Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson

Outline Substitution-permutation networks (SPN) Linear cryptanalysis Linear approximation of S-boxes Bias and pilling-up lemma A linear attack on an SPN Differential cryptanalysis Differential distribution table of S-boxes

Substitution-permutation networks (1) Substitution function (S-box) z ABCDEF S(z)S(z) E4D12FB83A6C5907 Ex. =4, 4-bit input

Substitution-permutation networks (2) Permutation function z P(z)P(z) Ex. =m=4, 16-bit input

SPN example Round 1 Round 2 Round 3 Round 4 (no permutation) K i : subkeys XOR with input whitening: Prevent attack

Substitution-permutation networks (3) Implementation issues: S-Box: using look-up tables 4-bit input: 2 4  4=2 6 bits memory space 16-bit input: 2 16  16=2 20 bits memory space DES: 6-bits to 4-bits, AES: 8-bits to 8-bits Variations of SPN: Different S-Boxes in each round, ex. DES Include invertible linear transformation in addition to permutation, ex. AES

Question about S-box: Are these S-boxes secure? We will try to find some probabilistic relationship between (differential) input and (differential) output to S-boxes

Linear approximation table (1) S-box z ABCDEF S(z)S(z) E4D12FB83A6C5907 Input 4-bits Output 4-bits

Linear approximation table (2) consider T=X 1  X 4  Y 2 Input 4-bitsOutput 4-bits Pr[T=0]=1/2 Pr[T=1]=1/2

Linear approximation table (3) consider T=X 3  X 4  Y 1  Y 4 Input 4-bitsOutput 4-bits Pr[T=0]=1/8 Pr[T=1]=7/8

Linear approximation table (4) XOR of input and output bits can be taken as linear combination T=X 1  X 4  Y 2 a :( ) b :( ) T=X 3  X 4  Y 1  Y 4 a :( ) b :( ) For all a and b, we compute N L (a,b ): number of occurrences such that T=0

Linear approximation table (5) Idea: away from 8 means some probabilistic relationship between input and output

Outline Substitution-permutation networks (SPN) Linear cryptanalysis Linear approximation of S-boxes Bias and pilling-up lemma A linear attack on an SPN Differential cryptanalysis Differential distribution table of S-boxes

Bias of a random variable X is a random variable taking on values from {0, 1} Pr[X=0]=p Pr[X=1]=1-p Bias of X is defined to be  =p-1/2 * Bias with high absolute value implies non-randomness Ex. Pr[X=0]=1/2 bias = 0 Ex. Pr[X=0]=1 bias = 1/2

Pilling-up lemma Let  T denotes the bias of the random variable T=X 1  X 2...  X k Then Ex. T=X 1  X 2, bias  T = 2  1  2

A Linear Attack on an SPN (1) T 1 has bias 1/4 T 2 has bias -1/4 T 3 has bias -1/4 T 4 has bias -1/4 T1T2T3T4T1T2T3T4 has bias

A Linear Attack on an SPN (2) T1T2T3T4T1T2T3T4 X1X1 X2X2 X3X3 X1X2X3X1X2X3  (subkey bits) U1U1 U2U2 U3U3 U4U4 =U 1  U 2  U 3  U 4 =T1T2T3T4=T1T2T3T4 X1X2X3X1X2X3  (subkey bits) U1U2U3 U4U1U2U3 U4

A Linear Attack on an SPN (3) Previous result: Fix the subkey bits (assume the same key) Thus, =T1T2T3T4=T1T2T3T4 X1X2X3X1X2X3  (subkey bits) U1U2U3 U4U1U2U3 U4 =T1T2T3T4=T1T2T3T4 X1X2X3X1X2X3  (0 or 1) U1U2U3 U4U1U2U3 U4 X1X2X3X1X2X3 U1U2U3 U4U1U2U3 U4 has the same bias as T1T2T3T4T1T2T3T4 (may have different sign, depending on subkey bits)

A Linear Attack on an SPN (4) T1T2T3T4T1T2T3T4 has bias X1X1 X2X2 X3X3 U1U1 U2U2 U3U3 U4U4 X1X2X3X1X2X3 U1U2U3 U4U1U2U3 U4

Known-plaintext attack Assume 8000 (x, y) pairs are known x y Goal: solve the 8-bit subkey Initialize: Counter[256] For each (x,y) pair For subkey value s=0 to 255 determine U1U1 U2U2 U3U3 U4U4 U 1,U 2,U 3, U 4 If X1X2X3X1X2X3  U 1  U 2  U 3  U 4 =0 X1X1 X2X2 X3X3 Counter[s] ++ Final: Find s, such that Counter[s]/8000

Linear cryptanalysis on DES 1994, Matsui (inventor of linear cryptanalysis) Using 2 43 plaintext-ciphertext pairs (generated using the same key) : it takes 40 days Use linear cryptanalysis to find the key: 10 days However, it is unlikely to accumulate such a large number of plaintext-ciphertext pairs

Outline Substitution-permutation networks (SPN) Linear cryptanalysis Linear approximation of S-boxes Bias and pilling-up lemma A linear attack on an SPN Differential cryptanalysis Differential distribution table of S-boxes

Differential cryptanalysis Two binary streams Differential cryptanalysis Find the probabilistic relationship between XOR of two inputs and XOR of two output … …  … Different bits will be labeled as 1 after XOR

4  4 S-box ： input X =[X 1 X 2 X 3 X 4 ], output Y =[Y 1 Y 2 Y 3 Y 4 ] input pair (X’, X’’), by Analyzing the Cipher Components

Given Δx, we want to determine the associated probabilities for each ΔY

Difference distribution table = 0010, =1011 (hex B), probability = 8/2 4 = 8/16 = 1011, =1000 (hex 8), probability = 4/16 = 1010, =0100 (hex 4), probability = 0/16

ΔX=[ ] ΔU=[xxxx 0110 xxxx 0110] with prob. = chosen plaintext pairs: [ , ] [ , ] [ , ] … 5000 ciphertext pairs: [Y 1, Y ’ 1 ], [Y 2, Y ’ 2 ], [Y 3, Y ’ 3 ], …

Differential Cryptanalysis on DES Biham and Shamir, 1993 Complexity: order of 2 47, requiring 2 47 chosen plaintext Recall: brute-force search: 2 55 In fact, the DES designers knew differential cryptanalysis early in 1974 They had strengthened S-boxes

Programming project#2 Generate tables for the following DES S-Box linear approximation table difference distribution table Output your results in well-formatted ASCII text file Due date: 11/1

Notes for Programming Project#1 You must submit PowerPoint slides, which includes Description of your DES source code, how to use it (write a small sample program to demo how to use it) How do you evaluate the avalanche effects of DES? The results of your experiments All programs