Presentation is loading. Please wait.

Presentation is loading. Please wait.

Differential Cryptanalysis

Published byHadian Kurnia Modified over 5 years ago

Similar presentations

Presentation on theme: "Differential Cryptanalysis"— Presentation transcript:

1 Differential Cryptanalysis
Richard Newman

2 Differential Cryptanalysis
Takes inputs with known difference (XOR) Predicts XOR of corresponding outputs, based on structure of cipher When input pair – output pair are found that have the predicted differences, assume internal states follow predictions also Work backwards to find subkeys that would produce observed pairs, each gets a vote Most popular subkeys collected Bits that agree amongst subkeys are “known”

3 Differential Cryptanalysis
A function f is linear if f(x+y) = f(x) + f(y) A cipher is linear if given any two inputs p1 and p2, and their corresponding outputs c1 and c2, we have c1 XOR c2 = p1 XOR p2. Onetime pad is linear: E(p1+p2) = E(p1)+E(p2) DES is not linear (and neither are S-boxes) Non-linearity and effect of (sub-) key on output suggests that information about the (sub-) key can be discovered by examining the relationship between input deltas and output deltas

4 Simple-DES (S-DES) Invented by Shaefer 1996 as tool
Operates on 8-bit blocks Uses 10- bit key Has two rounds Rest is similar to DES: IP, EP, S-boxes, P-box, Feistel structure, sub-key generation

5 Simple-DES (S-DES) IP: [1..8] → [2 6 3 1 4 8 5 7]
EP: [ ] → [ ] 8-bit subkey XORed with EP output First 4 bits to S-box S0, last 4 to S1 First and last bits to S-box pick row (1 of 4) Middle two bits pick column, output is 2 bits P-box: [1..4] → [ ]

6 Simple-DES (S-DES) Key generation: 10-bit key is first permuted
PC-1: [1..10] → [ ] Permuted key split into two 5-bit halves Each half shifted left one bit in first round, shifted twice more for second round PC-2: [1..10] → [ ] (8 bits) Subkey is XORed with EP output in round

7 Simple-DES (S-DES) Input to round Expansion Permutation Round Subkey
1 2 3 4 Expansion Permutation 4 1 2 3 2 3 4 1 6 3 7 4 8 5 A 9 Round Subkey 4 1 2 3 2 3 4 1 S-box0 column S-box1 1 2 3 1 2 3 row Output from round 1 2 3 4

8 S-DES S-box0 deltas input output 0000 01 0001 11 0010 00 0011 0100 10
0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 S-DES S-box0 deltas 1 2 3 4 5 6 7 8 9 A B C D E F S-box0

9 S-DES S-box0 deltas Output deltas Input delta 00 01 10 11 0000 16 0001
0001 4 8 0010 0011 0100 2 6 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 1 2 3 4 5 6 7 8 9 A B C D E F

10 S-DES S-box0 deltas Output deltas Input delta 00 01 10 11 0000 16 0001
0001 4 8 0010 0011 0100 2 6 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 1 2 3 4 5 6 7 8 9 A B C D E F

11 S-DES Round 1 Output delta probs 1010 1011 1100 1101 1110 1111 k1 X=1
Input delta 00 01 10 11 0000 1.0 0001 0.25 0.5 0010 0011 0100 0.125 0.375 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 input IP L0 R0 EP k1 X=1 X=0 S-box0 S-box1 p=0.5 Y=2 Y=0 p=1.0 P-box U=1 p=(0.5)(1.0)=0.5

12 S-DES Round 2 Output delta probs 1010 1011 1100 1101 1110 1111
Input delta 00 01 10 11 0000 1.0 0001 0.25 0.5 0010 0011 0100 0.125 0.375 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 R0 U=1, p=0.5 L1 R1 EP k2 X=4 X=1 S-box0 S-box1 p=.375 Y=1 Y=1 P=0.5 P-box p=(.5)(.375)(.5)=.09375 U=E L2=R1 R2 IP-1 p= output C=0x11

13 Finding the Cipher Key Find round keys from bottom to top (last to first) Have many pairs for last round (known output ciphertext, known ciphertext difference, and assumed input difference) Each pair (all with same differences) produces some candidates for input to S-Boxes (that produce the observed output) S-Box input can be produced from several pairs of key and input to round, but only some of these are consistent Consistent ones suggest subkey candidates

14 Finding the Cipher Key Example (smaller S-box): S-Box: C X X 000 001
010 011 100 101 110 111 Y 11 00 10 01 C 00 01 10 11 000 8 001 2 4 010 011 100 101 110 111 6 X

15 Finding the Cipher Key Example (smaller S-box): S-Box: C X X 000 001
010 011 100 101 110 111 Y 11 00 10 01 C 00 01 10 11 000 1.0 001 .25 .5 010 011 100 101 110 111 .75 X

