CS 519 Cryptography and Network Security: Differential & Linear Cryptanalysis. Instructor: Ali Aydin Selcuk. (Slides © A. Selcuk.)

Slide 2: Block Cipher Cryptanalysis
- Find a property of the cipher that "distinguishes" it from a random function (a "distinguisher"). Such a property is usually constructed starting from the 1-round cipher or from the S-boxes.
- Once such a property is found, extend it to obtain a distinguisher for r−1 (or r−2) rounds of the r-round cipher.
- Having found such a distinguisher, attack (parts of) the first or the last round key by exhaustive trial: the candidate key value under which the distinguishing property shows up in the data is taken as the right one.

Slide 3: Differential Cryptanalysis
A chosen-plaintext attack that exploits the non-uniform propagation of differences over the rounds. To attack an r-round cipher:
- Find a "characteristic" (a sequence of differences) that relates an input difference to an (r−1)st-round difference with non-trivial probability.
- Assuming the characteristic holds, find the last round key from ΔX_{r−1} and ΔX_r (i.e. ΔC).
The remaining key bits can be attacked either by brute force or by DC on r−1 rounds.

Slide 4: Differential Cryptanalysis
Two questions:
- How to find such a "characteristic" (ΔL_0, ΔR_0) → (ΔL_{r−1}, ΔR_{r−1})?
- How to obtain K_r from there?
(Figure: the input difference (ΔL_0, ΔR_0) propagates through the rounds to (ΔL_{r−1}, ΔR_{r−1}); the last round applies f under the unknown key K_r and produces the ciphertext difference (ΔL_r, ΔR_r).)

Slide 5: DC of Feistel Ciphers
A characteristic of a Feistel cipher must have the following form. Write α_i for the input difference of the f function in round i and β_i for its output difference in that round:
α_1 = ΔR_0
α_2 = ΔL_0 ⊕ β_1
α_3 = α_1 ⊕ β_2
α_4 = α_2 ⊕ β_3
...
In general α_{i+1} = α_{i−1} ⊕ β_i: the half that enters f in round i+1 is the half that entered f in round i−1, XORed with the f output of round i.

Slide 6: E.g.: 1-round DES
A difference of the f function: for inputs X^(1) and X^(2) with difference X^(1) ⊕ X^(2) = ψ (the 32-bit value shown in the slide's figure), only S1, S2 and S3 receive a non-zero input difference. E.g., for 14 out of the 64 possible inputs we have S1(X ⊕ K) = S1(X ⊕ K ⊕ ΔX), where ΔX is the 6-bit difference ψ induces at S1; the corresponding counts for S2 and S3 are 8 and 10. Hence
P(ψ → 0) = (14 · 8 · 10) / 64^3 ≈ 1/234.

Slide 7: An Iterative DES Characteristic (Biham & Shamir, 1992)
Start from the difference (ψ, 0). In the first round the f input difference is 0, so its output difference is 0 with p = 1. In the second round the f input difference is ψ, and its output difference is 0 with p = 1/234 (slide 6). After the two rounds the difference is again (ψ, 0), so this 2-round characteristic can be concatenated with itself.

Slide 8: 16-round DES Attack
- Start with pairs P^(1) ⊕ P^(2) = (ψ, 0).
- Keep only the pairs with ΔL_16 = ψ (a necessary condition for the characteristic to have held; the others are discarded as wrong pairs).
- Assuming that ΔR_15 = 0 (i.e. the characteristic held up to round 15), we have ΔY_16 = ΔR_16 for the output difference of f in round 16.
- We know X_16^(1), X_16^(2), the inputs of f in round 16 before key mixing, from the ciphertexts.
- Take the values of K_16 that can map X_16^(1), X_16^(2) to ΔY_16 and increment their counters.
- After all collected pairs are processed, take the K_16 value that is suggested most.
(Figure: rounds 1 to 16 with the differences ΔL_0 = ψ, ΔR_0 = 0 propagated through the iterated characteristic, and round 16 producing ΔY_16 from the unknown K_16.)
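As an added worked example (not part of the slides), the Python below computes the difference distribution tables of DES S1, S2 and S3 from the standard FIPS 46 tables, checks the three S-box transitions behind the 1/234 figure on slide 6, and then runs the counting step of slide 8 on a single S-box against a constructed secret 6-bit subkey. The value of ψ itself did not survive extraction; the S-box input differences 0x03, 0x32 and 0x2C used here come from Biham and Shamir's published iterative characteristic and are an assumption about what the slide's figure showed. The attack data is constructed inline; function names are my own.

```python
import random

# Standard DES S-boxes S1, S2, S3 (FIPS 46), indexed [row][column].
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]
S3 = [
    [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
    [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
    [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
    [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
]


def sbox(table, x):
    """6-bit DES S-box lookup: outer bits b1,b6 pick the row, b2..b5 the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]


def ddt(table):
    """Difference distribution table: t[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    t = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            t[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return t


# Assumption: the S-box input differences induced by psi are the Biham-Shamir
# values 0x03 into S1, 0x32 into S2, 0x2C into S3, and zero into S4..S8.
PSI_SBOX_DIFFS = [(S1, 0x03), (S2, 0x32), (S3, 0x2C)]


def f_characteristic_probability(active):
    """P(psi -> 0) for the f function: product over the active S-boxes of the
    probability that their input difference maps to output difference 0
    (inactive S-boxes contribute 1), treating the S-boxes as independent."""
    p = 1.0
    for table, dx in active:
        p *= ddt(table)[dx][0] / 64
    return p


def count_suggested_keys(table, pairs):
    """Counting step of slide 8 on one S-box: for each pair (x1, x2, dy) of
    known S-box inputs (before key mixing) and known output difference, every
    6-bit subkey k with S(x1 ^ k) ^ S(x2 ^ k) == dy gets one vote."""
    counters = [0] * 64
    for x1, x2, dy in pairs:
        for k in range(64):
            if sbox(table, x1 ^ k) ^ sbox(table, x2 ^ k) == dy:
                counters[k] += 1
    return counters


def simulate_last_round_attack(table, true_key, n_pairs, seed=1):
    """Constructed data: right pairs with random distinct S-box inputs. The
    attacker sees x1, x2 and dy only. Returns (most-voted key, counters)."""
    rng = random.Random(seed)
    pairs = []
    while len(pairs) < n_pairs:
        x1, x2 = rng.randrange(64), rng.randrange(64)
        if x1 == x2:
            continue  # a zero input difference says nothing about the key
        dy = sbox(table, x1 ^ true_key) ^ sbox(table, x2 ^ true_key)
        pairs.append((x1, x2, dy))
    counters = count_suggested_keys(table, pairs)
    return max(range(64), key=counters.__getitem__), counters


if __name__ == "__main__":
    print("S1: 0x03 -> 0 for", ddt(S1)[0x03][0], "of 64 inputs")
    print("P(psi -> 0) = 1/%.1f" % (1 / f_characteristic_probability(PSI_SBOX_DIFFS)))
    best, votes = simulate_last_round_attack(S1, true_key=0b101101, n_pairs=24)
    print("suggested subkey %06b with %d of 24 votes" % (best, votes[best]))
```

The right subkey is consistent with every right pair, so its counter equals the number of pairs; wrong keys collect votes only by chance. One caveat the simulation sidesteps by using varying input differences: if every pair has the same S-box input difference Δx (as happens with a fixed ψ), the keys k and k ⊕ Δx receive identical counts, so that step alone determines the subkey only up to that XOR.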

Slide 9: DC of DES
- 8 rounds: 2^14 chosen plaintexts
- 12 rounds: 2^31 chosen plaintexts
- 16 rounds: 2^47 chosen plaintexts (the first cryptanalysis of the 16-round DES faster than exhaustive search)
The ordering of the S-boxes turned out to be optimized against DC!

Slide 10: Linear Cryptanalysis
A statistical known-plaintext attack. Correlation among plaintext, ciphertext and key bits is exploited:
- Find a binary equation in plaintext, ciphertext and key bits (a "linear approximation") that shows a non-trivial correlation among them (a "bias").
- Collect a large plaintext-ciphertext sample.
- Try all key values with the collected plaintext-ciphertext pairs in the equation (hence relatively few key bits must be involved).
- Take the key that maximizes the bias as the right key.
The remaining key bits can be found by brute force or by another LC attack.

Slide 11: Linear Approximation
A linear approximation of r−1 rounds:
P[i_1, ..., i_a] ⊕ X_{r−1}[j_1, ..., j_b] = K[m_1, ..., m_c]
holding with probability p ≠ ½ (p = 1 is usually not possible). |p − ½| is the "bias" of the approximation. (Notation: X_i is the ciphertext after i rounds; S[...] is the XOR of the specified bits of the string S.)
Expressed in terms of the ciphertext:
P[i_1, ..., i_a] ⊕ F(C, K_r)[j_1, ..., j_b] = K[m_1, ..., m_c],
where F is related to the last round's decryption.

Slide 12: LC Attack
Approximation: P[i_1, ..., i_a] ⊕ F(C, K_r)[j_1, ..., j_b] = K[m_1, ..., m_c] (1)
- Collect a large number N of plaintext-ciphertext blocks.
- For all possible K_r values, compute the left side of (1) over the sample.
- With T^(i) denoting the number of zeros for the i-th candidate, take the K_r value that maximizes the "sample bias" |T^(i) − N/2| as the right key.
- Another bit of key information (namely K[m_1, ..., m_c]) is obtained by comparing the signs of (p − ½) and (T^(i) − N/2): if they agree, the left side behaved as predicted for K[m_1, ..., m_c] = 0; if they differ, the key bit is 1.

Slide 13: Linear Approximation of DES' f Function
Shamir's discovery (1985): P(16 · x = 15 · S5(x)) = 12/64, where "·" denotes the binary dot product (the input mask 16 = 010000 selects the second of the six input bits of S5, the output mask 15 the parity of all four output bits). (Brickell et al.: "Normal".)
From the S-box to the f function: x[15] ⊕ f(x, k)[7, 18, 24, 29] = k[22] with p = 12/64.

Slide 14: Combining Round Approximations
Round 1: L_0[7, 18, 24, 29] ⊕ L_1[7, 18, 24, 29] ⊕ R_0[15] = K_1[22], p_1 = 12/64.
Round 3: L_2[7, 18, 24, 29] ⊕ L_3[7, 18, 24, 29] ⊕ R_2[15] = K_3[22], p_3 = 12/64.
(Rounds alternate: odd rounds update the left half from the right, even rounds the right half from the left, so L_1 = L_2 and R_2 = R_3. Round 2 is not approximated.)
When these approximations are combined, the intermediate terms L_1 and L_2 cancel and we get the 3-round approximation
L_0[7, 18, 24, 29] ⊕ R_0[15] ⊕ L_3[7, 18, 24, 29] ⊕ R_3[15] = K_1[22] ⊕ K_3[22]
(no intermediate terms are left), with
p = p_1 p_3 + (1 − p_1)(1 − p_3) = ½ + 2 (p_1 − ½)(p_3 − ½),
assuming the round approximations are independent.

Slide 15: Linear Approximations of Feistel Ciphers
Write α_i for the mask applied to the f input in round i and β_i for the mask applied to its output. For the intermediate terms to cancel out, we need
α_{i+1} = α_{i−1} ⊕ β_i
(the same recurrence as for the differences on slide 5). The probability of the combined approximation over r rounds is
p = ½ + 2^{r−1} ∏_i (p_i − ½),
assuming the round approximations are independent (Matsui's piling-up lemma).
(Figure: rounds 1 to r with the masks α_1, β_1, α_2, β_2, ... and the sums α_1 ⊕ β_2, ..., α_r ⊕ β_{r−1} written at the half-block boundaries.)

Slide 16: Best DES Approximation (Matsui, 1993)
Round approximations used:
A: x[15] ⊕ f(x, k)[7, 18, 24, 29] = k[22], p = 12/64
C: x[29] ⊕ f(x, k)[15] = k[44], p = 30/64
D: x[15] ⊕ f(x, k)[7, 18, 24] = k[22], p = 42/64
(Figure: the round-by-round chain of these approximations, with rounds left unapproximated marked "—"; the surviving labels read D, C, A, —, A, C, D, —, D.)
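As an added worked example (not from the slides), the Python below checks Shamir's S5 observation and Matsui's approximations A and D directly against the standard FIPS 46 table of S5, scans S5 for its most biased mask pair, evaluates the piling-up combination used on slides 14 and 15, and implements the sign comparison of slide 12 that yields the extra key bit. Approximation C involves S1 and is not checked here. Masks follow Matsui's NS notation (16 = 010000 selects the second input bit; 15 = 1111 and 14 = 1110 select output bits); the function names and the sample counts passed to the sign test are my own.

```python
# Standard DES S-box S5 (FIPS 46), indexed [row][column].
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """6-bit DES S-box lookup: outer bits b1,b6 pick the row, b2..b5 the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]


def dot(mask, value):
    """Binary dot product: parity of the bits of value selected by mask."""
    return bin(mask & value).count("1") & 1


def ns(table, a, b):
    """Matsui's NS(a, b): number of the 64 inputs x with a.x == b.S(x).
    The approximation holds with probability ns/64; its bias is ns/64 - 1/2."""
    return sum(dot(a, x) == dot(b, sbox(table, x)) for x in range(64))


def most_biased(table):
    """Scan all non-trivial (input mask, output mask) pairs and return the
    one with the largest |ns - 32|, together with its ns value."""
    best = max(((a, b) for a in range(1, 64) for b in range(1, 16)),
               key=lambda ab: abs(ns(table, ab[0], ab[1]) - 32))
    return best[0], best[1], ns(table, best[0], best[1])


def piling_up(probs):
    """Piling-up lemma (slide 15): independent approximations with
    probabilities p_i combine to p = 1/2 + 2^(n-1) * prod(p_i - 1/2)."""
    prod = 1.0
    for p in probs:
        prod *= p - 0.5
    return 0.5 + 2 ** (len(probs) - 1) * prod


def three_round_des_probability(p1=12 / 64, p3=12 / 64):
    """Slide 14: p = p1*p3 + (1-p1)*(1-p3) for the two active rounds."""
    return p1 * p3 + (1 - p1) * (1 - p3)


def infer_key_parity(p, zeros, n):
    """Slide 12: the approximation's left side equals the key-bit XOR with
    probability p. If that XOR is 0, the fraction of zeros among n samples
    tends to p, so (zeros - n/2) has the sign of (p - 1/2); if it is 1, the
    fraction tends to 1 - p and the sign flips."""
    predicted = p - 0.5
    observed = zeros - n / 2
    return 0 if (predicted > 0) == (observed > 0) else 1


if __name__ == "__main__":
    print("NS5(16,15) =", ns(S5, 16, 15), "(Shamir / Matsui A)")
    print("NS5(16,14) =", ns(S5, 16, 14), "(Matsui D)")
    print("most biased S5 entry:", most_biased(S5))
    print("3-round probability: %.6f" % piling_up([12 / 64, 12 / 64]))
```

The 12/64 entry deviates by 20 from the balanced value 32, which is why it anchors Matsui's approximations: a bias of 20/64 squared and doubled, as in the slide-14 formula, still leaves a 3-round bias of about 0.195, whereas the same computation with smaller per-round biases decays much faster as rounds are added.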

Slide 17: LC of DES
- 8 rounds: 2^21 known plaintexts
- 12 rounds: 2^33 known plaintexts
- 16 rounds: 2^43 known plaintexts
The first experimental cryptanalysis of the 16-round DES (Matsui, 1994). The ordering of the S-boxes was far from optimal against LC.

Slide 18: Issues in DC & LC
An (r−1)-round relation is found and used to attack the last round key K_r (attacks based on r−2 rounds are also possible).
Assumptions:
- key independence of the characteristic/approximation used;
- independence of the individual round characteristics/approximations.
Helped by:
- the invertible key schedule of DES;
- the lack of key mixing after the last round's substitution.

Slide 19: Results of DC & LC
The discovery of the DC and LC attacks motivated:
- the theory of functions resistant against differential and linear attacks;
- new block cipher design techniques (resulting in AES);
- the development of non-invertible key schedules.