Differential & Linear Cryptanalysis
CS 519 Cryptography and Network Security
Instructor: Ali Aydin Selcuk
Block Cipher Cryptanalysis
• Find a property of the cipher that “distinguishes” it from a random function (a “distinguisher”).
• Such a property is usually constructed beginning from the 1-round cipher, or from the s-boxes.
• Once such a property is found, extend it to obtain a distinguisher for r-1 (or r-2) rounds of the cipher.
• Having found such a distinguisher, attack (parts of) the first or the last round key by exhaustive trial.
Differential Cryptanalysis
• A chosen plaintext attack that exploits the non-uniform propagation of differences over the rounds.
• To attack an r-round cipher:
  – find a “characteristic” (a sequence of differences) which relates an input difference to an (r-1)-th round difference with a non-trivial probability;
  – assuming the characteristic holds, find the last round key from ∆X_{r-1} and ∆X_r (i.e. ∆C);
  – the remaining key bits can be attacked either by brute force or by DC on r-1 rounds.
Differential Cryptanalysis
[Figure: an r-round Feistel cipher with input difference (∆L_0, ∆R_0), difference (∆L_{r-1}, ∆R_{r-1}) before the last round, output difference (∆L_r, ∆R_r), and the last round key marked “K_r = ?”.]
Two questions:
• How to find such a “characteristic” (∆L_0, ∆R_0) → (∆L_{r-1}, ∆R_{r-1})?
• How to obtain K_r from there?
DC of Feistel Ciphers
A characteristic of a Feistel cipher must be of the following form (X_i and Y_i denote the input and output of the f function in round i, as on the 16-round attack slide):
  ∆X_1 = ∆R_0
  ∆X_2 = ∆L_0 ⊕ ∆Y_1
  ∆X_3 = ∆X_1 ⊕ ∆Y_2
  ∆X_4 = ∆X_2 ⊕ ∆Y_3
  ...
i.e. ∆X_{i+1} = ∆X_{i-1} ⊕ ∆Y_i: the input difference of a round is fixed by the input difference two rounds earlier and the f-output difference of the previous round.
E.g.: 1-round DES
A difference of the f function: for inputs X(1) and X(2) with difference
  X(1) ⊕ X(2) = 0001 1001 0110 0000 0000 ... 0000   (= 19 60 00 00 in hex),
only S1, S2 and S3 receive a non-zero input difference after the expansion E.
E.g., for 14 out of the 64 possible inputs we have S1(X ⊕ K) = S1(X ⊕ K ⊕ ∆X) for ∆X = 000011 on S1. The corresponding counts for S2 and S3 are 8 and 10, so
  P(19 60 00 00 → 0) = (14 · 8 · 10) / 64^3 ≈ 1 / 234.
An Iterative DES Characteristic (Biham & Shamir, 1992)
  input difference: (19 60 00 00, 0)
  round 1: f input difference 0 → output difference 0, p = 1
  round 2: f input difference 19 60 00 00 → output difference 0, p = 1/234
  output difference: (19 60 00 00, 0)
This 2-round DES characteristic can be concatenated with itself.
16-round DES Attack
[Figure: the 2-round characteristic iterated from (∆L_0, ∆R_0) = (19 60 00 00, 0) through round 15 (f output difference 0 in every odd round), followed by round 16 with f output difference ∆Y_16 and ciphertext difference (∆L_16, ∆R_16).]
• Start with pairs P(1) ⊕ P(2) = (19 60 00 00, 0).
• Take those pairs with ∆L_16 = 19 60 00 00.
• Assuming the characteristic holds through round 15 (so that the half XORed with the f output of round 16 has difference 0), we have ∆Y_16 = ∆R_16.
• We know X_16(1) and X_16(2), the inputs of f in round 16, from the ciphertexts. Take the values of K_16 that map X_16(1), X_16(2) to the output difference ∆Y_16 and increment their counters.
• After all collected pairs are processed, take the K_16 value that is suggested most often.
DC of DES
• 8 rounds: 2^14 chosen plaintexts
  12 rounds: 2^31 chosen plaintexts
  16 rounds: 2^47 chosen plaintexts (the first cryptanalysis of the 16-round DES faster than exhaustive search)
• The ordering of the s-boxes turned out to be optimized against DC!
Linear Cryptanalysis
• A statistical known plaintext attack.
• Correlations among plaintext, ciphertext and key bits are exploited:
  – Find a binary equation in plaintext, ciphertext and key bits (a “linear approximation”) which shows a non-trivial correlation among them (a “bias”).
  – Collect a large plaintext-ciphertext sample.
  – Try all key values with the collected plaintext-ciphertext pairs in the equation (hence, relatively few key bits must be involved).
  – Take the key that maximizes the bias as the right key.
• The remaining key bits can be found by brute force or by another LC attack.
Linear Approximation
A linear approximation of r-1 rounds:
  P[i_1, ..., i_a] ⊕ X_{r-1}[j_1, ..., j_b] = K[m_1, ..., m_c]   with p ≠ ½   (p = 1 is usually not possible)
• |p − ½|: the “bias” of the approximation
• (notation: X_i: ciphertext after i rounds; S[...]: XOR of the specified bits of the string S)
Expressed in terms of the ciphertext:
  P[i_1, ..., i_a] ⊕ F(C, K_r)[j_1, ..., j_b] = K[m_1, ..., m_c]
where F is related to the last round’s decryption.
LC Attack
• Approximation:
    P[i_1, ..., i_a] ⊕ F(C, K_r)[j_1, ..., j_b] = K[m_1, ..., m_c]   (1)
• Collect a large number (N) of plaintext-ciphertext blocks.
• For all possible K_r values, compute the left side of (1). With T(i) denoting the number of zeros for the i-th candidate, take the K_r value that maximizes the “sample bias” |T(i) − N/2| as the right key.
• Another bit of key information (that is, K[m_1, ..., m_c]) can be obtained by comparing the signs of (p − ½) and (T(i) − N/2).
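The two key-recovery procedures just described, run end to end on a toy cipher. This is an added example, not code from the slides: the cipher is a constructed 16-bit, 3-round Feistel network with independent 8-bit round keys and f(x, k) = P(S(x ⊕ k)), where S is the 4-bit S-box from Heys' linear/differential cryptanalysis tutorial (it coincides with row 0 of DES S1) applied to each nibble and P is an arbitrary bit permutation; the round keys, sample sizes and seeds are likewise assumptions. dc_attack derives the 2-round characteristic (α, 0) → (α, β) from the S-box difference distribution table and counts K3 candidates exactly as on the 16-round DES slide; lc_attack uses a 1-round approximation and lets round 2 pass through unapproximated (an r-2 round attack), partially decrypts round 3 for every K3 guess and keeps the guesses with the largest sample bias |T(i) − N/2|.

```python
import random

# Toy cipher constructed for this example (not DES): 16-bit block, 8-bit halves,
# three rounds with independent 8-bit round keys, f(x, k) = P(S(x ^ k)) where the
# 4-bit S-box S is applied to each nibble and P is a fixed bit permutation.
SBOX = [0xE, 4, 0xD, 1, 2, 0xF, 0xB, 8, 3, 0xA, 6, 0xC, 5, 9, 0, 7]
PBOX = [0, 5, 2, 7, 4, 1, 6, 3]                 # S-box output bit i moves to bit PBOX[i]
PARITY = [bin(v).count("1") & 1 for v in range(256)]

def perm(v):
    return sum(((v >> i) & 1) << PBOX[i] for i in range(8))

FTAB = [perm(SBOX[t & 0xF] | SBOX[t >> 4] << 4) for t in range(256)]   # f(x, k) == FTAB[x ^ k]

def encrypt(pt, keys):
    l, r = pt >> 8, pt & 0xFF
    for k in keys:                               # L_i = R_{i-1}, R_i = L_{i-1} ^ f(R_{i-1}, K_i)
        l, r = r, l ^ FTAB[r ^ k]
    return l << 8 | r

def ddt():                                       # ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}
    t = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for dx in range(16):
            t[dx][SBOX[x] ^ SBOX[x ^ dx]] += 1
    return t

def lat():                                       # lat[a][m] = #{x : a.x == m.S(x)} - 8
    return [[sum(PARITY[a & x] == PARITY[m & SBOX[x]] for x in range(16)) - 8
             for m in range(16)] for a in range(16)]

def dc_attack(keys, npairs=2000, seed=1):
    """Differential attack on the last round: 2-round characteristic
    (alpha, 0) -> (alpha, beta) built from the S-box DDT, then count K3 values."""
    d = ddt()
    a, b = max(((a, b) for a in range(1, 16) for b in range(16)), key=lambda ab: d[ab[0]][ab[1]])
    alpha, beta = a | a << 4, perm(b | b << 4)  # round 2: f(alpha) -> beta with prob (d[a][b]/16)^2
    rng, counts, right_pairs = random.Random(seed), [0] * 256, 0
    for _ in range(npairs):
        p1 = rng.getrandbits(16)
        c1, c2 = encrypt(p1, keys), encrypt(p1 ^ alpha << 8, keys)   # P1 ^ P2 = (alpha, 0)
        l1, r1, l2, r2 = c1 >> 8, c1 & 0xFF, c2 >> 8, c2 & 0xFF
        if l1 ^ l2 != beta:                      # dL3 = dR2 must equal beta (keeps the right pairs)
            continue
        right_pairs += 1
        dy3 = r1 ^ r2 ^ alpha                    # dR3 = dL2 ^ dY3 and dL2 = alpha
        for k in range(256):                     # which K3 maps (L3(1), L3(2)) to dY3?
            if FTAB[l1 ^ k] ^ FTAB[l2 ^ k] == dy3:
                counts[k] += 1
    top = max(counts)
    return {k for k in range(256) if counts[k] == top}, right_pairs

def lc_attack(keys, n=4096, seed=2):
    """Linear attack on the last round: the round-1 approximation a.x ^ m.S(x) passes
    through round 2 unchanged (L2 = R1), giving a.R0 ^ b.L0 ^ b.L2 = a.K1 with bias
    lat[a][m]/16; L2 = R3 ^ f(L3, K3) is recomputed for every K3 guess."""
    t = lat()
    a, m = max(((a, m) for a in range(1, 16) for m in range(1, 16)), key=lambda am: abs(t[am[0]][am[1]]))
    b = perm(m)                                  # mask m on the S-box output = mask perm(m) on f's output
    rng = random.Random(seed)
    samples = [(p, encrypt(p, keys)) for p in (rng.getrandbits(16) for _ in range(n))]
    dev = []
    for k in range(256):
        zeros = 0
        for p, c in samples:
            l0, r0, l3, r3 = p >> 8, p & 0xFF, c >> 8, c & 0xFF
            l2 = r3 ^ FTAB[l3 ^ k]
            zeros += (PARITY[a & r0] ^ PARITY[b & l0] ^ PARITY[b & l2]) == 0
        dev.append(abs(zeros - n // 2))          # sample bias |T(k) - N/2|
    top = max(dev)
    return {k for k in range(256) if dev[k] == top}

if __name__ == "__main__":
    keys = [0x3C, 0xA5, 0x5B]                    # assumed round keys
    print("DC candidates for K3:", dc_attack(keys), "true K3:", keys[2])
    print("LC candidates for K3:", lc_attack(keys), "true K3:", keys[2])
```

Both functions return a set rather than a single key because some wrong keys are suggested exactly as often as the right one. In the differential attack the pair (x, x ⊕ β) cannot separate k from k ⊕ β nibble by nibble, so the four keys K3 ⊕ {0, β_lo, β_hi, β} always tie; in the linear attack a nibble of K3 that the output mask b does not touch stays undetermined, and a key k ⊕ δ for which the masked derivative of S is constant ties as well. A second characteristic or approximation, or the brute force mentioned on the slides, resolves the remaining bits.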
Linear Approximation of DES’ f Function
Shamir’s discovery (1985):
  P(16 · x = 15 · S5(x)) = 12/64,
where “·” denotes the binary dot product: the second input bit of S5 equals the XOR of its four output bits for only 12 of the 64 inputs. (Brickell et al.: “normal”)
From s-box to f function:
  x[15] ⊕ f(x, k)[7, 18, 24, 29] = k[22]   with p = 12/64.
Combining Round Approximations
Round 1: L0[7,18,24,29] ⊕ L1[7,18,24,29] ⊕ R0[15] = K1[22]   with p1 = 12/64
Round 2: no approximation (—)
Round 3: L2[7,18,24,29] ⊕ L3[7,18,24,29] ⊕ R2[15] = K3[22]   with p3 = 12/64
[Figure: the three rounds, with bits 7, 18, 24, 29 of the left half and bit 15 of the f input marked in rounds 1 and 3.]
When these approximations are combined, we get the 3-round approximation
  L0[7,18,24,29] ⊕ R0[15] ⊕ L3[7,18,24,29] ⊕ R3[15] = K1[22] ⊕ K3[22]
(no intermediate terms are left), with
  p = p1 p3 + (1 − p1)(1 − p3) = ½ + 2 (p1 − ½)(p3 − ½),
assuming the round approximations are independent.
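Worked derivation of the combined probability above, added here (it is the two-term case of the piling-up lemma, with the numbers from the slides). The XOR of the two round relations holds exactly when both hold or both fail:

$$
\begin{aligned}
p &= p_1 p_3 + (1-p_1)(1-p_3) \\
  &= 1 - p_1 - p_3 + 2 p_1 p_3 \\
  &= \tfrac12 + 2\left(p_1 - \tfrac12\right)\left(p_3 - \tfrac12\right).
\end{aligned}
$$

With $p_1 = p_3 = 12/64$:

$$
p = \tfrac12 + 2\left(-\tfrac{20}{64}\right)^2 = \tfrac12 + \tfrac{800}{4096} = \tfrac{89}{128} \approx 0.695,
$$

so the 3-round approximation has bias $|p - \tfrac12| = 25/128 \approx 0.195$, smaller than the single-round bias $20/64 \approx 0.31$, as the product form predicts: every approximated round shrinks the bias, which is why rounds with no approximation (the “—” rounds) are so valuable.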
Linear Approximations of Feistel Ciphers
[Figure: an r-round Feistel cipher with the input and output masks of the f function marked in every round.]
For the intermediate terms to cancel out, the masks of neighbouring rounds must be related: for 1 < i < r, the f-input mask of round i must equal the XOR of the f-output masks of rounds i-1 and i+1 (equivalently, the output mask of round i+1 is the input mask of round i XOR the output mask of round i-1). In the 3-round DES example, rounds 1 and 3 have the same output mask, so round 2 needs an empty mask and is not approximated.
The probability of the combined approximation is
  p = ½ + 2^{r-1} ∏_i (p_i − ½),
assuming the round approximations are independent.
Best DES Approximation (Matsui, 1993)
Round approximations used:
  A: x[15] ⊕ f(x,k)[7,18,24,29] = k[22]   p = 12/64
  C: x[29] ⊕ f(x,k)[15] = k[44]            p = 30/64
  D: x[15] ⊕ f(x,k)[7,18,24] = k[22]       p = 42/64
Sequence of round approximations (the figure shows part of the cipher):
  ..., D, C, A, —, A, C, D, —, D, ...
where “—” is a round with no approximation (empty masks).
LC of DES
• 8 rounds: 2^21 known plaintexts
  12 rounds: 2^33 known plaintexts
  16 rounds: 2^43 known plaintexts
• First experimental cryptanalysis of the 16-round DES (Matsui, 1994).
• The ordering of the s-boxes was far from optimal against LC.
Issues in DC & LC
• An r-1 round relation is found, which is used to attack the last round key K_r (r-2 round attacks are also possible).
• Assumptions:
  – key independence of the characteristic / approximation used;
  – independence of the individual round characteristics / approximations.
• Helped by:
  – the invertible key schedule of DES;
  – the lack of key mixing after the last round’s substitution.
Results of DC & LC
The discovery of the DC and LC attacks motivated:
• the theory of functions resistant against differential and linear attacks;
• new block cipher design techniques (resulting in AES);
• the development of non-invertible key schedules.