180 Views

Download Presentation
## DIFFERENTIAL CRYPTANALYSIS

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**DIFFERENTIAL CRYPTANALYSIS**Chapter 3.4**Ciphertext only attack.**• The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication channels. • Known-plaintext attack. • The adversary can access not only the communication channels but also parts of plaintext.**Chosen-plaintext attack.**• This is a known plaintext attack for which the cryptanalyst may choose messages and corresponding cryptograms. • Chosen-ciphertext attack. • The enemy selects his own cryptogram and corresponding message and then tries to find the secret key of the cryptosystem.**3.4.1 XOR profiles**• The function to transfer the input string of an S-box. such that and then or where**Define and four-tuples**and denote the number of four-tuples in the set. • For example, and**The XOR profile of an S-box defined by**is a table which has 2n rows and 2m columns. Each row and column is indexed by and respectively. Each entry (, ) of the table shows the number of elements in the set**The example of an element of XOR profiles**If the set is Then the element (19, 1) in the table of XOR profile is**The properties of XOR profiles**• All entries in the table are zeroes or positive even integers. • The row for = 0 has only one nonzero entry equal to 2n (n is the number of input bits of the S-box).**The sum of entries in each row is equal to 2n.**• An input difference may cause output difference with probability . • If an entry (, ) is zero, then the input difference cannot cause the difference on the output.**What can we say about value of the input?**The XOR profile does not depend on the cryptographic key used. • What can we say about the key?**Example:**• Let an input have the output difference . The set**The input is**The applied key must be in the set that is The following demonstrate how to calculate the bit-to-bit addition.**If the second input is**and Then the set is as following.**The set of input is**The key set is Take another observation,**and then**and The key must be contained in the three set, so the key is**The XOR profile of an S-box with the secret key XORed with**the input is identical to the XOR profile of the S-box without the key. • Every input observation (s1, s2) and the corresponding output difference enable the cryptanalyst to find the set of key candidates. • The analysis of differences for a single S-box allows one to retrieve the key that is XORed to the input of a S-box.**3.4.2 DES Round Characteristics**• An m-round characteristic of a Feistel-type cryptosystem is a sequence Where in and out are input and output differences. The pairs are consecutive input and output difference for the round fk. • Let input sequences be and .**A single round characteristic of DES**The first part of difference is A and the second part is 0.**Our goal is to find a characteristic that feeds a nonzero**input difference in to S1 while other input differences of S2 … S8 are set to zero and • the characteristic should work with a high probability.**The input difference in = (A, 60 00 00 00x).**• The binary string (00 80 82 00x) obtained by permuting (E0 00 00 00x) using permutation block P • For this case, the pair of difference (Cx, Ex) happens with probability 14/64. • And then we get the output**Any characteristic has a probability attached to it. Let the**m-round characteristic be Then its probability where is the probability that input difference i causes the output difference i for the function fkin the ith round.**A two-round characteristic of DES**The probability of the second round happening is one.**3.4.3 Cryptanalysis of 4-Round DES**• Our purpose is to recover the key. • To concentrate on the last round of the DES. • In last figure, we use characteristic A= (20 00 00 00x), which works always (p=1). • In the last round**Four round DES**Input Difference Output Difference**1 = 0 and 1 = 0.**• So the input difference becomes (001000) on S1 • and all other 7 S-boxes are zero. • Thus 28-bits of 2 are known. • From the last equation, 28-bits of 4 are known. • Another characteristic A = (04 44 44 44x). • The the missing part of key is recovered by the differential analysis of S1.**Finding the partial key k4.**• Strip off the last round and find k3. • Then k2.**Six-round DES**Input Difference Output Difference**3.4.5 The main features of differential analysis**• The differential analysis can be applied to Feistal cryptosystems with t rounds, where it is possible to use input to the round function and deduce or guess the corresponding output differences • Characteristics are useful in guessing the correct output differences of the round function. It is enough to have (t-3)-round characteristic to find out output differences in the t-round Feistel cryptosystem.**As the differential analysis enables to find keys applied in**the last round function, it by-passes the key schedule. It works under the assumption that round keys are statistacally independent. • Once the key in the last round is found, the last round can be stripped off by applying the extra round.**Feistel cryptosystem immune against the differential**analysis: • The XOR profile must not have entries with large number. • The best (t-3)-round characteristics should work with the probability smaller than the probability of guessing the right key (t is the number of rounds in the cryptosystem). • The S-boxes should depend upon the secret key in a nonlinear way. This will cause that XOR profile of S-boxes become more complex. One way of implementation of this idea would be an on-the-fly selection of S-boxes depending on the round key.