Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Block Cipher Cryptanalysis: An Overview

Subhabrata Samajder

Indian Statistical Institute, Kolkata 17th May, 2017

0/52

slide-2
SLIDE 2

Iterated Block Cipher

Outline

1. Iterated Block Cipher
2. S-Boxes
3. A Basic Substitution Permutation Network
4. Linear Cryptanalysis
5. Differential Cryptanalysis
6. Appendix

0/52


slide-4
SLIDE 4

Iterated Block Cipher

Iterated Block Cipher

A block cipher is a function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ such that for each $K \in \{0,1\}^k$, the function $E_K(\cdot) = E(K, \cdot)$ is a permutation of $\{0,1\}^n$. The n-bit input to the block cipher is called the plaintext, and the n-bit output of the block cipher is called the ciphertext. The k-bit quantity K is called the secret key.

2/52


slide-6
SLIDE 6

Iterated Block Cipher

Iterated Block Cipher (Cont.)

Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds. The secret key is expanded using a function called the Key Scheduling Algorithm (KSA), to obtain the round keys.

3/52


slide-8
SLIDE 8

Iterated Block Cipher Designs

Substitution-Permutation Network (SPN)

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Plaintext bits P1 ... P16 pass through Rounds 1 to 4; round i consists of sub-key k(i) mixing followed by S-boxes Si1 ... Si4, and a final sub-key k(5) mixing produces ciphertext bits C1 ... C16.]

4/52


slide-12
SLIDE 12

Iterated Block Cipher Designs

Substitution-Permutation Network (SPN) (Cont.)

The substitution must be a bijection to ensure decryption.

Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order.

Note that some ciphers, like Khazad, use an involution (f(f(x)) = x) to make encryption and decryption look similar.

Examples: AES (Rijndael), 3-Way, PRESENT, SAFER, SHARK, Square, etc.

5/52

slide-13
SLIDE 13

Iterated Block Cipher Designs

Feistel Cipher

[Figure: Encryption and Decryption Network of a Basic Feistel Cipher (Courtesy: Wikipedia). Encryption takes the plaintext halves L0, R0 through the round function F with round keys k(0), k(1), ..., k(r) to the ciphertext halves R(r+1), L(r+1); decryption runs the same network with the keys in the order k(r), k(r−1), ..., k(0).]

6/52

slide-14
SLIDE 14

Iterated Block Cipher Designs

Feistel Cipher vs. SPN

The main advantage of the Feistel design is that encryption and decryption are very similar, even identical in some cases, requiring only a reversal of the key schedule. One advantage of the Feistel cipher over an SPN is that, unlike in an SPN, the round function F need not be invertible.

7/52

slide-15
SLIDE 15

Iterated Block Cipher Designs

Feistel Cipher: Variants and Examples

Unbalanced Feistel cipher: the two halves are unequal in length.

Generalised Feistel cipher: the plaintext is divided into more than two parts.

Examples: RC6, Skipjack, etc.

Other examples: Blowfish, DES, FEAL, RC5, LOKI, etc.

8/52

slide-16
SLIDE 16

Iterated Block Cipher Designs

Lai Massey

[Figure: Encryption and Decryption Network of a Basic Lai-Massey Scheme (Courtesy: Wikipedia). Encryption takes the plaintext halves L0, R0 through rounds built from F with round keys k(0), k(1), ..., k(r), the operation ⊞ and the function H; decryption uses the keys in the order k(r), k(r−1), ..., k(0) with ⊟ and H−1.]

9/52

slide-17
SLIDE 17

Iterated Block Cipher Designs

Lai Massey (Cont.)

The security properties of the Lai-Massey scheme are similar to those of the Feistel structure. Like the Feistel cipher, it also shares the advantage that the round function F need not be invertible. Example: IDEA.

10/52

slide-18
SLIDE 18

Iterated Block Cipher Designs

We will be considering SPN type block ciphers.

11/52



slide-26
SLIDE 26

Iterated Block Cipher Attacks

Attacks

Algebraic Attacks

  • Buchberger’s Algorithm
  • Linearization Technique
  • Relinearization Technique
  • The XL algorithm (XL - eXtended Linearization)

Slide Attack and Advanced Slide Attack

. . .

12/52


slide-34
SLIDE 34

Iterated Block Cipher Attacks

Attacks (Cont.)

Statistical Attacks

  • Distinguishing Attacks
  • Linear Cryptanalysis and variants like
      • Zero-correlation attack
  • Differential Cryptanalysis and variants like
      • Higher Order Differentials
      • Truncated Differential Cryptanalysis
      • Impossible Differential Cryptanalysis
      • Improbable Differential Cryptanalysis
      • Boomerang Attack
      • Cube Attack

Other Attacks

  • Differential-linear attack
  • The Integral or Square attack
  • The Saturation attack
  • . . .

13/52



slide-38
SLIDE 38

S-Boxes

S-Boxes

Boolean Function: An m-variable Boolean function is a map $g : \mathbb{F}_2^m \to \mathbb{F}_2$.

S-Boxes: An (m, n) S-Box (or vectorial function) is a map $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$. An S-Box $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ has component functions $f_1, \ldots, f_m$, where each $f_i : \mathbb{F}_2^n \to \mathbb{F}_2$.

15/52


slide-41
SLIDE 41

A Basic Substitution Permutation Network

SPN

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Plaintext bits P1 ... P16 pass through Rounds 1 to 4; round i consists of sub-key k(i) mixing followed by S-boxes Si1 ... Si4, and a final sub-key k(5) mixing produces ciphertext bits C1 ... C16.]

17/52


slide-44
SLIDE 44

A Basic Substitution Permutation Network

Substitution

16-bit data block broken into four 4-bit sub-blocks. Each sub-block forms an input to a 4 × 4 S-Box. The S-Box is a highly non-linear mapping. Assume that all the S-Boxes are the same.

Input:   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
Output:  E  4  D  1  2  F  B  8  3  A  6  C  5  9  0  7

18/52

slide-45
SLIDE 45

A Basic Substitution Permutation Network

Permutation

Input:    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Output:   1  5  9 13  2  6 10 14  3  7 11 15  4  8 12 16

19/52


slide-47
SLIDE 47

A Basic Substitution Permutation Network

Key Mixing & Decryption

Key Mixing: Bit-wise exclusive-OR. Assume that the sub-keys are independently generated and unrelated, rather than being generated from a master key using the KSA.

Decryption: Also an SPN. The S-boxes are the inverses of the encryption S-boxes. The sub-keys are applied in reverse order, and their bits are moved around according to the permutation.

20/52



slide-53
SLIDE 53

Linear Cryptanalysis

Goal

The main aim in linear cryptanalysis is to find linear expressions of the form

$$X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0,$$

which have a high or low probability of occurrence. Let

$$p_L = \Pr[X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0];$$

then the linear probability bias is $b_L = |p_L - \tfrac{1}{2}|$.

Linear cryptanalysis tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits. It is a known plaintext attack.

22/52


slide-55
SLIDE 55

Linear Cryptanalysis

Notations

P and C denote the 16-bit plaintext and ciphertext, respectively. $X_i$ denotes the ith bit of the input $X = [X_1, X_2, X_3, X_4]$ to the S-box. $Y_i$ denotes the ith bit of the output $Y = [Y_1, Y_2, Y_3, Y_4]$ of the S-box.

[Figure: S-box Mapping (Courtesy: Heys’s Tutorial). An S-box with input bits X1 ... X4 and output bits Y1 ... Y4.]

23/52


slide-57
SLIDE 57

Linear Cryptanalysis

Notations (Cont.)

$U^{(i)}$ represents the input to the ith round S-box and $U^{(i)}_j$ represents the jth bit of block $U^{(i)}$. $V^{(i)}$ represents the output of the ith round S-box and $V^{(i)}_j$ represents the jth bit of block $V^{(i)}$. Let $k^{(i)}$ represent the ith round key.

24/52

slide-58
SLIDE 58

Linear Cryptanalysis

Piling-Up Lemma

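Piling-Up Lemma (Matsui): For n independent, random binary variables $X_1, X_2, \ldots, X_n$,

$$\Pr[X_1 \oplus \cdots \oplus X_n = 0] = \frac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \varepsilon_i,$$

or, equivalently,

$$\varepsilon_{1,2,\ldots,n} = 2^{n-1} \prod_{i=1}^{n} \varepsilon_i,$$

where $\varepsilon_{1,2,\ldots,n}$ represents the bias of $X_1 \oplus \cdots \oplus X_n = 0$.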

25/52


slide-61
SLIDE 61

Linear Cryptanalysis

How to construct such linear expressions?

This is done by considering the cipher’s non-linear components. In this case, the S-Box.

26/52

slide-62
SLIDE 62

Linear Cryptanalysis

S-Box Analysis

[Table: one row per S-box input, with columns X1 X2 X3 X4, Y1 Y2 Y3 Y4, X2 ⊕ X3, Y1 ⊕ Y3 ⊕ Y4, X1 ⊕ X4, Y2, X3 ⊕ X4 and Y1 ⊕ Y4.]

Table : Sample Difference Pairs of the S-box.

27/52

slide-63
SLIDE 63

Linear Cryptanalysis

S-Box Analysis (cont.)

[Table: signed entries indexed by Input Mask in Hexadecimal and Output Mask in Hexadecimal.]

Table : Linear Approximation Table of the S-box Represented by Table.

28/52

slide-64
SLIDE 64

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher

A linear approximation of the overall cipher is achieved by concatenating linear approximations of appropriate S-boxes. By constructing a linear approximation involving plaintext bits and the data bits from the output of the second last round, it is possible to attack the cipher by recovering a subset of the subkey bits that follow the last round.

29/52

slide-65
SLIDE 65

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher (cont.)

[Figure: Sample Linear Approximation (Courtesy: Heys’s Tutorial). A trail through the S-boxes S11 ... S44 over Rounds 1 to 4, involving plaintext bits P5, P7, P8, bits of the round keys k(1) to k(4), the round-4 S-box input bits U(4)6, U(4)8, U(4)14, U(4)16, and the sub-key bits k(5)5 ... k(5)8 and k(5)13 ... k(5)16.]

30/52

slide-66
SLIDE 66

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher (cont.)

We use the following approximations of the S-box:

  • S12: $X_1 \oplus X_3 \oplus X_4 = Y_2$ with probability 12/16 and bias +1/4
  • S22: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias −1/4
  • S32: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias −1/4
  • S34: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias −1/4

31/52

slide-67
SLIDE 67

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher (cont.)

Notice that $U^{(1)} = P \oplus k^{(1)}$. For S12, we have

$$V^{(1)}_6 = U^{(1)}_5 \oplus U^{(1)}_7 \oplus U^{(1)}_8 = (P_5 \oplus K_{1,5}) \oplus (P_7 \oplus K_{1,7}) \oplus (P_8 \oplus K_{1,8}).$$

This holds with probability 3/4.

32/52

slide-68
SLIDE 68

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher (cont.)

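Continuing . . .

$$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8 \oplus \Sigma_K = 0,$$

where

$$\Sigma_K = K_{1,5} \oplus K_{1,7} \oplus K_{1,8} \oplus K_{2,6} \oplus K_{3,6} \oplus K_{3,14} \oplus K_{4,6} \oplus K_{4,8} \oplus K_{4,14} \oplus K_{4,16}.$$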

33/52

slide-69
SLIDE 69

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher (cont.)

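$\Sigma_K$ is fixed to either 0 or 1 depending on the key of the cipher. Using the piling-up lemma,

$$p_L = \frac{1}{2} + 2^3 \left(\frac{3}{4} - \frac{1}{2}\right) \left(\frac{1}{4} - \frac{1}{2}\right)^3 = \frac{15}{32}.$$

Therefore, $b_L = -\frac{1}{32}$.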

34/52

slide-70
SLIDE 70

Linear Cryptanalysis

Constructing Linear Approximation For The Complete Cipher (cont.)

Depending on whether $\Sigma_K = 0$ or 1, the expression

$$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8 = 0$$

holds with either probability $p_L = \frac{15}{32}$ or $1 - p_L = \frac{17}{32}$.

35/52
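The S-box biases and the piling-up computation above can be reproduced from the S-box table of the slides. The following is an added example, not code from the original presentation; the function names are assumptions, and masks are written with X1/Y1 as the most significant bit.

```python
from fractions import Fraction

# S-box of the slides' basic SPN: SBOX[input] = output.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    """lat[a][b] = #{x : <a,x> = <b,S(x)>} - 8 for a 4-bit S-box."""
    lat = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for b in range(16):
            matches = sum(parity(x & a) == parity(sbox[x] & b)
                          for x in range(16))
            lat[a][b] = matches - 8
    return lat


def piling_up(biases):
    """Signed bias of the XOR of independent approximations."""
    total = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        total *= e
    return total


# Active S-boxes of the trail in the slides: (name, input mask, output mask).
# X1 ^ X3 ^ X4 -> 0b1011, Y2 -> 0b0100, X2 -> 0b0100, Y2 ^ Y4 -> 0b0101.
TRAIL = [("S12", 0b1011, 0b0100),
         ("S22", 0b0100, 0b0101),
         ("S32", 0b0100, 0b0101),
         ("S34", 0b0100, 0b0101)]


def trail_bias(sbox=SBOX, trail=TRAIL):
    """Signed bias of the whole trail, assuming independent S-boxes."""
    lat = linear_approximation_table(sbox)
    return piling_up([Fraction(lat[a][b], 16) for _, a, b in trail])


def trail_probability(sbox=SBOX, trail=TRAIL):
    """p_L = 1/2 + bias of the trail."""
    return Fraction(1, 2) + trail_bias(sbox, trail)


def max_nontrivial_entry(lat):
    """Largest |entry| outside lat[0][0]; a designer wants this small."""
    return max(abs(lat[a][b]) for a in range(16) for b in range(16)
               if (a, b) != (0, 0))


if __name__ == "__main__":
    lat = linear_approximation_table(SBOX)
    for name, a, b in TRAIL:
        print(name, f"in={a:X} out={b:X}",
              "prob", Fraction(lat[a][b] + 8, 16),
              "bias", Fraction(lat[a][b], 16))
    print("trail bias:", trail_bias(), "p_L:", trail_probability())
    print("largest |LAT entry|:", max_nontrivial_entry(lat))
```

The last function is the design-side view of the same table: the smaller the largest non-trivial entry, the more active S-boxes a trail needs before its bias becomes usable.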


slide-72
SLIDE 72

Linear Cryptanalysis

Extracting Key Bits

Once an r − 1 round linear approximation is discovered for a cipher of r rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example r = 4. We shall refer to the bits to be recovered from the last sub-key as the target partial sub-key. In our example these are $k^{(5)}_5, k^{(5)}_6, k^{(5)}_7, k^{(5)}_8, k^{(5)}_{13}, k^{(5)}_{14}, k^{(5)}_{15}, k^{(5)}_{16}$.

36/52


slide-74
SLIDE 74

Linear Cryptanalysis

Extracting Key Bits: Algorithm

Generate about $1/b_L^2$ many known plaintext/ciphertext pairs.

Assume that we have 10000 plaintext/ciphertext pairs encrypted under a particular key.

37/52


slide-80
SLIDE 80

Linear Cryptanalysis

Extracting Key Bits: Algorithm (Cont.)

For each of the 256 possible values of $K_{5,5}, K_{5,6}, K_{5,7}, K_{5,8}, K_{5,13}, K_{5,14}, K_{5,15}, K_{5,16}$, do the following:

  • For each plaintext/ciphertext pair, exclusive-OR the partial ciphertext $[C_5, \ldots, C_8, C_{13}, \ldots, C_{16}]$ with the guessed key value.
  • Do an inverse substitution (S-Box$^{-1}$) to get $U^{(4)}_6, U^{(4)}_8, U^{(4)}_{14}, U^{(4)}_{16}$.
  • Count the number of plaintext/ciphertext pairs that satisfy the 4-round linear approximation.
  • Find the |bias| = |count − 5000| / 10000.

Select the guess with the maximum bias as our target sub-key.

38/52
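The basic SPN described earlier (S-box, bit permutation, XOR key mixing, decryption by inversion) and the key-extraction procedure above fit in one short program. This is an added example, not code from the original presentation; the function names, the random round keys and the seed are assumptions, and the counting is grouped by the few bits the approximation actually uses so that all 256 guesses are scored quickly.

```python
import random
from collections import Counter

# S-box and bit permutation of the slides' basic SPN (bit 1 = leftmost bit).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(y) for y in range(16)]
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]


def parity(v):
    return bin(v).count("1") & 1


def substitute(block, box):
    """Apply a 4-bit box to each of the four nibbles of a 16-bit block."""
    return sum(box[(block >> s) & 0xF] << s for s in (12, 8, 4, 0))


def permute(block):
    """Move bit i to position PERM[i-1]; this permutation is its own inverse."""
    out = 0
    for i, p in enumerate(PERM, start=1):
        if (block >> (16 - i)) & 1:
            out |= 1 << (16 - p)
    return out


def encrypt(plaintext, keys):
    """Rounds 1-3: key mix, S-boxes, permutation. Round 4: key mix, S-boxes, k(5)."""
    x = plaintext
    for r in range(3):
        x = permute(substitute(x ^ keys[r], SBOX))
    return substitute(x ^ keys[3], SBOX) ^ keys[4]


def decrypt(ciphertext, keys):
    """Inverse S-boxes, inverse permutation, round keys in reverse order."""
    x = substitute(ciphertext ^ keys[4], INV_SBOX) ^ keys[3]
    for r in (2, 1, 0):
        x = substitute(permute(x), INV_SBOX) ^ keys[r]
    return x


def target_bits(k5):
    """Bits 5-8 and 13-16 of the last sub-key, packed as one byte."""
    return ((k5 >> 8) & 0xF) << 4 | (k5 & 0xF)


def linear_attack(pairs):
    """Return {guess: |bias|} for U4,6^U4,8^U4,14^U4,16^P5^P7^P8 = 0."""
    n = len(pairs)
    # Only P5^P7^P8 and ciphertext nibbles 2 and 4 matter, so tally those.
    tally = Counter((parity((p >> 8) & 0b1011), (c >> 8) & 0xF, c & 0xF)
                    for p, c in pairs)
    scores = {}
    for guess in range(256):
        hi, lo = guess >> 4, guess & 0xF
        count = 0
        for (p_bit, c2, c4), seen in tally.items():
            u2 = INV_SBOX[c2 ^ hi]   # U(4) bits 5..8 under this guess
            u4 = INV_SBOX[c4 ^ lo]   # U(4) bits 13..16 under this guess
            if (p_bit ^ parity(u2 & 0b0101) ^ parity(u4 & 0b0101)) == 0:
                count += seen
        scores[guess] = abs(count - n / 2) / n
    return scores


if __name__ == "__main__":
    rng = random.Random(2017)                      # constructed test key
    keys = [rng.randrange(1 << 16) for _ in range(5)]
    pairs = [(p, encrypt(p, keys))
             for p in (rng.randrange(1 << 16) for _ in range(10000))]
    scores = linear_attack(pairs)
    ranked = sorted(scores, key=scores.get, reverse=True)
    print("true target sub-key: 0x%02X" % target_bits(keys[4]))
    for g in ranked[:5]:
        print("guess 0x%02X  |bias| = %.4f" % (g, scores[g]))
```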


slide-82
SLIDE 82

Linear Cryptanalysis

Experimental Results (Partial)

Target sub-key in hexadecimal: $[k^{(5)}_5, \ldots, k^{(5)}_8, k^{(5)}_{13}, \ldots, k^{(5)}_{16}]$.

Target Sub-key   |bias|     Target Sub-key   |bias|
0x1C             0.0031     0x2A             0.0044
0x1D             0.0078     0x2B             0.0186
0x1E             0.0071     0x2C             0.0094
0x1F             0.0170     0x2D             0.0053
0x20             0.0025     0x2E             0.0062
0x21             0.0220     0x2F             0.0133
0x22             0.0211     0x30             0.0027
0x23             0.0064     0x31             0.0050
0x24             0.0336     0x32             0.0075
0x25             0.0106     0x33             0.0162
0x26             0.0096     0x34             0.0218
0x27             0.0074     0x35             0.0052
0x28             0.0224     0x36             0.0056
0x29             0.0054     0x37             0.0048

Table : Experimental Result (Partial) for Linear Attack.

Note that the experimental bias = 0.0336 is very close to the expected value of 1/32 = 0.03125.

39/52


slide-87
SLIDE 87

Linear Cryptanalysis

Summary

Linear Cryptanalysis: Approximate r − 1 rounds of an r-round block cipher by a linear function, which deviates “substantially” from uniform.

  • This is done by careful structural analysis of the block cipher.

Use this deviation to extract information about the secret key (target sub-key) in time faster than brute force.

Prevention:

  • Wide trail strategy.
  • “Stronger” S-boxes or non-linear function.
  • . . .

40/52



slide-94
SLIDE 94

Differential Cryptanalysis

Idea

In an ideally randomizing cipher, the probability that a particular output difference ∆Y occurs, given a particular input difference ∆X, is $1/2^n$, where n is the number of bits.

Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack. Using the highly likely differential characteristics gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys.

In order to determine a high probability difference pair, we consider the input-output differences of the S-Boxes.

42/52

slide-95
SLIDE 95

Differential Cryptanalysis

Notations

Let $X^1, X^2 \in \{0,1\}^n$. Define $\Delta X = X^1 \oplus X^2$. Let $\Delta X = [\Delta X_1, \ldots, \Delta X_n]$.

A differential (∆X, ∆Y): for a given input difference ∆X, ∆Y is the difference in output.

Differential Characteristics: A sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round.

43/52

slide-96
SLIDE 96

Differential Cryptanalysis

Sample Difference Pairs of the S-BOX

                ∆Y for     ∆Y for     ∆Y for
X      Y        ∆X = 1011  ∆X = 1000  ∆X = 0100
0000   1110     0010       1101       1100
0001   0100     0010       1110       1011
0010   1101     0111       0101       0110
0011   0001     0010       1011       1001
0100   0010     0101       0111       1100
0101   1111     1111       0110       1011
0110   1011     0010       1011       0110
0111   1000     1101       1111       1001
1000   0011     0010       1101       0110
1001   1010     0111       1110       0011
1010   0110     0010       0101       0110
1011   1100     0010       1011       1011
1100   0101     1101       0111       0110
1101   1001     0010       0110       0011
1110   0000     1111       1011       0110
1111   0111     0101       1111       1011

Table : Sample Difference Pairs of the S-box.

44/52

slide-97
SLIDE 97

Differential Cryptanalysis

Difference Distribution Table

[Table: entries indexed by Input Difference in Hexadecimal and Output Difference in Hexadecimal.]

Table : Difference Distribution Table for the S-box Represented by Table.

45/52

slide-98
SLIDE 98

Differential Cryptanalysis

Keyed S-BOX

[Figure labels: S-box with W1 ... W4, key bits K1 ... K4, S-box inputs X1 ... X4 and outputs Y1 ... Y4.]

Figure : Keyed S-box.

46/52

slide-99
SLIDE 99

Differential Cryptanalysis

Sample Differential Cryptanalysis

[Figure: Sample Differential Characteristic. The input difference ∆P = [0000, 1011, 0000, 0000] is followed through the S-boxes S11 ... S44 over Rounds 1 to 4 to the differences ∆U(4)5 ... ∆U(4)8 and ∆U(4)13 ... ∆U(4)16, which sit above the sub-key bits k(5)5 ... k(5)8 and k(5)13 ... k(5)16.]

47/52

slide-101
SLIDE 101

Differential Cryptanalysis

Probability of the Differential Characteristics

Active S-Boxes:

  • S12 : ∆X = B → ∆Y = 2 with probability 8/16
  • S23 : ∆X = 4 → ∆Y = 6 with probability 6/16
  • S32 : ∆X = 2 → ∆Y = 5 with probability 6/16
  • S33 : ∆X = 2 → ∆Y = 5 with probability 6/16

Probability of the Differential Characteristics: pD = product of the differentials of the active S-Boxes = (8/16) × (6/16)^3 = 27/1024.
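Added example (not from the slides): the Python sketch below rebuilds the difference distribution table from the S-box given in the sample difference pair table and multiplies the differentials of the four active S-boxes to reproduce pD = 27/1024. The function names and the differential-uniformity check (the largest non-trivial table entry, which a cipher designer wants to be small) are this example's own.

```python
from fractions import Fraction

# S-box taken from the Y column of the sample difference pair table (X = 0x0..0xF).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt

def characteristic_probability(ddt, active):
    """Product of the active S-box differential probabilities.

    Treats the S-boxes as independent, as the slide's formula does.
    """
    p = Fraction(1)
    for dx, dy in active:
        p *= Fraction(ddt[dx][dy], len(ddt))
    return p

def differential_uniformity(ddt):
    """Largest entry outside the trivial dx = 0 row."""
    return max(max(row) for row in ddt[1:])

DDT = difference_distribution_table(SBOX)
# (input difference, output difference) for S12, S23, S32, S33 as listed above.
ACTIVE = [(0xB, 0x2), (0x4, 0x6), (0x2, 0x5), (0x2, 0x5)]
P_D = characteristic_probability(DDT, ACTIVE)

if __name__ == "__main__":
    print("     " + " ".join(f"{dy:2X}" for dy in range(16)))
    for dx, row in enumerate(DDT):
        print(f"{dx:2X}:  " + " ".join(f"{c:2d}" for c in row))
    print("p_D =", P_D, "=", round(float(P_D), 4))
    print("1/p_D =", round(float(1 / P_D), 1), "pairs")
    print("differential uniformity =", differential_uniformity(DDT))
```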

48/52

slide-102
SLIDE 102

Differential Cryptanalysis

Extracting Key Bits : Algorithm

Generate about 1/pD chosen plaintext/ciphertext pairs satisfying the input difference. Assume that we have 5000 such pairs.

49/52

slide-107
SLIDE 107

Differential Cryptanalysis

Extracting Key Bits : Algorithm (Cont.)

For each of the 256 possible values of K(5)_5, K(5)_6, K(5)_7, K(5)_8, K(5)_13, K(5)_14, K(5)_15, K(5)_16, we do the following:

  • For each pair of plaintext/ciphertext pairs, exclusive-OR the partial ciphertext (C5, . . . , C8, C13, . . . , C16) with the guessed key value.

  • Do an inverse substitution (S-Box^-1) to get U(4)_6, U(4)_8, U(4)_14, U(4)_16.

  • Count the number of pairs of plaintext/ciphertext pairs that satisfy our differential characteristics and then find the prob = count/5000.

Select the one which has the maximum ‘prob’ as our target partial key.

50/52

slide-109
SLIDE 109

Differential Cryptanalysis

Experimental Results (Partial)

Target Sub-key in Hexadecimal [k(5)_5, . . . , k(5)_8, k(5)_13, . . . , k(5)_16] and Empirical Probability (two column pairs):

Target Sub-key  Empirical Probability    Target Sub-key  Empirical Probability
0x1C            0.0000                   0x2A            0.0032
0x1D            0.0000                   0x2B            0.0022
0x1E            0.0000                   0x2C            0.0000
0x1F            0.0000                   0x2D            0.0000
0x20            0.0000                   0x2E            0.0000
0x21            0.0136                   0x2F            0.0000
0x22            0.0068                   0x30            0.0004
0x23            0.0068                   0x31            0.0000
0x24            0.0244                   0x32            0.0004
0x25            0.0000                   0x33            0.0004
0x26            0.0068                   0x34            0.0000
0x27            0.0068                   0x35            0.0004
0x28            0.0030                   0x36            0.0000
0x29            0.0024                   0x37            0.0008

Table : Experimental Result (Partial) for Differential Attack.

Note that the experimental value of the probability, 0.0244, is very close to the expected value of 27/1024 = 0.0264.

51/52

slide-112
SLIDE 112

Appendix

References

1. A Tutorial on Linear and Differential Cryptanalysis by Howard M. Heys.

2. Wikipedia.

52/52

slide-113
SLIDE 113

Appendix

Thank you for your kind attention!

52/52