NEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS

Transcription

1 Proceedngs of ACS 000, Szczecn, pp NEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS ANNA ZUGAJ, KAROL GÓRSKI, ZBIGNIEW KOTULSKI, ANDRZEJ PASZKIEWICZ 3, JANUSZ SZCZEPAŃSKI ENIGMA Informaton Securty Systems Sp. z o.o., Cryptography Dept., ul. Orla /5, Warsaw, POLAND, ph./fax: (+48 ) , emal: {ana, karol}@engma.com.pl Insttute of Fundamental Technologcal Research, Polsh Academy of Scences, ul. Śwętokrzyska, Warsaw, POLAND, ph.: (+48 ) 86 8, fax: (+48 ) , emal: {zkotulsk, szczepa}@ppt.gov.pl 3 Insttute of Telecommuncatons, Warsaw Unversty of Technology, ul. Nowoweska 5/9, Warsaw, POLAND, ph.: (+48 ) , fax: (+48 ) , emal: anpa@tele.pw.edu.pl Abstract. At the begnnng of the paper we descrbe the state of art n lnear cryptanalyss of block cphers. We present algorthms for fndng best lnear expressons proposed by Matsu [9] and Ohta []. We sketch basc lnear cryptanalyss (0R, R, R attacks) and the known extensons. We explan the advantages and the lmtatons of applyng lnear cryptanalyss and ts extensons to block cphers. In the second part of the paper we descrbe our proposal of a new extenson to lnear attack based on the applcaton of a probablstc countng method. It allows the reducton of two consecutve rounds and form the bass for mountng e.g. 3R attacks. We present expermental results of the mplementaton of ths attack to the Data Encrypton Standard. Keywords: block cpher, lnear cryptanalyss, lnear expresson, probablstc countng method, Data Encrypton Standard. INTRODUCTION Symmetrc block cphers are one of the fundamental tools n modern cryptography. Ther popularty requres a hgh level of trust n ther securty. Unfortunately there are nether any known constructons of block cphers, whch offer uncondtonal securty nor practcal constructons, whch offer provable computatonal securty. So n practce evaluatons of the securty of these cphers s heurstc based on the consderaton of the resstance of the cpher to known attacks. The effectveness of attacks s measured by comparson of ther complexty (tme and memory) wth the exhaustve search attack. Durng ths evaluaton only those attacks are taken nto account, whch are known at the tme. One of the most mportant attacks consdered s lnear cryptanalyss. In 993 t was successfully used by Matsu to cryptanalyse DES. It needed 43 known plantext/cphertext pars to derve 6 bts of the key. The purpose of ths paper s to descrbe the man ssues of lnear cryptanalyss begnnng from algorthms for fndng best lnear expressons [9,] through descrpton of basc attack (0R) and lnear attacks wth round reductons (R, R) to varous extensons of lnear cryptanalyss (analyss wth multple expressons [5], lnear-dfferental cryptanalyss [7], lnear cryptanalyss wth non-lnear approxmatons n outer rounds [6], the use of quadratc relatons n S-box [3] and the probablstc countng method []) and the lmtatons of ther use. We also propose the applcaton of probablstc countng method for reducton of two consecutve rounds whch forms the bass for mountng e.g. 3R attacks (whch n some applcatons are more effectve requre less texts than R attacks - even though they are based on probablstc assumptons). We descrbe the mplementaton of ths attack to Data Encrypton Standard. The results should be treated as announcements only, because the experments are stll under development.. Notaton and Defntons Throughout ths paper we use Matsu s [8] numberng of DES bts. The nput bts, key bts and output bts of F-functons, S-boxes, etc. are Ths work has been supported by grant No 8 TD 00 9 of the Polsh Scentfc Research Commttee.

