530 likes | 1.28k Views
Differential Cryptanalysis. DC(Differential Cryptanalysis). Introduction Biham and Shamir : CR90, CR92 Efficient than Key Exhaustive Search Chosen Plaintext Attack O(Breaking DES 16 ) ~ 2 47 Utilize the probabilistic distribution between input XOR and output XOR values Iteratively
E N D
DC(Differential Cryptanalysis) • Introduction • Biham and Shamir : CR90, CR92 • Efficient than Key Exhaustive Search • Chosen Plaintext Attack • O(Breaking DES16) ~ 247 • Utilize the probabilistic distribution between input XOR and output XOR values Iteratively • Stimulate to announce hidden criteria of DES [Cop92] • Apply to other DES-like Ciphers * E.Biham, A. Shamir,”Differential Cryptanalysis of the Data Encryption Standard”, Springer-Verlag, 1993
Eli Biham • Eli biham (http://www.cs.technion.ac.il/~biham/) is an Israelicryptographer and cryptanalyst, currently a professor at the Technion Israeli Institute of Technology Computer Science department. biham received his Ph.D. for inventing (publicly) differential cryptanalysis, while working under Adi Shamir. It had, it turned out, been invented at least twice before. A team at IBM discovered it during their work on DES, and was requested/required to keep their discovery secret by the NSA, who evidently knew about it as well. • In addition to his many contributions to cryptanalysis, biham has taken part in the design of several new cryptographic primitives: • Serpent (with Ross Anderson and Lars Knudsen), a block cipher which was one of the final five contenders to become the Advanced Encryption Standard • Tiger (with Ross Anderson), a hash function fast on 64-bit machines, and • Py (with Jennifer Seberry), a fast stream cipher which has some cryptanalytic claims against it.
DC of DES • Discard linear components(IP, FP) • Properties of XOR (X’ = X X* ) • {E,P,IP} : (P(X))’=P(X) P(X*)=P(X’) • XOR : (X Y)’=(X Y) (X* Y*)=X’ Y’ • Mixing key : (X K)’=(X K) (X* K)=X’ • Differences(=xor) are linear in linear operation and in particular the result is key independent.
Si-box Si-box XOR Distribution Table(I) X X* X’ XDT Y’ Y Y* • X’ = {0,1,…63}, Y’= {0,1,…15} • For a given S-box, pre-compute the number of count of X’ and Y’ in a table * % of entry in DES S-boxes : 75 ~ 80%
XOR Distribution Table(II) • XDT of S-boxes in DES • At the first row (X’=0), Y’=0 for all 64 pairs • The remaining rows : average= 4, sum 64, range= 0 ~16 (only even entries. Why?) • If the value is “0”, there are no corresponding X’ and Y’ • If the value is “16”, it occurs with probabilty 16/64 • Denoted as X’ --> Y’ with p1 • Use 0--> 0 with 1 or “16” (highest value) for DC • How to design a S-box with “good” XDT?
Differential Characteristic • 2-round characteristic in S1 box (0Cx --> Ex with 14/64) (00 80 82 00 60 00 00 00x) a’=60000000x A’=00808200x =P(E0000000x) p=14/64 F b’=0x B’=0x p=1 F (60 00 00 00 00 00 00 00x) • 0110 0C=001100 E=1110
(40 08 00 00 04 00 00 00x) a’=04000000x A’=40080000x p1=16/64 F b’=0x B’=0x p2=1 F c’=04000000x C’=40080000x p3=16/64 F (40 08 00 00 04 00 00 00x) Holding Probability = p1 p2 p3 = 1/16 3-round characteristic
Searching Way for round keys (1) Choose suitable Plaintext (Pt) XOR. (2) Get 2 Pts for a chosen Pt and obtain the corresponding Ct by encryption (3) From Pt XOR and pair of Ct, get the expected output XOR for the S-boxes of final round. (4) Count the maximum potential key at the final round using the estimated key (5) Right key is a subkey of having large number of pairs of expected output XOR
