Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.

Slides:



Advertisements
Similar presentations
6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Advertisements

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard
Cryptography and Network Security
Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)
Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.
Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.
Cryptography and Network Security, resuming some notes Dr. M. Sakalli.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption.
Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.
ICS 454: Principles of Cryptography
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
Encryption Schemes Second Pass Brice Toth 21 November 2001.
Chapter 3 – Block Ciphers and the Data Encryption Standard
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptanalysis. The Speaker  Chuck Easttom  
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
5.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 5 Introduction to Modern Symmetric-key Ciphers.
Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
AES Background and Mathematics CSCI 5857: Encoding and Encryption.
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
13. Other Block Ciphers 13.1 LUCIFER 13.2 MADRYGA 13.3 NEWDES 13.4 FEAL 13.5 REDOC 13.6 LOKI.
Cryptographic Attacks on Scrambled LZ-Compression and Arithmetic Coding By: RAJBIR SINGH BIKRAM KAHLON.
Cryptography Team Presentation 2
1 Cryptanalysis Four kinds of attacks (recall) The objective: determine the key ( Herckhoff principle ) Assumption: English plaintext text Basic techniques:
DES Algorithm Data Encryption Standard. DES Features Block cipher, 64 bits per block 64-bit key, with only 56 bits effective ECB mode and CBC mode.
Stream Ciphers and Block Ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream.
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.
Introduction to Modern Symmetric-key Ciphers
Le Trong Ngoc Security Fundamentals (2) Encryption mechanisms 4/2011.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.
The RC5 Encryption Algorithm: Two Years On Lisa Yin RC5 Encryption –Ron Rivest, December 1994 –Fast Block Cipher –Software and Hardware Implementations.
Block Ciphers and the Advanced Encryption Standard
© Information Security Group, ICU1 Block Cipher- introduction  DES Description: Feistel, S-box Exhaustive Search, DC and LC Modes of Operation  AES Description:
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
Linear Cryptanalysis of DES
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Block Cipher- introduction
David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took.
CS519, © A.SelcukDifferential & Linear Cryptanalysis1 CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk.
Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.
Lecture 3 Overview. Ciphers The intent of cryptography is to provide secrecy to messages and data Substitutions – ‘hide’ letters of plaintext Transposition.
Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
CST 312 Pablo Breuer. A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length Typically a block size of 64 or.
Information and Network Security Lecture 2 Dr. Hadi AL Saadi.
Information and Computer Security CPIS 312 Lab 6 & 7 1 TRIGUI Mohamed Salim Symmetric key cryptography.
6b. Practical Constructions of Symmetric-Key Primitives.
Introduction to Modern Symmetric-key Ciphers
Cryptanalysis of Block Ciphers
Differential Cryptanalysis
Stream Cipher Structure
Presentation transcript:

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z′ and Z′′ is the bitwise XOR of the strings, i.e, M Z = Z′ © Z′′ - why look at the difference? because in an SPN, the key does not influence the value of the difference!

Differential Cryptanalysis In a perfectly randomized cipher, the probability of a given output difference M Y, given an input difference M X, is (½) m, where m is the number of bits. The pair ( M X, M Y) is a differential. We will look for cases where this probability is much larger than (½) m. We will look at pairs of plaintexts that have a certain input difference. This is why differential cryptanalysis is a chosen-plaintext attack. As in the case of linear cryptanalyis, we will first look at the S-boxes.

Differential Characteristics of S-boxes The S-box from the linear cryptanalysis slides (π S ): For M X an input difference and M Y an output difference, we will compute N D ( M X, M Y): the number of pairs with input difference equal to M X and output difference equal to M Y. For example, N D (1011, 0010) = 8 (see Table 6). You can find all values in Table 7. In an ideal S-box, N D ( M X, M Y) = 1. Such an S-box is not mathematically possible ABCDEF E4D12FB83A6C5907

Propagation Ratio From N D ( M X, M Y) we can compute the propagation ratio: R p ( M X, M Y) = N D ( M X, M Y) / 2 m Notice: R p ( M X, M Y) = Pr[ output-difference = M Y | input-difference = M X ] For example, in our S-box, R P (1011,0010) = 1/2.

Differential Characteristics We will combine the differential characteristics of the S-boxes to obtain a differential characteristic of the whole cipher. We will look at the same example SPN as for linear cryptanalysis (Figure 1). We will look at the following S-boxes and difference pairs (Figure 5). S 1,2 : R p (1011, 0010) = 1/2 S 2,3 : R p (0100, 0110) = S 3,2 : R p (0010, 0101) = S 3,3 : R p (0010, 0101) = We assume that these propagation ratios are independent. This assumption works well in practice.

Differential Characteristics All other S-boxes will have all 0s as input difference, and thus all 0s as output difference. Combining the S-boxes, we obtain the following propagation ratio for the first three rounds of the SPN: R p ( , ) = 1/2(3/8) 3 = 27/1024. This implies that the propagation ratio “from the plaintext to U4” is given by R p ( , ) = 27/1024.

Extracting Key Bits We will use the above propagation ratio to determine part of subkey K 5. Suppose we have a large number of plaintext pairs (X′,X′′) such that M X = X′ © X′′ = Let (Y′,Y′′) be the corresponding ciphertexts. We will partially decrypt each pair of ciphertexts and see if the resulting decryptions have difference equal to As in the linear case, we have to go through all (2 8 ) possibilities for the subkey bits K 5,5, K 5,6, K 5,7, K 5,8, K 5,13, K 5,14, K 5,15, K 5,16.

Extracting Key Bits For each candidate subkey, partially decrypt each pair of ciphertexts (by XOR-ing with the candidate subkey and running the data backwards through the S-boxes), and compute the probability that the difference of the decryptions = The idea is that this fraction is largest for the correct 8 key bits. See Table 8. Note: Often, it is not necessary to partially decrypt Y′ and Y′′ to see that they don’t fulfill the required differential. Why not? This observation is useful in speeding up the algorithm.

Extracting Key Bits How many plaintext pairs do we need ? As a rule-of-thumb, if the propagation ratio is equal to ², the number of pairs of plaintexts with the chosen difference value and corresponding ciphertexts needed is c ² −1 for some “small” constant c.

Advanced Issues To strengthen the attacks you could Combine different linear approximations for the cipher. Combine different differential characteristics for the cipher. Combine linear and differential cryptanalysis. Look at something other than XOR in differential cryptanalysis. … We have not discussed how to determine the best linear and differential attack.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.