Cryptanalysis of Substitution-Permutation Networks Using Key-Dependent Degeneracy *

Transcription

1 Cryptnlysis of Substitution-Permuttion Networks Using Key-Dependent Degenercy * Howrd M. Heys Electricl Engineering, Fculty of Engineering nd Applied Science Memoril University of Newfoundlnd St. John s, Newfoundlnd, Cnd A1B 3X5 Stfford E.Tvres Deprtment of Electricl nd Computer Engineering Queen s University Kingston, Ontrio, Cnd K7L 3N6 * This reserch ws supported by the Nturl Sciences nd Engineering Reserch Council of Cnd nd the Telecommunictions Reserch Institute of Ontrio nd ws completed during the first uthor s doctorl studies t Queen s University.

2 Cryptnlysis of Substitution-Permuttion Networks Using Key-Dependent Degenercy Keywords Cryptnlysis, Substitution-Permuttion Network, S-box Abstrct This pper presents novel cryptnlysis of Substitution- Permuttion Networks using chosen plintext pproch. The ttck is bsed on the highly probble occurrence of key-dependent degenercies within the network nd is pplicble regrdless of the method of S-box keying. It is shown tht lrge number of rounds re required before network is resistnt to the ttck. Experimentl results hve found 64-bit networks to be cryptnlyzble for s mny s 8 to 12 rounds depending on the S-box properties. I. Introduction The concept of Substitution-Permuttion Networks (SPNs) for use in block cryptosystem design origintes from the confusion nd diffusion principles introduced by Shnnon [1]. The SPN rchitecture considered in this pper ws first suggested by Feistel [2] nd consists of rounds of non-liner substitutions (S-boxes) connected by bit permuttions. Such cryptosystem structure, referred 1

3 to s LUCIFER 1 by Feistel, is simple, efficient implementtion of Shnnon s concepts. A generl N-bit SPN is composed of R rounds of n 2 n S-boxes. We shll denote the cryptosystem plintext input s P = P 1 :::P N nd the ciphertext output s C = C 1 :::C N. S-boxes in the network re defined s mpping S rs : X rs! Y rs where X rs = X (rs) 1 :::X (rs) n nd Y rs = Y (rs) 1 :::Y (rs) n. The vlue of s identifies the number of the S-box within round r, 1 r R, nd 1 s N=n. A simple exmple of n SPN is illustrted in Figure 1 with N = 16, R = 4, nd n = 4. We shll consider S-boxes tht re keyed using one of the following methods 2 : 1. selection keying: the key bits my be used to select which S-box mpping from set of mppings will be used for prticulr S-box, nd 2. XOR msk keying: the key bits my be exclusive-ored with the network bits prior to entering n S-box. Recent cryptnlysis techniques hve hd notble effect on the perceived security of SPN cryptosystems. For exmple, in [6] nd [7], Bihm nd Shmir introduce powerful chosen plintext cryptnlysis technique referred to s differentil cryptnlysis. Utilizing highly probbly occurrences of differentil sequences, 1 Another vrint of LUCIFER [3] more closely resembles the network structure of DES [4]. 2 Note tht method 2 my ctully be considered s specil cse of method 1. We distinguish between the two methods for clrity. Using method 2 only is wy of ensuring tht mpping for prticulr S-box is selected from the sme cryptogrphic equivlence clss [5]. 2

4 probbilities cn be ssigned to possible key vlues with the most probble key being selected s correct. As well, in [8], Mtsui introduces the known plintext ttck of liner cryptnlysis which mkes use of the likely stisfction of liner equtions involving the plintext, ciphertext, nd key bits. The pplicbility of differentil nd liner cryptnlysis to SPNs is thoroughly discussed in [9]. The cryptnlysis presented in this pper is n efficient technique for determining the network key bits. It uses divide-nd-conquer pproch by exmining the ciphertexts corresponding to number of chosen plintexts nd counting the number of times prticulr sub-key is consistent with key-dependent degenercy in the observed ciphertext. Depending on the number of rounds in the network, the correct sub-key is consistent with significntly higher probbility thn the incorrect sub-keys. II. Terminology The following terminology is fundmentl to the understnding of the cryptnlysis. Degenerte Function: An m-input boolen function, f(x), X = X 1 :::X m, is degenerte function in input X i if chnging X i only does not chnge the function output for ll possible inputs X 2 f0; 1g m. Degenerte Mpping: A m 2 n mpping is degenerte mpping in input X i if chnging X i only does not chnge the mpping output for ll possible inputs 3

