Bayesian System for Differential Cryptanalysis of DES

Transcription

1 Available online at ScienceDirect IERI Procedia 7 (014 ) International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential Crytanalysis of DES A. De Paola a, L. Gagliano, G. Lo Re a a Università degli Studi di Palermo, Viale delle Scienze, ed. 6, Palermo 9018, Italy Abstract This aer rooses a new formalization for the differential crytanalysis of DES (Data Encrytion Standard) based on Bayesian Networks (BN), an artificial intelligence framework used for reasoning on data affected by uncertainty. Through the roosed aroach it is ossible to analyze DES from a novel oint of view, thus aving the way for the develoment of a new class of crytanalysis methods. 014 The Authors. Published by Elsevier B.V. This is an oen access article under the CC BY-NC-ND license 013. Published by Elsevier B.V. (htt://creativecommons.org/licenses/by-nc-nd/3.0/). Selection and eer review under resonsibility of Information Engineering Research Institute Selection and eer review under resonsibility of Information Engineering Research Institute Keywords: Crytograhy; DES; differential crytanalysis; Bayesian Networks; 1. Introduction The DES (Data Encrytion Standard) is a symmetric crytosystem standardized in the 70s for encryting sensitive data. The research about DES led to the modern design of block cihers and the design of several techniques for their crytanalysis. Because of short size DESs key, the algorithm is today considered not adequate for critical alications. However more recent block cihers, like the AES [1], have been designed to make infeasible a brute force attack. Nevertheless, since DES is still used for less sensitive data, and also as building block of Trile DES [], it still very interesting to analyze its vulnerabilities. Several works in the scientific literature have identified and analyzed some of the mains vulnerabilities of the DES. These works Corresonding author. Tel.: ; fax: address: alessandra.deaola@unia.it The Authors. Published by Elsevier B.V. This is an oen access article under the CC BY-NC-ND license (htt://creativecommons.org/licenses/by-nc-nd/3.0/). Selection and eer review under resonsibility of Information Engineering Research Institute doi: /j.ieri

2 16 A. De Paola et al. / IERI Procedia 7 ( 014 ) 15 0 led to the develoment of new crytanalysis techniques; among these, the most romising ones are linear crytanalysis [3] and differential crytanalysis [4]. Although these methods are extremely interesting from a theoretical oint of view, because they contributed to identify serious vulnerabilities of DES, they are not usable in a real attack because of the huge amount of required encrytion oerations, even if it is less than a brute-force attack. This work rooses a feasibility study for the imlementation of the differential crytanalysis [4]. With resect to the classical aroach used for the formalization of such technique, we roose the adotion of Bayesian Networks (BN), an artificial intelligence tool used for dealing with data affected by uncertainty. To the best of our knowledge this aroach is a novelty in the scientific literature. The rest of the aer is structured as follows: Section recalls DES roerties and discusses some related works; Section 3 describes the roosed Bayesian Network for modeling the attack to the S-Box, and then extends the roosed aroach for attacking the whole DES; finally Section 4 states our conclusions and discusses some future works.. DES descrition and related work DES is a symmetric crytosystem that transforms a 64-bit laintext P in a 64-bit cihertext T. A 64-bit key K, actually reduced to a 56-bit key, since 8 bits are used as arity bits, arameterizes the transformation. DES acts on the laintext P through a series of transformations named rounds. The inut to each round is transformed through the alication of the DESs Feistel function, which consists of a sequence of ermutations and substitutions. A 48-bit subkey obtained from K using a scheduling algorithm for subkey generation arameterizes each round. Fig. 1(a) shows the general DES scheme, and Fig. 1(b) shows details of a single round rocessing. (a) (b) (c) Fig. 1. (a) DES general block scheme. (b) Block scheme of the DES s round rocessing. (c) Detailed block diagram of the DES s Feistel Function. For each round =,, 16, the following equations are valid:

3 A. De Paola et al. / IERI Procedia 7 ( 014 ) L R R L 1 1 F( R 1, S K ) (1) namely, P is obtained from P -1 by relacing the left 3-bits half L -1 of P -1 with its right 3-bits half R -1 and by relacing its right half with a nonlinear combination of L -1 and R -1, arameterized by the subkey S K. The core of a round is the Feistel function that contains the only non-linear comonent of DES, the S-Box. In articular, the maing F, exanded in Fig. 1(c), is defined as follows: F ( R 1 1, SK ) P( S( E( R ) SK )) () where E is called exansion function, S is called S-Box, and P is called ermutation. Aroriate tables detailed in [5] define such maings. Domains and codomains of these functions are defined as follows: E : S : P : (3) It is worth noting that E and P are linear maings, while S is the only nonlinear comonent of the algorithm; its goal is erasing the existing relations between the key S K and the laintext. S-Box is the major security comonent of DES and their violation makes the whole encrytion system easily violable. Generally, 6 4 S-Box is not analyzed as a unique block, since it is comosed by eight submas S i :, with i=1,,8. Many works in the literature aim to analyze S-Box. Authors of [6] and [7] roose an analysis of S-Box roerties and consequently some ossible design criteria in block cihers context. On the basis of the roerties discovered, many crytanalysis methods were roosed in the literature to violate the S-Boxes. An algebraic aroach is roosed in [8], which defines the set of criteria for determining the set of non-linear algebraic constraints, which describes the I/O relationshi of the S-Boxes. Exloiting this set of constraints, the whole ciher is described as a system of multivariate non-linear equations. On the contrary, the author of [3] rooses a linear aroximation of S-boxes and of the whole DES, which is valid with some robability; such method is an examle of stochastic attack on the S-Boxes. It has been shown that the distribution of the outut of the S-Box is uniform if the inut is unknown, but exerimentally has been shown that the distribution of I/O differences is not uniform [4]. Taken two different inuts for a given S-Box and assuming that these two inuts are bounded by some known difference, then the robability distribution of the difference between the corresonding outut of the S-Box is not uniform; such imortant roerty reresents a strong system vulnerabilities, and underlies the differential crytanalysis [4]. Authors trace differences through the transformations, discover where the ciher exhibits non-random behavior, and exloit such roerties to recover the secret key. 3. Bayesian networks for differential crytanalysis The Bayesian Networks (BN) [9] are a formalism based on grah theory, exressing relationshis of cause/effect among random variables. In the roosed aroach we model the statistical distribution of I/O differences, discovered in [4], though a BN which allows erforming a diagnostic inference to discover the key. The roosed BN, showed in Fig. (a), uses the original notation reorted in [4]: at round, Si E, Si E indicate the i-th block of six-bits of the outut of the exansion function; Si K is the i-th six-bits block of the

4 18 A. De Paola et al. / IERI Procedia 7 ( 014 ) 15 0 subkey; Si I, Si I are two inuts to i-th S-Box; Si I is the OR between S-Box inuts; while Si O is the OR between S-Box oututs. (a) (b) (c) Fig.. (a) BN for the attack on the i-th S-Box. (b) BN for the attack on the i-th Feistel function. (c) BN for the attack on a 3-round DES. Since the differential crytanalysis is a chosen-laintext attack, it is ossible to assume to know the following evidence: thus, searching the key is equivalent to maximize the following likelihood: Si, (4) E, SiE, SiI, SiO ( ). (5) Through a diagnostic inference it is ossible to evaluate the eq.5. When leading more than one attack, the whole distribution is roortional to the roduct of the single distributions; thus, given the following set of evidences the likelihood can be evaluated as follows: Eq.7 can be solved through a differential aroach. Let us define Si K,,,, (6) 1 M M ( Si ) ( ). (7) K Si K i1 i

5 A. De Paola et al. / IERI Procedia 7 ( 014 ) ,,,, (8) j 1 j then, it follows that ( SiK M ) ( SiK ) ( SiK M 1). (9) The robability density functions of the roosed BN, necessary to erform the robabilistic inference, are exressed as follows: M Si Si Si E 6 1, Si Si, Si Si Si Si I SiI SiE, SiK SiE SiK SiI ; SiI SiI, SiI SiI SiI SiI ; Si Si, Si Si SiSi SiSi O E I E K I K E O K I I ; I ; (10) where is the Kronecker delta and Si(.) is the i-th S-Box. The roosed aroach allows formalizing the attack to the whole Feistel function; nevertheless, since sixbit blocks obtained as outut of the exansion function are not indeendent, it is not ossible to generalize the BN show in Fig. (a). An alternative BN, built following the same method, is shown in Fig. (b), which adots the following notation: Z, Z : inuts to the Feistel function; Z Z Z : difference between inuts; S : 48-bit subkey; K S S : inuts to the S-Box; I, I Y : ermutation of the difference between oututs from the S-Box. Attacking the Feistel function, in a chosen-laintext context imlies that it is ossible to choose two inuts Z and Z, exloiting which it is ossible to comute the inut OR Z, and to observe the difference between oututs Y. Through the diagnostic inference it is ossible to reduce the uncertainty about the 48-bit subkey. The BN can be used also for a forward inference rocess, which extracts samles from the imlicit distribution of Y conditioned to Z. In articular, it is ossible to samle Y, starting from a 48-bit random number for S I, obtained through a random number generator [9], and by alying the following equation: Y S SS EZ P S. (11) The samling technique can be used also for inferring the difference roagation inside the DES, while rocessing two inut P and P. Let P = (L,R) be the OR between inuts P and P, exlicitly decomosed in its left and right arts, T = (l,r) be the OR of ciher outut, I be the OR of inuts to the Feistel function at round -th, O be the OR of oututs from the Feistel function at round -th. The roagation of differences can be modeled through a BN, as shown in Fig(c) for a DES reduced to three round. In order to attack a N-round DES, it is necessary to adot the following algorithm: I I