2 Proceedngs of ACS 000, Szczecn, pp numbered from rght to left startng from 0. We also use Matsu s notaton n whch A[] denotes -th bt of vector A, whle A[,,... n ] denotes exclusve-or of the bts of vector A located n postons,,... n. We also use the notaton of Harpes [4] n whch A ΓA denotes scalar multplcaton of two bnary vectors over GF(), whch s equvalent to exclusveor of the A bts chosen by bnary vector ΓA (e.g. A = 0, ΓA = 000, then A ΓA = = A[ 4 ]). Let P, C, K denote plantext, cphertext and key. We assume that plantexts, cphertexts and keys are unformly dstrbuted n approprate spaces. We also assume that round keys are ndependent. By r we denote the number of rounds, whle by C we denote the cphertext after round, whch means that P = C 0 and C = C r. N denotes the number of analysed pars of texts. A lnear approxmaton s a lnear dependence between bts of the round nput block, bts of the round output block and bts of the round subkey. A lnear expresson s a lnear dependence between bts of the cpher nput, cpher output and bts of all the subkeys. An effectve lnear expresson s an expresson whch holds wth probablty dfferent from /. Probablty of the lnear approxmaton (p) s defned n the probablstc space wth: a set of elementary events Ω, whch s a Cartesan product of the set of all nput blocks to the round and all subkey blocks, σ - feld whch s the set of all subsets of Ω, probablty dstrbuton on the elementary events assgnng to each of them equal probablty. There s a random varable defned n ths space, whch assgns to each elementary event the value 0 or, dependent on whether the approxmaton holds or not. Event X s defned as a sum of the elementary events for whch the random varable s equal to. Probablty of a lnear approxmaton s equal to the probablty of event X n ths probablstc space.. Lnear Cryptanalyss The basc dea of lnear cryptanalyss s to fnd an effectve lnear expresson for an analysed block cpher, s.t.: (P ΓP) (C Γ C) = Σ z (K z ΓK z ). () wth a certan probablty p, measured over all choces of P and K. In the case of teratve block cphers, fndng the lnear expresson has steps. At frst we lnearse one round, lookng for effectve approxmatons of the followng form: (C - ΓC - ) (C Γ C ) = K ΓK () where C - s the nput vector to round, C s the output vector from round and K s the key used n round. A lnear expresson s obtaned by combnng lnear approxmatons n such a way that only bts of plantext, cphertext and subkeys appear n the fnal expresson. For a few rounds of a cpher and for cphers wth a smple structure (e.g. RC5) ths process can be done manually, but n most cases t s easer to use a computer. The algorthms for fndng lnear expressons for DES [3] are descrbed below. Wth an effectve lnear expresson we can start a socalled 0R attack (algorthm ), based on the maxmum lkelhood method. Ths attack determnes wth requred probablty whether the rght sde of equaton s equal to 0 or. The success rate of the attack ncreases wth the number of analysed texts and wth the bas p - /. Algorthm (attack 0R) [8] N known pars of plantext and cphertext, effectve lnear expresson wth probablty p Step : For each par count the value of left sde of equaton. Let N 0 be the number of pars for whch the left sde of the equaton s equal to 0. Step : If N 0 > N/ then set Σ (K ΓK ) = 0, f p>/ and f p</, else set Σ (K ΓK ) =, f p>/ and 0 f p</. the value of Σ (K ΓK ) (correct wth probablty dependent on N and p - / ). In practcal attacks wth smlar complexty we can obtan more subkey bts. For ths purpose attacks wth round reducton are used (R and R). The frst uses an effectve lnear expresson for r- rounds and computes the nverse of the last round of the cpher for each canddate for the last round subkey. For each canddate we count the dfference between the number of tmes when the left sde of the lnear expresson s equal to 0 and when t s equal to. For the correct subkey the bas between ths value and N/ wll be close to the expected bas for the expresson n use. For ncorrect keys t wll be close to 0. In ths way we can determne wth the requred probablty the subkey bts n the last round and the value of the modulo sum of the subkey bts appearng n the lnear expresson. The dea of ths attack s based on a hypothess descrbed by Harpes [4] that the choce of an ncorrect key n the last round s equvalent to addng an addtonal round to the cpher, whch decreases the effectveness of the lnear expresson n use. In practce checkng all the possble values of the subkey n the last round s too complex (requres too much memory). The soluton s to check only a subset of the bts of the last round subkey. In a smlar way the R attack can be used for the reducton of the frst round of the cpher. Algorthm (attack R) [8] N known pars of plantext and cphertext, effectve subset of last round subkey bts beng searched,

