
DIFFERENTIAL CRYPTANALYSIS

DIFFERENTIAL CRYPTANALYSIS. Chapter 3.4. Ciphertext-only attack. The cryptanalyst knows the cryptograms. This happens if he can eavesdrop on the communication channels. Known-plaintext attack. The adversary can access not only the communication channels but also parts of the plaintext.


Presentation Transcript


  1. DIFFERENTIAL CRYPTANALYSIS Chapter 3.4

  2. Ciphertext-only attack. • The cryptanalyst knows the cryptograms. This happens if he can eavesdrop on the communication channels. • Known-plaintext attack. • The adversary can access not only the communication channels but also parts of the plaintext.

  3. Chosen-plaintext attack. • This is a known plaintext attack for which the cryptanalyst may choose messages and corresponding cryptograms. • Chosen-ciphertext attack. • The enemy selects his own cryptogram and corresponding message and then tries to find the secret key of the cryptosystem.

  4. 3.4.1 XOR profiles • The function to transfer the input string of an S-box. such that and then or where

  5. Define and four-tuples and denote the number of four-tuples in the set. • For example, and

  6. The XOR profile of an S-box defined by is a table which has 2^n rows and 2^m columns. Each row and column is indexed by  and  respectively. Each entry (, ) of the table shows the number of elements in the set

  7. The example of an element of XOR profiles If the set is Then the element (19, 1) in the table of XOR profile is

  8. The properties of XOR profiles • All entries in the table are zeroes or positive even integers. • The row for  = 0 has only one nonzero entry equal to 2^n (n is the number of input bits of the S-box).

  9. The sum of entries in each row is equal to 2^n. • An input difference  may cause output difference  with probability . • If an entry (, ) is zero, then the input difference  cannot cause the difference  on the output.

  10. What can we say about value of the input? The XOR profile does not depend on the cryptographic key used. • What can we say about the key?

  11. Example: • Let an input have the output difference . The set

  12. The input is The applied key must be in the set that is The following demonstrates how to calculate the bit-to-bit addition.

  13. If the second input is and Then the set is as follows.

  14. The set of input is The key set is Take another observation,

  15. and then and The key must be contained in all three sets, so the key is

  16. The XOR profile of an S-box with the secret key XORed with the input is identical to the XOR profile of the S-box without the key. • Every input observation (s1, s2) and the corresponding output difference  enable the cryptanalyst to find the set of key candidates. • The analysis of differences for a single S-box allows one to retrieve the key that is XORed to the input of an S-box.
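
The properties on slides 8, 9 and 16 and the key-candidate intersection of slides 11 to 15 can be checked mechanically. The following is an added example, not part of the original slides: it uses the standard DES S-box S1 table, and the names `din`/`dout`, the helper functions, the sample key 0x2B and the sample inputs are assumptions made for illustration.

```python
# DES S-box S1: row = outer bits (b5, b0) of the 6-bit input, column = middle four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """Apply S1 to a 6-bit input, giving a 4-bit output."""
    row = ((x >> 4) & 2) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def xor_profile(f, n=6, m=4):
    """table[din][dout] = number of inputs x with f(x) ^ f(x ^ din) == dout."""
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for din in range(1 << n):
        for x in range(1 << n):
            table[din][f(x) ^ f(x ^ din)] += 1
    return table

def key_candidates(s1, s2, dout, f=sbox, n=6):
    """Keys k consistent with one observation: f(s1 ^ k) ^ f(s2 ^ k) == dout."""
    din = s1 ^ s2
    return {x ^ s1 for x in range(1 << n) if f(x) ^ f(x ^ din) == dout}

def recover_key(observations):
    """Intersect the candidate sets of all observations (s1, s2, dout)."""
    cands = None
    for s1, s2, dout in observations:
        c = key_candidates(s1, s2, dout)
        cands = c if cands is None else cands & c
    return cands

def observe(key, s1, s2):
    """Constructed oracle: the output difference seen for a keyed S-box."""
    return (s1, s2, sbox(s1 ^ key) ^ sbox(s2 ^ key))

if __name__ == "__main__":
    profile = xor_profile(sbox)
    print("entry (0x0C, 0xE):", profile[0x0C][0xE], "/ 64")
    secret = 0x2B  # constructed sample key
    obs = [observe(secret, 0x01, s2) for s2 in (0x35, 0x16, 0x2A, 0x0F)]
    for i in range(1, len(obs) + 1):
        print(i, "observations ->", sorted(recover_key(obs[:i])))
```

A single observation always leaves at least two candidates, the key and the key XORed with the input difference, which is why several observations with different input differences are intersected.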

  17. 3.4.2 DES Round Characteristics • An m-round characteristic of a Feistel-type cryptosystem is a sequence Where in and out are input and output differences. The pairs are consecutive input and output difference for the round fk. • Let input sequences be and .

  18. A single round characteristic of DES The first part of difference is A and the second part is 0.

  19. Our goal is to find a characteristic that feeds a nonzero input difference into S1 while other input differences of S2 … S8 are set to zero and • the characteristic should work with a high probability.

  20. Another single round characteristic of DES

  21. The input difference in = (A, 60 00 00 00x). • The binary string (00 80 82 00x) obtained by permuting (E0 00 00 00x) using permutation block P • For this case, the pair of difference (Cx, Ex) happens with probability 14/64. • And then we get the output

  22. Any characteristic has a probability attached to it. Let the m-round characteristic be Then its probability where is the probability that input difference i causes the output difference i for the function fk in the ith round.

  23. A two-round characteristic of DES The probability of the second round happening is one.

  24. 3.4.3 Cryptanalysis of 4-Round DES • Our purpose is to recover the key. • We concentrate on the last round of DES. • In the last figure, we use characteristic A= (20 00 00 00x), which works always (p=1). • In the last round

  25. Four round DES Input Difference Output Difference

  26. 1 = 0 and 1 = 0. • So the input difference becomes (001000) on S1 • and all other 7 S-boxes are zero. • Thus 28-bits of 2 are known. • From the last equation, 28-bits of 4 are known. • Another characteristic A = (04 44 44 44x). • The the missing part of key is recovered by the differential analysis of S1.

  27. Finding the partial key k4. • Strip off the last round and find k3. • Then k2.

  28. Six-round DES Input Difference Output Difference

  29. First 3-Round Characteristic f f f

  30. Second 3-Round Characteristic f f f

  31. 3.4.5 The main features of differential analysis • Differential analysis can be applied to Feistel cryptosystems with t rounds, where it is possible to use input to the round function and deduce or guess the corresponding output differences. • Characteristics are useful in guessing the correct output differences of the round function. It is enough to have a (t-3)-round characteristic to find out output differences in the t-round Feistel cryptosystem.

  32. As differential analysis makes it possible to find the keys applied in the last round function, it bypasses the key schedule. It works under the assumption that round keys are statistically independent. • Once the key in the last round is found, the last round can be stripped off by applying the extra round.

  33. Feistel cryptosystem immune against differential analysis: • The XOR profile must not have entries with large numbers. • The best (t-3)-round characteristics should work with a probability smaller than the probability of guessing the right key (t is the number of rounds in the cryptosystem). • The S-boxes should depend upon the secret key in a nonlinear way. This makes the XOR profiles of the S-boxes more complex. One way to implement this idea would be an on-the-fly selection of S-boxes depending on the round key.

  34. End