6 0 A. De Paola et al. / IERI Procedia 7 ( 014 ) 15 0 Get the value I(N-1) by samling successive differences; Get the value IN =r ; Get the value ON l I N 1; Build a subkey histogram by attacking the S-Boxes at last round using the BN in Fig. (a); Once the last round is broken, roceed with the revious one. 4. Conclusions and future work This work demonstrated that the differential crytanalysis of DES can be imlemented through an alternative and novel aroach based on Bayesian Networks. The roosed aroach models a BN for attacking a single S-Box, and it can be extended for attacking the Feistel function, and finally the whole DES. When analyzing the number of airs <laintext, cihertext> required and the comutational comlexity, the roosed aroach is equivalent to the original formulation. Nevertheless the roosed novel oint of view may ave the way for future romising develoments. One of the most romising directions seems to be the exloitation of indeendences among different attack in a arallel imlementation of the robabilistic inference. Moreover, it is ossible to change the method adoted for the samling hase, by erforming an imortance samling that exloits the structure of the BN. Finally, we lan to evaluate alternative methods for erforming efficient inference in Bayesian Networks, such as genetic algorithms [11], even in combination with arallelization [1]. References [1] Daemen J, Rijmen V. The Design of Rijndael. Sringer-Verlag New York, Inc.; 00. [] Coersmith D, Johnson DB, Matyas, SM. A roosed mode for trile-des encrytion. IBM Journal of Research and Develoment. 1996;40():53-6. [3] Matsui M. Linear Crytanalysis Method for DES Ciher. In Advances in Crytology - EUROCRYPT93; Lecture Notes in Comuter Science. 1994; 765: [4] Biham E, Shamir A. Differential crytanalysis of DES-like crytosystems. Journal of Crytology. 1991; 4(1):3-7. [5] National Institute of Standards and Technology. FIPS PUB 46-3: Data Encrytion Standard (DES) [6] Brickell EF, Moore JH, Purtill, MR. Structure in the S-boxes of the DES. In Proceedings on Advances in crytology---crypto 86; Sringer-Verlag; 1987; 3-8. [7] Dawson MH, Tavares SE. An exanded set of S-box design criteria based on information theory and its relation to differential-like attacks. In Proceedings of the 10th annual international conference on Theory and alication of crytograhic techniques - EUROCRYPT91; 1991; Sringer-Verlag; [8] Courtois NT, Bard GV. Algebraic Crytanalysis of the Data Encrytion Standard. Crytograhy and Coding; Lecture Notes in Comuter Science; 007; 4887: [9] Koller D, Friedman N. Probabilistic Grahical Models: Princiles and Techniques Adative Comutation and Machine Learning. The MIT Press; 009. [10] Lo Re G, Milazzo F, Ortolani M. Secure random number generation in wireless sensor networks. 4th International Conference on Security of Information and Networks (SIN 011); 011; [11] Mengshoel OJ. Efficient Bayesian Network Inference: Genetic Algorithms, Stochastic Local Search, and Abstraction Technical Reort. University of Illinois at Urbana-Chamaign, Chamaign, IL, USA. [1] Lo Presti G, Lo Re G, Storniolo P, Urso A. A Grid Enabled Parallel Hybrid Genetic Algorithm for SPN. Comutational Science - ICCS 004; Lecture Notes in Comuter Science. 004; 3036: