MATH 509 Differential Cryptanalysis on DES

MATH 509 on DES
Department of Mathematics, Boise State University
Spring 2012

Feistel Round Function for DES

1977: DES is approved as a standard. [1]
1992: Biham and Shamir reported the differential cryptanalysis.
1994: The first linear cryptanalysis of DES is performed by Matsui.
1999: DES was reaffirmed for the fourth time with the use of Triple DES.
2002: The Advanced Encryption Standard (AES) became a standard.

[1] Designers: H Feistel, W Tuchman, D Coppersmith, A Konheim, E Grossman, B Notz, L Smith and B Tuckerman from IBM.

[2], [3] Eli Biham and Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard (1993).

S-Box Design Criteria

- 1 bit input difference produces 2 bits output difference.
- Minimize the difference between the numbers of 1's and 0's when any input bit remains the same.
- 2 input difference bits mapped to 3 by the expansion function.
- S(X ) S(X 11 00)...

"Don was wrong!..." Ali Biham [4]

[4] Eli Biham and Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard (1993).

Differential Cryptanalysis on 3-round B-DES: in class notes

Differential Cryptanalysis on 4-round B-DES

Suppose we have access to a 4-round B-DES device. We know all the inner workings of the encryption algorithm, its standards and its S-boxes, but we don't know the key.

Using the analysis for 3 rounds and the knowledge that certain plaintext differences occur with a higher probability than other differences, we can discover the key.

Note that there are $16^2$ input pairs $(L, L^*)$ in the S-boxes. There are 16 input pairs $(L, L^*)$ with fixed XOR.

The following is known about the difference distribution for the box $S_1$ in B-DES: there are 12 input pairs $(a, a^*)$ such that

$a \oplus a^* = 0011$ and $S_1(a) \oplus S_1(a^*) = 011$.

The following is known about the difference distribution for the box $S_2$ in B-DES: there are 8 input pairs $(a, a^*)$ such that

$a \oplus a^* = 1100$ and $S_2(a) \oplus S_2(a^*) = 010$.

Therefore, if the S-boxes are independent we have that

$p[S_1(a) \oplus S_1(a^*) = 011,\ S_2(a) \oplus S_2(a^*) = 010] = \frac{12}{16} \cdot \frac{8}{16}$

Question: How can we use this weakness of the S-boxes?

Step-by-Step Differential Cryptanalysis on 4-round B-DES

Step 1: Choose plaintext pairs $L_0 R_0$ and $L_0^* R_0^*$ whose XOR difference is $\Delta R_0 = R_0 \oplus R_0^* = 001100$ and $\Delta L_0 = L_0 \oplus L_0^* = 011010$.

Step 2: Using the expansion function in B-DES, compute $E(\Delta R_0) = 00111100$. The input XOR for $S_1$ is $R_0^{1} \oplus R_0^{*1} = 0011$ and the input XOR for $S_2$ is $R_0^{2} \oplus R_0^{*2} = 0011$.

Note that in that case we have that

$\Delta R_1 = R_1 \oplus R_1^* = L_0 \oplus f(R_0, K_1) \oplus L_0^* \oplus f(R_0^*, K_1) = \Delta L_0 \oplus S_1(R_0) \oplus S_1(R_0^*) = 011010 \oplus 011010 = 000000$

i.e. $R_1 = R_1^*$. Also, note that the probability

$p[\Delta L_1 \Delta R_1 = 001100000000 \mid \Delta L_0 \Delta R_0 = 011010001100] = \frac{3}{8}$.

Step 3: Apply differential cryptanalysis on 3-round B-DES starting with the pair $L_1 R_1$ and $L_1^* R_1^*$, where $R_1 = R_1^*$ and $\Delta L_1 = 001100$.
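
The counts and the 3/8 probability above can be checked by exhaustive enumeration; the following is an added example, not code from the slides. The S-box tables and the expansion rule are not given on this page: the ones below are an assumption (the tables of the simplified DES-type cipher in Trappe and Washington's textbook), used because they reproduce the counts 12 and 8 and the value E(001100) = 00111100 quoted above.

```python
# Added illustration. S1, S2 and expand() are ASSUMED (not given on the page).
S1 = [[0b101, 0b010, 0b001, 0b110, 0b011, 0b100, 0b111, 0b000],
      [0b001, 0b100, 0b110, 0b010, 0b000, 0b111, 0b101, 0b011]]
S2 = [[0b100, 0b000, 0b110, 0b101, 0b111, 0b001, 0b011, 0b010],
      [0b101, 0b011, 0b000, 0b111, 0b110, 0b010, 0b001, 0b100]]

def sbox(table, x):
    """4-bit input: the first bit selects the row, the last three the column."""
    return table[x >> 3][x & 0b111]

def ddt_count(table, in_xor, out_xor):
    """Number of inputs a (out of 16) with S(a) ^ S(a ^ in_xor) == out_xor."""
    return sum(sbox(table, a) ^ sbox(table, a ^ in_xor) == out_xor
               for a in range(16))

def expand(r):
    """Assumed expansion E(b1..b6) = b1 b2 b4 b3 b4 b3 b5 b6 (6 -> 8 bits)."""
    b = [(r >> (5 - i)) & 1 for i in range(6)]
    out = 0
    for bit in (b[0], b[1], b[3], b[2], b[3], b[2], b[4], b[5]):
        out = (out << 1) | bit
    return out

def f(r, k):
    """Round function: expand R, XOR the 8-bit round key, apply S1 and S2."""
    x = expand(r) ^ k
    return (sbox(S1, x >> 4) << 3) | sbox(S2, x & 0xF)

def characteristic_hits(k, d_r=0b001100, d_out=0b011010):
    """Count R0 (out of 64) with f(R0, k) ^ f(R0 ^ d_r, k) == d_out.
    For these R0, Delta R1 = Delta L0 ^ d_out = 000000 when Delta L0 = 011010."""
    return sum(f(r, k) ^ f(r ^ d_r, k) == d_out for r in range(64))

if __name__ == "__main__":
    print("S1 count:", ddt_count(S1, 0b0011, 0b011))   # pairs out of 16
    print("S2 count:", ddt_count(S2, 0b1100, 0b010))   # pairs out of 16
    print(f"E(001100) = {expand(0b001100):08b}")
    # The round key cancels in the input XOR, so the count is key-independent.
    print("hits per key:", {characteristic_hits(k) for k in range(256)})
```

Because the key cancels out of the S-box input XOR, the fraction of right pairs is the same for every round key, which is what makes the characteristic usable without knowing the key.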