but it and the round counter are not important for the illustration here.
There is a twelve-round truncated differential of probability one through 4 A-rounds and 8 B-rounds.
There is a twelve-round truncated differential of probability one through 4 inverse B-rounds and 8 inverse A-rounds.
Skipjack graph (G takes 16-bit round key)
[Figure: Skipjack A-round and Skipjack B-round, each acting on four words A B C D; labels G, i and +.]
Higher Order Differentials
Lars R. Knudsen
DTU Mathematics
Spring 2011
Lars R. Knudsen Higher Order Differentials
Outline
1 Higher order differentials
  Algebraic degree
  Algebraic degree and higher order differentials
  Boomerang attack
Higher order differentials (Lai)
1st-order differential: the conventional differential
$f(x) \oplus f(x \oplus \alpha)$
where $\alpha \neq 0$ is a well-chosen value.
2nd-order differential: involves tuple of 4 texts and difference
$f(x) \oplus f(x \oplus \alpha) \oplus f(x \oplus \beta) \oplus f(x \oplus \alpha \oplus \beta)$
where $\alpha, \beta$ are distinct, non-zero values.
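Higher order differentials
Consider difference $\alpha \neq 0$ through $f$.
Definition: The (first-order) derivative of $f$ at point $\alpha$:
$\Delta_{\alpha} f(x) = f(x \oplus \alpha) \oplus f(x)$.
Definition: The $d$th order derivative of $f$ at point $\alpha_1, \ldots, \alpha_d$ is defined
$\Delta_{\alpha_1, \ldots, \alpha_d} f(x) = \Delta_{\alpha_d}(\Delta_{\alpha_1, \ldots, \alpha_{d-1}} f(x))$.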
Higher order differentials
Consider functions over $GF(2)$.
A $d$th order derivative involves $2^d$ function values of $f$.
The points $(\alpha_1, \ldots, \alpha_d)$ must be linearly independent when viewed as bit-vectors.
The arguments to $f$ form a $d$-dimensional subspace.
Algebraic degree
Let $f : \{0, 1\}^3 \to \{0, 1\}$ be a Boolean function, s.t.,
$f(x) = f(x_2, x_1, x_0) = x_2 x_1 x_0 + x_0 + 1$.
The algebraic degree of $f$ is three.
Let $g : \{0, 1\}^3 \to \{0, 1\}$ be a Boolean function, s.t.,
$g(x_2, x_1, x_0) = x_2 x_1 + x_0 x_2 + x_2 + x_1 + 1$.
The algebraic degree of $g$ is two.
Algebraic degree and higher order differentials
Let $f : \{0, 1\}^3 \to \{0, 1\}$ be function, s.t.,
$f(x_2, x_1, x_0) = x_2 x_1 x_0 + x_0 + 1$.
Algebraic degree of $f$ is three.
Consider the first order derivative at the point $1 = (0, 0, 1)$
$\Delta_1 f(x) = x_2 x_1 + 1$.
The algebraic degree of $\Delta_1 f(x)$ is two.
Algebraic degree and higher order differentials
Consider the second order derivative of $f$
$\Delta_{1,2} f(x) = x_2$.
The algebraic degree of $\Delta_{1,2} f(x)$ is one.
Consider the third order derivative of $f$
$\Delta_{1,2,4} f(x) = 1$.
The algebraic degree of $\Delta_{1,2,4} f(x)$ is zero.
Algebraic degree and higher order differentials
Fact: Let $f$ be a Boolean function of algebraic degree $d$. The algebraic degree of a $d$th order derivative of $f$ is zero.
Extension: Let $h : \{0, 1\}^n \to \{0, 1\}^m$ be function. $h$ can be described as concatenation of $m$ Boolean functions $h_i : \{0, 1\}^n \to \{0, 1\}$. The $h_i$s are called coordinate functions of $h$.
Definition: Let $h : \{0, 1\}^n \to \{0, 1\}^m$ be function. The algebraic degree of $h$ is maximum algebraic degree of the coordinate functions $h_i$.
Algebraic degree and higher order differentials
Definition: Let $h : \{0, 1\}^n \to \{0, 1\}^m$ be function. The algebraic degree of $h$ is maximum algebraic degree of the coordinate functions $h_i$.
Fact: Let $h$ be a function of algebraic degree $d$. The algebraic degree of a $d$th order derivative of $h$ is zero.
Fact: Let $h$ be a function of algebraic degree $d$. The value of a $(d + 1)$st order derivative of $h$ is zero.
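The derivatives of the two example functions f and g can be computed mechanically. This Python code is an added example, not from the lecture: it builds a higher order derivative as the XOR over the span of the chosen points and reads off the algebraic normal form with the binary Moebius transform; the helper names are illustrative.

```python
def f(x):
    """f(x2, x1, x0) = x2*x1*x0 + x0 + 1 over GF(2); x is a 3-bit integer."""
    x2, x1, x0 = x >> 2 & 1, x >> 1 & 1, x & 1
    return (x2 & x1 & x0) ^ x0 ^ 1


def g(x):
    """g(x2, x1, x0) = x2*x1 + x0*x2 + x2 + x1 + 1 over GF(2)."""
    x2, x1, x0 = x >> 2 & 1, x >> 1 & 1, x & 1
    return (x2 & x1) ^ (x0 & x2) ^ x2 ^ x1 ^ 1


def derivative(func, points):
    """d-th order derivative at `points`: XOR of func over x ^ (span of points)."""
    offsets = [0]
    for a in points:                  # build all 2^d XOR-combinations
        offsets += [o ^ a for o in offsets]

    def derived(x):
        acc = 0
        for o in offsets:
            acc ^= func(x ^ o)
        return acc
    return derived


def anf(func, n):
    """Monomials of the algebraic normal form, each as a bit mask of its
    variables (mask 0 is the constant 1), via the binary Moebius transform."""
    coeff = [func(x) for x in range(1 << n)]
    for i in range(n):
        for x in range(1 << n):
            if x >> i & 1:
                coeff[x] ^= coeff[x ^ (1 << i)]
    return {m for m in range(1 << n) if coeff[m]}


def degree(func, n):
    """Algebraic degree; None for the all-zero function."""
    monomials = anf(func, n)
    return max(bin(m).count("1") for m in monomials) if monomials else None


if __name__ == "__main__":
    for pts in ([1], [1, 2], [1, 2, 4]):
        d = derivative(f, pts)
        print(pts, "ANF masks:", sorted(anf(d, 3)), "degree:", degree(d, 3))
    # g has degree 2, so every 3rd order derivative vanishes
    print("3rd order derivative of g:", sorted(anf(derivative(g, [1, 2, 4]), 3)))
```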
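Higher order differential attack
Consider the iterated cipher
$m \longrightarrow \overset{k_0 \downarrow}{g} \longrightarrow \overset{k_1 \downarrow}{g} \longrightarrow \overset{k_2 \downarrow}{g} \longrightarrow \overset{k_3 \downarrow}{g} \longrightarrow x \longrightarrow \overset{k_4 \downarrow}{g} \longrightarrow c$
Assume algebraic degree of $g$ is two.
Algebraic degree of $x$ (as a function of $m$) is at most 16.
Specify 17th order differential.
Guess $k_4$, compute backwards, check if value is zero.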
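Boomerang attack - 2nd order differential (Wagner)
assume encryption process $ENC_k(m)$ can be written
$m \longrightarrow \overset{k_1 \downarrow}{E_1} \longrightarrow x \longrightarrow \overset{k_A \downarrow}{A_k} \longrightarrow y \longrightarrow \overset{k_2 \downarrow}{E_2} \longrightarrow c$
where $A_k$ is key-dependent affine transformation
suppose there exist differentials of probs $p_1$ and $p_2$
$\alpha \xrightarrow{ENC_1} \beta$ and $\beta \xrightarrow{DEC_1} \alpha$
suppose there is differential of prob $q$: $\gamma \xrightarrow{DEC_2} \phi$
combine to boomerang of probability $p_1 p_2 q^2$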
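Boomerang attack - a 2nd order differential
$m \longrightarrow E_1 \longrightarrow x_1 \longrightarrow A_k \longrightarrow y_1 \longrightarrow E_2 \longrightarrow c$
$m_3 \longleftarrow E_1 \longleftarrow x_3 \longleftarrow A_k \longleftarrow y_3 \longleftarrow E_2 \longleftarrow c \oplus \gamma$
$m \oplus \alpha \longrightarrow E_1 \longrightarrow x_2 \longrightarrow A_k \longrightarrow y_2 \longrightarrow E_2 \longrightarrow c_2$
$m_4 \longleftarrow E_1 \longleftarrow x_4 \longleftarrow A_k \longleftarrow y_4 \longleftarrow E_2 \longleftarrow c_2 \oplus \gamma$
if $\sum y_i = 0$ then $\sum x_i = 0$
if boomerang holds then $m_3 \oplus m_4 = \alpha$
four half-cipher differentials, boomerang probability $p_1 p_2 q^2$
note that we pass through $A_k$ "for free".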
Conclusion from me
modern block ciphers introduced with DES
differential and linear cryptanalysis started new era
many advanced attacks on block ciphers today
many interesting designs, many unbroken proposals
good understanding of block cipher security
latest trend: lightweight block ciphers
The Block Cipher Companion
By Lars R. Knudsen and Matt Robshaw.
Available in a few weeks from now via Springer and Amazon!