3 Proceedngs of ACS 000, Szczecn, pp effectve lnear expresson for r- rounds wth probablty p, whch uses only these bts of C r- whch can be computed from the effectve subset of subkey bts Step : For value of K r effectve bts of subkey K r, let N 0 denote the number of pars of texts for whch the left sde of the (r-) - round lnear expresson s equal to 0. Step : Let N 0max = max (N 0 ) and N 0mn = mn (N 0 ). Step 3: If N 0max - N/ > N 0mn - N/ then set the value of effectve subkey bts K r correspondng to N 0max, set Σ (K ΓK ) = 0, f p>/ and f p</, If N 0max - N/ < N 0mn - N/ then set the value of effectve subkey bts K r correspondng to N 0mn, set Σ (K ΓK ) =, f p>/ and 0 f p</, effectve subkey bts n last round, the value of Σ (K ΓK ) for rounds to r-, both results returned wth probablty dependent on N and p-/. The R attack allows further ncrease of the effectveness of the analyss. The dea s smlar to the R attack: we use an expresson for r- rounds of the cpher and nvert the frst and the last round. To gve a sketch of probablstc fundamentals we recall here the Plng Up Lemma, whch s used to calculate probablty p of the lnear expresson, when the probabltes p ( r) of all lnear round approxmatons are known: Lemma (Plng-Up) [8] Let Appr ( r) be ndependent, random varables, whch are equal to 0 wth probablty p and are equal to wth probablty - p. Then the probablty that Appr Appr... Appr r = 0 (3) s equal to: r p = / + r- ( / ). (4) Then the probablty of proper choce of key bts xor n 0R attack s equal to: Pr(N 0 > N/) = π e t / N ( p / ) dt. (5) Ths equaton descrbes the success rate (Table ) for some probablty p of a lnear expresson. Ths probablty ncreases when the number of analysed texts ncreases and when bas p-/ ncreases. Table. Success rate of 0R attack N ¼ p-½ - ½ p-½ - p-½ - p-½ - probablty of success 84,% 9,% 97,7% 99,8% In lnear cryptanalyss wth round reducton the probablty of the correct choce of subkey bts s equal to: Pr(K r max = k r ) = π ( N ( p / ) Kr kr x+ 4 x 4 N ( p / )( q ) N ( p / ) q y / x / e dy) e dx π The above equaton descrbes the success rate (Table ) of the R attack. Table. Success rate of R attack N p-½ - 4 p-½ - 8 p-½ - 6 p-½ - probablty of success 48,6% 78,5% 96,7% 99,9% For further detals of the probablstc fundamentals of lnear cryptanalyss see [7].. EXPRESSION SEARCH ALGORITHM As we mentoned above the frst step n a lnear attack s to fnd an effectve lnear expresson for the cpher. Ths should be done by lnearsng the nonlnear elements and extendng ths lnearsaton to the begnnng and end of the round functon. Now the propagaton of the maskng values should be consdered. We gve an example on DES: ΓC H 0 ΓC H ΓC H ΓC H 0 F F F 3 ΓX 0 Followng dependency holds: ΓC H = ΓX - ΓC H -, and ΓC L = ΓC H -. ΓC L 0 ΓC L ΓK 0 ΓX ΓK ΓC L ΓX ΓK Fg.. Propagaton of maskng values n DES. It s very mportant to notce that propagaton of maskng values (Fg. ) s dfferent from the operatons n the cpher, e.g. when we consder a mask as a set of bts, we wll see that an exclusve-or operaton on a mask wll work as a tee, whle a tee operaton wll work lke an exclusve-or. At the begnnng of expresson search algorthm we set a boundary value of the expresson bas. We also set a value of the best one round bas. Durng the analyss, we wll compare the bas of the current

4 Proceedngs of ACS 000, Szczecn, pp expresson concatenated wth the best possble expresson wth the boundary bas. If our current expresson would not be better that the bound, we wll dscard t. In the frst round we choose ΓC H 0 n such a way as to determne the approxmaton of the round wth the largest bas p - /. In other words we choose ΓC H 0, and we try to fnd such ΓX 0 that the bas s large. If the chosen approxmaton concatenated to the best r- round expresson would have better bas than the bound we can start lookng for the approxmaton of the second round. Otherwse we have to try fnd a better approxmaton for the frst round. In the second round we have a smlar stuaton, we control the maskng value ΓC H (through maskng value ΓC L 0) n such a way as to fnd the approxmaton of the second round whch concatenated to the expresson of (r-) rounds would gve better bas than the bound. In the followng rounds we have ΓC H fxed, we can only choose ΓX to mprove the bas. At the end of the algorthm we get one or more lnear expressons and we can start analyss. The algorthm sketched above was presented by Matsu [9]. Ohta [] optmsed ths algorthm by dscardng some expressons durng precomputaton phase. He obtaned a sgnfcant mprovement n the expresson search of FEAL. The comparson of the effectveness of these algorthms for searchng for lnear expressons for DES can be found n [4]. 3. EXTENSIONS OF LINEAR CRYPTANALYSIS Several extensons to lnear cryptanalyss were proposed, whch mprove the effectveness of the attack, e.g. use of non-lnear approxmatons n outer rounds reduces the number of analysed texts by a factor of /. Dfferental-lnear cryptanalyss s a very powerful attack on DES wth a reduced number of rounds. The uses only 5 chosen plantexts n comparson to lnear cryptanalyss whch needs to analyse 500,000 of known plantexts and to dfferental cryptanalyss whch needs to analyse 5,000 chosen plantexts to obtan the same success probablty. Multple expresson attack reduces the number of p / analysed texts by a factor of, where ( p / ) p s the probablty of the best lnear expresson n use, and p are the probabltes of each of the expressons. The latest extenson proposed by Shmoyama [3] reduces the number of plantexts by the factor 5/34. In ths secton we sketch all these attacks. called multple approxmaton n [5]. 