Cryptanalysis on Substitution-Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.


1 Cryptanalysis on Substitution-Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson

2 Outline
- Substitution-permutation networks (SPN)
- Linear cryptanalysis
  - Linear approximation of S-boxes
  - Bias and piling-up lemma
  - A linear attack on an SPN
- Differential cryptanalysis
  - Differential distribution table of S-boxes

3 Substitution-permutation networks (1)
Substitution function (S-box)

z    | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S(z) | E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

Ex. =4, 4-bit input

4 Substitution-permutation networks (2)
Permutation function

z    |  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
P(z) |  1  5  9 13  2  6 10 14  3  7 11 15  4  8 12 16

Ex. =m=4, 16-bit input
0 1 0 0  0 1 0 1  1 1 0 1  0 0 0 1
0 0 1 0  1 1 1 0  0 0 0 0  0 1 1 1

5 SPN example
[Figure: SPN with Round 1, Round 2, Round 3 and Round 4 (no permutation)]
- K_i: subkeys, XOR with input
- Whitening: prevent attack

6 Substitution-permutation networks (3)
Implementation issues:
- S-box: using look-up tables
  - 4-bit input: $2^4 \times 4 = 2^6$ bits memory space
  - 16-bit input: $2^{16} \times 16 = 2^{20}$ bits memory space
  - DES: 6 bits to 4 bits, AES: 8 bits to 8 bits
Variations of SPN:
- Different S-boxes in each round, e.g. DES
- Include an invertible linear transformation in addition to the permutation, e.g. AES

7 Question about S-box: Are these S-boxes secure? We will try to find some probabilistic relationship between (differential) input and (differential) output to S-boxes

8 Linear approximation table (1)
S-box

z    | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S(z) | E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

[Table: input 4 bits, output 4 bits]

9 Linear approximation table (2)
Consider $T = X_1 \oplus X_4 \oplus Y_2$
[Table: input 4 bits, output 4 bits]
Pr[T=0] = 1/2, Pr[T=1] = 1/2

10 Linear approximation table (3)
Consider $T = X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$
[Table: input 4 bits, output 4 bits]
Pr[T=0] = 1/8, Pr[T=1] = 7/8

11 Linear approximation table (4)
The XOR of input and output bits can be taken as a linear combination:
- $T = X_1 \oplus X_4 \oplus Y_2$: a = (1 0 0 1), b = (0 1 0 0)
- $T = X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$: a = (0 0 1 1), b = (1 0 0 1)
For all a and b, we compute $N_L(a, b)$: the number of occurrences such that T = 0

12 Linear approximation table (5)
Idea: a value away from 8 means some probabilistic relationship between input and output

13 Outline
- Substitution-permutation networks (SPN)
- Linear cryptanalysis
  - Linear approximation of S-boxes
  - Bias and piling-up lemma
  - A linear attack on an SPN
- Differential cryptanalysis
  - Differential distribution table of S-boxes

14 Bias of a random variable
X is a random variable taking on values from {0, 1}
Pr[X=0] = p, Pr[X=1] = 1-p
The bias of X is defined to be $\epsilon = p - \frac{1}{2}$
* A bias with high absolute value implies non-randomness
Ex. Pr[X=0] = 1/2, bias = 0
Ex. Pr[X=0] = 1, bias = 1/2

15 Piling-up lemma
Let $\epsilon_T$ denote the bias of the random variable $T = X_1 \oplus X_2 \oplus \dots \oplus X_k$
Then
Ex. $T = X_1 \oplus X_2$, bias $\epsilon_T = 2\epsilon_1\epsilon_2$

16 A Linear Attack on an SPN (1)
- $T_1$ has bias 1/4
- $T_2$ has bias -1/4
- $T_3$ has bias -1/4
- $T_4$ has bias -1/4
$T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias

17 A Linear Attack on an SPN (2)
[Figure: SPN with the bits X1, X2, X3 and U1, U2, U3, U4 marked]
$T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4 \oplus (\text{subkey bits})$

18 A Linear Attack on an SPN (3)
Previous result:
$T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4 \oplus (\text{subkey bits})$
Fix the subkey bits (assume the same key):
$T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4 \oplus (0 \text{ or } 1)$
Thus, $X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$ has the same bias as $T_1 \oplus T_2 \oplus T_3 \oplus T_4$ (may have different sign, depending on subkey bits)

19 A Linear Attack on an SPN (4)
[Figure: SPN with the bits X1, X2, X3 and U1, U2, U3, U4 marked]
$T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias
$X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$
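
The linear approximation table, bias and piling-up steps of slides 8 to 18, worked through for the S-box on this page; this is an added example, not code from the original slides. The masks (B, 4) and (4, 5) used for T1 to T4 are an assumption taken from the worked example in the cited Stinson text, since the slides keep only the biases, and all function names are illustrative.

```python
from fractions import Fraction

# S-box from the slides: S(z) for z = 0..F
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(v):
    """XOR of all the bits of v."""
    return bin(v).count("1") & 1

def n_l(a, b, key=0):
    """N_L(a, b): number of inputs x for which T = a.x XOR b.S(x XOR key) is 0.
    Masks are read X1..X4 / Y1..Y4 from the most significant bit; key=0 is the
    bare S-box, a non-zero key models the subkey XOR in front of it."""
    return sum(parity(a & x) == parity(b & SBOX[x ^ key]) for x in range(16))

def bias(a, b, key=0):
    """Bias of T, i.e. Pr[T = 0] - 1/2, as an exact fraction."""
    return Fraction(n_l(a, b, key), 16) - Fraction(1, 2)

def linear_approximation_table():
    """16 x 16 table of N_L(a, b); entries far from 8 are the useful ones."""
    return [[n_l(a, b) for b in range(16)] for a in range(16)]

def piling_up(biases):
    """Piling-up lemma: bias of the XOR of k independent variables,
    2^(k-1) * e_1 * ... * e_k."""
    total = Fraction(1, 2)
    for e in biases:
        total *= 2 * e
    return total

def format_table(table):
    """Plain ASCII rendering, rows a = 0..F, columns b = 0..F."""
    head = "a\\b" + "".join(f"{b:3X}" for b in range(16))
    return "\n".join([head] + [f"{a:3X}" + "".join(f"{v:3d}" for v in row)
                               for a, row in enumerate(table)])

if __name__ == "__main__":
    print(format_table(linear_approximation_table()))
    print("T = X1^X4^Y2      :", n_l(0x9, 0x4), "of 16, bias", bias(0x9, 0x4))
    print("T = X3^X4^Y1^Y4   :", n_l(0x3, 0x9), "of 16, bias", bias(0x3, 0x9))
    # Active S-box masks of T1..T4 (assumed from Stinson's worked example)
    chain = [bias(0xB, 0x4), bias(0x4, 0x5), bias(0x4, 0x5), bias(0x4, 0x5)]
    print("T1..T4 combined   :", piling_up(chain))
    # A subkey bit under the input mask flips the sign, not the magnitude
    print("same mask, key 0x1:", bias(0x3, 0x9, key=0x1))
```

The last line shows the point of slide 18: XORing a fixed subkey in front of the S-box leaves the magnitude of the bias unchanged and can only flip its sign.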

20 Known-plaintext attack
Assume 8000 (x, y) pairs are known
Goal: solve the 8-bit subkey

Initialize: Counter[256]
For each (x, y) pair
    For subkey value s = 0 to 255
        determine U1, U2, U3, U4
        If X1 ⊕ X2 ⊕ X3 ⊕ U1 ⊕ U2 ⊕ U3 ⊕ U4 = 0
            Counter[s]++
Final: Find s, such that Counter[s]/8000

21 Linear cryptanalysis on DES
- 1994, Matsui (inventor of linear cryptanalysis)
- Using $2^{43}$ plaintext-ciphertext pairs (generated using the same key): it takes 40 days
- Use linear cryptanalysis to find the key: 10 days
- However, it is unlikely to accumulate such a large number of plaintext-ciphertext pairs

22 Outline
- Substitution-permutation networks (SPN)
- Linear cryptanalysis
  - Linear approximation of S-boxes
  - Bias and piling-up lemma
  - A linear attack on an SPN
- Differential cryptanalysis
  - Differential distribution table of S-boxes

23 Differential cryptanalysis
Find the probabilistic relationship between the XOR of two inputs and the XOR of two outputs.

Two binary streams:
    0101100 … 01110
  ⊕ 1001010 … 01100
  = 1100110 … 00010

Different bits will be labeled as 1 after XOR

24 $4 \times 4$ S-box: input $X = [X_1 X_2 X_3 X_4]$, output $Y = [Y_1 Y_2 Y_3 Y_4]$, input pair $(X', X'')$, by Analyzing the Cipher Components

25 Given Δx, we want to determine the associated probabilities for each ΔY

26 Difference distribution table
- ΔY = 0010, ΔX = 1011 (hex B), probability = $8/2^4$ = 8/16
- ΔY = 1011, ΔX = 1000 (hex 8), probability = 4/16
- ΔY = 1010, ΔX = 0100 (hex 4), probability = 0/16

27 ΔX = [0000 1011 0000 0000]
ΔU = [xxxx 0110 xxxx 0110] with prob. = 0.0264
5000 chosen plaintext pairs:
[0000 1011 0000 0000, 0000 0000 0000 0000]
[0000 1011 0000 0001, 0000 0000 0000 0001]
[0000 1011 0000 0010, 0000 0000 0000 0010]
…
5000 ciphertext pairs: $[Y_1, Y'_1], [Y_2, Y'_2], [Y_3, Y'_3], \dots$
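
The difference distribution table of slide 26 and the 0.0264 figure of slide 27, computed for the S-box on this page; this is an added example, not code from the original slides. The per-S-box differences in `TRAIL` after the first one (B to 2) are an assumption following the standard textbook characteristic for this cipher, since the slide gives only the end-to-end probability, and all function names are illustrative.

```python
from fractions import Fraction

# S-box from the slides: S(z) for z = 0..F
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def difference_distribution_table(sbox=SBOX):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt

def differential_probability(ddt, dx, dy):
    """Pr[output difference dy | input difference dx] for one S-box."""
    return Fraction(ddt[dx][dy], len(ddt))

def trail_probability(ddt, trail):
    """Probability of a characteristic through several active S-boxes,
    treating them as independent: the product of the per-S-box values."""
    p = Fraction(1)
    for dx, dy in trail:
        p *= differential_probability(ddt, dx, dy)
    return p

def best_differentials(ddt):
    """Non-trivial (dx, dy, count) entries with the largest count."""
    top = max(v for dx, row in enumerate(ddt) if dx for v in row)
    return [(dx, dy, v) for dx, row in enumerate(ddt) if dx
            for dy, v in enumerate(row) if v == top]

# Assumed (dx, dy) per active S-box along the slide-27 characteristic
TRAIL = [(0xB, 0x2), (0x4, 0x6), (0x2, 0x5), (0x2, 0x5)]

if __name__ == "__main__":
    ddt = difference_distribution_table()
    print("dx\\dy" + "".join(f"{dy:3X}" for dy in range(16)))
    for dx, row in enumerate(ddt):
        print(f"{dx:5X}" + "".join(f"{v:3d}" for v in row))
    print("largest entries:", best_differentials(ddt))
    p = trail_probability(ddt, TRAIL)
    print("characteristic probability:", p, "=", round(float(p), 4))
```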

28 Differential Cryptanalysis on DES
- Biham and Shamir, 1993
- Complexity: order of $2^{47}$, requiring $2^{47}$ chosen plaintexts
- Recall: brute-force search: $2^{55}$
- In fact, the DES designers knew of differential cryptanalysis as early as 1974
- They had strengthened the S-boxes

29 Programming project #2
Generate tables for the following DES S-box:
- linear approximation table
- difference distribution table
Output your results in a well-formatted ASCII text file
Due date: 11/1

30 Notes for Programming Project #1
You must submit PowerPoint slides, which include:
- A description of your DES source code and how to use it (write a small sample program to demo how to use it)
- How do you evaluate the avalanche effects of DES?
- The results of your experiments
- All programs