5 X 2 f0; 1g m. Trget S-box: A trget S-box is the S-box under exmintion within the network. The cryptnlysis trgets one S-box t time in order to find the key bits ssocited with tht S-box. Trget Sub-Key: The key bits ssocited with the trget S-box re referred to s the trget sub-key. Ciphertext Sub-Block: A ciphertext sub-block is block of n ciphertext bits which re ssocited with prticulr S-box in the lst round of the network. These my or my not be contiguous in the output block depending on whether there is finl permuttion fter the lst round of S-boxes. There re N=n sub-blocks in ciphertext block. Sub-Block Mpping: A sub-block mpping is generted by considering mpping from the n output bits of the trget S-box to n n-bit ciphertext sub-block. A prtil sub-block mpping of dimension m 2 n is mpping from subset of m output bits of the trget S-box to n n-bit ciphertext sub-block. III. Key-Dependent Degenercy The cryptnlysis exploits the highly probble occurrence of degenercy in subblock mppings. In generl, if n n 2 n mpping is rndomly selected, there is non-zero probbility tht it is degenerte. It will be shown tht subblock mppings within the network often hve much higher probbility of 4

6 being degenerte thn tht of rndomly selected mpping. In such cses, by mintining count of the occurrence of such degenercies for ech possible trget sub-key, the correct sub-key cn be derived with high probbility. We refer to the consistent occurrence of degenercy for the correct trget sub-key s keydependent degenercy. Key-dependent degenercy is very high in networks with smll number of rounds nd decreses s the number of S-box rounds is incresed. In the most difficult cryptnlysis scenrio, ech S-box in the network hs number of ssocited key bits tht re independent of the other key bits in the network. The cryptnlysis begins by selecting trget S-box in the first round of the network. An pproprite number of chosen plintexts re selected so tht the trget sub-key my be determined with resonble sttisticl confidence. Subsequently, the remining first round S-boxes re trgeted nd the ssocited key bits determined. Once the first round key is known, the pproprite prtil encryption cn be used in trgeting the second round of S-boxes with chosen inputs. The ttck my proceed by stripping off rounds of S-boxes s their key bits re determined. As the unknown portion of the network decreses in size, the number of required chosen plintexts to discover the trget sub-key decreses significntly. Consider the trget S-box to be in the first round. In generl, n SPN my be represented by the first round S-boxes, the lst round S-boxes, nd n inner network, s in Figure 2. The input nd output to the inner network re denoted by 5

7 U = U 1 :::U N nd V = V 1 :::V N, respectively. The ttck to determine the trget sub-key consists of number of trils, ech tril entiling 2 n chosen plintexts. The plintexts in tril re selected such tht the network inputs which re not inputs to the trget S-box re rbitrrily fixed nd the n inputs to the trget S-box re cycled through ll 2 n possibilities. In this scenrio, the output of the trget S- box forms n n-bit input into N boolen functions corresponding to ech output of the inner network. The n-input boolen function, f i, corresponding to output V i, is rbitrrily determined by the N 0 n fixed inputs of U (coming from the outputs of the non-trget S-boxes). For inner networks with smll enough number of rounds, f i hs significnt probbility of being degenerte in one or more bits. If function f i hs high probbility of being degenerte in prticulr input, U j, then there is high probbility tht ll n inputs to lst round S-box re degenerte in U j s well. When this occurs, the input to the lst round S-box is degenerte mpping from the trget S-box output nd the corresponding subblock mpping from the trget S-box output to the ciphertext sub-block will be degenerte. However, since the trget sub-key is unknown, the outputs of the trget S-box nd, hence, the n inputs to the sub-block mpping re not known. Therefore, there is set of K t possible mppings for ech sub-block where K t represents the number of possible trget sub-key vlues. One of these mppings corresponds to the correct sub-key nd is the ctul sub-block mpping. Ech tril, consisting of 2 n chosen plintexts, my be considered conceptully s 6

