Block Cipher Cryptanalysis: An Overview

Size: px

Start display at page:

Download "Block Cipher Cryptanalysis: An Overview"

Louise Hall
6 years ago
Views:

1 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017

2 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

3 Iterated Block Cipher 1/52 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

4 Iterated Block Cipher Iterated Block Cipher 2/52 Iterated Block Cipher A block cipher is a function E : {0, 1} k {0, 1} n {0, 1} n such that for each K {0, 1} k, the function E K ( ) = E(K, ) is a permutation of {0, 1} n. The n-bit input to the block cipher is called the plaintext; and the n-bit output of the block cipher is called the ciphertext. The k-bit quantity K is called the secret key.

5 Iterated Block Cipher Iterated Block Cipher (Cont.) 3/52 Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds.

6 Iterated Block Cipher Iterated Block Cipher (Cont.) 3/52 Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds. The secret key is expanded using a function called the Key Scheduling Algorithm (KSA), to obtain the round keys.

7 3/52 Outline Iterated Block Cipher Designs 1 Iterated Block Cipher Designs Attacks 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

8 4/52 Iterated Block Cipher Designs Substitution-Permutation Network (SPN)... P1 Plaintext... P16 Sub-key k (1) Mixing S11 S12 S13 S14 Round 1 Sub-key k (2) Mixing S21 S22 S23 S24 Round 2 Sub-key k (3) Mixing S31 S32 S33 S34 Round 3 Sub-key k (4) Mixing S41 S42 S43 S44 Round 4 Sub-key k (5) Mixing... C1 Ciphertext... C16 Figure : A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys s Tutorial).

9 5/52 Iterated Block Cipher Designs Substitution-Permutation Network (SPN) (Cont.) The substitution must be a bijection to ensure decryption.

10 5/52 Iterated Block Cipher Designs Substitution-Permutation Network (SPN) (Cont.) The substitution must be a bijection to ensure decryption. Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order.

11 5/52 Iterated Block Cipher Designs Substitution-Permutation Network (SPN) (Cont.) The substitution must be a bijection to ensure decryption. Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order. Note that some ciphers like Khazad uses involution (f (f (x)) = x) to make encryption and decryption look similar.

12 5/52 Iterated Block Cipher Designs Substitution-Permutation Network (SPN) (Cont.) The substitution must be a bijection to ensure decryption. Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order. Note that some ciphers like Khazad uses involution (f (f (x)) = x) to make encryption and decryption look similar. Examples: AES (Rijndael), 3-Way, PRESENT, SAFER, SHARK, Square etc.

13 6/52 Feistel Cipher Iterated Block Cipher Designs Encryption Plaintext Decryption Ciphertext L0 R0 Rr+1 Lr+1 k (0) k (r) F F k (1) k (r 1) F F k (r) k (0) F F Rr+1 Lr+1 L0 R0 Ciphertext Plaintext Figure : Encryption and Decryption Network of a Basic Feistel Cipher (Courtesy: Wikipedia).

14 7/52 Feistel Cipher vs. SPN Iterated Block Cipher Designs The main advantage of this type of design is that encryption and decryption are very similar, even identical in some cases, requiring only a reversal of the key schedule. One advantage of the Feistel cipher over an SPN is that unlike SPN, here the round function F need not be invertible.

15 8/52 Iterated Block Cipher Designs Feistel Cipher: Variants and Examples Unbalanced Feistel cipher: Two halves are unequal in length. Generalised Feistel cipher: Plaintext is divided into more than two parts. Examples: RC6, Skipjack, etc. Other Examples: Blowfish, DES, FEAL, RC5, LOKI etc.

16 9/52 Lai Massey Iterated Block Cipher Designs Encryption Plaintext Decryption Ciphertext L0 R0 Lr+1 Rr+1 k (0) H k (r) H 1 F F k (1) H k (r 1) H 1 F F k (r) H k (0) H 1 F H F H 1 Lr Rr L0 R0 Ciphertext Plaintext Figure : Encryption and Decryption Network of a Basic Lai-Massey Scheme (Courtesy: Wikipedia).

