
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4

Ciphertext-only attack. The cryptanalyst knows the cryptograms. This happens if he can eavesdrop on the communication channels. Known-plaintext attack. The adversary can access not only the communication channels but also parts of the plaintext.

Chosen-plaintext attack. This is a known-plaintext attack for which the cryptanalyst may choose messages and corresponding cryptograms. Chosen-ciphertext attack. The enemy selects his own cryptogram and corresponding message and then tries to find the secret key of the cryptosystem.

The function to transfer the input string of an S-box. such that and then or where XOR profiles

Define and four-tuples and denote the number of four-tuples in the set. For example, and

The XOR profile of an S-box defined by is a table which has 2^n rows and 2^m columns. Each row and column is indexed by  and  respectively. Each entry ( ,  ) of the table shows the number of elements in the set

The example of an element of XOR profiles If the set is Then the element (19, 1) in the table of XOR profile is

The properties of XOR profiles: All entries in the table are zeroes or positive even integers. The row for  = 0 has only one nonzero entry, equal to 2^n (n is the number of input bits of the S-box).

The sum of entries in each row is equal to 2^n. An input difference  may cause output difference  with probability. If an entry ( ,  ) is zero, then the input difference  cannot cause the difference  on the output.

What can we say about value of the input? The XOR profile does not depend on the cryptographic key used. What can we say about the key?

Example: Let an input have the output difference. The set

The input is The applied key must be in the set that is The following demonstrates how to calculate the bit-to-bit addition.

If the second input is and Then the set is as follows.

The set of input is The key set is Take another observation,

and then and The key must be contained in the three sets, so the key is

The XOR profile of an S-box with the secret key XORed with the input is identical to the XOR profile of the S-box without the key. Every input observation (s_1, s_2) and the corresponding output difference  enable the cryptanalyst to find the set  of key candidates. The analysis of differences for a single S-box allows one to retrieve the key that is XORed to the input of an S-box.
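The XOR profile and the key-candidate intersection described above, as an added example that is not part of the original slides. It assumes DES S-box S1 as the S-box (the slides' own S-box values did not survive), a constructed secret key 0x2B, and more observations than the slides' three so that the intersection is certain to shrink to one key; the function names are this example's own.

```python
# DES S-box S1 (values from the DES standard), four rows of 16 entries.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
N_IN, N_OUT = 6, 4  # n input bits, m output bits

def sbox(x):
    """6-bit input: the outer bits select the row, the middle four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def xor_profile():
    """2^n x 2^m table; entry (din, dout) counts the inputs x with
    S(x) ^ S(x ^ din) == dout."""
    table = [[0] * (1 << N_OUT) for _ in range(1 << N_IN)]
    for din in range(1 << N_IN):
        for x in range(1 << N_IN):
            table[din][sbox(x) ^ sbox(x ^ din)] += 1
    return table

def key_candidates(s1, s2, dout):
    """Keys consistent with one observation: known inputs (s1, s2) and the
    output difference dout of the S-box with the key XORed onto its input."""
    return {k for k in range(1 << N_IN) if sbox(s1 ^ k) ^ sbox(s2 ^ k) == dout}

def recover_key(observations):
    """Intersect the candidate sets of all observations."""
    candidates = set(range(1 << N_IN))
    for s1, s2, dout in observations:
        candidates &= key_candidates(s1, s2, dout)
    return candidates

def observe(secret, pairs):
    """Constructed sample data: (s1, s2, output difference) per input pair."""
    return [(a, b, sbox(a ^ secret) ^ sbox(b ^ secret)) for a, b in pairs]

if __name__ == "__main__":
    t = xor_profile()
    print("entry (0x0C, 0xE):", t[0x0C][0xE], "of", 1 << N_IN)
    obs = observe(0x2B, [(0, s) for s in range(1, 64)])  # constructed key
    print("key candidates:", sorted(recover_key(obs)))
```

A single observation leaves as many key candidates as the XOR profile entry for that input and output difference, which is why entries with large numbers help the analyst.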

3.4.2 DES Round Characteristics

An m-round characteristic of a Feistel-type cryptosystem is a sequence where  in and  out are input and output differences. The pairs are consecutive input and output difference for the round f_k. Let input sequences be and.

A single round characteristic of DES The first part of difference is  A and the second part is 0.

Our goal is to find a characteristic that feeds a nonzero input difference into S_1 while the other input differences of S_2 … S_8 are set to zero, and the characteristic should work with a high probability.

Another single round characteristic of DES

The input difference  in = (  A, x ). The binary string ( x ) obtained by permuting (E_x) using permutation block P. For this case, the pair of differences (C_x, E_x) happens with probability 14/64. And then we get the output

Any characteristic has a probability attached to it. Let the m-round characteristic be Then its probability where is the probability that input difference  i causes the output difference  i for the function f_k in the i-th round.

A two-round characteristic of DES The probability of the second round happening is one.

3.4.3 Cryptanalysis of 4-Round DES

Our purpose is to recover the key. We concentrate on the last round of DES. In the last figure, we use the characteristic  A = ( x ), which always works (p = 1). In the last round

[Figure: Four-round DES, with input difference and output difference]

 1 = 0 and  1 = 0. So the input difference becomes (001000) on S_1 and all other 7 S-boxes are zero. Thus 28 bits of  2 are known. From the last equation, 28 bits of  4 are known. Another characteristic  A = ( x ). The missing part of the key is recovered by the differential analysis of S_1.

Finding the partial key k_4. Strip off the last round and find k_3. Then k_2.

[Figure: Six-round DES, with input difference and output difference]

[Figure: First 3-round characteristic]

[Figure: Second 3-round characteristic]

3.4.5 The main features of differential analysis

The differential analysis can be applied to Feistel cryptosystems with t rounds, where it is possible to use input to the round function and deduce or guess the corresponding output differences. Characteristics are useful in guessing the correct output differences of the round function. It is enough to have a (t-3)-round characteristic to find out output differences in the t-round Feistel cryptosystem.

As the differential analysis makes it possible to find the keys applied in the last round function, it bypasses the key schedule. It works under the assumption that round keys are statistically independent. Once the key in the last round is found, the last round can be stripped off by applying the extra round.

Feistel cryptosystem immune against the differential analysis:
The XOR profile must not have entries with large numbers.
The best (t-3)-round characteristics should work with a probability smaller than the probability of guessing the right key (t is the number of rounds in the cryptosystem).
The S-boxes should depend upon the secret key in a nonlinear way. This will cause the XOR profiles of the S-boxes to become more complex. One way of implementing this idea would be an on-the-fly selection of S-boxes depending on the round key.