Iterative Characteristic • Self-concatenating probability • Best iterative char. of DES (19 60 00 00 00 00 00 00x) a’=0x A’=0x p1=1 F B’=0x b’=19 60 00 00x E(b)=03 32 2C 00 00 00 00 00x F p2 =14 x 8 x 10 / 643 = 1/234 (00 00 00 00 19 60 00 00x) • Compare with the previous 3 round characteristics
DC of DES16 (I) • 1st round : --> • Till 13 round: using 2-round best iterative characteristics 6.5 times yields prob. =(1/234)6 2-47.2 • Final 2 rounds (2R attack): compute 13 round values from ciphertext in the reverse direction ->no effect to overall prob. • Total complexity : (p)-1 247
DC of DES16 (II) Round # of chosen plaintext 4 24 6 28 8 218 214 10 235 224 12 243 231 14 251 239 15 252 247 16 258 261 * 247 * Assume independent round key 1.“Differential Cryptanalysis of DES-like Cryptosystems”,Proc. of Crypto90, LNCS537, pp.2-21 2.“Differential Cryptanalysis of the full 16-round DES”,Proc. of Crypto’92, LNCS740,pp.487-496 CR901 CR922
Additional result of DES by DC • P Permutation : can’t strengthen DES • Change the order of S-box : can weaken much or strengthen only up to 248 • Replacement XORs by addition : can weaken much in some cases • Modifying S-boxes • random : 218 - 220 • modifying one entry (i.e.,S(0) ->S(4)) : 233 • uniform distribution table : 226
LC(Linear Cryptanalysis) • Introduction • Matsui : EC931, CR942 • Known Plaintext Attack • O(Breaking DES16) ~ 243 • 12 HP W/S, 50-day operation • Utilize the probabilistic distribution between input linear sum and output linear sum values Iteratively • Duality to DC : XOR branch vs.three-forked branch • Apply to other DES-like cryptosytems 1. M.Matsui,”Linear Cryptanalysis Method for DES Cipher”, Proc. Of Eurocrypt’93,LNCS765, pp.386-397 2. M.Matsui,”The First Experimental Cryptanalysis of the Data Encryption Standard”, Proc. Of Crypto’94,LNCS839, pp.1-11.
M. Matsui • Mitsuru Matsui is a Japanesecryptographer and senior researcher for Mitsubishi Electric Company. While researching error-correcting codes in 1990, Matsui was inspired by Biham and Shamir's differential cryptanalysis, and discovered the technique of linear cryptanalysis, published in 1993. Differential and linear cryptanalysis are the two major general techniques known for the cryptanalysis of block ciphers. The following year, Matsui was the first to publicly report an experimental cryptanalysis of DES, using the computing power of twelve workstations over a period of fifty days. He is also the author of the MISTY-1 and MISTY-2block ciphers, and contributed to the design of Camellia and KASUMI.
XOR branch vs. 3-forked branch LC DC X i-1 X i Y i Y i-1 K i K i Y i X i Y i Xi Fi Fi X i-1 Yi Xi Y i Yi-1Xi XOR branch after f-ft. i.e., DC goes downstream through f-ft. Xi = Xi-2 Yi-1 (3 i n) with {i=1}n pi Xi : Xi’s Differential value 3-forked branch before f-ft. i.e., LC goes upstream through f-ft. Yi = Yi-2 Xi-1 (3 i n) with 2n-1{i=1}n |pi -1/2| Xi-1 : Xi-1’s Masking value
Basic principle of LC (Goal) : Find linear approximation P[i1,i2,…,ia] C[j1,j2,…,jb]=K[k1,k2,…,kc] with significant prob. p ( ½) where A[i,j,…,k]=A[i] A[j] … A[k] (Algorithm)MLE(Maximum Likelihood Estimation) (Step 1) For given P and C, compute X=P[i1,i2,…,ia] C[j1,j2,…,jb], let N = # of Pt given, (Step 2) if |X=0| > N/2 K[k1,k2,…,Kc]=0 else 1. if |X=0| < N/2 K[k1,k2,…,kc]=1 else 0.