17 10/52 Lai Massey (Cont.) Iterated Block Cipher Designs The security properties of the Lai-Massey scheme is similar to those of the Feistel structure. Like the Feistel cipher it also shares the advantage that the round function F need not be invertible. Example: IDEA.

18 Iterated Block Cipher Designs 11/52 We will be considering SPN type block ciphers.

19 11/52 Outline Iterated Block Cipher Attacks 1 Iterated Block Cipher Designs Attacks 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

20 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks

21 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks Buchberger s Algorithm

22 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks Buchberger s Algorithm Linearization Technique

23 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks Buchberger s Algorithm Linearization Technique Relinearization Technique

24 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks Buchberger s Algorithm Linearization Technique Relinearization Technique The XL algorithm (XL - extended Linearization)

25 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks Buchberger s Algorithm Linearization Technique Relinearization Technique The XL algorithm (XL - extended Linearization) Slide Attack and Advanced Slide Attack

26 12/52 Attacks Iterated Block Cipher Attacks Algebraic Attacks Buchberger s Algorithm Linearization Technique Relinearization Technique The XL algorithm (XL - extended Linearization) Slide Attack and Advanced Slide Attack...

27 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks

28 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks

29 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks Linear Cryptanalysis

30 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks Linear Cryptanalysis and variants like Zero-correlation attack

31 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks Linear Cryptanalysis and variants like Zero-correlation attack Differential Cryptanalysis

32 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks Linear Cryptanalysis and variants like Zero-correlation attack Differential Cryptanalysis and variants like Higher Order Differentials Truncated Differential Cryptanalysis Impossible Differential Cryptanalysis Improbable Differential Cryptanalysis Boomerang Attack Cube Attack

33 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks Linear Cryptanalysis and variants like Zero-correlation attack Differential Cryptanalysis and variants like Higher Order Differentials Truncated Differential Cryptanalysis Impossible Differential Cryptanalysis Improbable Differential Cryptanalysis Boomerang Attack Cube Attack Other Attacks Differential-linear attack The Integral or Square attack The Saturation attack...

34 13/52 Attacks (Cont.) Iterated Block Cipher Attacks Statistical Attacks Distinguishing Attacks Linear Cryptanalysis and variants like Zero-correlation attack Differential Cryptanalysis and variants like Higher Order Differentials Truncated Differential Cryptanalysis Impossible Differential Cryptanalysis Improbable Differential Cryptanalysis Boomerang Attack Cube Attack Other Attacks Differential-linear attack The Integral or Square attack The Saturation attack...

35 13/52 Outline S-Boxes 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

36 S-Boxes 14/52 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

37 15/52 S-Boxes S-Boxes Boolean Function An m variable Boolean fuction is a map g : F m 2 F 2.

38 15/52 S-Boxes S-Boxes Boolean Function An m variable Boolean fuction is a map g : F m 2 F 2. S-Boxes An (m, n) S-Box (or vectorial fuction) is a map f : F n 2 Fm 2. An S-Box f : F n 2 Fm 2 has component functions f 1,..., f m, where each f i : F n 2 F 2.

39 15/52 Outline A Basic Substitution Permutation Network 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

40 A Basic Substitution Permutation Network 16/52 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

41 17/52 SPN A Basic Substitution Permutation Network... P1 Plaintext... P16 Sub-key k (1) Mixing S11 S12 S13 S14 Round 1 Sub-key k (2) Mixing S21 S22 S23 S24 Round 2 Sub-key k (3) Mixing S31 S32 S33 S34 Round 3 Sub-key k (4) Mixing S41 S42 S43 S44 Round 4 Sub-key k (5) Mixing... C1 Ciphertext... C16 Figure : A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys s Tutorial).