8 illustrted in Figure 3. Assume tht the trget sub-key consists of one bit used to select between S-boxes S 0 nd S 00. The output of the trget S-box is mpped to ciphertext sub-block, Z, through S b : Y! Z. There re two possible vlues for S, b denoted S b0 nd S b00, corresponding to S 0 nd S 00 respectively. The ctul mpping of S b corresponding to the correct sub-key is selected rbitrrily for ech tril ccording to the fixed network inputs. The correct sub-key my be deduced by executing severl trils nd counting the number of times S b0 nd S b00 re degenerte. We expect (nd experimentl results confirm) tht the correct subkey will typiclly exhibit mpping degenercies most often. The number of trils (nd hence chosen plintexts) required to determine the sub-key should be enough to llow the degenercy counts to clerly distinguish the correct trget sub-key. Exmple: The trget S-box is selected by key bit to be either S 0 or S 00. The results of one tril re listed in Tble 1: the outputs of one sub-block corresponding to the trget S-box inputs (the remining network inputs hving been rbitrrily fixed) re given long with the possible trget S-box outputs corresponding to S 0 nd S 00. From this informtion, Tble 2 is compiled to conveniently disply sub-block mpping possibilities S b0 nd S b00. It is obvious tht S b0 is degenerte mpping in input Y 3 nd tht S b00 is not degenerte. IV. Enhncement of the Attck Using Prtil Mppings The success of the cryptnlysis cn often be enhnced by considering the 7

9 trget S-box input X 1 X 2 X 3 X 4 S output Y 1 Y 2 Y 3 Y 4 S output Y 1 Y 2 Y 3 Y 4 sub-block output Z 1 Z 2 Z 3 Z Tble 1. Key-Dependent Degenercy Exmple degenercy of prtil outputs of the trget S-box. For exmple, network with S-boxes which displys significnt key-dependent degenercy in the sub-block mpping of the trget S-box output to ciphertext sub-block will lso disply these degenercy trits when considering or sub-block prtil mpping. A prtil mpping is mpping from group of 2 or 3 trget S-box outputs to the ciphertext sub-block. The sme set of chosen plintexts used to 8

10 trget S-box output Y 1 Y 2 Y 3 Y 4 sub-block output for S Z 1 Z 2 Z 3 Z 4 sub-block output for S Z 1 Z 2 Z 3 Z Tble 2. Sub-block Mppings Corresponding to Sub-keys exmine the full sub-block mpping is lso esily nlyzed for degenercies in the prtil mppings. When considering prtil mppings from tril of 16 chosen plintexts, the bits tht re not included s prt of the mpping under exmintion must be fixed. Hence, for ny 3 bits of the trget S-box output, there re two 324 mppings to be exmined: one corresponding to the fourth bit equl to 0 nd one corresponding to 9

11 trget S-box input X 1 X 2 X 3 X 4 S output Y 1 Y 2 Y 3 Y 4 sub-block output Z 1 Z 2 Z 3 Z Tble 3. Prtil Mpping Exmple the fourth bit equl to 1. Since there re four 3 bit groups, over ll 16 trget S-box inputs we hve totl of eight sub-block mppings to consider. Similrly, ech 2 bit combintion of outputs genertes four mppings, corresponding to the four possible vlues of the 3rd nd 4th bits. With six wys of selecting the two outputs to consider from the trget S-box, there re totl of mppings. In generl, for n m-bit prtil output, there re 0 1 n 2 n0m possible m m 2 n mppings to be exmined for degenercy from tril of 2 n plintexts. Exmple: Consider the exmple of Tble 1. A portion of the tble is reproduced in Tble 3 in order to illustrte cse where, if the first 2 inputs to the subblock mpping for S 0 re fixed t Y 1 Y 2 = 10, the sub-block mpping Y 3 Y 4! Z 1 :::Z 4 is degenerte in Y 3. Often, the correct sub-key cn be esily distinguished with fewer plintextciphertext pirs by nlyzing prtil mppings rther thn the full sub-block mpping. Although rndomly selected mppings with fewer inputs hve higher 10

12 probbility of being degenerte, in mny cses the key-dependent degenercy is significnt enough to llow identifiction of the correct key. V. Effectiveness of the Algorithm In generl, it is hrd to derive explicitly the complexity or the probbility of success of the ttck. The effectiveness of the cryptnlysis depends lrgely on the properties of the S-boxes nd the permuttions used. In nlyzing the ttck, it is of interest to determine (1) the likelihood tht different trget sub-keys cnnot be distinguished nd (2) the likelihood of the inner network being degenerte with probbility significntly greter thn is expected for rndomly selected mpping. If we cnnot distinguish between the correct sub-key nd ll incorrect sub-keys or if degenercy occurs with the sme frequency s expected in rndom mpping, then the cryptnlysis will be unsuccessful. Distinguishing Between Keys It is quite possible tht prticulr tril will disply degenercies for the subblock mppings of different sub-keys, one of which my or my not be the correct sub-key. The success of the ttck relies on the correct sub-key displying degenercy more often thn incorrect sub-keys. Assuming tht the probbility of degenercy is lrge nd suitble number of chosen plintexts is vilble, only under exceptionl circumstnces will it be impossible to distinguish between the correct key nd n incorrect key. The reltionship between S-box mppings which 11

