Session 6: Introduction to cryptanalysis, part 2
Symmetric systems • In a block cipher, the S-boxes are the source of the vulnerabilities related to linearity (they are the only non-linear components). • Example – a 4×4 S-box:
Symmetric systems • The contents of the S-box: • We consider the following linear equations (⊕ denotes addition mod 2): • X2 ⊕ X3 = Y1 ⊕ Y3 ⊕ Y4 • X1 ⊕ X4 = Y2 • X3 ⊕ X4 = Y1 ⊕ Y4
Symmetric systems • The probability bias (the probability that the equation holds, minus 1/2): • First equation: 12/16 - 1/2 = 1/4 (holds for 12 of the 16 inputs) • Second equation: 0 • Third equation: 2/16 - 1/2 = -3/8 • The success of the attack depends on the magnitude of the probability bias – the best approximation of the S-box is the third equation.
Symmetric systems • For the attack, we must enumerate all linear approximations of the S-box – the linear approximation table: • Each element in the table is the number of matches between the linear combination of input bits in the ”Input sum” column and the linear combination of output bits in the ”Output sum” row, minus 8 (half of the 16 inputs). • Dividing an element by 16 gives the probability bias of the particular linear combination.
Symmetric systems • Linear approximation table (cont.): • The ”Input sum” and the ”Output sum” are given in hexadecimal: • a1X1 ⊕ a2X2 ⊕ a3X3 ⊕ a4X4 • b1Y1 ⊕ b2Y2 ⊕ b3Y3 ⊕ b4Y4 • ai, bi ∈ {0,1} • The hexadecimal value represents the binary value a1a2a3a4, resp. b1b2b3b4.
Symmetric systems • Example: • The probability bias of the linear equation X3 ⊕ X4 = Y1 ⊕ Y4 (hex input 3 and hex output 9) is -6/16 = -3/8. • The probability that this linear equation holds true is 1/2 - 3/8 = 1/8.
Symmetric systems • Once the linear approximation information has been compiled for the S-boxes, we proceed by determining linear approximations for the overall cipher (if possible) or for a certain number of rounds.
Symmetric systems • Once an R-1 round linear approximation is discovered for a cipher of R rounds with a suitably large overall probability bias, it is possible to recover bits of the last subkey.
Symmetric systems • Complexity of the attack • In the context of linear (and differential) cryptanalysis, this means the number of known plaintext-ciphertext pairs necessary to carry out the attack. • Matsui showed that the number of such pairs N_L is approximately • N_L ≈ 1/ε², where ε is the overall probability bias for the whole cipher (or for the rounds to be cryptanalyzed).
Symmetric systems • Providing security against linear cryptanalysis: • Minimize the largest S-box bias • Find structures that maximize the number of S-boxes involved in the overall cipher approximation. • This approach was used in the design of Rijndael.
Symmetric systems • Differential cryptanalysis • Exploits the high probability of certain occurrences of plaintext differences and of differences into the last round of a block cipher. • Example: • Input: X = [X1, X2, …, Xn] • Output: Y = [Y1, Y2, …, Yn] • Consider two inputs X' and X'' with corresponding outputs Y' and Y''.
Symmetric systems • The input difference: • ΔX = X' ⊕ X'' = [ΔX1, ΔX2, …, ΔXn] • The output difference: • ΔY = Y' ⊕ Y'' = [ΔY1, ΔY2, …, ΔYn] • In an ideally randomized cipher, the probability that a particular output difference ΔY occurs given a particular input difference ΔX is 1/2^n.
Symmetric systems • Differential cryptanalysis seeks to exploit a situation in which a particular ΔY occurs given a particular ΔX with a very high probability p_D (>> 1/2^n). • The pair (ΔX, ΔY) is called a differential. • The attacker selects pairs of inputs, X' and X'', to satisfy a particular ΔX for which a particular ΔY occurs with high probability.
Symmetric systems • We construct a differential (ΔX, ΔY) involving: • plaintext bits (as represented by ΔX) • the input to the last round (as represented by ΔY) • This is carried out by examining highly likely differential characteristics.
Symmetric ciphers • Differential characteristic • A sequence of input and output differences to the rounds • The output difference from one round corresponds to the input difference for the next round. • Using a highly likely differential characteristic enables exploiting the information coming into the last round.
Symmetric ciphers • To construct highly likely differential characteristics, we examine the properties of individual S-boxes. • We then use these properties to determine the complete differential characteristic.
Symmetric ciphers • We consider the input and output differences of the S-boxes in order to determine a high probability difference pair. • Then we combine S-box difference pairs from round to round so that the non-zero output difference bits from one round correspond to the non-zero input difference bits of the next round.
Symmetric ciphers • This enables finding a high probability differential consisting of the plaintext difference and the difference of the input to the last round. • The subkey bits disappear from the difference expression because the same subkey is XORed into both members of the pair and cancels in the XOR difference.
Symmetric ciphers • Consider the S-box
Symmetric ciphers • The contents of the S-box • Input: X=[X1,X2,X3,X4] • Output: Y=[Y1,Y2,Y3,Y4]
Symmetric systems • All difference pairs of an S-box (ΔX, ΔY) can be examined and the probability of ΔY given ΔX can be derived by considering input pairs (X', X'') such that X' ⊕ X'' = ΔX. • The ordering of the pair is not relevant – for a 4×4 S-box we need only consider all 16 values for X' and derive X'' = X' ⊕ ΔX.
Symmetric ciphers • Example • ΔX = 1011 (hex B) • ΔX = 1000 (hex 8) • ΔX = 0100 (hex 4) • Given X and ΔX and having the S-box truth table, for the input pair (X, X ⊕ ΔX) we get the output pair (Y, Y ⊕ ΔY). • Then we easily get ΔY as the XOR of the two outputs.
Symmetric systems • Example: • The number of occurrences of ΔY = 0010 for ΔX = 1011 is 8 out of 16 possible values (i.e. a probability of 1/2). • The number of occurrences of ΔY = 1011 for ΔX = 1000 is 4 out of 16 possible values (i.e. a probability of 1/4). • The number of occurrences of ΔY = 1010 for ΔX = 0100 is 0 out of 16 possible values (i.e. a probability of 0).
Symmetric systems • An ”ideal” S-box would have all difference pair counts equal to 1, giving a probability of 1/16 for the occurrence of any particular ΔY given ΔX. • It turns out that such an ”ideal” S-box does not exist: the inputs X' and X'' = X' ⊕ ΔX produce the same ΔY, so every count in the table is even.
Symmetric systems • Difference distribution table • The rows represent ΔX values (in hex) • The columns represent ΔY values (in hex). • Each element of the table represents the number of occurrences of the corresponding output difference ΔY given the input difference ΔX.
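An added example, not part of the slides: it builds the linear approximation table described earlier and the difference distribution table of this slide for a 4×4 S-box by brute force, then reads off the biases and difference counts the text quotes (X3 ⊕ X4 = Y1 ⊕ Y4 with bias -3/8, ΔX = B giving ΔY = 2 with probability 1/2, and so on). The S-box itself is an assumption: the slides' S-box table did not survive extraction, so the S-box from Heys' cryptanalysis tutorial is used, which reproduces every value quoted on the page; the function names are my own.

```python
from fractions import Fraction

# ASSUMED S-box: the slides' S-box table is an image that did not survive
# extraction. This is the 4x4 S-box from Heys' cryptanalysis tutorial, which
# reproduces every bias and difference count quoted in the text.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(v: int) -> int:
    """XOR of all bits of v: the mod-2 'sum' a1X1 + a2X2 + a3X3 + a4X4."""
    return bin(v).count("1") & 1

def lat(sbox):
    """Linear approximation table: LAT[a][b] = #{X : a.X == b.S(X)} - 8.
    Hex a = a1a2a3a4 with a1 the most significant bit (X1 = MSB of X), so
    a = 3 selects X3 + X4 and b = 9 selects Y1 + Y4, as in the page's example."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            matches = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            table[a][b] = matches - n // 2
    return table

def ddt(sbox):
    """Difference distribution table: DDT[dx][dy] = #{X : S(X) ^ S(X ^ dx) == dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def linear_bias(sbox, a, b):
    """Probability bias of the approximation a.X = b.Y (LAT entry / 16)."""
    return Fraction(lat(sbox)[a][b], len(sbox))

def diff_prob(sbox, dx, dy):
    """Probability that output difference dy follows input difference dx."""
    return Fraction(ddt(sbox)[dx][dy], len(sbox))

def best_entries(sbox):
    """Largest |bias| and largest differential probability over non-trivial
    masks/differences; these feed N_L ~ 1/eps^2 and N_D ~ c/p_D."""
    n, l, d = len(sbox), lat(sbox), ddt(sbox)
    eps = max(abs(l[a][b]) for a in range(1, n) for b in range(1, n))
    p = max(d[dx][dy] for dx in range(1, n) for dy in range(1, n))
    return Fraction(eps, n), Fraction(p, n)
```

`lat(SBOX)[3][9]` is -6 and `ddt(SBOX)[0xB][2]` is 8, matching the slides' worked values; the same code applies to any bijective S-box of width up to a few bits.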
Symmetric systems • Once the differential information has been compiled for the S-boxes, we proceed by determining a differential characteristic for the overall cipher (if possible) or for a certain number of rounds.
Symmetric systems • Once an R-1 round differential characteristic is discovered for a cipher of R rounds with a suitably large overall probability, it is possible to recover bits of the last subkey.
Symmetric systems • Complexity of the attack • This means the number of chosen plaintext-ciphertext pairs necessary to carry out the attack. • The number of such pairs N_D is approximately • N_D ≈ c/p_D, where p_D is the overall differential characteristic probability for the whole cipher (or for the rounds to be cryptanalyzed) and c is a small constant.
Symmetric systems • Providing security against differential cryptanalysis: • Minimize the largest differential pair probability of an S-box • Find structures that maximize the number of S-boxes with a non-zero differential. • This approach was used in the design of Rijndael.
Asymmetric systems • To attack an asymmetric cryptosystem, we have to attack the underlying mathematical problem • RSA – factorization of a large number • ElGamal – solving the discrete logarithm problem • ...
Asymmetric systems • In general, it is very difficult to find a solution to these problems, provided the corresponding cryptosystems have been implemented well. • Implementation errors (for example a ”small” modulus to be factorised, a low exponent, or a short plaintext in RSA) can be exploited by a cryptanalyst.
Asymmetric systems • Some theorems that illustrate this: • Theorem 1 • Let n = pq have m digits. If we know the first m/4, or the last m/4, digits of p, we can efficiently factor n. • Theorem 2 • Suppose (n, e) is an RSA public key and n has m digits. Let d be the decryption exponent. If we know at least the last m/4 digits of d, we can efficiently find d in time that is linear in e·log2 e.