16 Finding the Cipher Key Since X depends only on P, we do NOT have to know the key K ahead of time! Get a bunch of inputs with a known X Find those whose C is the high probability value (e.g., X is 111 and C is 11) Note that this actually has to be for as many rounds as the cipher uses, but here we will just illustrate with a single round

17 Finding the Cipher Key Example (smaller S-box): S-Box: C
000 001 010 011 100 101 110 111 Y 11 00 10 01 C 00 01 10 11 000 1.0 001 .25 .5 010 011 100 101 110 111 .75 P = 001, then C = 11 with p=0.5 Try some known plaintext: Try P1 = 010 and get C1 = 00. Try P2 = 011 and get C2 = 11. P

18 Finding the Cipher Key From the plaintext-ciphertext pairs, and the known (and desired) deltas, Figure which inputs after XORing with key produce desired output Then for each of these, determine what the key would have to be for that plaintext

19 Finding the Cipher Key Example (smaller S-box): S-Box:
000 001 010 011 100 101 110 111 Y 11 00 10 01 C1 = 00 and P1 = 010. C2 = 11 and P2 = 011. So C1 -> X1 = 001 or X1 = 111 So K = 011 or 101 C2 = 11 -> X2 = 000 or X2 = 110 Tests agree! Know K = xx1 C 00 01 10 11 000 1.0 001 .25 .5 010 011 100 101 110 111 .75 P

20 Finding the Cipher Key From the plaintext-ciphertext pairs, and the known (and desired) deltas, From all the pairs, get the most popular key or keys, assume the actual key is one of these If only one very popular, assume that is the key and try to confirm it on other plaintext-ciphertext pairs If multiple popular keys, look for the bits they have in common, and assume that these are correct Then brute force the rest

21 Differential Cryptanalysis Summary
Compute Prob(Y | X) for each S-box Compute Prob(Li, Ri | Li-1, Ri-1) for a round (all rounds are the same; key independent!) Compute Prob(C | P) for whole cipher Pick the input deltas for which there are output deltas with high conditional probability For a given input delta, generate many plaintext pairs with with that difference and get corresponding ciphertext pairs and difference

22 Differential Cryptanalysis Summary
For each plaintext pair whose ciphertext pair produces the highest probability ciphertext difference, assume internal states are as computed (maximum likelihood) For a given “good” ciphertext pair, run the invertable computations backwards to get the outputs of the last set of S-boxes, Yi, Yi' For each of these output pairs, find the set of inputs that will produce that pair (there may be many of these)

23 Differential Cryptanalysis Summary
Save each pair of possible inputs that can produce the known outputs For each of these saved pairs, determine the subkey that will produce the assumed difference for each input pair Take the most popular keys and determine bits where the keys agree in all sets Assume these bits are known, guess the rest

Download ppt "Differential Cryptanalysis"

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
FEAL FEAL 1.

FEAL FEAL 1.
Chapter 3 – Block Ciphers and the Data Encryption Standard

Chapter 3 – Block Ciphers and the Data Encryption Standard
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
The Digital Encryption Standard CSCI 5857: Encoding and Encryption.

The Digital Encryption Standard CSCI 5857: Encoding and Encryption.
Cryptanalysis. The Speaker  Chuck Easttom  

Cryptanalysis. The Speaker  Chuck Easttom  
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
CSCI 5857: Encoding and Encryption

CSCI 5857: Encoding and Encryption
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.

Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.
TE/CS 536 Network Security Spring 2006 – Lectures 6&7 Secret Key Cryptography.

TE/CS 536 Network Security Spring 2006 – Lectures 6&7 Secret Key Cryptography.
Feistel Cipher Structure

Feistel Cipher Structure
13. Other Block Ciphers 13.1 LUCIFER 13.2 MADRYGA 13.3 NEWDES 13.4 FEAL 13.5 REDOC 13.6 LOKI.

13. Other Block Ciphers 13.1 LUCIFER 13.2 MADRYGA 13.3 NEWDES 13.4 FEAL 13.5 REDOC 13.6 LOKI.
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.

DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.
Description of a New Variable-Length Key, 64-Bit Block Cipher (BLOWFISH) Bruce Schneier BY Sunitha Thodupunuri.

Description of a New Variable-Length Key, 64-Bit Block Cipher (BLOWFISH) Bruce Schneier BY Sunitha Thodupunuri.
TE/CS 536 Network Security Spring 2005 – Lecture 8 Security of symmetric algorithms.

TE/CS 536 Network Security Spring 2005 – Lecture 8 Security of symmetric algorithms.
Computer and Network Security Rabie A. Ramadan Lecture 3.

Computer and Network Security Rabie A. Ramadan Lecture 3.

Similar presentations

Ads by Google