13 will llow this to occur nd the subsequent likelihood of rndomly selected S- boxes being indistinguishble is given in the following theorem nd corollry. Theorem 1: Two n 2 n bijective S-boxes, S 0 nd S 00, will be indistinguishble if, nd only if, ech boolen function of S 0 is identicl to boolen function or the complement of boolen function of S 00. Proof (Sketch): Let two functions of S 0 nd S 00 be defined to be similr if they re identicl or one is the complement of the other. occur for the sme input chnges. Chnges in the output of similr functions Assume tht S 0 nd S 00 re relted s stted in the theorem. Then, for ny subset of the function of S 00, ll functions in the subset re similr to output function of S 00 nd since degenercies re detected bsed on chnges in the cipertext sub-block, ny degenercies which re observed cn be ssocited with both S-boxes nd the S-boxes cnnot be distinguished. Consider the cse now where one of the boolen functions of S 0, f i, is not similr to function from S 00. Then in the scenrio where S 0 is used for the cipher nd the sub-block mpping is degenerte in ll inputs other thn the input corresponding to f i, there is no degenercy of S 00 tht is equivlent to this degenercy of S 0 nd the S-boxes cn be distinguished. Hence, in order for S-boxes to be indistinguishble, they must be of the formt suggested by the theorem. 3 12

14 Corollry 1: The probbility of two rndomly selected n 2 n bijective mppings being indistinguishble is given by 2 n n! 2 n! : (1) Proof: The number of possible mppings for S 00 tht re indistinguishble from S 0 is simply given by the number of wys of selecting, for ll n functions of S 0, either the function or its complement nd permuting the n functions within the mpping. This is divided by the number of possible bijective mppings to give (1) bove.3 From Corollry 1, it is pprent tht, if n S-box is keyed by selecting between two rndomly selected mppings nd ssuming sufficient number of chosen plintexts to llow distinguishing, it is very unlikely tht the two S-boxes will be indistinguishble nd it will only occur for the constrictive reltionship of Theorem 1. For exmple, if n = 4, the probbility of two rndomly selected S-boxes being indistinguishble is 1: Degenercy in Rndom Mppings Success of the cryptnlysis requires tht the probbility of degenercy for the full nd prtil sub-block mppings is significntly different thn the degenercy of rndom mpping so tht the correct sub-key is obvious for the number of chosen plintexts vilble. It is of interest therefore to determine the probbility of rndomly selected m 2 n mpping being degenerte. As the number of rounds in 13

15 the network increse, the probbility of degenercy pproches this vlue nd it becomes infesible to distinguish the correct sub-key from wrong sub-keys. Theorem 2: The probbility of rndomly selected m 2 n mpping being degenerte in one or more inputs is given by: X P deg = m m (01) k+1 k k=1 1 P nk (2) where P nk represents the probbility of the mpping being degenerte in k prticulr inputs nd is given by: Y P nk = k (1=2) n12m0i : (3) i=1 Proof: To see how (2) is derived, consider first the probbility of rndom m-input boolen function, f(x 1 ; :::; X m ), being degenerte. Since ech output of the function is independently selected to be either 0 or 1 with probbility of 1/2, the probbility tht chnge in only input X i not cusing chnge in the output over ll X 2 f0; 1g m is given by P 11 = (1=2) 2m01. This is derived by considering 2 m01 pirs of outputs in the truth tble, ech pir corresponding to vlues of X differing in only Xi. The probbility of the function being degenerte in two inputs, Xi nd Xj, is given by the probbility of being degenerte in Xi multiplied by the probbility 14