42 A Basic Substitution Permutation Network Substitution 18/52 16-bit data block broken into four 4-bit sub-blocks.

43 A Basic Substitution Permutation Network Substitution 18/52 16-bit data block broken into four 4-bit sub-blocks. Each sub-block forms an input to a 4 4 S-Box. S-Box is a highly non-linear mapping. Assume that all the S-Boxes are the same.

44 A Basic Substitution Permutation Network Substitution 18/52 16-bit data block broken into four 4-bit sub-blocks. Each sub-block forms an input to a 4 4 S-Box. S-Box is a highly non-linear mapping. Assume that all the S-Boxes are the same. Input Output E 4 D 1 2 F B 8 Input 8 9 A B C D E F Output 3 A 6 C

45 A Basic Substitution Permutation Network Permutation 19/52 Input Output Input Output

46 A Basic Substitution Permutation Network Key Mixing & Decryption 20/52 Key Mixing Bit-wise exclusive-or. Assume, that subkeys are independently generated and unrelated, rather than being generated from master key using KSA.

47 A Basic Substitution Permutation Network Key Mixing & Decryption 20/52 Key Mixing Bit-wise exclusive-or. Assume, that subkeys are independently generated and unrelated, rather than being generated from master key using KSA. Decryption Also an SPN. S-boxes are the inverse of the encryption S-boxes. The sub-keys are applied in the reverse order and is moved around according to the permutation.

48 20/52 Outline Linear Cryptanalysis 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

49 Linear Cryptanalysis 21/52 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

50 22/52 Goal Linear Cryptanalysis The main aim in linear cryptanalysis is to find linear expressions of the form X i1 X i2 X iu Y j1 Y j2 Y jv = 0, which have a high or low probability of occurrence.

51 22/52 Goal Linear Cryptanalysis The main aim in linear cryptanalysis is to find linear expressions of the form X i1 X i2 X iu Y j1 Y j2 Y jv = 0, which have a high or low probability of occurrence. Let, p L = Pr [X i1 X i2 X iu Y j1 Y j2 Y jv = 0], then linear probability bias b L = p L 1 2.

52 22/52 Goal Linear Cryptanalysis The main aim in linear cryptanalysis is to find linear expressions of the form X i1 X i2 X iu Y j1 Y j2 Y jv = 0, which have a high or low probability of occurrence. Let, p L = Pr [X i1 X i2 X iu Y j1 Y j2 Y jv = 0], then linear probability bias b L = p L 1 2. Tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits.

53 22/52 Goal Linear Cryptanalysis The main aim in linear cryptanalysis is to find linear expressions of the form X i1 X i2 X iu Y j1 Y j2 Y jv = 0, which have a high or low probability of occurrence. Let, p L = Pr [X i1 X i2 X iu Y j1 Y j2 Y jv = 0], then linear probability bias b L = p L 1 2. Tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits. It is a known plaintext attack.

54 23/52 Notations Linear Cryptanalysis P and C denotes the 16-bit plaintext and ciphertext, respectively.

55 23/52 Notations Linear Cryptanalysis P and C denotes the 16-bit plaintext and ciphertext, respectively. X i denotes the i th bit of the input X = [X 1, X 2, X 3, X 4 ] to the S-box. Y i denotes the i th bit of the output Y = [Y 1, Y 2, Y 3, Y 4 ] to the S-box. X 1 X 2 X 3 X 4 S-box Y 1 Y 2 Y 3 Y 4 Figure : S-box Mapping (Courtesy: Heys s Tutorial).

56 Linear Cryptanalysis Notations (Cont.) 24/52 U (i) represents the input to the i th round S-box and U (i) j represents the j th bit of block U (i). V (i) represents the output of the i th round S-box and V (i) j represents the j th bit of block V (i).