3. Non-lnear approxmatons n outer rounds It was natural to consder whether lnear approxmatons n lnear cryptanalyss can be replaced by non-lnear ones. There are two advantages whch ths extenson could gve. Frstly, the number of non-lnear approxmatons s much larger than lnear ones, so t may be easer to fnd an approxmaton wth a large bas. Secondly, t would make possble an attack on large S-boxes used n round functons. Unfortunately, Harpes [4] demonstrated problems n general use of non-lnear approxmatons n lnear analyss. Knudsen proposed to use non-lnear approxmatons n outer rounds. He used only approxmatons wth a non-lnear combnaton of the nput bts and a lnear combnaton of the output bts. For an llustraton of the attack we present an example. Consder an approxmaton of DES S-box S 8 whch nvolves bts x 0 x on the S-box nput. Then, dependng on the value of the subkey bts k 0 and k and denotng the approprate text bts after expanson by z 0 and z, we obtan that x 0 x = z 0 z, when (k 0, k ) = (0, 0), x 0 x = z 0 z z 0, when (k 0, k ) = (, 0), x 0 x = z 0 z z, when (k 0, k ) = (0, 0) and x 0 x = z 0 z z 0 z, when (k 0, k ) = (, ). In outer rounds the cryptanalyst knows the value correspondng to bts z 0, z before the transformaton wth the subkey. Smlarly to the R attack, he can try to guess the value of the correct subkey bts. Assume that the probablty of the approxmaton n use s equal to p. When hs guess s correct, he correctly reconstructs x 0 and x and the product x 0 x. When hs guess s ncorrect, e.g. he chooses k 0 and k, then he guesses (x 0 )x and the expresson on nput bts to the S-box wll be equal to the expresson on output bts of the S-box wth some probablty p. If p -/ < p-/ then wth a suffcent number of analysed texts the ncorrect choce can be detected. In the opposte case the ncorrect guess wll domnate, but n a practcal attack the cryptanalyst chooses the approxmaton wth a larger bas anyway. When both bases are equal, they are ndstngushable for the cryptanalyst. Knudsen appled hs attack to DES reduced to fve rounds; the comparson wth the orgnal attack s gven n the followng tables: Table 3. Success rate n 0R Matsu s attack on 5 rounds of DES ((p-½) - = 68,70) N 7,80 34,360 68,70 probablty of success 74% 88% 98% Table 4. Success rate n 0R attack on 5 rounds of DES wth non-lnear approxmaton n outer rounds ((p-½) - = 4,78) N 3,68 7,364 4,78 probablty of success 86% 9% 00%

5 Proceedngs of ACS 000, Szczecn, pp Dfferental-lnear cryptanalyss Dfferental-lnear cryptanalyss was proposed by Langford and Hellman [7]. They notced that three round dfferental characterstcs [] whch hold wth probablty can be effectvely used n lnear cryptanalyss. The man dea of the attack s the observaton that complementng two bts (whch after expanson are the mddle bts of an nput to the S-box) n one of the analysed texts leaves many bts of C 3 unchanged. Among these bts are nput bts to Matsu s best 3- round lnear expresson (bts number 57, 46, 40, 35 and 7). Because the party of these bts never changes, the party of output bts from the lnear expresson s unchanged wth probablty p = p (-p) = 0.576, where p = s the probablty of Matsu s lnear expresson. (Ths result comes drectly from the Plng-Up Lemma.) To attack DES the cryptanalyst for each par of cphertexts nverts the last round, computes the party for both nverted cphertexts and, f the party s equal ncreases N 0 where s the ndex of the analysed canddate for the last round subkey. The largest N 0 ndcates the correct subkey wth a probablty dependng on the probablty of the lnear expresson n use and the number of analysed pars. Further mprovement of ths attack can be acheved by usng structures proposed by [] for packng the analysed plantexts. To sketch the dea of structures we gve an example. When there s a possblty to use more than one dfferental characterstc n an attack e.g. 4-tuples of plantexts: P, P 0x , P 0x , P 0x , nstead of tme-consumng encrypton of all these plantexts, we can encpher only three of them and get the nformaton about the 4-th through analyss, whch s not so tmeconsumng. 3.3 Multple expressons The extenson proposed by Kalsk and Robshaw [5] was based on the observaton that durng the attack, the cryptanalyst dfferentates between the dstrbuton wth an expected value equal to p and varance p and the dstrbuton wth an expected value equal to -p and varance p. Use of multple expressons decreases the varance of the dstrbutons. Modfed equaton assumes the followng form: (P ΓP ) (C ΓC ) = Σ (K ΓK ), (6) where ΓP, ΓC denote bnary maskng vectors of plantext and cphertext used n lnear expresson number ( J). Instead of N 0 n algorthm, Kalsk proposed to use a statstc of the followng form: J U = a N0 (7) where a, a,..., a J, are postve and s.t. For smplcty we assume that p -/ > 0. J a =. Algorthm 3 (attack 0R wth multple expressons) [5] N known pars of texts, effectve lnear expressons wth probablty p. Step : For each lnear expresson let N 0 be the number of pars for whch the left sde of equaton 6 was equal to 0. Step : Count the value U = a N J 0. Step 3: If U > N/ then set Σ (K ΓK ) = 0, f p>/ and f p</, else set Σ (K ΓK ) =, f p>/ and 0 f p</. the value of Σ (K ΓK ) (correct wth probablty dependent on N and p / and weghts a. Kalsk notced that the dstrbuton of statstc U can be modelled usng a normal dstrbuton. He calculated the expected values and the varance. He also ndcated that when the weghts a are proportonal to the bases (p -/) of lnear expressons, the dstance between N/ and E[U] s maxmsed. He calculated the success rate of the modfed algorthm, whch s equal to: Φ( n ( p / ) N ), (8) n 4 ( p / ) where Φ(.) denotes the normal cumulatve J dstrbuton functon. When ( / ) s small, p the success rate can be approxmated as n p Φ( N ( / ) ), whle the success rate of Matsu s algorthm s equal to Φ( N ( p / )). Algorthm 3 can be easly extended to R and R attacks. 3.4 Shmoyama s attack Recently Shmoyama [3] proposed an extenson usng formal codng of DES S-boxes to nvert an outer round wth probablty. He found that there are seven algebrac quadratc relatons of the DES S- boxes. He used one of these relatons nstead of the outer approxmaton n a lnear expresson. Hs approxmaton whch was used to nvert S-box S5 has the followng form: (y y y 3 y 4 x ) *(x x x 5 ) = 0 whch gves on the nput and output to F functon: (F [3,8,5,4,] C [7] K [6] ) *(C [6,7,0] K [5,6,9] ) = 0.