16 mpping size probbility of degenercy 2x E-03 3x E-05 4x E-10 Tble 4. Probbility of Degenercy for Rndom Mppings of being degenerte in Xj given degenercy in Xi. Given tht the function is degenerte in Xi, since there is no chnge in the output when only Xi chnges, we need only consider hlf the function output vlues (for exmple, when Xi = 0). Hence, if the function is to be degenerte in Xj given tht it is lredy degenerte in Xi, there re only 2 m01 =2 cses for which chnge in only input Xj must not chnge the output. Therefore, the probbility of the function being degenerte in two prticulr input bits is given by P12 = (1=2) 2m01 1 (1=2) 2m02. The remining cses for degenercy in more thn two inputs cn be derived similrly nd in generl Y P1k = k (1=2) 2m0i : i=1 Considering now the rndom m 2 n mpping, since ll output functions of the mpping re independent, the probbility of ll n outputs being degenerte in k prticulr inputs is given by (3). Using the principle of inclusion-exclusion from set theory [10] nd noting the symmetric nture of the degenercy, the probbility of the m2n mpping being degenerte in one or more inputs is simply given by (2). 3 15

17 stge r stge r stge r stge r stge r stge r stge r stge r Tble 5. Permuttion Used in 64x64 SPN Experiments The probbility of degenercy for different size mppings is given in Tble 4. VI. Experimentl Results This section highlights some of the results of the cryptnlysis pplied to different SPNs. We nlyzed network comprised of S-boxes nd permuttion, listed in Tble 5, selected from the clss of permuttions suggested by Ayoub [11]. Two types of networks were nlyzed: one using S-boxes rbitrrily selected from the rows of the Dt Encryption Stndrd (DES) S-boxes [4] nd one using rndomly selected bijective, non-degenerte S-boxes. A set of 16 S- boxes ws selected for ech network nd used in ll rounds. XOR msk keying ws used for ech round with the key bits rndomly selected. Experimentl results were compiled for nd sub-block mppings. A lrge number of trils ws executed for ech network nd the probbility of degenercy, P deg, ws determined s function of the number of rounds for SPNs 16

18 4 x 4 Sub-block Mpping 2 x 4 Sub-block Mpping DES Rndom DES Rndom Round Boxes S-boxes S-boxes S-boxes x x < 6.25 x x x < 6.25 x x x x < 6.25 x x x x < 6.25 x x < 6.25 x x < 6.25 x x < 6.25 x x 10-3 Tble 6. Experimentl Degenercy Probbilities with DES S-boxes nd rndom S-boxes. In Figure 4 the mesured degenercy probbilities for the full nd the prtil mppings of vrious size networks re compred to the vlues expected for rndom mpping from Tble 4. As well, the experimentl vlues re tbulted in Tble 6. The generl trend of convergence towrds the rndom mpping vlues is evident in both network types. However, it is lso cler tht the network utilizing DES S-boxes pproches the desired symptote much more quickly thn the rndomly selected S-boxes. Intuitively, this is likely due to the strong diffusion properties of the DES S-boxes. In prticulr, the property tht, for single input bit chnge, t lest two output 17

19 bits chnge is very useful in diffusing chnges through the network nd thereby minimizing degenercies. This property is unlikely to occur in rndomly selected S-boxes nd, therefore, it is not surprising tht the frequency of key-dependent degenercy is higher in networks where the S-boxes re simply rndomly selected. Consider the number of chosen plintexts required to determine first round trget sub-key using the full n 2 n sub-block mpping. We cn expect the number of sub-block mppings which must be nlyzed before observing degenercy to be given by 1=P deg. In cses where degenercy occurs with much higher probbility thn expected for rndom mppings, it will typiclly tke only few occurrences of degenercy to estblish the correct key. Considering tht nlyzing sub-block mpping requires 2 n chosen plintexts nd tht there re N=n subblocks to be exmined for every ciphertext block, we cn determine the number of plintexts required to revel first round trget sub-key to be on the order of the nerest multiple of N=n bove 8 2 n = 2 P deg 1 (N=n) 39. (Rounding up to the multiple of N=n is necessry since we cnnot consider only prt of ciphertext block.) For exmple, bsed on n nlysis of the full sub-block mppings nd the experimentlly determined P deg, 6 round network with DES S-boxes requires on the order of 784 plintexts nd n 8 round network with rndom S-boxes requires on the order of 384 plintexts. Networks with DES S-boxes composed of 5 or less rounds nd networks with rndom S-boxes composed of 6 or less rounds only require on the order of 16 chosen plintexts to determine 18