57 Linear Cryptanalysis Notations (Cont.) 24/52 U (i) represents the input to the i th round S-box and U (i) j represents the j th bit of block U (i). V (i) represents the output of the i th round S-box and V (i) j represents the j th bit of block V (i). Let, k (i) represent the i th round key.

58 25/52 Piling-Up Lemma Linear Cryptanalysis Piling-Up Lemma (Matsui) For n independent, random binary variables, X 1, X 2,..., X n Pr[X 1 X n = 0] = n 1 or, equivalently, n ε 1,2,...,n = 2 n 1 ε i, i=1 n i=1 where ε 1,2,...,n represents the bias of X 1 X n = 0. ε i

59 Linear Cryptanalysis How to construct such linear expressions? 26/52

60 Linear Cryptanalysis How to construct such linear expressions? 26/52 This is done by considering the cipher s non-linear components.

61 Linear Cryptanalysis How to construct such linear expressions? 26/52 This is done by considering the cipher s non-linear components. In this case, the S-Box.

62 27/52 S-Box Analysis Linear Cryptanalysis X 1 X 2 X 3 X 4 Y 1 Y 2 Y 3 Y 4 X 2 X 3 Y 1 Y 3 Y 4 X 1 X 4 Y 2 X 3 X 4 Y 1 Y Table : Sample Difference Pairs of the S-box.

63 Linear Cryptanalysis S-Box Analysis (cont.) 28/52 Output Mask in Hexadecimal A B C D E F Input Mask in Hexadecimal A B C D E F Table : Linea Approximation Table of the S-box Represented by Table.

64 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher 29/52 Linear approximation of the overall cipher is achieved by concatenating appropiate S-boxes. By constructing a linear approximation involving plaintext bits and the data bits from the output of the second last round, it is possible to attack the cipher by recovering a subset of the subkey bits that follow the last round.

65 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) 30/52 P5 P7P8 k (1) 5 k (1) 7 k (1) 8 S11 S12 S13 S14 Round 1 k (2) 6 S21 S22 S23 S24 Round 2 k (3) 6 k (3) 14 S31 S32 S33 S34 Round 3 k (4) 6 k (4) 14 k (4) 6 k (4) 14 U (4) 6 U (4) 8 U (4) 14 U(4) 16 S41 S42 S43 S44 Round 4 k (5) 5... k(5) 8 k (5) 13...k(5) 16 Figure : Sample Linear Approximation (Courtesy: Heys s Tutorial).

66 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) 31/52 We use the following approximation of the S-box : S 12 : X 1 X 3 X 4 = Y 2 with probability and bias S 22 : X 2 = Y 2 Y 4 with probability 4 16 and bias 1 4 S 32 : X 2 = Y 2 Y 4 with probability 4 16 and bias 1 4 S 34 : X 2 = Y 2 Y 4 with probability 4 16 and bias 1 4

67 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) 32/52 Notice, U (1) = P k (1). For S 12, we have V (1) 6 = U (1) 5 U (1) 7 U (1) 8 = (P 5 K 1,5 ) (P 7 K 1,7 ) (P 8 K 1,8 ). This holds with probability 3 4.

68 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) 33/52 Continuing... U 4,6 U 4,8 U 4,14 U 4,16 P 5 P 7 P 8 K = 0, where = K 1,5 K 1,7 K 1,8 K 2,6 K 3,6 K 3,14 K 4,6 K 4,8 K 4,14 K 4,16. K

69 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) 34/52 K is fixed to either 0 or 1 depending on the key of the cipher. Using piling-up lemma p L = ( ) ( ) 3 = Therefore, b L = 1 32.

70 Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) 35/52 Depending on whether K = 0 or 1, the expression U 4,6 U 4,8 U 4,14 U 4,16 P 5 P 7 P 8 holds with either probability p L = or 1 p L =

71 Linear Cryptanalysis Extracting Key Bits 36/52 Once an r 1 round linear approximation is discovered for a cipher of r rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example r = 4.

