Differential & Linear Cryptanalysis

Differential & Linear Cryptanalysis. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. Block Cipher Cryptanalysis. Find a property of the cipher that “distinguishes” it from a random function. (“distinguisher”)


Presentation Transcript


  1. Differential & Linear Cryptanalysis
     CS 519 Cryptography and Network Security
     Instructor: Ali Aydin Selcuk

  2. Block Cipher Cryptanalysis
     • Find a property of the cipher that “distinguishes” it from a random function. (“distinguisher”)
     • Such a property is usually constructed beginning from the 1-round cipher, or from the s-boxes.
     • Once such a property is found, extend it to obtain a distinguisher for r-1 (or r-2) rounds of the cipher.
     • Having found such a distinguisher, attack (parts of) the first or the last round key, by exhaustive trial.

  3. Differential Cryptanalysis
     • A chosen plaintext attack that exploits the non-uniform difference propagations over rounds.
     • To attack an r-round cipher:
        • find a “characteristic” (a seq. of differences) which relates an input difference to an (r-1)st round difference with a non-trivial probability.
        • Assuming the characteristic holds, find the last round key from ∆X_{r-1} & ∆X_r (i.e. ∆C).
        • The remaining key bits can be attacked either by brute force or by DC on r-1 rounds.

  4. Differential Cryptanalysis
     Two questions:
     • How to find such a “characteristic”? (∆L_0, ∆R_0) → (∆L_{r-1}, ∆R_{r-1})
     • How to obtain K_r from here?
     [Figure: Feistel network taking (∆L_0, ∆R_0) through the rounds to (∆L_{r-1}, ∆R_{r-1}); the last round, with unknown key K_r, produces (∆L_r, ∆R_r).]

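  5. DC of Feistel Ciphers
     A characteristic of a Feistel cipher must be of the following form:
     [Figure: Feistel network starting from (∆L_0, ∆R_0), with the input and output difference of f labelled in every round. The input difference of f is ∆R_0 in round 1 and ∆L_0 ⊕ (round-1 output difference) in round 2; from round 3 on it is the input difference of two rounds earlier ⊕ the output difference of the previous round.]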

  6. E.g.: 1-round DES
     A difference of the f function: for inputs X^(1) & X^(2) with difference
        X^(1) ⊕ X^(2) = 0001 1001 0110 0000 . . . 0000
     we have
        P(this difference → 0) = (14 · 8 · 10) / 64^3 ≈ 1 / 234.
     E.g., for 14 out of the 64 possible inputs, we have S1(X ⊕ K) = S1(X ⊕ K ⊕ ∆X) for ∆X = 000011 on S1.
     [Figure: the difference bits feeding s-boxes S1, S2 and S3.]

  7. An Iterative DES Characteristic (Biham & Shamir, 1992)
     This 2-round DES characteristic can be concatenated by itself:
     [Figure: two Feistel rounds; the round in which f receives a zero input difference holds with p = 1, the other round holds with p = 1/234.]

  8. 16-round DES Attack
     [Figure: the iterative characteristic extended over rounds 1 to 15 with ∆R_0 = 0; round 16 has f output difference ∆Y_16 and produces (∆L_16, ∆R_16).]
     • Start with pairs P^(1) ⊕ P^(2) = (,0)
     • Take those pairs with ∆L_16 = .
     • Assuming that ∆R_15 = 0, we have ∆Y_16 = ∆R_16.
     • We know X_16^(1), X_16^(2) from the ciphertext. Take the values of K_16 that can map X_16^(1), X_16^(2) to ∆Y_16 & increment their counters.
     • After all collected pairs are processed, take the K_16 value that is suggested most.
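The counts on slide 6 and the counter step on slide 8 can be checked directly; the Python below is an added example, not part of the original slides. It recomputes 14 · 8 · 10 / 64^3 from the standard DES S1 to S3 tables and runs the subkey counters for S1 on constructed, noise-free pairs; `TRUE_KEY`, `PAIRS` and the function names are assumptions made for the illustration.

```python
# DES S-boxes S1..S3, each as four rows of sixteen hex digits (standard tables).
SBOX = [
    "E4D12FB83A6C59070F74E2D1A6CB953841E8D62BFC973A50FC8249175B3EA06D",
    "F18E6B34972DC05A3D47F28EC01A69B50E7BA4D158C6932FD8A13F42B67C05E9",
    "A09E63F51DC7B428D709346A285ECBF1D6498F30B12C5AE71AD069874FE3B52C",
]

def sbox(s, x):
    """6-bit x into S-box s: outer two bits select the row, inner four the column."""
    row = ((x >> 4) & 2) | (x & 1)
    return int(SBOX[s][16 * row + ((x >> 1) & 0xF)], 16)

def expanded_diff(diff32):
    """DES expansion E on a 32-bit difference: eight 6-bit S-box input differences."""
    bit = lambda i: (diff32 >> (31 - i % 32)) & 1   # i = 0 is the leftmost bit
    return [sum(bit(4 * s - 1 + k) << (5 - k) for k in range(6)) for s in range(8)]

def zero_out_count(s, dx):
    """Number of the 64 inputs x for which S(x) == S(x ^ dx)."""
    return sum(sbox(s, x) == sbox(s, x ^ dx) for x in range(64))

def round_probability(diff32):
    """P(diff32 -> 0) through f; only S1..S3 are embedded, all this difference activates."""
    p = 1.0
    for s, dx in enumerate(expanded_diff(diff32)):
        if dx:                      # an S-box with zero input difference holds with p = 1
            p *= zero_out_count(s, dx) / 64
    return p

def count_subkeys(s, pairs):
    """Counter step for one S-box. pairs = (e1, e2, dy): expanded f inputs known
    from the ciphertext, and the S-box output difference the pair must produce."""
    counters = [0] * 64
    for e1, e2, dy in pairs:
        for k in range(64):
            counters[k] += (sbox(s, e1 ^ k) ^ sbox(s, e2 ^ k)) == dy
    return counters

# Constructed sample: noise-free right pairs under a made-up 6-bit subkey of S1.
TRUE_KEY, DX = 0b101101, 0b000011
PAIRS = [(e, e ^ DX, sbox(0, e ^ TRUE_KEY) ^ sbox(0, e ^ DX ^ TRUE_KEY))
         for e in (5, 18, 33, 44, 59)]

def best_subkeys():
    c = count_subkeys(0, PAIRS)
    return [k for k in range(64) if c[k] == max(c)]

if __name__ == "__main__":
    print("1 /", round(1 / round_probability(0x19600000)), best_subkeys())
```

Both `TRUE_KEY` and `TRUE_KEY ^ DX` end with the top count: with a fixed input difference the two subkeys produce the same two S-box inputs in swapped order, so counting alone cannot separate them.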

  9. DC of DES
     • 8 rounds: 2^14 chosen plaintexts
       12 rounds: 2^31 chosen plaintexts
       16 rounds: 2^47 chosen plaintexts
       (first cryptanalysis of the 16-round DES faster than exhaustive search)
     • Ordering of the s-boxes turned out to be optimized against DC!

  10. Linear Cryptanalysis
      • A statistical known plaintext attack
      • Correlations among pt, ct, key bits are exploited:
         • Find a binary equation of pt, ct, key bits (“linear approximation”) which shows a non-trivial correlation among them (“bias”).
         • Collect a large pt-ct sample.
         • Try all key values with the collected pt-ct in the eq. (hence, relatively few key bits must be involved.)
         • Take the key that maximizes the bias as the right key.
      • The remaining key bits can be found by brute force or by another LC attack.

  11. Linear Approximation
      A linear approximation of r-1 rounds:
         P[i_1...i_a] ⊕ X_{r-1}[j_1...j_b] = K[m_1...m_c]
      with p ≠ ½. (p = 1 usually not possible)
      • |p – ½|: the “bias” of the approximation
      • (notation: X_i: ciphertext after i rounds; S[...]: xor of the specified bits of the string S.)
      Expressed in terms of the ciphertext:
         P[i_1...i_a] ⊕ F(C, K_r)[j_1...j_b] = K[m_1...m_c]
      where F is related to the last round’s decryption.

  12. LC Attack
      • Approximation:
           P[i_1...i_a] ⊕ F(C, K_r)[j_1...j_b] = K[m_1...m_c]   (1)
      • Collect a large number (N) of pt-ct blocks.
      • For all possible K_r values, compute the left side of (1). T(i) denoting the # of zeros for the ith candidate, take the K_r value that maximizes the “sample bias” | T(i) – N/2 | as the right key.
      • Another bit of key information (that is, K[m_1...m_c]) can be obtained comparing the signs of (p – ½) and (T(i) – N/2).

  13. Linear Approximation of DES’ f Function
      Shamir’s discovery (1985):
         P(16·x = 15·S5(x)) = 12 / 64
      where “·” denotes binary dot product. (Brickell et al.: “Normal”)
      From s-box to f function:
         x[15] ⊕ f(x,k)[7, 18, 24, 29] = k[22],  p = 12/64.

  14. Combining Round Approximations
      [Figure: three Feistel rounds; rounds 1 and 3 use output bits 7,18,24,29 and input bit 15 of f, round 2 uses no approximation.]
      Round 1: L_0[7,18,24,29] ⊕ L_1[7,18,24,29] ⊕ R_0[15] = K_1[22],  p_1 = 12/64
      Round 3: L_2[7,18,24,29] ⊕ L_3[7,18,24,29] ⊕ R_2[15] = K_3[22],  p_3 = 12/64
      When these approximations are combined, we get the 3-round appr.:
         L_0[7,18,24,29] ⊕ R_0[15] ⊕ L_3[7,18,24,29] ⊕ R_3[15] = K_1[22] ⊕ K_3[22]
      (no intermediate terms are left.)
         p = p_1 p_3 + (1 - p_1)(1 - p_3) = ½ + 2 (p_1 – ½)(p_3 – ½)
      assuming the round approximations are independent.

  15. Linear Approximations of Feistel Ciphers
      [Figure: r Feistel rounds with the bit selections of each round approximation labelled.]
      For the intermediate terms to cancel out, we need: i+1 = i  i-1
      The probability of the combined approximation is
         p = ½ + 2^{r-1} ∏_i (p_i – ½)
      assuming round approximations are independent.
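Slides 13 to 15 can be reproduced numerically; this Python is an added example, not from the original slides. It counts Shamir's relation on the standard S5 table and applies the combining formula of slide 15 to the two 12/64 round approximations of slide 14; the function names are chosen here.

```python
from math import prod

# DES S-box S5 as four rows of sixteen hex digits (standard table).
S5 = ("2C417AB6853FD0E9" "EB2C47D150FA3986"
      "421BAD78F9C5630E" "B8C71E2D6F09A453")

def s5(x):
    """6-bit input: outer two bits select the row, inner four the column."""
    row = ((x >> 4) & 2) | (x & 1)
    return int(S5[16 * row + ((x >> 1) & 0xF)], 16)

def dot(mask, value):
    """Binary dot product: parity of the bits of value selected by mask."""
    return bin(mask & value).count("1") & 1

def lat_count(in_mask, out_mask):
    """Number of the 64 inputs x with in_mask.x == out_mask.S5(x)."""
    return sum(dot(in_mask, x) == dot(out_mask, s5(x)) for x in range(64))

def pile_up(probs):
    """p = 1/2 + 2^(n-1) * prod(p_i - 1/2), for n independent approximations."""
    return 0.5 + 2 ** (len(probs) - 1) * prod(p - 0.5 for p in probs)

def two_round_direct(p1, p3):
    """Slide 14's first form: both approximations hold, or both fail."""
    return p1 * p3 + (1 - p1) * (1 - p3)

if __name__ == "__main__":
    n_a = lat_count(16, 15)   # Shamir's relation, approximation A
    n_d = lat_count(16, 14)   # low output bit dropped: the 42/64 listed for D
    p1 = p3 = n_a / 64
    print(n_a, n_d, pile_up([p1, p3]), two_round_direct(p1, p3))
```

For p_1 = p_3 = 12/64 the combined 3-round probability is 0.6953125, a bias of about 0.195 even though each round approximation on its own holds with probability below ½.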

  16. Best DES Approximation (Matsui, 1993)
      [Figure: consecutive rounds using the round approximations in the order ... D, C, A, none, A, C, D, none, D ..., where "none" is a round with no approximation.]
      A: x[15] ⊕ f(x,k)[7,18,24,29] = k[22],  p = 12/64
      C: x[29] ⊕ f(x,k)[15] = k[44],  p = 30/64
      D: x[15] ⊕ f(x,k)[7,18,24] = k[22],  p = 42/64

  17. LC of DES
      • 8 rounds: 2^21 known plaintexts
        12 rounds: 2^33 known plaintexts
        16 rounds: 2^43 known plaintexts
      • First experimental cryptanalysis of the 16-round DES (Matsui, 1994).
      • Ordering of the s-boxes was far from optimal against LC.

  18. Issues in DC & LC
      • r-1 round relation is found, which is used to attack the last round key K_r. (r-2 round attacks are also possible)
      • Assumptions:
         • key independence of the char./appr. used.
         • independence of the individual round char./appr.s
      • Helped by:
         • the invertible key schedule of DES
         • lack of key mixing after the last round’s substitution

  19. Results of DC & LC
      Discovery of DC & LC attacks motivated:
      • the theory of functions resistant against differential & linear attacks
      • new block cipher design techniques (resulting in AES)
      • development of non-invertible key schedules