20 the trget sub-key. In prctice, using prtil mppings often requires fewer chosen plintexts, prticulrly when P deg becomes smll. Figure 5 illustrtes typicl key counts for n 6 round DES network nd n 8 round rndom S-box network bsed on 224 prtil mpping key-dependent degenercy. In both cses, it is pprent tht, with 160 chosen plintexts, the correct trget sub-key is clerly distinguishble. If the probbility of degenercy pproches the probbilities listed in Tble 4, it might tke mny times more thn one degenercy occurrence to clerly distinguish the correct key. For exmple, nlyzing prtil mppings, it ws found tht the correct trget sub-key ws determined in 7 of 8 experiments, ech experiment using 1.6 million chosen plintexts, for the 8 round network using DES S-boxes. Similrly, it tkes on the order of 1.6 million chosen plintexts to distinguish the correct trget sub-key for the 12 round network with rndom S-boxes. VII. Applicbility of the Attck Thwrting the Attck There re number of wys to minimize the impct of the ttck. The rpid diffusion or vlnche of bit chnges is effective in decresing the probbility of degenercies occurring. There re severl techniques tht cn be used to improve the diffusion in n SPN. These include: (1) using lrger S-boxes 19

21 (2) using S-boxes with good diffusion, nd (3) using diffusive liner trnsformtion (LT) s the interconnection between rounds of S-boxes. The effect on the degenercy probbility s function of the number of rounds in the network is illustrted in Figure 6. Experimentl results re presented for rndomly selected nd S-boxes, s well s for S-boxes with good diffusion nd diffusive liner trnsformtion (LT). Note, in prticulr, the drmtic effect of the diffusive liner trnsformtion. S-boxes which hve good diffusion re cpble of tking smll input chnges nd converting these to lrger number of output chnges. The S-boxes used in Figure 6 gurntee tht one bit input chnge will result in n output chnge of t lest two bits. A diffusive liner trnsformtion cn be generted by hving ech input to round of S-boxes be determined by the sum of number of output bits from the previous round output. For exmple, the liner trnsformtion used in Figure 6 is derived by dding prity bit to ech bit fter pplying the permuttion of Tble 5 where the prity bit consists of the XOR sum of ll bits. It should lso be noted tht compring the degenercy probbilities of the networks bsed on nd S-boxes is somewht misleding since the expected degenercy probbilities for rndom nd mppings re different 0 7: nd 1: ; respectively 1. However, for networks with 20

22 smll number of rounds, both rndom degenercy probbilities re much smller thn the experimentl probbilities nd, hence, my be considered to be negligible. In this cse, it is cler tht the degenercy probbilities for the SPN using S-boxes re much smller nd therefore more chosen plintexts re required to successfully cryptnlyze by exploiting key-dependent degenercy. Appliction of Attck to DES In n ttempt to determine the effectiveness of the ttck on the Dt Encryption Stndrd, we rn extensive simultions of the ttck on DES. It ws found tht no degenercy could be detected beyond 4 or 5 rounds, suggesting tht DES is very resistnt to this form of cryptnlysis. Other cryptnlysis techniques, such s differentil or liner cryptnlysis, hve been much more successful ginst DES. This result is not surprising in light of the good diffusion chrcteristics of DES. For exmple, DES S-boxes hve good diffusion of bit chnges (since one bit input chnge must result in t lest two bit output chnge) nd the effects of bit chnges re spred to lrge number of S-boxes in the next round due to the expnsion opertion nd the symmetric S-boxes. Comprison to Differentil Cryptnlysis Cryptnlysis of SPNs using key-dependent degenercies tkes dvntge of the 21

23 weknesses in the dynmic properties of ciphers. These weknesses cn lso be typiclly exploited by differentil cryptnlysis. It is difficult to directly compre the effectiveness of the two ttcks since the exct complexity of both ttcks is difficult to determine. Differentil cryptnlysis, for exmple, requires knowledge of highly probble chrcteristic in order to estimte the complexity of the ttck. We hve found, however, tht cryptnlysis using key-dependent degenercy cn be successful on networks of mny rounds nd the pproch is very systemtic nd involves no detiled nlysis of the SPN before execution. Conversely, while it is likely tht differentil cryptnlysis could be successful on SPNs of mny rounds, performing the ttck requires creful nlysis of the difference distributions of the S-boxes in order to determine the most probble chrcteristics tht my be used in executing the ttck. This is not necessrily simple process nd it is conceivble tht it could mke differentil cryptnlysis much more difficult to implement. VIII. Conclusion We hve presented novel cryptnlysis of n importnt clss of privte key block cryptosystems referred to s Substitution-Permuttion Networks. The ttck exploits the likely occurrence of key-dependent degenercy within the network to determine trget sub-keys ssocited with individul S-boxes. Experimentl 22