72 Linear Cryptanalysis Extracting Key Bits 36/52 Once an r 1 round linear approximation is discovered for a cipher of r rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example r = 4. We shall refer to the bits to be recovered from the last sub-key as the target partial sub-key. In our example k (5) 5, k(5) 6, k(5) 7, k(5) 8, k(5) 13, k(5) 14, k(5) 15, k(5) 16.

73 Linear Cryptanalysis Extracting Key Bits: Algorithm 37/52 Generate about 1 b 2 L many known plaintext/ ciphertext pairs.

74 Linear Cryptanalysis Extracting Key Bits: Algorithm 37/52 Generate about 1 many known plaintext/ ciphertext pairs. bl 2 Assume that we have plaintext/ ciphertext pairs encrypted under a particular key.

75 Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) 38/52 For each of the of the 256 possible values of K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16, do the following :

76 Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) 38/52 For each of the of the 256 possible values of K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16, do the following : - For each plaintext/ ciphertext pair we exclusive-or the partial ciphertext [C 5,..., C 8, C 13,..., C 16 ] with the guessed key value.

77 Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) 38/52 For each of the of the 256 possible values of K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16, do the following : - For each plaintext/ ciphertext pair we exclusive-or the partial ciphertext [C 5,..., C 8, C 13,..., C 16 ] with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) 16.

78 Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) 38/52 For each of the of the 256 possible values of K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16, do the following : - For each plaintext/ ciphertext pair we exclusive-or the partial ciphertext [C 5,..., C 8, C 13,..., C 16 ] with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) Count the number of plaintext/ ciphertext pairs that satisfy the 4-round linear approximation.

79 Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) 38/52 For each of the of the 256 possible values of K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16, do the following : - For each plaintext/ ciphertext pair we exclusive-or the partial ciphertext [C 5,..., C 8, C 13,..., C 16 ] with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) Count the number of plaintext/ ciphertext pairs that satisfy the 4-round linear approximation. - Find the bias = count

80 Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) 38/52 For each of the of the 256 possible values of K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16, do the following : - For each plaintext/ ciphertext pair we exclusive-or the partial ciphertext [C 5,..., C 8, C 13,..., C 16 ] with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) Count the number of plaintext/ ciphertext pairs that satisfy the 4-round linear approximation. - Find the bias = count Select the guess with the maximum bias as our target sub-key.

81 Linear Cryptanalysis Experimental Results (Partial) 39/52 Target Sub-key in Hexadecimal Target Sub-key in Hexadecimal [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] bias [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] bias 0x1C x2A x1D x2B x1E x2C x1F x2D x x2E x x2F x x x x x x x x x x x x x x x x Table : Experimental Result (Partial) for Linear Attack.

82 Linear Cryptanalysis Experimental Results (Partial) Target Sub-key in Hexadecimal Target Sub-key in Hexadecimal [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] bias [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] bias 0x1C x2A x1D x2B x1E x2C x1F x2D x x2E x x2F x x x x x x x x x x x x x x x x Table : Experimental Result (Partial) for Linear Attack. Note that the experimental bias = is very close to the expected value of 1 32 = /52

83 40/52 Summary Linear Cryptanalysis Linear Cryptanalysis: Approximate r 1 rounds of a r round block cipher by a linear function, which deviates substantially from uniform.

84 40/52 Summary Linear Cryptanalysis Linear Cryptanalysis: Approximate r 1 rounds of a r round block cipher by a linear function, which deviates substantially from uniform. - This is done by careful structural analysis of the block cipher.

85 40/52 Summary Linear Cryptanalysis Linear Cryptanalysis: Approximate r 1 rounds of a r round block cipher by a linear function, which deviates substantially from uniform. - This is done by careful structural analysis of the block cipher. Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force.