6 Proceedngs of ACS 000, Szczecn, pp Shmoyama used ths relaton nstead of frst round approxmaton n a lnear expresson of DES. He estmated each of the factors ndependently, whch reduced the memory requrements. And fnally he combned the results of both factors usng Kalsk s [5] method. 3.5 Lmtatons of the basc attack and ts extensons The basc attack and ts extenson have the followng lmtatons:. Complexty of the non-lnear approxmaton search algorthms effectve search s feasble only then, when non-lnear operatons are algebracally defned e.g. as an addton n some feld, or when the number of all possble combnaton of nput bts to the operaton s small.. Memory complexty of the attack t s usually mpossble to mount an attack wth two consecutve round reducton (due to mxng property e.g. n DES due to constructon of permutaton P). In attack on DES the cryptoanalyst needs to mplement 6*6+6 = 4 counters for canddates for a subkey n two consecutve rounds. 3. Computatonal complexty O(N). To make an attack more flexble the cryptoanalyst needs to acheve an ndependence between the number of effectve subkey bts and the multple of the number of nputs to the S-box. It can be realsed by use of non-lnear approxmatons (but we have to remember the lmtaton due to complexty of nonlnear approxmaton search algorthms) or by use of probablstc countng method [], whch s descrbed n the followng chapter. 4. NON-DETERMINISTIC APPROACH We descrbe lnear cryptanalyss wth probablstc countng method appled to DES. Use of ths method ncreased the flexblty n the choce of number of effectve key bts (n reduced rounds). We propose the constructon of the attack wth the reducton of two consecutve rounds. Such a constructon can be effectve due to use of the probablstc countng method for an nverson of nner (second or penultmate) round of the cpher. Ths attack wth the reducton of two consecutve rounds form the bass for mountng 3R attack. It makes possble to use the lnear expresson for the smaller number of rounds e.g. for (r-3) rounds, and for the reducton of number of analysed pars of texts. 4. Lnear cryptanalyss wth the probablstc countng method In lnear cryptanalyss wth the probablstc countng method t s presumed that analyst knows only a part of effectve key bts (whch are called vsble bts). Bts unknown for the analyst are called nvsble bts. Durng estmaton of the value of the expresson n whch nvsble effectve key bts appear, nstead of exact value ts approxmaton s used, whch holds wth some probablty. To explan the probablstc countng method we present an example wth R attack. We use (r-)- round effectve lnear expresson and the approxmaton of one S-box n last or frst round. Smlarly to the prevously dscussed attacks (basc lnear cryptanalyss and ts extensons) for each part of subkey (vsble effectve subkey bts) we determne the bas between the number of events (pars of texts) n whch left sde of the (r-)-round lnear expresson s equal to 0 and the number of events when t s equal to. For proper subkey n outer round the bas should be close to the bas expected for the expresson and for the wrong keys t should be close to 0. In ths way we can conclude wth requred probablty about the subkey bts n outer round and about the value of the exclusve-or of subkey bts n remanng (r-) rounds. Let an (r-)-round effectve lnear expresson satsfed wth probablty p 0,5, have the followng form: P ΓP C r- ΓC r- = Σ K ΓK, (9) from whch we can obtan: P ΓP C L r Γ C H r- (F(C L r, K r ) C H r) ΓC L r- = Σ K ΓK. (0) In attack wth probablstc countng method nstead of exact value F(C L r, K r ) ΓC L r- we use ts approxmaton. We denote ths approxmaton as ~(F(C L r, K r ) ΓC L r-), and fnally for an attack wth probablstc countng we obtan the expresson: P ΓP C L r Γ C H r- C H r ΓC L r- ~(F(C L r, K r ) ΓC L r-) = Σ K ΓK. () The probablty of the expresson () depends on probablty p of (r-)-rounds lnear expresson and probablty of probablstc approxmaton of F functon. Let K v r denote the key canddate for effectve vsble subkey bts n round r. Then the algorthm of lnear cryptanalyss wth probablstc countng for DES has the followng form: Algorthm 4 (R attack wth probablstc countng and data countng phase) Data countng phase N known pars of texts, effectve lnear expresson for (r-)-rounds wth probablty p, whch uses only these bts of C r-, In practce ths stuaton can occur, when an analyst has lmted memory resources.

