Paper Presentation #1
Improved version of LC in attacking DES
CS548_ADVANCED INFORMATION SECURITY
20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho

Contents
• Introduction
• Before the paper…
• Notations
• Principle of the attack
• Success Rate and Complexity
• The Computer Experiment
• Concluding Remarks

Paper Introduction
• Linear Cryptanalysis
• Using two linear approximate equations
• Known Plaintext attack (KPA)
• M. MATSUI. The first experimental cryptanalysis of the data encryption standard. LNCS, 839, 1994, 1-11. CRYPTO '94.

Paper Introduction (Cont’)
• Using 12 computers for the attack experiment (HP9735/PA-RISC 99MHz)
• Program written in C and assembly languages to generate plaintexts and ciphertexts
• Goal: finding the 56-bit secret key
• Elapsed time: 50 days
  • Generating plaintexts and ciphertexts: 40 days
  • Searching for the key: only 10 days

Before the paper…
• Hellman
  • Linearity between input and output of S-box
• Shamir & Rueppel
  • Some S-boxes have a linear approximate relation between input and output bits.
• M. Matsui
  • Derived linear approximate equations which consist of P, C, and K bits
  • Search is easier than exhaustive search if 2^47 known plaintexts are available

Before the paper… (Cont’)
• M. Matsui
  • Improved version of LC in breaking 16-round DES
  • New linear approximate equations:
    • Reducing the number of required plaintexts
  • Candidate keys in order of reliability:
    • Increasing the success rate of the attack

Notations
• P : plaintext; 64-bit data after the IP
• C : ciphertext; 64-bit data before the IP^-1
• K : secret key; 56-bit data after the PC-1
• PH, PL : upper/lower 32-bit data of P
• CH, CL : upper/lower 32-bit data of C
• Kr : r-th round 48-bit subkey
• Fr(Xr, Kr) : r-th round F-function output
• A[i] : i-th bit of A (A is any binary vector)
• A[i,j,...,k] : A[i] ⊕ A[j] ⊕ … ⊕ A[k]

Principle of the attack
• We accept new linear approximate equations
  • Linear approximate equations based on the best 14-round expression
  • Linear approximate equations covering round 2 to round 15
  • P, C, and K2 to K15
  • Find the round keys of round 1 and round 16
  • Effect: reduces the number of required plaintexts
• What is a linear approximate equation?
  • Choose P[ia,ib,ic…] ⊕ C[ja,jb,jc…] = K[ka,kb,kc…] (probability p ≠ ½, for randomly given P, C and fixed K)
  • The best equation is the one for which |p − ½| is maximal

Principle of the attack (Cont’)
Two best 14-round expressions
• PL[7,18,24] ⊕ CH[7,18,24,29] ⊕ CL[15] = K2[22] ⊕ K3[44] ⊕ K4[22] ⊕ K6[22] ⊕ K7[44] ⊕ K8[22] ⊕ K10[22] ⊕ K11[44] ⊕ K12[22] ⊕ K14[22]
• CL[7,18,24] ⊕ PH[7,18,24,29] ⊕ PL[15] = K13[22] ⊕ K12[44] ⊕ K11[22] ⊕ K9[22] ⊕ K8[44] ⊕ K7[22] ⊕ K5[22] ⊕ K4[44] ⊕ K3[22] ⊕ K1[22]
… probability: ½ − 1.19×2^−21 (piling-up lemma)

Principle of the attack (Cont’)
Applying to F-functions from the 2nd to 15th round
• PH[7,18,24] ⊕ F1(PL, K1)[7,18,24] ⊕ CH[15] ⊕ CL[7,18,24,29] ⊕ F16(CL, K16)[15] = K3[22] ⊕ K4[44] ⊕ K5[22] ⊕ K7[22] ⊕ K8[44] ⊕ K9[22] ⊕ K11[22] ⊕ K12[44] ⊕ K13[22] ⊕ K15[22]
• CH[7,18,24] ⊕ F16(CL, K16)[7,18,24] ⊕ PH[15] ⊕ PL[7,18,24,29] ⊕ F1(PL, K1)[15] = K14[22] ⊕ K13[44] ⊕ K12[22] ⊕ K10[22] ⊕ K9[44] ⊕ K8[22] ⊕ K6[22] ⊕ K5[44] ⊕ K4[22] ⊕ K2[22]

Principle of the attack (Cont’)
• First, we solve these equations to derive some of the secret key bits
• Considerations
  • How much memory is required?
  • How many secret key bits can be derived?
• Effective text/key bits
  • The bits which affect the left side of each equation

Principle of the attack (Cont’)
• From each equation, we find 13 secret key bits
  • 12 effective key bits + one bit of the right side
  • Using just 13 text bits (plaintext + ciphertext)
• Total: 26 secret key bits
  • Using 26 text bits
• Substitution of an incorrect key value for K1, K16
  • P(the left side = 0) ≒ ½
  • So, we count #(left side = 0) for each key candidate

Principle of the attack (Cont’)
[ Algorithms for breaking 16-round DES ]
• Data Counting Phase of first equation
  • Prepare 2^13 counters TAa (0 ≤ a < 2^13), where a corresponds to each value on the 13 effective text bits.
  • For each plaintext and corresponding ciphertext, compute the value of the effective text bits (= a) and count up TAa by one.

Principle of the attack (Cont’)
• Key Counting Phase of first equation
  • Prepare 2^12 counters KAb (0 ≤ b < 2^12), where b corresponds to each value on the 12 effective key bits.
  • For each b, KAb is the sum of the TAa such that the left side of the first equation (uniquely determined by a and b) is equal to zero.
  • Rearrange KAb in order of |KAb − N/2| and rename them KAcb (0 ≤ c < 2^12). Then, for each c:
    • If (KAcb − N/2) ≤ 0, guess that the right side of the equation is 0.
    • If (KAcb − N/2) > 0, guess that the right side of the equation is 1.
• The second equation can be solved in the same manner.
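
The data counting and key counting phases above, run end to end as an added example (not code from the paper or from the presenters). It uses a toy 3-round Feistel cipher with 4-bit halves; the S-box, masks and key are assumptions chosen for illustration, with the round-2 approximation standing in for the 2nd-to-15th-round expression and K1 as the guessed outer round key. All 256 blocks serve as the constructed known-plaintext set, so the counters are exact.

```python
# Toy illustration only: 3-round Feistel on 8-bit blocks, 4-bit halves.
# SBOX, masks and key are assumptions for this example, not DES values.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
IN_MASK, OUT_MASK = 0x3, 0x9   # IN.x ^ OUT.S[x] = 0 for only 2 of 16 x


def parity(v):
    return bin(v).count("1") & 1


def encrypt(block, round_keys):
    left, right = block >> 4, block & 0xF
    for k in round_keys:
        left, right = right, left ^ SBOX[right ^ k]
    return (left << 4) | right


def data_counting(pairs):
    """TA[a], a = (PL, t), t = IN.PH ^ OUT.PL ^ OUT.CH: 5 effective text bits."""
    ta = [0] * 32
    for p, c in pairs:
        ph, pl, ch = p >> 4, p & 0xF, c >> 4
        t = parity(IN_MASK & ph) ^ parity(OUT_MASK & (pl ^ ch))
        ta[(pl << 1) | t] += 1
    return ta


def key_counting(ta, n):
    """KA[b] = sum of TA[a] whose left side is 0 under K1 guess b, ranked."""
    ka = [0] * 16
    for k1 in range(16):
        for pl in range(16):
            f1_bit = parity(IN_MASK & SBOX[pl ^ k1])   # IN.F1(PL, K1)
            ka[k1] += ta[(pl << 1) | f1_bit]           # rows with t == f1_bit
    ranked = sorted(range(16), key=lambda k: -abs(ka[k] - n / 2))
    # p < 1/2 here, as on the slides: KA - N/2 <= 0 -> guess 0, else guess 1
    return [(k, ka[k], 0 if ka[k] - n / 2 <= 0 else 1) for k in ranked]


SECRET = (0xB, 0x6, 0x3)                                # constructed (K1, K2, K3)
PAIRS = [(p, encrypt(p, SECRET)) for p in range(256)]   # constructed sample set
# Entries are (K1 guess, KA, guessed right-side bit IN.K2), most reliable first.
RANKED = key_counting(data_counting(PAIRS), len(PAIRS))
```

Each wrong K1 guess pulls KA back toward N/2, which is why ordering the candidates by |KA − N/2| puts the correct guess at the front of the list that the exhaustive search phase then walks.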

Principle of the attack (Cont’)
• Total of 26 secret key bits (after the PC-1)
  • K[0], K[1], K[3], K[4], K[8], K[9], K[14], K[15], K[18], K[19], K[24], K[25], K[31], K[32], K[38], K[39], K[41], K[42], K[44], K[45], K[50], K[51], K[54], K[55],
  • K[5] ⊕ K[13] ⊕ K[17] ⊕ K[20] ⊕ K[46],
  • K[2] ⊕ K[7] ⊕ K[11] ⊕ K[22] ⊕ K[26] ⊕ K[37] ⊕ K[52]
• Exhaustive Search Phase (finding the remaining 30 key bits)
  • Let Wm (m = 0, 1, 2, …) be a series of candidates for the 26 key bits arranged in order of their reliability
  • For each Wm, search for the remaining key bits until the correct value is found

Success Rate and Complexity
• DES reduced to 8 rounds
• Left side of equation is essentially the same
• Best 6-round expression (6) (7)

Success Rate and Complexity (cont’)
• Full 16 round DES to 8-round DES
• Equation of number of N random plaintext, success rate
• Depend on

Success Rate and Complexity (cont’)
• Full 16 round DES to 8-round DES
• Lemma 1.
  • Let N be the number of given random plaintexts and p be the probability that the following eq holds.
  • Assuming |p − 1/2| is small

Success Rate and Complexity (cont’)
• Full 16 round DES to 8-round DES
[Figure panels: 8 round DES; 16 round DES]

Success Rate and Complexity (cont’)
• Full 16 round DES to 8-round DES
• Lemma 1.
  • Success rate of our attack on 8-round DES with N8
  • Same that on 16round DES with N16 plaintexts
  • equivalent to

Success Rate and Complexity (cont’)
• Computer experiments in solving eq (6)
• 100,000 times to estimate (4)

The Computer Experiment
• First computer experiment in breaking DES
• Implemented in software only
• C and assembly languages, 1000 lines
• 1 Mbyte while running

Concluding Remarks
• Improvement of linear cryptanalysis
• Presented the first successful experiment breaking full 16-round DES
• Remaining 30 key bits: also possible
• Results in fig. 2, fig. 3: simple function, formalized; a new combination will be more effective

Nowadays
• EFF made DES attack hardware in 1998
• Decoding: 56 hours (56-bit key)
• 22 hours in 1999
• Keys of more than 128 bits are safe at present.

References
• National Bureau of Standards: Data Encryption Standard. (1977)
• Matsui, M.: Linear Cryptanalysis Method for DES cipher. Matsui M.: On correlation between the order of S-boxes and the strength of DES. (1993)
• Matsui, M.: On correlation between the order of S-boxes and the strength of DES. (1994)
• Hellman, M., Merkle, R., Schroeppel, R., Washington, L., Diffie, W., Pohlig, S., Schweizer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard. (1976)
• Shamir, A.: On the security of DES. (1985)
• Davies, D., Murphy, S.: Pairs and triplets of DES S-boxes. (preprint)
• Rueppel, R.A.: Analysis and design of stream ciphers. (1986)
• Kim, Kwangjo: Commentary on the linear cryptanalysis of DES (3). Korea Institute of Information Security and Cryptology, Review of KIISC (通信情報保護學會誌), Vol. 4, No. 1, March 1994, pp. 30-43 (14 pages)
Any Question? Korex527 at gmail.com Betelgs at chol.com