86 40/52 Summary Linear Cryptanalysis Linear Cryptanalysis: Approximate r 1 rounds of a r round block cipher by a linear function, which deviates substantially from uniform. - This is done by careful structural analysis of the block cipher. Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force. Prevention:

87 40/52 Summary Linear Cryptanalysis Linear Cryptanalysis: Approximate r 1 rounds of a r round block cipher by a linear function, which deviates substantially from uniform. - This is done by careful structural analysis of the block cipher. Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force. Prevention: Wide trail strategy. Stronger S-boxes or non-linear function....

88 40/52 Outline Differential Cryptanalysis 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

89 Differential Cryptanalysis 41/52 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

90 42/52 Idea Differential Cryptanalysis In an ideally randomizing cipher, the probability that a particular output difference Y occurs, given a particular input difference X is 1 2 where n is the number of bits. n

91 42/52 Idea Differential Cryptanalysis In an ideally randomizing cipher, the probability that a particular output difference Y occurs, given a particular input difference X is 1 2 where n is the number of bits. n It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher.

92 42/52 Idea Differential Cryptanalysis In an ideally randomizing cipher, the probability that a particular output difference Y occurs, given a particular input difference X is 1 2 where n is the number of bits. n It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack.

93 42/52 Idea Differential Cryptanalysis In an ideally randomizing cipher, the probability that a particular output difference Y occurs, given a particular input difference X is 1 2 where n is the number of bits. n It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack. Using the highly likely differential characteristics, gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys.

94 42/52 Idea Differential Cryptanalysis In an ideally randomizing cipher, the probability that a particular output difference Y occurs, given a particular input difference X is 1 2 where n is the number of bits. n It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack. Using the highly likely differential characteristics, gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys. In order to determine a high probability difference pair, we consider the input-output differences of the S-Boxes.

95 43/52 Notations Differential Cryptanalysis Let X 1, X 2 {0, 1} n. Define, X = X 1 X 2. Let, X = [ X 1,..., X n ]. A differential ( X, Y ): for a given input difference X, Y is the difference in output. Differential Characteristics: A sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round.

96 Differential Cryptanalysis Sample Difference Pairs of the S-BOX 44/52 X Y Y X = 1011 X = 1000 X = Table : Sample Difference Pairs of the S-box.

97 Differential Cryptanalysis Difference Distribution Table 45/52 Output Difference in Hexadecimal A B C D E F Input Difference in Hexadecimal A B C D E F Table : Difference Distribution Table for the S-box Represented by Table.

98 46/52 Keyed S-BOX Differential Cryptanalysis W 1 W 2 W 3 W 4 X 1 X 2 X 3 X 4 K 1 K 2 K 3 K 4 S-box Y 1 Y 2 Y 3 Y 4 Figure : Keyed S-box.

99 Differential Cryptanalysis Sample Differential Cryptanalysis 47/52 P = [0000, 1011, 0000, 0000] S11 S12 S13 S14 Round 1 S21 S22 S23 S24 Round 2 S31 S32 S33 S34 Round 3 U (4) U (4) 5 8 (4)... U U(4) 16 S41 S42 S43 S44 Round 4 k (5) 5... k(5) 8 k (5) k(5) 16 Figure : Sample Differential Characteristic.

100 Differential Cryptanalysis Probability of the Differential Characteristics 48/52 Active S-Boxes: S 12 : X = B Y = 2 with probability 8/16. S 23 : X = 4 Y = 6 with probability 6/16 S 32 : X = 2 Y = 5 with probability 6/16 S 33 : X = 2 Y = 5 with probability 6/16

101 Differential Cryptanalysis Probability of the Differential Characteristics 48/52 Active S-Boxes: S 12 : X = B Y = 2 with probability 8/16. S 23 : X = 4 Y = 6 with probability 6/16 S 32 : X = 2 Y = 5 with probability 6/16 S 33 : X = 2 Y = 5 with probability 6/16 Probability of the Differential Characteristics: p D = product of the differentials of the active S-Boxes = (8/16) (1/16) 3 = 27/1024.

