Differential Cryptanalysis


Differential Cryptanalysis Richard Newman

Differential Cryptanalysis
- Takes inputs with known difference (XOR)
- Predicts XOR of corresponding outputs, based on structure of cipher
- When input pair – output pair are found that have the predicted differences, assume internal states follow predictions also
- Work backwards to find subkeys that would produce observed pairs, each gets a vote
- Most popular subkeys collected
- Bits that agree amongst subkeys are “known”

Differential Cryptanalysis
- A function f is linear if f(x+y) = f(x) + f(y)
- A cipher is linear if, given any two inputs p1 and p2 and their corresponding outputs c1 and c2, we have c1 XOR c2 = p1 XOR p2
- One-time pad is linear: E(p1+p2) = E(p1)+E(p2)
- DES is not linear (and neither are S-boxes)
- Non-linearity and the effect of the (sub-)key on the output suggest that information about the (sub-)key can be discovered by examining the relationship between input deltas and output deltas

Simple-DES (S-DES)
- Invented by Schaefer in 1996 as a tool
- Operates on 8-bit blocks
- Uses a 10-bit key
- Has two rounds
- Rest is similar to DES: IP, EP, S-boxes, P-box, Feistel structure, sub-key generation

Simple-DES (S-DES)
- IP: [1..8] → [2 6 3 1 4 8 5 7]
- EP: [1 2 3 4] → [4 1 2 3 2 3 4 1]
- 8-bit subkey XORed with EP output
- First 4 bits to S-box S0, last 4 to S1
- First and last bits to S-box pick row (1 of 4)
- Middle two bits pick column, output is 2 bits
- P-box: [1..4] → [2 4 3 1]

Simple-DES (S-DES)
- Key generation: 10-bit key is first permuted
- PC-1: [1..10] → [3 5 2 7 4 10 1 9 8 6]
- Permuted key split into two 5-bit halves
- Each half shifted left one bit in first round, shifted twice more for second round
- PC-2: [1..10] → [6 3 7 4 8 5 10 9] (8 bits)
- Subkey is XORed with EP output in round
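The key schedule above, written out as an added example (not code from the slides). The same function is run once over key bits and once over the position labels 1..10, which shows which master-key bits each recovered round subkey pins down. The sample key is constructed, and the left shifts are assumed to be circular, as in DES.

```python
PC1 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]   # PC-1 from the slide
PC2 = [6, 3, 7, 4, 8, 5, 10, 9]         # PC-2 from the slide (keeps 8 of 10)

def permute(items, table):
    """Output position j takes input position table[j] (1-based)."""
    return [items[i - 1] for i in table]

def rotl(half, n):
    """Left shift of a 5-element half; assumed circular, as in DES."""
    return half[n:] + half[:n]

def subkeys(key):
    """Return (k1, k2) for a 10-element key; elements may be bits or labels."""
    if len(key) != 10:
        raise ValueError("S-DES key must have exactly 10 elements")
    state = permute(list(key), PC1)
    left, right = rotl(state[:5], 1), rotl(state[5:], 1)   # round 1: one shift
    k1 = permute(left + right, PC2)
    left, right = rotl(left, 2), rotl(right, 2)            # round 2: two more
    k2 = permute(left + right, PC2)
    return k1, k2

def subkey_sources():
    """Which master-key bit (1..10) ends up in each subkey position."""
    return subkeys(list(range(1, 11)))

def unexposed_bits(subkey_positions):
    """Master-key bits that a recovered subkey says nothing about."""
    return sorted(set(range(1, 11)) - set(subkey_positions))

if __name__ == "__main__":
    key = [int(b) for b in "1010000010"]   # constructed sample key
    k1, k2 = subkeys(key)
    print("K1 =", "".join(map(str, k1)), "K2 =", "".join(map(str, k2)))
    src1, src2 = subkey_sources()
    print("K1 uses key bits", src1, "and leaves out", unexposed_bits(src1))
    print("K2 uses key bits", src2, "and leaves out", unexposed_bits(src2))
```

Each subkey leaves two master-key bits untouched, and the two subkeys together cover all ten.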

Simple-DES (S-DES)
[Figure: one S-DES round. Input to round (bits 1 2 3 4) → Expansion Permutation (4 1 2 3 2 3 4 1) → XOR with Round Subkey (6 3 7 4 8 5 A 9) → S-box0 and S-box1 (row and column selection) → Output from round (bits 1 2 3 4).]

S-DES S-box0 deltas
S-box0 (inputs 0 to F):
input  output
0000   01
0001   11
0010   00
0011
0100   10
0101
0110
0111
1000
1001
1010
1011
1100
1101
1110
1111

S-DES S-box0 deltas
[Table: counts of output deltas (columns 00, 01, 10, 11) for each input delta (rows 0000 to 1111). Entries as they appear: 0000: 16; 0001: 4, 8; 0100: 2, 6.]


S-DES Round 1
[Table: output delta probabilities (columns 00, 01, 10, 11) for each input delta (rows 0000 to 1111). Entries as they appear: 0000: 1.0; 0001: 0.25, 0.5; 0100: 0.125, 0.375.]
[Figure: round 1. input → IP → L0, R0 → EP → XOR k1 → S-box0 (X=1, p=0.5, Y=2) and S-box1 (X=0, Y=0, p=1.0) → P-box → U=1, p=(0.5)(1.0)=0.5.]

S-DES Round 2
[Table: output delta probabilities (columns 00, 01, 10, 11) for each input delta (rows 0000 to 1111). Entries as they appear: 0000: 1.0; 0001: 0.25, 0.5; 0100: 0.125, 0.375.]
[Figure: round 2. R0, U=1 (p=0.5) → L1, R1 → EP → XOR k2 → S-box0 (X=4, p=.375, Y=1) and S-box1 (X=1, Y=1, p=0.5) → P-box, p=(.5)(.375)(.5)=.09375, U=E → L2=R1, R2 → IP-1 → output C=0x11, p=0.09375.]

Finding the Cipher Key
- Find round keys from bottom to top (last to first)
- Have many pairs for last round (known output ciphertext, known ciphertext difference, and assumed input difference)
- Each pair (all with same differences) produces some candidates for input to S-Boxes (that produce the observed output)
- S-Box input can be produced from several pairs of key and input to round, but only some of these are consistent
- Consistent ones suggest subkey candidates

Finding the Cipher Key Example (smaller S-box): S-Box: C X X 000 001 010 011 100 101 110 111 Y 11 00 10 01 C 00 01 10 11 000 8 001 2 4 010 011 100 101 110 111 6 X

Finding the Cipher Key Example (smaller S-box): S-Box: C X X 000 001 010 011 100 101 110 111 Y 11 00 10 01 C 00 01 10 11 000 1.0 001 .25 .5 010 011 100 101 110 111 .75 X

Finding the Cipher Key Since X depends only on P, we do NOT have to know the key K ahead of time! Get a bunch of inputs with a known X Find those whose C is the high probability value (e.g., X is 111 and C is 11) Note that this actually has to be for as many rounds as the cipher uses, but here we will just illustrate with a single round

Finding the Cipher Key Example (smaller S-box): S-Box: C 000 001 010 011 100 101 110 111 Y 11 00 10 01 C 00 01 10 11 000 1.0 001 .25 .5 010 011 100 101 110 111 .75 P = 001, then C = 11 with p=0.5 Try some known plaintext: Try P1 = 010 and get C1 = 00. Try P2 = 011 and get C2 = 11. P

Finding the Cipher Key
- From the plaintext-ciphertext pairs, and the known (and desired) deltas, figure out which inputs, after XORing with the key, produce the desired output
- Then for each of these, determine what the key would have to be for that plaintext

Finding the Cipher Key
Example (smaller S-box):
[Table: S-Box, input (000 to 111) against output Y. Output values as they appear: 11 00 10 01.]
[Table: probabilities of C (columns 00, 01, 10, 11) for each P (rows 000 to 111). Entries as they appear: 000: 1.0; 001: .25, .5; 111: .75.]
- C1 = 00 and P1 = 010.
- C2 = 11 and P2 = 011.
- So C1 -> X1 = 001 or X1 = 111
- So K = 011 or 101
- C2 = 11 -> X2 = 000 or X2 = 110
- Tests agree! Know K = xx1

Finding the Cipher Key
From the plaintext-ciphertext pairs, and the known (and desired) deltas:
- From all the pairs, get the most popular key or keys, assume the actual key is one of these
- If only one very popular, assume that is the key and try to confirm it on other plaintext-ciphertext pairs
- If multiple popular keys, look for the bits they have in common, and assume that these are correct
- Then brute force the rest
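The candidate-key and voting steps from the worked example above, as an added example (not code from the slides). The toy cipher is a single round, C = S(P xor K); the S-box is constructed to agree with the values the example uses (S(000) = S(110) = 11, S(001) = S(111) = 00) and its remaining entries are assumptions. ddt() builds the difference-count table for whatever S-box it is given.

```python
from collections import Counter

# Constructed 3-bit -> 2-bit S-box. Inputs 000, 001, 110, 111 follow the
# slides' worked example; the other four entries are assumed.
SBOX = [0b11, 0b00, 0b10, 0b01, 0b10, 0b10, 0b11, 0b00]

def ddt(sbox, out_bits=2):
    """table[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    table = [[0] * (1 << out_bits) for _ in sbox]
    for dx in range(len(sbox)):
        for x in range(len(sbox)):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def key_candidates(sbox, p, c):
    """Keys K consistent with one observation of C = S(P xor K)."""
    return {p ^ x for x, y in enumerate(sbox) if y == c}

def vote(sbox, pairs):
    """Each (P, C) pair casts one vote for every key it is consistent with."""
    votes = Counter()
    for p, c in pairs:
        votes.update(key_candidates(sbox, p, c))
    return votes

def agreed_bits(keys, width=3):
    """Bits shared by all keys; 'x' marks a bit that still has to be guessed."""
    keys = list(keys)
    return "".join(
        str((keys[0] >> i) & 1) if len({(k >> i) & 1 for k in keys}) == 1 else "x"
        for i in reversed(range(width)))

def most_popular(votes):
    """All keys that share the highest vote count."""
    best = max(votes.values())
    return sorted(k for k, v in votes.items() if v == best)

if __name__ == "__main__":
    pairs = [(0b010, 0b00), (0b011, 0b11)]   # (P1, C1) and (P2, C2) from the slides
    popular = most_popular(vote(SBOX, pairs))
    print([format(k, "03b") for k in popular], "->", agreed_bits(popular))
    print("difference counts for input difference 111:", ddt(SBOX)[0b111])
```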

Differential Cryptanalysis Summary
- Compute Prob(Y | X) for each S-box
- Compute Prob(Li, Ri | Li-1, Ri-1) for a round (all rounds are the same; key independent!)
- Compute Prob(C | P) for whole cipher
- Pick the input deltas for which there are output deltas with high conditional probability
- For a given input delta, generate many plaintext pairs with that difference and get the corresponding ciphertext pairs and differences

Differential Cryptanalysis Summary
- For each plaintext pair whose ciphertext pair produces the highest probability ciphertext difference, assume internal states are as computed (maximum likelihood)
- For a given “good” ciphertext pair, run the invertible computations backwards to get the outputs of the last set of S-boxes, Yi, Yi'
- For each of these output pairs, find the set of inputs that will produce that pair (there may be many of these)

Differential Cryptanalysis Summary
- Save each pair of possible inputs that can produce the known outputs
- For each of these saved pairs, determine the subkey that will produce the assumed difference for each input pair
- Take the most popular keys and determine bits where the keys agree in all sets
- Assume these bits are known, guess the rest