7 Proceedngs of ACS 000, Szczecn, pp whch can be computed from subset of effectve bts k r v. Step : Prepare t counters T (0 < t ) and ntate them wth zero, where denotes value of effectve text bts used n lnear expresson Step : For each plantext and sutable cphertext count t and ncrement value of counter T. Counter table T. Key countng phase table T, choce of effectve subkey bts K r, choce of vsble effectve subkey bts K v r, whch are beng searched, effectve lnear expresson for (r-) rounds wth probablty p whch uses only these bts of C r-, whch can be computed from subset of effectve bts k v r. Step 3: k Prepare v k counters N 0 (0 < v -) and ntate them wth 0. Step 4: For each possble value of effectve subkey bts K v r and for each possble value of effectve text bts count the probablty p that left sde of the lnear expresson assumes value zero averaged over all nvsble effectve key bts. Then set counter N 0 = Σ p * T. Step 5: Set N 0max = max (N 0 ) and N 0mn = mn (N 0 ). Step 6: If N 0max - N/ > N 0mn - N/ then set the value of effectve vsble subkey bts K r correspondng to N 0max, set z (K z ΓK z ) = 0, f p>½ or, f p<½. If N 0max - N/ < N 0mn - N/ then set the value of effectve vsble subkey bts K r correspondng to N 0mn, set z (K z ΓK z ) =, f p>½ or 0, f p<½. effectve vsble subkey bts n last round, the value of ( z (K z ΓK z )) for rounds to r-, both results returned wth probablty dependent on N, p - / and probablty of approxmaton of F functon. Let us now consder the nfluence of bas ε = p ½ resultng from the use of probablstc countng method on the success rate of the attack. A basc constructon element of lnear cryptanalyss wth probablstc countng method s a probablstc approxmaton of non-lnear operatons (n DES: S- boxes). We ntroduce the probablstc approxmaton and we wll defne probablty wth whch the probablstc approxmaton holds. Let α Γα represent a numercal value of the vector obtaned through the selecton of bts from vector α chosen by non-zero postons of maskng vector Γα. Example: α = [0], Γα = [00], then α Γα denotes numercal value whch represents vector []: 3. Defnton Let α Γα denote the value of vsble nput bts to S- box S, α Γα denote the value of nvsble bts. Let β Γβ denote the value of modulo sum of chosen output bts of S. We defne the probablstc approxmaton of S-box S ( 8), as a dependence between vsble bts on the nput to S α Γα and a value of the modulo sum of chosen output bts from S, whch holds wth probablty p. We denote a probablstc approxmaton of S as: ΨS (Γα, Γβ). Defnton For gven S-box S ( =,,.., 8), and non-zero vectors Γα and Γβ ( Γα 63, Γβ 5), wth constant α Γα, we defne probablty of probablstc approxmaton as a proporton of number of events s.t. a value of modulo sum of output bts from S chosen by Γβ assumes value zero, under condton that the vsble nput bts to S-box S ndcated by Γα assume value α Γα, averaged over values of all nvsble nput bts: Pr 0 α Γα (Γα, Γβ) = #{β Γβ = 0 β=s (α)} W ( Γα ) H () Example: Let s consder S-box S 5. Let s assume that there are 4 vsble nput bts to S 5 : Γα = [00], α assumes followng values [000000], [00000], [00000], [0000], and Γβ = [] then computaton process of the value Pr 0 α Γα s llustrated by table 5. A value α Γα s computed as a scalar product of vectors α and Γα, and smlarly wth β Γβ. Then we obtan: Pr 0 α Γα = 0 ([00], []) = 0 (3) as a proporton of number of columns n whch β Γβ = 0, to the number of all columns. Table 5. Computng the value of Pr 0 α Γα ([00], []) α Γα α Γα α Γα 0 3 β=s 5 (α) Γβ β Γβ Pr 0 α Γα = 0 ([00], []) 0 / 4 = 0 We defne an average probablty and an average bas of probablty of probablstc approxmaton Pr 0 α Γα (Γα, Γβ) computed over all possble values of vsble effectve nput bts to the S-box:

8 Proceedngs of ACS 000, Szczecn, pp Defnton 3 For gven S-box S ( =,,.., 8) and non-zero vectors Γα and Γβ ( Γα 63, Γβ 5) we defne average probablty ~ (Γα, Γβ) as a p ΨS proporton of sum of absolute values of bases of condtonal probabltes from ½: Pr 0 α Γα (Γα, Γβ), where the sum s taken over all possble values of vsble nput bts (α Γα), to the number of all possble values of vsble nput bts: ~ p ΨS (Γα, Γβ) = + W ( Γα ) WH ( Γα ) α Γα = 0 Pr ( Γα, Γβ ). (4) 0 α Γα Defnton 4 For gven S-box S ( =,,.., 8) and non-zero vectors Γα and Γβ ( Γα 63, Γβ 5) we defne average bas of probablty ~ p ΨS (Γα, Γβ) from ½ as: ~ ε ΨS (Γα, Γβ) = p ΨS W ( Γα ) = WH ( Γα ) α Γα = 0 ~ (Γα,Γβ)- = Pr ( Γα, Γβ ). (5) 0 α Γα Example Let s consder S-box S 5. Assume that there are 4 vsble bts on the nput to S 5 : Γα = [00], probabltes Pr 0 α Γα (Γα,Γβ) for all values of α Γα are gven n followng table: Table 6. Probablty dstrbuton Pr 0 α Γα (Γα,Γβ) as a functon of values of vsble nput bts to S-box (α Γα) α Γα Pr 0 α Γα (Γα,Γβ) 0 0 ¾ ¼ ¼ ¾ α Γα Pr 0 α Γα (Γα,Γβ) ¼ ¼ 0 0 ¾ ¾ then: ~ ε (Γα, Γβ) = ΨS 4 4 α Γα = 0 Pr ([00],[]) = 0, α Γα (6) In DES maxmum bases can be observed n followng cases: Table 7. Maxmum values of average bas of probablstc approxmatons as a functon of vsble nput bts to a S-box n DES number of vsble bts approx mated S-box nput mask Γα output mask Γβ ~ ε ΨS (Γα, Γβ) S 5 0x0 0x0f 0,35 S 5 0x 0x0f 0,35 S 5 0x 0x0f 0,35 S 5 0x4 0x0f 0,35 S 5 0x8 0x0f 0,35 S 5 0x30 0x0f 0,35 3 S 0 0x6 0x0f 0,375 3 S 7 0x6 0x0f 0,375 4 S 7 0xe 0x0f 0, S 3 0x3e 0x0f 0,5 As we can see maxmum average bas of probablstc approxmaton wth or vsble bts s equal to the bas of best lnear approxmaton. Wth knowledge of probablstc approxmaton we can start to construct a probablstc round approxmaton n smlar way as n determnstc approach and then we can construct the attack on DES. But before we do ths, we sketch the method of estmaton of number of texts needed n analyss. As we mentoned above the number of analysed texts depends on the probablty of lnear expresson and on the probablty of probablstc approxmaton of F functon. Ths probablstc approxmaton can be treated as a random varable, whch s equal to zero wth probablty ~ p ΨS and to wth probablty - ~ p ΨS. Wth the assumpton about ndependence of subkeys we can use Plng-Up lemma to calculate a bas of a new lnear expresson as: ε r = * p ½ * ~ - ½, (7) p ΨS so the number of pars of texts needed n attack s equal to: N = c* ( * p ½ * ~ ε ΨS ) -. (8) Now we can mount an attack on DES reduced to 3 rounds. Best lnear expresson [8] s followng: P L [5] P H [7,8,4,9] C L [5] C H [7,8,4,9] = K [] K 3 []. (9) To mplement an attack wth probablstc countng method on 3-round DES we use two round lnear expresson and nstead of last round approxmaton we use a probablstc approxmaton wth 4 vsble bts on the S-box nput. Average bas of probablstc approxmaton for S 5 wth W H (Γα) = 4 and Γβ = [] s equal to ~ ε ΨS = 0,375. So the number of texts needed n attack s equal to: N = c * ( * 0/64 * 4/64) - = c * 8,. (0) For comparson the number of texts needed n basc attack s equal to: N = c * ( * 0/64 * / * 0/64) - = c * 6,. () Moreover n a frst case we determne 4 subkey bts and K [], and n the second case only K [] K 3 []. In a basc form lnear cryptanalyss wth probablstc countng method s not so effectve as other extensons to lnear cryptanalyss. E.g. Shmoyama s attack on 3-round DES needed only: N = c * ( *0/64 */ */) = c * 0, ()

9 Proceedngs of ACS 000, Szczecn, pp pars of texts. So probablstc countng can be treated only as a component e.g. a component of attack wth addtonal round reducton. We sketch a lnear cryptanalyss wth reducton of two consecutve rounds of 4-round DES. We use - round lnear expresson of the followng form: P H [7,8,4,9] P L [5] C H [7,8,4,9] = Σ z K z ΓK z, (3) and a probablstc approxmaton n r- round of the followng form: ΨS 5 (α, [00],[]), whch holds wth average bas 0,375. Takng nto account an nverson of F functon n round r, we obtan: P H [7,8,4,9] P L [5] C H 4[7,8,4,9] ~F 3 (C L 3, K v 3)[7,8,4,9] F 4 (C L 4,K 4 )[0,,,3,4,5, 6,7,8,9,0,,,3,4,7,8,9,30,3] = Σ z K z ΓK z. (4) Expermentally obtaned success rate s followng: Table 8. Success rate of lnear cryptanalyss wth reducton of two consecutve rounds on 4 round DES. N *(* p SR ½ 4*(* p ε ΨS ) - ½ 8*(* p ε ΨS ) - ½ 6*(* p ε ΨS ) - ½ ε