
CS548_ ADVANCED INFORMATION SECURITY 20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho Paper Presentation #1 Improved version of LC in attacking DES.


1 CS548_ ADVANCED INFORMATION SECURITY 20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho Paper Presentation #1 Improved version of LC in attacking DES

2 Contents
- Introduction
- Before the paper…
- Notations
- Principle of the attack
- Success Rate and Complexity
- The Computer Experiment
- Concluding Remarks

3 Paper Introduction
- Linear cryptanalysis
- Uses two linear approximate equations
- Known-plaintext attack (KPA)
- M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. LNCS 839, 1994, pp. 1-11. CRYPTO '94.

4 Paper Introduction (Cont')
- 12 computers used for the experiment (HP9735/PA-RISC 99MHz)
- Program written in C and assembly language to generate plaintexts and ciphertexts
- Goal: finding the 56-bit secret key
- Elapsed time: 50 days
  - Generating plaintexts and ciphertexts: 40 days
  - Searching for the key: only 10 days

5 Before the paper…
- Hellman
  - Linearity between input and output of the S-boxes
- Shamir & Rueppel
  - Some S-boxes have a linear approximate relation between input and output bits.
- M. Matsui
  - Derived linear approximate equations consisting of P, C, and K bits
  - Search is easier than exhaustive search if $2^{47}$ known plaintexts are available

6 Before the paper… (Cont')
- M. Matsui
  - Improved version of LC for breaking 16-round DES
    - New linear approximate equations: reducing the number of required plaintexts
    - Candidate keys in order of reliability: increasing the success rate of the attack

7 Notations
- $P$: plaintext; 64-bit data after the IP
- $C$: ciphertext; 64-bit data before the $IP^{-1}$
- $K$: secret key; 56-bit data after the PC-1
- $P_H$, $P_L$: upper/lower 32-bit data of $P$
- $C_H$, $C_L$: upper/lower 32-bit data of $C$
- $K_r$: r-th round 48-bit subkey
- $F_r(X_r, K_r)$: r-th round F-function output
- $A[i]$: i-th bit of $A$ ($A$ is any binary vector)
- $A[i,j,\ldots,k]$: $A[i] \oplus A[j] \oplus \cdots \oplus A[k]$

8 Principle of the attack
- We adopt new linear approximate equations
  - Linear approximate equations based on the best 14-round expression
    - Applied to rounds 2 through 15: linear approximate equations in $P$, $C$, and $K_2, \ldots, K_{15}$
    - Find the round keys of rounds 1 and 16
    - Effect: reduces the number of required plaintexts
- What is a linear approximate equation?
  - Choose $P[i_a, i_b, i_c, \ldots] \oplus C[j_a, j_b, j_c, \ldots] = K[k_a, k_b, k_c, \ldots]$ (holding with probability $p \neq 1/2$ for randomly given $P$, $C$ and fixed $K$)
  - The best equation is the one for which $|p - 1/2|$ is maximal

9 Principle of the attack (Cont')
Two best 14-round expressions:

$$P_L[7,18,24] \oplus C_H[7,18,24,29] \oplus C_L[15] = K_2[22] \oplus K_3[44] \oplus K_4[22] \oplus K_6[22] \oplus K_7[44] \oplus K_8[22] \oplus K_{10}[22] \oplus K_{11}[44] \oplus K_{12}[22] \oplus K_{14}[22]$$

$$C_L[7,18,24] \oplus P_H[7,18,24,29] \oplus P_L[15] = K_{13}[22] \oplus K_{12}[44] \oplus K_{11}[22] \oplus K_9[22] \oplus K_8[44] \oplus K_7[22] \oplus K_5[22] \oplus K_4[44] \oplus K_3[22] \oplus K_1[22]$$

- Probability: $1/2 - 1.19 \times 2^{-21}$ (piling-up lemma)

10 Principle of the attack (Cont')
Applying them to the F-functions from the 2nd to the 15th round:

$$P_H[7,18,24] \oplus F_1(P_L, K_1)[7,18,24] \oplus C_H[15] \oplus C_L[7,18,24,29] \oplus F_{16}(C_L, K_{16})[15] = K_3[22] \oplus K_4[44] \oplus K_5[22] \oplus K_7[22] \oplus K_8[44] \oplus K_9[22] \oplus K_{11}[22] \oplus K_{12}[44] \oplus K_{13}[22] \oplus K_{15}[22]$$

$$C_H[7,18,24] \oplus F_{16}(C_L, K_{16})[7,18,24] \oplus P_H[15] \oplus P_L[7,18,24,29] \oplus F_1(P_L, K_1)[15] = K_{14}[22] \oplus K_{13}[44] \oplus K_{12}[22] \oplus K_{10}[22] \oplus K_9[44] \oplus K_8[22] \oplus K_6[22] \oplus K_5[44] \oplus K_4[22] \oplus K_2[22]$$


12 Principle of the attack (Cont')
- First, we solve these equations to derive some of the secret key bits
- Considerations
  - How much memory is required?
  - How many secret key bits can be derived?
- Effective text/key bits
  - The bits which affect the left side of each equation

13 Principle of the attack (Cont')

14 Principle of the attack (Cont')
- From each equation, we find 13 secret key bits
  - 12 effective key bits + one bit of the right side
  - Using just 13 text bits (plaintext + ciphertext)
- Total: 26 secret key bits
  - Using 26 text bits
- Substituting an incorrect key value for $K_1$, $K_{16}$…
  - P(the left side = 0) ≒ 1/2
  - So, we count #(left side = 0) for each key candidate

15 Principle of the attack (Cont')
[ Algorithms for breaking 16-round DES ]
- Data Counting Phase of the first equation
  - Prepare $2^{13}$ counters $TA_a$ ($0 \le a < 2^{13}$), where $a$ corresponds to each value of the 13 effective text bits
  - For each plaintext and corresponding ciphertext, compute the value of the effective text bits ($= a$) and increment $TA_a$ by one.

16 Principle of the attack (Cont')
- Key Counting Phase of the first equation
  - Prepare $2^{12}$ counters $KA_b$ ($0 \le b < 2^{13}$), where $b$ corresponds to each value of the 12 effective key bits.
  - For each $b$, $KA_b$ is the sum of the $TA_a$ for which the left side of the first equation (uniquely determined by $a$ and $b$) equals zero.
  - Rearrange the $KA_b$ in order of $|KA_b - N/2|$ and rename them $KAc_b$ ($0 \le c < 2^{12}$). Then, for each $c$:
    - If $(KAc_b - N/2) \le 0$, guess that the right side of the equation is 0.
    - If $(KAc_b - N/2) > 0$, guess that the right side of the equation is 1.
- The second equation can be solved in the same manner.

17 Principle of the attack (Cont')
- Total of 26 secret key bits (after the PC-1)
  - K[0], K[1], K[3], K[4], K[8], K[9], K[14], K[15], K[18], K[19], K[24], K[25], K[31], K[32], K[38], K[39], K[41], K[42], K[44], K[45], K[50], K[51], K[54], K[55],
  - $K[5] \oplus K[13] \oplus K[17] \oplus K[20] \oplus K[46]$,
  - $K[2] \oplus K[7] \oplus K[11] \oplus K[22] \oplus K[26] \oplus K[37] \oplus K[52]$
- Exhaustive Search Phase (finding the remaining 30 key bits)
  - Let $W_m$ ($m = 0, 1, 2, \ldots$) be a series of candidates for the 26 key bits arranged in order of their reliability
  - For each $W_m$, search for the remaining key bits until the correct value is found
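The data counting, key counting and candidate ranking steps above, as an added example that is not code from the paper or the presentation. It runs them on a constructed 4-bit toy cipher (not DES); the cipher, the masks ALPHA and BETA, the keys and all function names are assumptions made for illustration, and the S-box is the first row of DES S1.

```python
# Toy cipher constructed for this example (NOT DES), 4-bit blocks:
#   c = S[S[p ^ K0] ^ K1] ^ K2
SBOX = [0xE, 4, 0xD, 1, 2, 0xF, 0xB, 8, 3, 0xA, 6, 0xC, 5, 9, 0, 7]
SINV = [SBOX.index(y) for y in range(16)]
# ALPHA.x ^ BETA.S[x] = 0 holds for only 2 of 16 inputs, so p = 1/8 < 1/2,
# the same sign of bias as the DES equations on the slides.
ALPHA, BETA = 0x3, 0x9

def parity(x):
    return bin(x).count("1") & 1

def encrypt(p, k0, k1, k2):
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2

def left_side(a, b):
    """Left side of ALPHA.P ^ BETA.Sinv[C ^ K2] = ALPHA.K0 ^ BETA.K1.
    a: 5 effective text bits = (parity of masked plaintext bits, ciphertext)
    b: 4 effective key bits  = guess for the last-round key K2"""
    return (a >> 4) ^ parity(BETA & SINV[(a & 0xF) ^ b])

def data_counting(pairs):
    """Phase 1: one pass over the known texts, TA[a] += 1."""
    ta = [0] * 32
    for p, c in pairs:
        ta[(parity(ALPHA & p) << 4) | c] += 1
    return ta

def key_counting(ta):
    """Phase 2: KA[b] = sum of TA[a] whose left side is 0 under guess b.
    Cost is 2^5 * 2^4 table steps, independent of the number of texts."""
    return [sum(t for a, t in enumerate(ta) if left_side(a, b) == 0)
            for b in range(16)]

def rank_candidates(ka, n):
    """Most reliable first (largest |KA_b - N/2|); since p < 1/2,
    KA_b - N/2 <= 0 means the right side is guessed to be 0, else 1."""
    order = sorted(range(16), key=lambda b: -abs(ka[b] - n / 2))
    return [(b, 0 if ka[b] - n / 2 <= 0 else 1) for b in order]

def demo():
    k0, k1, k2 = 0xD, 0x9, 0x6           # constructed keys
    pairs = [(p, encrypt(p, k0, k1, k2)) for p in range(16)]
    ka = key_counting(data_counting(pairs))
    return ka, rank_candidates(ka, len(pairs))
```

With these keys the true last-round key 0x6 is the only candidate whose count deviates from N/2 by 6, and the guessed right-side bit 1 equals ALPHA.K0 ⊕ BETA.K1. On a block this small a wrong candidate can tie for other key choices, which is the case the ranked exhaustive search is there to absorb.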

18 Success Rate and Complexity
- DES reduced to 8 rounds
  - Left side of the equation is essentially the same
  - Best 6-round expression (6) (7)

19 Success Rate and Complexity (cont')
- Full 16-round DES to 8-round DES
  - Equation of number of N random plaintexts, success rate
  - Depend on

20 Success Rate and Complexity (cont')
- Full 16-round DES to 8-round DES
  - Lemma 1.
    - Let N be the number of given random plaintexts and p be the probability that the following eq holds.
    - Assuming $|p - 1/2|$ is small

21 Success Rate and Complexity (cont')
- Full 16-round DES to 8-round DES
  - 8-round DES
  - 16-round DES

22 Success Rate and Complexity (cont')
- Full 16-round DES to 8-round DES
  - Lemma 1.
    - Success rate of our attack on 8-round DES with $N_8$
    - Same as that on 16-round DES with $N_{16}$ plaintexts
    - equivalent to

23 Success Rate and Complexity (cont')
- Computer experiments in solving eq. (6)
  - 100,000 times to estimate (4)

24 Success Rate and Complexity (cont')

25 The Computer Experiment
- First computer experiment in breaking DES
- Implemented in software only
  - C and assembly languages, 1000 lines
  - 1 Mbyte in running

26 The Computer Experiment (cont')

27 The Computer Experiment (cont')

28 Concluding Remarks
- Improvement of linear cryptanalysis
- Presented the first successful experiment
  - Breaking full 16-round DES
  - Remaining 30 key bits: also possible
- Results in fig. 2 and fig. 3: simple function, formalized
  - A new combination will be more effective

29 Nowadays
- EFF built DES attack hardware in 1998
  - Decoding in 56 hours (56-bit key)
  - 22 hours in 1999
- Keys of more than 128 bits are safe at present.

30 References
- National Bureau of Standards: Data Encryption Standard. (1977)
- Matsui, M.: Linear Cryptanalysis Method for DES cipher. Matsui, M.: On correlation between the order of S-boxes and the strength of DES. (1993)
- Matsui, M.: On correlation between the order of S-boxes and the strength of DES. (1994)
- Hellman, M., Merkle, R., Schroeppel, R., Washington, L., Diffie, W., Pohlig, S., Schweizer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard. (1976)
- Shamir, A.: On the security of DES. (1985)
- Davies, D., Murphy, S.: Pairs and triplets of DES S-boxes. (preprint)
- Rueppel, R.A.: Analysis and design of stream ciphers. (1986)
- Kim, Kwangjo: A commentary on the linear cryptanalysis of DES (3). Korea Institute of Information Security and Cryptology, journal of the institute (通信情報保護學會誌), Vol. 4, No. 1, March 1994, pp. 30-43 (14 pages)

31 Any questions?
Korex527 at gmail.com
Betelgs at chol.com