24 results indicte tht the cryptnlysis is very effective on networks up to lrge number of rounds. As well, it is noted tht strong S-box diffusion, s in the DES S-boxes, hs significnt effect on minimizing the success of the ttck s the number of rounds in the network is incresed. 23

25 References 1. C.E. Shnnon, Communiction theory of secrecy systems, Bell System Technicl Journl, vol. 28, pp , H. Feistel, Cryptogrphy nd computer privcy, Scientific Americn, vol. 228, no.5, pp , A. Sorkin, Lucifer: A cryptogrphic lgorithm, Cryptologi, vol. 8, no. 1, pp , Ntionl Bureu of Stndrds, Dt Encryption Stndrd (DES), Federl Informtion Processing Stndrd Publiction 46, M. Sivbln, S.E. Tvres, nd L. E. Pepprd, On the design of SP networks from n informtion theoretic point of view, Advnces in Cryptology: Proceedings of CRYPTO 92, Springer-Verlg, Berlin, pp , E. Bihm nd A. Shmir, Differentil cryptnlysis of DES-like cryptosystems, Journl of Cryptology, vol. 4, no. 1, pp. 3 72, E. Bihm nd A. Shmir, Differentil cryptnlysis of Snefru, Khfre, REDOC-II, LOKI, nd Lucifer, Advnces in Cryptology: Proceedings of CRYPTO 91, Springer-Verlg, Berlin, pp , M. Mtsui, Liner cryptnlysis method for DES cipher, Advnces in Cryptology: Proceedings of EUROCRYPT 93, Springer-Verlg, Berlin, pp ,

26 9. H. M. Heys nd S. E. Tvres, Substitution-Permuttion Networks Resistnt to Differentil nd Liner Cryptnlysis, to pper in Journl of Cryptology, L. J. O Connor, The Inclusion-Exclusion Principle nd Its Applictions to Cryptogrphy Cryptologi, vol. 17, no. 1, pp , F. Ayoub, The design of complete encryption networks using cryptogrphiclly equivlent permuttions, Computers nd Security, vol. 2, pp ,

27 input P... P 1 16 S 11 S 12 S 13 S 14 S 21 S 22 S 23 S 24 S 31 S 32 S 33 S 34 S 41 S 42 S 43 S 44 C... C 1 16 output Figure 1. SPN with N = 16, R = 4, nd n = 4 X 1 X n S / S Trget S-box Y 1 Y n S Sub-block Mpping Z 1 Z n Figure 2. SPN Model Used in Attck 26

28 X 1 X n S / S Trget S-box Y 1 Y n S Sub-block Mpping Z 1 Z n Figure 3. Sub-block Mpping Model X 1 X n S / S Trget S-box Y 1 Y n S Sub-block Mpping Z 1 Z n Figure 4. Experimentl Degenercy Probbilities 27

29 Count 6 Round SPN with DES S-boxes 2x4 Mpping, 160 Chosen Plintexts Key = A A B C D E F Trget Sub-Key Count Round SPN with Rndom S-boxes 2x4 Mpping, 160 Chosen Plintexts Key = A A B C D E F Trget Sub-Key Figure 5. Typicl Key Counts 28

30 References [1] C. E. Shnnon, Communiction theory of secrecy systems, Bell System Technicl Journl, vol. 28, pp , [2] H. Feistel, Cryptogrphy nd computer privcy, Scientific Americn, vol. 228, no. 5, pp , [3] A. Sorkin, Lucifer: A cryptogrphic lgorithm, Cryptologi, vol. 8, no. 1, pp , [4] Ntionl_Bureu_of_Stndrds, Dt Encryption Stndrd (DES), Federl Informtion Processing Stndrd Publiction 46, [5] M. Sivbln, S. E. Tvres, nd L. E. Pepprd, On the design of SP networks from n informtion theoretic point of view, Advnces in Cryptology: Proceedings of CRYPTO 92, Springer-Verlg, Berlin, pp ,