Linear Distribution Table(I) • For a S-box Sa,(a=1,2,…,8) of DES NSa(,)= #{x | 0 x < 64, parity(x) = parity(S(x))} 1 63 , 1 15, : dot product (bitwise AND) • Ex) NS5(16,15) =12 • The 5-th input bit at S5-box is equal to the linear sum of 4 output bits with probability 12/64. • X[15] F(X,K)[7,18,24,29]=K[22] with 0.19 • X[15] F(X,K)[7,18,24,29]=K[22] 1 with 1-0.19=0.81 (Note) least significant at the right and index 0 at the least significant bit (Little endian)
Linear Distribution Table(II) X • NSa(,) has even values. • If =1,32(20x), 33(21x), NSa(, )=32 • NSa(, ) varies from 0 to 64 Si-box NSa(,) S(X)
3-round DES by LC P PL PH [22] X2[7,18,24,29] PH[7,18,24,29] PL[15] = K1[22] ---------- (1) K1 [15] [7,18,24,29] X1 F1 p1=12/64 K2 F2 X2 [22] X2[7,18,24,29] CH[7,18,24,29] CL[15] = K3[22] ---------- (2) K3 [7,18,24,29] [15] X3 F3 p3=12/64 CL CH C (1) (2) => X2[7,18,24,29] CH[7,18,24,29] CL[15] X2[7,18,24,29] PH[7,18,24,29] PL[15] = K1[22] K3[22] holding prob. = (p1 * p3 ) + (1 - p1) *(1-p3) * Discard IP and FP like DC
Piling-up lemma in LC • If independent prob. value, Xi ‘s ( 1 i n ) have prob pi to value 0, (1-pi)to value 1, p = {prob(X1 X2 … Xn ) = 0} is p = 2n-1i=1n(pi- 1/2) +1/2. • The number of known pt req’d for LC with success prob. 97.7% is |p - 1/2|-2
LC of DES16 (I) • (Preparation) Use the best iterative linear iteration • (Search stage) • Data Counting : count the effective number of pt and ct and derive key : effective keys (13-bit + 13-bit) • Exhaustive Search : the remaining 30 bits of a key
LC of DES16 (II) Round # of Known Plaintext 8 221 12 233 16 247 243 EC93 CR94
Strengthening DES • Key size expansion • Double Encryption • ek:E2(K2,E1(K1,P)), dk:D1(K1,D2(K2,C)) • Meet-in-the-middle attack • No effectiveness • Triple Encryption • ek:E(K1,D(K2,E(K1,P))), dk:D(K1,E(K2,D(K1,C))) • ek:E(K1,D(K2,E(K3,P))), dk:D(K3,E(K2,D(K1,C))) • 112 or 168 bits
Variation of DC/LC • Multiple LC : Kaliski & Robshaw [CR94] • Differential-Linear Cryptanalysis : Langford & Hellman [CR94] • Truncated and Higher order DC : Knudsen [FSE95] • Nonlinear Approximation in LC : Knudsen [EC96] • Partitioning Cryptanalysis : Harpes & Massey [FSE97] • Interpolation Attack : Jakobsen & Knudsen [FSE97] • Differential Attack with Impossible Characteristics : Biham [EC99], etc. • Related-key Attack : Kelsey, Schneier, Wagner [CR96]
Side Channel • Traditional Cryptographic Model vs. Side Channel Power Consumption / Timing / EM Emissions / Acoustic Attacker C=E(P,Ke) P=D(C,Kd) C E() D() P D Insecure channel Kd Ke Secure channel Key Radiation / Temperature / Power Supply / Clock Rate, etc.
Timing Analysis • Paul C. Kocher, “Timing Attacks on Implementations of Diffie—Hellman, RSA, DSS, and Other Systems”, Advances in Cryptology - CRYPTO '96, Springer-Verlag, 1996 , LNCS , Vol. 1109 , pp. 104-113. • Cryptosystems can take different amounts of time to process different inputs. • Performance optimizations in software • Branching/conditional statements • Caching in RAM • Variable length instructions (multiply, divide) • Countermeasures • Make all operations run in same amount of time • Set all operations by the slowest one • Add random delays • Blind signature technique
Fault Analysis • D. Boneh, R. DeMillo, and R. Lipton, “On the importance of checking cryptographic protocols for faults”, Journal of Cryptology, Springer-Verlag, Vol. 14, No. 2, pp. 101--119, 2001 • Aim to cause errors during the processing of a cryptographic device • Simple Fault Analysis • Differential Fault Analysis • Countermeasures • Verify correctness of output before transmitting it to the external • Make devices tamper resistant (strong shielding, detect supply voltages and clock speeds)
Power Analysis • Paul C. Kocher and Joshua Jaffe and Benjamin Jun“Differential Power Analysis”, Advances in Cryptology -CRYPTO '99, Springer-Verlag, 1999 , LNCS , Vol.1666 , pp.388-397 • The power consumed by a cryptographic device was analyzed during the processing of the cryptographic operation • Simple Power Analysis • Differential Power Analysis • Countermeasures • Don’t use secret values in conditionals/loops • Ensure little variation in power consumption between instructions • Reducing power variations (shielding, balancing) • Randomness (power, execution, timing) + counters on card • Algorithm redesign (non-linear key update, blinding) • Hardware redesign (decouple power supply, gate level design)
EM Emissions • D. Agrawal and B. Archambeault and J. R. Rao and P. Rohatgi“The EM Side-Channel(s)”, Cryptographic Hardware and Embedded Systems - CHES 2002, Springer-Verlag, 2003 , LNCS , Vol. 2523 , pp.29-45 • 1950s TEMPEST • EM side channels include a higher variety of information and can be additionally applied from a certain distance. • Countermeasures • Redesign circuits • Shielding • EM noise
Acoustic Analysis • Acoustic Analysis • Keyboard Acoustic Emanations, Dmitri Asonov and Rakesh Agrawal, IBM Almaden Research Center, 2004. • Acoustic cryptanalysis - On noisy people and noisy machines by Adi Shamir and Eran Tromer