ΨS ) - experment 30% 60% 80% 90% al theoretcal 48,6% 78,5% 96,7% 99,9% 6. CONCLUSIONS We have mplemented a lnear cryptanalyss wth probablstc countng method on DES. We proposed lnear cryptanalyss wth two consecutve round reducton usng the probablstc countng method, whch form the bass for a constructon of 3R attack. The maor lmtaton n use of lnear cryptanalyss wth reducton of addtonal rounds s the memory complexty of an attack. But t s possble to mount 3R attack n whch there are outer rounds reduced and the second or one before last round. The 3R attack can be more effectve that R attack for DES, f n second or n penultmate round the probablstc approxmaton wll be used whch holds wth average bas ε ~ ΨS (Γα, Γβ) bgger than 0/64 (the value of best determnstc approxmaton). It can happen e.g. n followng cases the probablstc approxmaton has W(Γα) = 3 and approxmated s-box s S or S 8, or W(Γα) = 4 and approxmated s-box s S 5. In the frst case mnmum memory requrement s equal to 3*6+6+3 = 8 MB, and n the second case 4*6+4+6 =6 GB. So n the frst case t s possble to attack DES on the PC, whle n the second one a specalsed devce wll be needed. We can theoretcally estmate that n the second case, the number of texts wll be reduced to 69% of texts used n R attack. We can acheve further mprovement by combnng the proposed attack wth other extensons. 7. FURTHER RESEARCH Our further research wll concentrate on combnng extensons of lnear cryptanalyss wth proposed 3R attack. Also our attenton wll be concentrated on explanng the dependence of success rate of attack on the dstrbuton of probabltes n the nverted S- box. REFERENCES Bham, E., A. Shamr, 993. Dfferental Cryptanalyss of Data Encrypton Standard, Sprnger Verlag, 993. U. Blöcher, M. Dchtl, Problems wth the Lnear Cryptanalyss of DES Usng more than one Actve S-Box per Round, Fast Software Encrypton, Sprnger Verlag 994, ISBN Data Encrypton Standard. Federal Informaton Processng Standard (FIPS), Publcaton 46, Natonal Bureau of Standards, U.S., Department of Commerce, Washngton D.C., January C. Harpes, G. G. Kramer, J. L. Massey, 995. A Generalsaton of Lnear Cryptanalyss and Applcablty of Matsu s Plng-Up Lemma, Advances n Cryptology Eurocrypt B. S. Kalsk Jr., M. J. B. Robshaw, Lnear Cryptanalyss Usng Multple Approxmatons, Advances n Cryptology Crypto 94, Sprnger Verlag 994, ISBN L. R. Knudsen, M. J. B. Robshaw, Non-Lnear Approxmatons n Lnear Cryptanalyss, Advances n Cryptology Eurocrypt 96, Sprnger Verlag 996, ISBN X. 7 S. Langford, M. E. Hellman, Dfferental-lnear Cryptanalyss, Advances n Cryptology Crypto 94, Sprnger Verlag 994, ISBN M. Matsu, Lnear Cryptanalyss Method for DES Cpher, Advances n Cryptology Eurocrypt M. Matsu, On Correlaton Between the Order of S-boxes and the Strength of DES, Advances n Cryptology Eurocrypt 94, Sprnger Verlag 994, ISBN M. Matsu, The Frst Expermental cryptanalyss of Data Encrypton Standard, Advances n Cryptology Crypto 94, Sprnger Verlag 994, ISBN K. Ohta, S. Mora, K. Aok, Improvng the Search Algorthm for Best Lnear Expresson, Advances n Cryptology Crypto 95, Sprnger Verlag 995, ISBN K. Sakura, S. Furuya, Improvng lnear cryptanalyss of LOKI9 by probablstc countng method, Fast Software Encrypton Workshop (FSE4), Hafa, Israel, T. Shmoyama, T. Kaneko, Quadratc Relaton of S-Box and Its Applcaton to the Lnear Attack of Full Round DES, Advances n Cryptology, Crypto 98. ISBN A. Zuga, Algorthms for fndng lnear expressons, (n Polsh), IV Polsh Natonal Conference on the Applcatons of Cryptography ENIGMA 000, Ma A. Zuga, K. Górsk, Z. Kotulsk, A. Paszkewcz, J. Szczepańsk, S. Trznadel, Lnear cryptanalyss of DES algorthm, (n Polsh), semnar notes Insttute of Telecommuncatons, Warsaw Unversty of Technology, Aprl A. Zuga, K. Górsk, Z. Kotulsk, A. Paszkewcz, J. Szczepańsk, S. Trznadel, Lnear cryptanalyss, (n Polsh) PWT, December A. Zuga, K. Górsk, Z. Kotulsk, J. Szczepańsk, A. Paszkewcz, Extendng lnear cryptanalyss theory and experments, Regonal Conference on Mltary Communcaton and Informaton Systems, RCMCIS 99, October 6-8, 999.