Block Cipher Cryptanalysis: An Overview


Subhabrata Samajder, Indian Statistical Institute, Kolkata. 17th May, 2017.

Outline

1. Iterated Block Cipher
2. S-Boxes
3. A Basic Substitution Permutation Network
4. Linear Cryptanalysis
5. Differential Cryptanalysis
6. Appendix

Iterated Block Cipher

A block cipher is a function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ such that for each $K \in \{0,1\}^k$, the function $E_K(\cdot) = E(K, \cdot)$ is a permutation of $\{0,1\}^n$. The n-bit input to the block cipher is called the plaintext, and the n-bit output of the block cipher is called the ciphertext. The k-bit quantity K is called the secret key.

Iterated Block Cipher (Cont.)

Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds. The secret key is expanded using a function called the Key Scheduling Algorithm (KSA) to obtain the round keys.


Iterated Block Cipher Designs: Substitution-Permutation Network (SPN)

Figure: A Basic Substitution Permutation Network (SPN) Cipher. Plaintext bits P1 ... P16 pass through four rounds, each mixing in a sub-key (k(1) ... k(4)) and applying four 4-bit S-boxes (S11 ... S44) followed by a bit permutation; a final sub-key k(5) is mixed in to give the ciphertext bits C1 ... C16 (Courtesy: Heys's Tutorial).

Substitution-Permutation Network (SPN) (Cont.)

The substitution must be a bijection to ensure decryption. Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes and inverse permutations and applying the round keys in reverse order. Note that some ciphers, like Khazad, use involutions (f(f(x)) = x) to make encryption and decryption look similar. Examples: AES (Rijndael), 3-Way, PRESENT, SAFER, SHARK, Square, etc.

Feistel Cipher

Figure: Encryption and Decryption Network of a Basic Feistel Cipher. The halves (L0, R0) pass through rounds of the round function F keyed by k(0), ..., k(r) to give (Lr+1, Rr+1); decryption applies the same network with the round keys in reverse order (Courtesy: Wikipedia).

Feistel Cipher vs. SPN

The main advantage of the Feistel design is that encryption and decryption are very similar, even identical in some cases, requiring only a reversal of the key schedule. Another advantage of the Feistel cipher over an SPN is that, unlike in an SPN, the round function F need not be invertible.

Feistel Cipher: Variants and Examples

- Unbalanced Feistel cipher: the two halves are unequal in length.
- Generalised Feistel cipher: the plaintext is divided into more than two parts. Examples: RC6, Skipjack, etc.
- Other examples: Blowfish, DES, FEAL, RC5, LOKI, etc.

Lai-Massey

Figure: Encryption and Decryption Network of a Basic Lai-Massey Scheme. The halves (L0, R0) are processed by the round function F keyed by k(0), ..., k(r), with the orthomorphism H applied on the encryption side and its inverse H^-1 on the decryption side (Courtesy: Wikipedia).

Lai-Massey (Cont.)

The security properties of the Lai-Massey scheme are similar to those of the Feistel structure. Like the Feistel cipher, it also shares the advantage that the round function F need not be invertible. Example: IDEA.

In what follows we will be considering SPN-type block ciphers.


Attacks

- Algebraic Attacks: Buchberger's Algorithm, the Linearization Technique, the Relinearization Technique, the XL algorithm (XL: eXtended Linearization)
- Slide Attack and Advanced Slide Attack
- ...

Attacks (Cont.)

- Statistical Attacks
  - Distinguishing Attacks
  - Linear Cryptanalysis and variants like the Zero-correlation attack
  - Differential Cryptanalysis and variants like Higher Order Differentials, Truncated Differential Cryptanalysis, Impossible Differential Cryptanalysis, Improbable Differential Cryptanalysis, the Boomerang Attack and the Cube Attack
- Other Attacks
  - Differential-linear attack
  - The Integral or Square attack
  - The Saturation attack
  - ...


S-Boxes

Boolean Function: an m-variable Boolean function is a map $g : \mathbb{F}_2^m \to \mathbb{F}_2$.

S-Boxes: an (m, n) S-Box (or vectorial function) is a map $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$. An S-Box $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ has component functions $f_1, \ldots, f_m$, where each $f_i : \mathbb{F}_2^n \to \mathbb{F}_2$.

A Basic Substitution Permutation Network

SPN: the cipher used as the running example is the basic 16-bit, four-round SPN of the figure above (Courtesy: Heys's Tutorial).

Substitution

The 16-bit data block is broken into four 4-bit sub-blocks. Each sub-block forms the input to a 4x4 S-Box. The S-Box is a highly non-linear mapping. Assume that all the S-Boxes are the same.

Input   0 1 2 3 4 5 6 7 8 9 A B C D E F
Output  E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

Permutation

Input    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Output   1  5  9 13  2  6 10 14  3  7 11 15  4  8 12 16

Key Mixing & Decryption

Key Mixing: bit-wise exclusive-or. Assume that the sub-keys are independently generated and unrelated, rather than being generated from a master key using a KSA.

Decryption: also an SPN. The S-boxes are the inverses of the encryption S-boxes. The sub-keys are applied in reverse order, and their bits are moved around according to the permutation.


Linear Cryptanalysis: Goal

The main aim in linear cryptanalysis is to find linear expressions of the form
$X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0$
which have a high or low probability of occurrence. Let $p_L = \Pr[X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0]$; then the linear probability bias is $b_L = p_L - \tfrac{1}{2}$. The attack tries to take advantage of high-probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits. It is a known plaintext attack.

Notations

P and C denote the 16-bit plaintext and ciphertext, respectively. $X_i$ denotes the i-th bit of the input $X = [X_1, X_2, X_3, X_4]$ to the S-box, and $Y_i$ denotes the i-th bit of the output $Y = [Y_1, Y_2, Y_3, Y_4]$ of the S-box.

Figure: S-box Mapping, from input bits $X_1 X_2 X_3 X_4$ to output bits $Y_1 Y_2 Y_3 Y_4$ (Courtesy: Heys's Tutorial).

Notations (Cont.)

$U^{(i)}$ represents the input to the i-th round S-boxes and $U^{(i)}_j$ represents the j-th bit of block $U^{(i)}$. $V^{(i)}$ represents the output of the i-th round S-boxes and $V^{(i)}_j$ represents the j-th bit of block $V^{(i)}$. Let $k^{(i)}$ represent the i-th round key.

Piling-Up Lemma (Matsui)

For n independent random binary variables $X_1, X_2, \ldots, X_n$,
$\Pr[X_1 \oplus \cdots \oplus X_n = 0] = \tfrac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \varepsilon_i$
or, equivalently,
$\varepsilon_{1,2,\ldots,n} = 2^{n-1} \prod_{i=1}^{n} \varepsilon_i,$
where $\varepsilon_{1,2,\ldots,n}$ represents the bias of $X_1 \oplus \cdots \oplus X_n = 0$ and $\varepsilon_i$ the bias of $X_i = 0$.

How to construct such linear expressions?

This is done by considering the cipher's non-linear components; in this case, the S-Box.

S-Box Analysis

X1 X2 X3 X4   Y1 Y2 Y3 Y4   X2⊕X3  Y1⊕Y3⊕Y4   X1⊕X4  Y2   X3⊕X4  Y1⊕Y4
 0  0  0  0    1  1  1  0     0        0        0     1      0      1
 0  0  0  1    0  1  0  0     0        0        1     1      1      0
 0  0  1  0    1  1  0  1     1        0        0     1      1      0
 0  0  1  1    0  0  0  1     1        1        1     0      0      1
 0  1  0  0    0  0  1  0     1        1        0     0      0      0
 0  1  0  1    1  1  1  1     1        1        1     1      1      0
 0  1  1  0    1  0  1  1     0        1        0     0      1      0
 0  1  1  1    1  0  0  0     0        1        1     0      0      1
 1  0  0  0    0  0  1  1     0        0        1     0      0      1
 1  0  0  1    1  0  1  0     0        0        0     0      1      1
 1  0  1  0    0  1  1  0     1        1        1     1      1      0
 1  0  1  1    1  1  0  0     1        1        0     1      0      1
 1  1  0  0    0  1  0  1     1        1        1     1      0      1
 1  1  0  1    1  0  0  1     1        0        0     0      1      0
 1  1  1  0    0  0  0  0     0        0        1     0      1      0
 1  1  1  1    0  1  1  1     0        0        0     1      0      1

Table: Sample Linear Approximations of the S-box (each pair of columns on the right lists the two sides of one approximation; the approximation holds on a row when they agree).

S-Box Analysis (cont.)

Rows: input mask in hexadecimal. Columns: output mask in hexadecimal. Each entry is (number of inputs on which the approximation holds) minus 8, so entry/16 is the bias.

       0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
  0   +8   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
  1    0   0  -2  -2   0   0  -2  +6  +2  +2   0   0  +2  +2   0   0
  2    0   0  -2  -2   0   0  -2  -2   0   0  +2  +2   0   0  -6  +2
  3    0   0   0   0   0   0   0   0  +2  -6  -2  -2  +2  +2  -2  -2
  4    0  +2   0  -2  -2  -4  -2   0   0  -2   0  +2  +2  -4  +2   0
  5    0  -2  -2   0  -2   0  +4  +2  -2   0  -4  +2   0  -2  -2   0
  6    0  +2  -2  +4  +2   0   0  +2   0  -2  +2  +4  -2   0   0  -2
  7    0  -2   0  +2  +2  -4  +2   0  -2   0  +2   0  +4  +2   0  +2
  8    0   0   0   0   0   0   0   0  -2  +2  +2  -2  +2  -2  -2  -6
  9    0   0  -2  -2   0   0  -2  -2  -4   0  -2  +2   0  +4  +2  -2
  A    0  +4  -2  +2  -4   0  +2  -2  +2  +2   0   0  +2  +2   0   0
  B    0  +4   0  -4  +4   0  +4   0   0   0   0   0   0   0   0   0
  C    0  -2  +4  -2  -2   0  +2   0  +2   0  +2  +4   0  +2   0  -2
  D    0  +2  +2   0  -2  +4   0  +2  -4  -2  +2   0  +2   0   0  +2
  E    0  +2  +2   0  -2  -4   0  +2  -2   0   0  -2  -4  +2  -2   0
  F    0  -2  -4  -2  -2   0  +2   0   0  -2  +4  -2  -2   0  +2   0

Table: Linear Approximation Table of the S-box represented by the table above.

Constructing a Linear Approximation for the Complete Cipher

A linear approximation of the overall cipher is achieved by concatenating appropriate S-box approximations. By constructing a linear approximation involving plaintext bits and the data bits at the output of the second-to-last round, it is possible to attack the cipher by recovering a subset of the sub-key bits that follow the last round.

Constructing a Linear Approximation for the Complete Cipher (cont.)

Figure: Sample Linear Approximation. Plaintext bits P5, P7, P8 enter S12 in round 1 (sub-key bits k(1)5, k(1)7, k(1)8); the approximation continues through S22 in round 2 (k(2)6) and S32, S34 in round 3 (k(3)6, k(3)14), and reaches U(4)6, U(4)8, U(4)14, U(4)16 at the inputs of S42 and S44 in round 4, whose outputs are mixed with k(5)5 ... k(5)8 and k(5)13 ... k(5)16 (Courtesy: Heys's Tutorial).

Constructing a Linear Approximation for the Complete Cipher (cont.)

We use the following approximations of the S-box:

- S12: $X_1 \oplus X_3 \oplus X_4 = Y_2$ with probability 12/16 and bias +1/4
- S22: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias -1/4
- S32: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias -1/4
- S34: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias -1/4

Constructing a Linear Approximation for the Complete Cipher (cont.)

Notice that $U^{(1)} = P \oplus k^{(1)}$. For S12, we have
$V^{(1)}_6 = U^{(1)}_5 \oplus U^{(1)}_7 \oplus U^{(1)}_8 = (P_5 \oplus K_{1,5}) \oplus (P_7 \oplus K_{1,7}) \oplus (P_8 \oplus K_{1,8})$.
This holds with probability 3/4.

Constructing a Linear Approximation for the Complete Cipher (cont.)

Continuing through S22, S32 and S34 in the same way gives
$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8 \oplus \Sigma_K = 0$,
where
$\Sigma_K = K_{1,5} \oplus K_{1,7} \oplus K_{1,8} \oplus K_{2,6} \oplus K_{3,6} \oplus K_{3,14} \oplus K_{4,6} \oplus K_{4,8} \oplus K_{4,14} \oplus K_{4,16}$.

Constructing a Linear Approximation for the Complete Cipher (cont.)

$\Sigma_K$ is fixed to either 0 or 1 depending on the key of the cipher. Using the piling-up lemma,
$p_L = \tfrac{1}{2} + 2^3 \left(\tfrac{3}{4} - \tfrac{1}{2}\right) \left(\tfrac{1}{4} - \tfrac{1}{2}\right)^3 = \tfrac{15}{32}$.
Therefore, $b_L = -\tfrac{1}{32}$.

Constructing a Linear Approximation for the Complete Cipher (cont.)

Depending on whether $\Sigma_K = 0$ or 1, the expression $U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8 = 0$ holds with probability either $p_L = 15/32$ or $1 - p_L = 17/32$.
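As an added worked example (not code from the slides), the following Python builds the linear approximation table of the tutorial S-box from its definition, so that every entry of the LAT above can be checked, then reads off the biases of the four approximations S12, S22, S32 and S34 of the sample trail and combines them with the piling-up lemma to reproduce p_L = 15/32 and b_L = -1/32. Input and output masks are written with X1 (respectively Y1) as the most significant bit, so X1 ⊕ X3 ⊕ X4 is mask 0xB and Y2 is mask 0x4; the function names are this example's own.

```python
"""Linear approximation table (LAT) of the tutorial S-box and the piling-up lemma.

Added example. Mask bit 3 (value 8) stands for X1 / Y1 and bit 0 (value 1) for
X4 / Y4, so X1 ^ X3 ^ X4 is mask 0b1011 = 0xB and Y2 is mask 0b0100 = 0x4.
"""
from fractions import Fraction

# 4x4 S-box of the tutorial SPN, as tabulated on the page.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of the bits of v (0 or 1)."""
    return bin(v).count("1") & 1


def lat(sbox):
    """LAT[a][b] = #{x : a.x = b.S(x)} - 8 for input mask a and output mask b.

    The entry divided by 16 is the bias of the approximation a.x = b.S(x).
    """
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            agree = sum(1 for x in range(size)
                        if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - size // 2
    return table


def approximation_bias(sbox, in_mask, out_mask):
    """Bias of the linear approximation in_mask.X = out_mask.Y as an exact fraction."""
    return Fraction(lat(sbox)[in_mask][out_mask], len(sbox))


def piling_up(biases):
    """Piling-up lemma: the XOR of n independent approximations has bias 2^(n-1) * prod(eps_i)."""
    result = Fraction(2) ** (len(biases) - 1)
    for eps in biases:
        result *= eps
    return result


def trail_probability(sbox, trail):
    """Return (p_L, b_L) for a trail given as a list of (in_mask, out_mask) S-box approximations."""
    b_l = piling_up([approximation_bias(sbox, a, b) for a, b in trail])
    return Fraction(1, 2) + b_l, b_l


def format_lat(table):
    """Render the LAT in the signed layout used by the table above."""
    header = "    " + " ".join(f"{b:>3X}" for b in range(len(table)))
    rows = [f"{a:>3X} " + " ".join(f"{v:>+3d}" if v else "  0" for v in row)
            for a, row in enumerate(table)]
    return "\n".join([header] + rows)


# The four approximations of the sample trail: S12 (X1^X3^X4 = Y2),
# then S22, S32 and S34 (X2 = Y2^Y4).
SAMPLE_TRAIL = [(0xB, 0x4), (0x4, 0x5), (0x4, 0x5), (0x4, 0x5)]

if __name__ == "__main__":
    print(format_lat(lat(SBOX)))
    p_l, b_l = trail_probability(SBOX, SAMPLE_TRAIL)
    print(f"p_L = {p_l}, b_L = {b_l}")   # 15/32 and -1/32
```

Running the module prints the LAT in the layout of the table above; lat(SBOX)[0xB][0x4] == +4 is the S12 entry and lat(SBOX)[0x4][0x5] == -4 is the entry shared by S22, S32 and S34. Exact fractions are used so that the piling-up product is reported as -1/32 rather than a rounded float.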

Extracting Key Bits

Once an (r-1)-round linear approximation is discovered for a cipher of r rounds with a suitably large linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example r = 4. We shall refer to the bits to be recovered from the last sub-key as the target partial sub-key. In our example these are $k^{(5)}_5, k^{(5)}_6, k^{(5)}_7, k^{(5)}_8, k^{(5)}_{13}, k^{(5)}_{14}, k^{(5)}_{15}, k^{(5)}_{16}$.

Extracting Key Bits: Algorithm

Generate about $1 / b_L^2$ known plaintext/ciphertext pairs. Assume that we have 10000 plaintext/ciphertext pairs encrypted under a particular key.

Extracting Key Bits: Algorithm (Cont.)

For each of the 256 possible values of $K_{5,5}, K_{5,6}, K_{5,7}, K_{5,8}, K_{5,13}, K_{5,14}, K_{5,15}, K_{5,16}$, do the following:
- For each plaintext/ciphertext pair, exclusive-or the partial ciphertext $[C_5, \ldots, C_8, C_{13}, \ldots, C_{16}]$ with the guessed key value.
- Do an inverse substitution (S-Box$^{-1}$) to get $U^{(4)}_6, U^{(4)}_8, U^{(4)}_{14}, U^{(4)}_{16}$.
- Count the number of plaintext/ciphertext pairs that satisfy the 4-round linear approximation.
- Find the bias $= |\mathrm{count} - 5000| / 10000$.
Select the guess with the maximum bias as our target sub-key.
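The basic SPN described earlier (substitution, permutation and key mixing with the tables above) and the key-extraction algorithm just given, as one added Python example that is not code from the slides: encrypt and decrypt implement the four-round 16-bit cipher, and recover_partial_subkey runs the 256-guess search over known plaintext/ciphertext pairs. The bit numbering follows the slides (bit 1 is the most significant bit of the block), the packing of the eight target bits into one byte follows the page's result table (0x24 means k(5)5..8 = 2 and k(5)13..16 = 4), and the demo key, the seeded plaintext sampling and the bucketing of pairs by (P5 ⊕ P7 ⊕ P8, C5..C8, C13..C16) are this example's own choices.

```python
"""The tutorial SPN (16-bit block, four rounds) and the linear attack on its last sub-key.

Added example; not the slides' own code. Bit positions follow the slides: bit 1 is
the most significant bit of the 16-bit block, nibble 1 = bits 1..4 feeds S-box 1.
"""
import random

# S-box and bit permutation exactly as tabulated on the page.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SINV = [SBOX.index(y) for y in range(16)]
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]  # bit i -> PERM[i-1]
ROUNDS = 4


def substitute(block, table=SBOX):
    """Apply the 4x4 S-box (or its inverse) to each of the four nibbles."""
    out = 0
    for shift in (0, 4, 8, 12):
        out |= table[(block >> shift) & 0xF] << shift
    return out


def permute(block):
    """Bit permutation of the tutorial; it is its own inverse (a 4x4 transpose)."""
    out = 0
    for src in range(1, 17):
        out |= ((block >> (16 - src)) & 1) << (16 - PERM[src - 1])
    return out


def encrypt(plaintext, keys):
    """keys[0..3] are the round keys k(1)..k(4); keys[4] is the final key k(5)."""
    state = plaintext
    for r in range(ROUNDS):
        state = substitute(state ^ keys[r])
        if r < ROUNDS - 1:          # no permutation after the last round
            state = permute(state)
    return state ^ keys[ROUNDS]


def decrypt(ciphertext, keys):
    """Inverse S-boxes, the same (self-inverse) permutation, keys in reverse order."""
    state = ciphertext ^ keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            state = permute(state)
        state = substitute(state, SINV) ^ keys[r]
    return state


def bit(block, pos):
    """Bit 'pos' of a 16-bit block, counted from 1 at the most significant end."""
    return (block >> (16 - pos)) & 1


def target_partial_subkey(keys):
    """[k(5)_5..k(5)_8, k(5)_13..k(5)_16] packed as one byte, as in the page's table."""
    k5 = keys[ROUNDS]
    return (((k5 >> 8) & 0xF) << 4) | (k5 & 0xF)


def recover_partial_subkey(pairs):
    """Linear attack of the slides: returns (best guess byte, its measured bias).

    The 3-round approximation is U4,6 ^ U4,8 ^ U4,14 ^ U4,16 ^ P5 ^ P7 ^ P8 = 0.
    Only P5^P7^P8 and ciphertext nibbles 2 and 4 matter, so the pairs are first
    bucketed by those values; each of the 256 guesses then scans at most 512
    buckets instead of every pair (an implementation choice of this example).
    """
    n = len(pairs)
    buckets = {}
    for p, c in pairs:
        key = (bit(p, 5) ^ bit(p, 7) ^ bit(p, 8), (c >> 8) & 0xF, c & 0xF)
        buckets[key] = buckets.get(key, 0) + 1
    best_guess, best_bias = None, -1.0
    for guess in range(256):
        g2, g4 = guess >> 4, guess & 0xF       # guesses for the S42 and S44 key nibbles
        count = 0
        for (pp, c2, c4), m in buckets.items():
            u2 = SINV[c2 ^ g2]                  # U(4) bits 5..8
            u4 = SINV[c4 ^ g4]                  # U(4) bits 13..16
            # bits 6 and 8 of U(4) are bits 2 and 0 of nibble u2; likewise 14 and 16 of u4
            lhs = pp ^ ((u2 >> 2) & 1) ^ (u2 & 1) ^ ((u4 >> 2) & 1) ^ (u4 & 1)
            if lhs == 0:
                count += m
        bias = abs(count / n - 0.5)
        if bias > best_bias:
            best_guess, best_bias = guess, bias
    return best_guess, best_bias


def all_pairs(keys):
    """Every plaintext/ciphertext pair (the full codebook) under the given keys."""
    return [(p, encrypt(p, keys)) for p in range(1 << 16)]


def sample_pairs(keys, n, seed=0):
    """n known plaintext/ciphertext pairs with plaintexts drawn at random (seeded)."""
    rng = random.Random(seed)
    return [(p, encrypt(p, keys)) for p in (rng.getrandbits(16) for _ in range(n))]


if __name__ == "__main__":
    rng = random.Random(2017)                              # constructed demo key
    keys = [rng.getrandbits(16) for _ in range(ROUNDS + 1)]
    guess, bias = recover_partial_subkey(sample_pairs(keys, 10000, seed=1))
    print(f"recovered 0x{guess:02X}, true 0x{target_partial_subkey(keys):02X}, "
          f"bias {bias:.4f} (expected about 1/32 = 0.03125)")
```

Running the module encrypts 10000 random plaintexts under a constructed key and prints the recovered and true partial sub-key with the measured bias; all_pairs(keys) gives the full codebook instead, which removes the sampling noise from the bias estimate and makes the outcome deterministic for a given key. With all five sub-keys zero, encrypt(0x0000) is 0xE0BB, which can be checked by hand against the two tables above.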

Experimental Results (Partial)

Target sub-key $[k^{(5)}_5, \ldots, k^{(5)}_8, k^{(5)}_{13}, \ldots, k^{(5)}_{16}]$ in hexadecimal, with the bias measured for it:

0x1C  0.0031      0x2A  0.0044
0x1D  0.0078      0x2B  0.0186
0x1E  0.0071      0x2C  0.0094
0x1F  0.0170      0x2D  0.0053
0x20  0.0025      0x2E  0.0062
0x21  0.0220      0x2F  0.0133
0x22  0.0211      0x30  0.0027
0x23  0.0064      0x31  0.0050
0x24  0.0336      0x32  0.0075
0x25  0.0106      0x33  0.0162
0x26  0.0096      0x34  0.0218
0x27  0.0074      0x35  0.0052
0x28  0.0224      0x36  0.0056
0x29  0.0054      0x37  0.0048

Table: Experimental Result (Partial) for the Linear Attack.

Note that the experimental bias 0.0336 (for the target sub-key 0x24) is very close to the expected value of 1/32 = 0.03125.

Summary

Linear Cryptanalysis: approximate $r-1$ rounds of an r-round block cipher by a linear function which deviates substantially from uniform.
- This is done by careful structural analysis of the block cipher.
Use this deviation to extract information about the secret key (the target sub-key) in time faster than brute force.

Prevention:
- Wide trail strategy.
- Stronger S-boxes or non-linear functions.
- ...


42/52 Differential Cryptanalysis: Idea
In an ideally randomizing cipher, the probability that a particular output difference ΔY occurs, given a particular input difference ΔX, is 1/2^n, where n is the number of bits.
Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher.
Differential cryptanalysis is a chosen plaintext attack.
Using the highly likely differential characteristics gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys.
In order to determine a high probability difference pair, we consider the input-output differences of the S-boxes.

43/52 Differential Cryptanalysis: Notation
Let X1, X2 ∈ {0,1}^n. Define ΔX = X1 ⊕ X2, and write its bits as ΔX = [ΔX_1, ..., ΔX_n].
A differential (ΔX, ΔY): for a given input difference ΔX, ΔY is the difference in output.
Differential characteristic: a sequence of input and output differences to the rounds, so that the output difference from one round corresponds to the input difference for the next round.

44/52 Differential Cryptanalysis: Sample Difference Pairs of the S-box

  X     Y    | ΔY for ΔX=1011 | ΔY for ΔX=1000 | ΔY for ΔX=0100
 0000  1110  |      0010      |      1101      |      1100
 0001  0100  |      0010      |      1110      |      1011
 0010  1101  |      0111      |      0101      |      0110
 0011  0001  |      0010      |      1011      |      1001
 0100  0010  |      0101      |      0111      |      1100
 0101  1111  |      1111      |      0110      |      1011
 0110  1011  |      0010      |      1011      |      0110
 0111  1000  |      1101      |      1111      |      1001
 1000  0011  |      0010      |      1101      |      0110
 1001  1010  |      0111      |      1110      |      0011
 1010  0110  |      0010      |      0101      |      0110
 1011  1100  |      0010      |      1011      |      1011
 1100  0101  |      1101      |      0111      |      0110
 1101  1001  |      0010      |      0110      |      0011
 1110  0000  |      1111      |      1011      |      0110
 1111  0111  |      0101      |      1111      |      1011

Table: Sample difference pairs of the S-box (Y = S(X); ΔY = S(X) ⊕ S(X ⊕ ΔX)).

45/52 Differential Cryptanalysis: Difference Distribution Table

Rows: input difference ΔX (hex). Columns: output difference ΔY (hex). Entries: number of the 16 inputs X for which S(X) ⊕ S(X ⊕ ΔX) = ΔY.

      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0  16  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
  1   0  0  0  2  0  0  0  2  0  2  4  0  4  2  0  0
  2   0  0  0  2  0  6  2  2  0  2  0  0  0  0  2  0
  3   0  0  2  0  2  0  0  0  0  4  2  0  2  0  0  4
  4   0  0  0  2  0  0  6  0  0  2  0  4  2  0  0  0
  5   0  4  0  0  0  2  2  0  0  0  4  0  2  0  0  2
  6   0  0  0  4  0  4  0  0  0  0  0  0  2  2  2  2
  7   0  0  2  2  2  0  2  0  0  2  2  0  0  0  0  4
  8   0  0  0  0  0  0  2  2  0  0  0  4  0  4  2  2
  9   0  2  0  0  2  0  0  4  2  0  2  2  2  0  0  0
  A   0  2  2  0  0  0  0  0  6  0  0  2  0  0  4  0
  B   0  0  8  0  0  2  0  2  0  0  0  0  0  2  0  2
  C   0  2  0  0  2  2  2  0  0  0  0  2  0  6  0  0
  D   0  4  0  0  0  0  0  4  2  0  2  0  2  0  2  0
  E   0  0  2  4  2  0  0  0  6  0  0  0  0  0  2  0
  F   0  2  0  0  6  0  0  0  0  4  0  2  0  0  2  0

Table: Difference distribution table for the S-box represented by the table above.

46/52 Differential Cryptanalysis: Keyed S-box
Figure: Keyed S-box. Labels in the figure: inputs W1..W4, sub-key bits K1..K4, S-box inputs X1..X4, S-box outputs Y1..Y4.

47/52 Differential Cryptanalysis: Sample Differential Cryptanalysis
Figure: Sample differential characteristic. ΔP = [0000, 1011, 0000, 0000]; S-boxes S11..S14 (round 1), S21..S24 (round 2), S31..S34 (round 3), S41..S44 (round 4); the difference reaches the round-4 inputs U(4)_5..U(4)_8 and U(4)_13..U(4)_16, so the targeted last-round sub-key bits are k(5)_5..k(5)_8 and k(5)_13..k(5)_16.

48/52 Differential Cryptanalysis: Probability of the Differential Characteristic
Active S-boxes:
- S12: ΔX = B → ΔY = 2 with probability 8/16.
- S23: ΔX = 4 → ΔY = 6 with probability 6/16.
- S32: ΔX = 2 → ΔY = 5 with probability 6/16.
- S33: ΔX = 2 → ΔY = 5 with probability 6/16.
Probability of the differential characteristic: p_D = product of the differential probabilities of the active S-boxes = (8/16) · (6/16)^3 = 27/1024.
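The difference pairs and difference distribution table of slides 44-45, and the characteristic probability of slide 48, computed directly from the S-box rather than read off a table. This is an added example, not code from the slides or from Heys' tutorial. It assumes the 4-bit S-box of Heys' tutorial (E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7), which is the S-box the Y column of the sample table matches; the function names are my own.

```python
# Added example (not from the slides): differential properties of the 4-bit
# S-box of Heys' tutorial SPN, the S-box the slides tabulate (assumption).
from fractions import Fraction

# S-box: input nibble -> output nibble.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def difference_pairs(sbox, dx):
    """Return [(X, Y, dY)] for every input X, with Y = S(X) and
    dY = S(X) xor S(X xor dX): one column of the 'Sample Difference Pairs' table."""
    return [(x, sbox[x], sbox[x] ^ sbox[x ^ dx]) for x in range(16)]


def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs X with S(X) xor S(X xor dX) = dY.
    Every row sums to 16, and row 0 is 16 at column 0 (zero difference stays zero)."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def differential_probability(ddt, dx, dy):
    """P(dY | dX) for one S-box as an exact fraction: count / 16."""
    return Fraction(ddt[dx][dy], len(ddt))


def characteristic_probability(ddt, active):
    """Probability of a characteristic under the usual independence heuristic:
    the product over active S-boxes of P(dY | dX)."""
    p = Fraction(1)
    for dx, dy in active:
        p *= differential_probability(ddt, dx, dy)
    return p


def max_nontrivial_entry(ddt):
    """Largest DDT entry with dX != 0 (the S-box's differential uniformity).
    A designer wants this small; the best possible for a 4-bit S-box is 4."""
    return max(ddt[dx][dy] for dx in range(1, 16) for dy in range(16))


if __name__ == "__main__":
    ddt = difference_distribution_table(SBOX)
    for dx in (0xB, 0x8, 0x4):
        col = ["%04b" % dy for _, _, dy in difference_pairs(SBOX, dx)]
        print(f"dX={dx:04b}:", " ".join(col))
    print("    " + " ".join(f"{dy:2X}" for dy in range(16)))
    for dx in range(16):
        print(f"{dx:2X}: " + " ".join(f"{c:2d}" for c in ddt[dx]))
    # The four active S-boxes of the slides' characteristic: S12, S23, S32, S33.
    active = [(0xB, 0x2), (0x4, 0x6), (0x2, 0x5), (0x2, 0x5)]
    print("p_D =", characteristic_probability(ddt, active))
    print("differential uniformity =", max_nontrivial_entry(ddt))
```

The DDT is what a designer checks when choosing an S-box: the 8 at (B, 2) is exactly the entry the characteristic exploits, and an S-box whose largest non-trivial entry is 4 would halve that S-box's contribution to every characteristic that goes through it.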

49/52 Differential Cryptanalysis: Extracting Key Bits: Algorithm
Generate about 1/p_D chosen plaintext/ciphertext pairs satisfying the input difference. Assume that we have 5000 such pairs.

50/52 Differential Cryptanalysis: Extracting Key Bits: Algorithm (Cont.)
For each of the 256 possible values of K(5)_5, K(5)_6, K(5)_7, K(5)_8, K(5)_13, K(5)_14, K(5)_15, K(5)_16, we do the following:
- For each plaintext/ciphertext pair, exclusive-or the partial ciphertext (C_5, ..., C_8, C_13, ..., C_16) with the guessed key value.
- Do an inverse substitution (S-box^{-1}) to get U(4)_6, U(4)_8, U(4)_14, U(4)_16.
- Count the number of plaintext/ciphertext pairs that satisfy our differential characteristic and then compute prob = count/5000.
Select the guess with the maximum prob as our target partial key.

51/52 Differential Cryptanalysis: Experimental Results (Partial)

Target sub-key in hexadecimal [k(5)_5, ..., k(5)_8, k(5)_13, ..., k(5)_16] and its empirical probability:

 Sub-key  Prob.   | Sub-key  Prob.
 0x1C     0.0000  | 0x2A     0.0032
 0x1D     0.0000  | 0x2B     0.0022
 0x1E     0.0000  | 0x2C     0.0000
 0x1F     0.0000  | 0x2D     0.0000
 0x20     0.0000  | 0x2E     0.0000
 0x21     0.0136  | 0x2F     0.0000
 0x22     0.0068  | 0x30     0.0004
 0x23     0.0068  | 0x31     0.0000
 0x24     0.0244  | 0x32     0.0004
 0x25     0.0000  | 0x33     0.0004
 0x26     0.0068  | 0x34     0.0000
 0x27     0.0068  | 0x35     0.0004
 0x28     0.0030  | 0x36     0.0000
 0x29     0.0024  | 0x37     0.0008

Table: Experimental result (partial) for the differential attack.
Note that the experimental value of the probability for the best guess, 0.0244, is very close to the expected value of 27/1024 = 0.0264.

52/52 Outline (Section 6: Appendix)
1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution Permutation Network 4 Linear Cryptanalysis 5 Differential Cryptanalysis 6 Appendix

52/52 Appendix: References
1 A Tutorial on Linear and Differential Cryptanalysis by Howard M. Heys.
2 Wikipedia.

Appendix 52/52 Thank you for your kind attention!