102 Differential Cryptanalysis Extracting Key Bits : Algorithm 49/52 Generate about 1 p D many chosen plaintext/ ciphertext pairs satisfying the input difference. Assume that we have 5000 such pairs.

103 Differential Cryptanalysis Extracting Key Bits : Algorithm (Cont.) 50/52 For each of the of the 256 possible values of K (5) 5, K (5) 6, K (5) 7, K (5) 8, K (5) 13, K (5) 14, K (5) 15, K (5) 16, we do the following :

104 Differential Cryptanalysis Extracting Key Bits : Algorithm (Cont.) 50/52 For each of the of the 256 possible values of K (5) 5, K (5) 6, K (5) 7, K (5) 8, K (5) 13, K (5) 14, K (5) 15, K (5) 16, we do the following : - For each pair of plaintext/ ciphertext pairs, exclusive-or the partial ciphertext (C 5,..., C 8, C 13,..., C 16 ) with the guessed key value.

105 Differential Cryptanalysis Extracting Key Bits : Algorithm (Cont.) 50/52 For each of the of the 256 possible values of K (5) 5, K (5) 6, K (5) 7, K (5) 8, K (5) 13, K (5) 14, K (5) 15, K (5) 16, we do the following : - For each pair of plaintext/ ciphertext pairs, exclusive-or the partial ciphertext (C 5,..., C 8, C 13,..., C 16 ) with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) 16.

106 Differential Cryptanalysis Extracting Key Bits : Algorithm (Cont.) 50/52 For each of the of the 256 possible values of K (5) 5, K (5) 6, K (5) 7, K (5) 8, K (5) 13, K (5) 14, K (5) 15, K (5) 16, we do the following : - For each pair of plaintext/ ciphertext pairs, exclusive-or the partial ciphertext (C 5,..., C 8, C 13,..., C 16 ) with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) Count the number of pairs of plaintext/ ciphertext pairs that satisfy our differential characteristics and then find the prob = count/5000.

107 Differential Cryptanalysis Extracting Key Bits : Algorithm (Cont.) 50/52 For each of the of the 256 possible values of K (5) 5, K (5) 6, K (5) 7, K (5) 8, K (5) 13, K (5) 14, K (5) 15, K (5) 16, we do the following : - For each pair of plaintext/ ciphertext pairs, exclusive-or the partial ciphertext (C 5,..., C 8, C 13,..., C 16 ) with the guessed key value. - Do a inverse substitution (S-Box 1 ) to get U (4) 6, U(4) 8, U(4) 14, U(4) Count the number of pairs of plaintext/ ciphertext pairs that satisfy our differential characteristics and then find the prob = count/5000. Select the one which has the maximum prob as our target partial key.

108 Differential Cryptanalysis Experimental Results (Partial) 51/52 Target Sub-key in Hexadecimal [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] Empirical Probability Target Sub-key in Hexadecimal [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] Empirical Probability 0x1C x2A x1D x2B x1E x2C x1F x2D x x2E x x2F x x x x x x x x x x x x x x x x Table : Experimental Result (Partial) for Differential Attack.

109 Differential Cryptanalysis Experimental Results (Partial) Target Sub-key in Hexadecimal [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] Empirical Probability Target Sub-key in Hexadecimal [k (5) 5,..., k(5) 8, k(5) 13,..., k(5) 16 ] Empirical Probability 0x1C x2A x1D x2B x1E x2C x1F x2D x x2E x x2F x x x x x x x x x x x x x x x x Table : Experimental Result (Partial) for Differential Attack. Note that the experimatal value of the probability, = is very close to the expected value of = /52

110 51/52 Outline Appendix 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

111 Appendix 52/52 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

112 52/52 References Appendix 1 A Tutorial on Linear and Differential Cryptanalysis by Howard M. Heys. 2 Wikipedia.

113 Appendix 52/52 Thank you for your kind attention!

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation