block cipher cryptanalysis an overview
play

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian - PowerPoint PPT Presentation

Sep 19, 2022 •435 likes •1.58k views

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

  1. A Basic Substitution Permutation Network Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear Cryptanalysis 4 Differential Cryptanalysis 5 Appendix 6 15/52

  2. A Basic Substitution Permutation Network Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear Cryptanalysis 4 Differential Cryptanalysis 5 Appendix 6 16/52

  3. A Basic Substitution Permutation Network SPN P 1 . . . . . . P 16 Plaintext Sub-key k (1) Mixing S 11 S 12 S 13 S 14 Round 1 Sub-key k (2) Mixing S 21 S 22 S 23 S 24 Round 2 Sub-key k (3) Mixing S 31 S 32 S 33 S 34 Round 3 Sub-key k (4) Mixing Round 4 S 41 S 42 S 43 S 44 Sub-key k (5) Mixing C 1 . . . Ciphertext . . . C 16 Figure : A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys’s Tutorial). 17/52

  4. A Basic Substitution Permutation Network Substitution 16-bit data block broken into four 4-bit sub-blocks. 18/52

  5. A Basic Substitution Permutation Network Substitution 16-bit data block broken into four 4-bit sub-blocks. Each sub-block forms an input to a 4 × 4 S-Box. S-Box is a highly non-linear mapping. Assume that all the S-Boxes are the same. 18/52

  6. A Basic Substitution Permutation Network Substitution 16-bit data block broken into four 4-bit sub-blocks. Each sub-block forms an input to a 4 × 4 S-Box. S-Box is a highly non-linear mapping. Assume that all the S-Boxes are the same. Input 0 1 2 3 4 5 6 7 Output E 4 D 1 2 F B 8 Input 8 9 A B C D E F Output 3 A 6 C 5 9 0 7 18/52

  7. A Basic Substitution Permutation Network Permutation Input 1 2 3 4 5 6 7 8 Output 1 5 9 13 2 6 10 14 Input 9 10 11 12 13 14 15 16 Output 3 7 11 15 4 8 12 16 19/52

  8. A Basic Substitution Permutation Network Key Mixing & Decryption Key Mixing Bit-wise exclusive-OR. Assume, that subkeys are independently generated and unrelated, rather than being generated from master key using KSA. 20/52

  9. A Basic Substitution Permutation Network Key Mixing & Decryption Key Mixing Bit-wise exclusive-OR. Assume, that subkeys are independently generated and unrelated, rather than being generated from master key using KSA. Decryption Also an SPN. S-boxes are the inverse of the encryption S-boxes. The sub-keys are applied in the reverse order and is moved around according to the permutation. 20/52

  10. Linear Cryptanalysis Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear Cryptanalysis 4 Differential Cryptanalysis 5 Appendix 6 20/52

  11. Linear Cryptanalysis Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear Cryptanalysis 4 Differential Cryptanalysis 5 Appendix 6 21/52

  12. Linear Cryptanalysis Goal The main aim in linear cryptanalysis is to find linear expressions of the form X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0 , which have a high or low probability of occurrence. 22/52

  13. Linear Cryptanalysis Goal The main aim in linear cryptanalysis is to find linear expressions of the form X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0 , which have a high or low probability of occurrence. Let, p L = Pr [ X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0] , then linear probability bias b L = | p L − 1 2 | . 22/52

  14. Linear Cryptanalysis Goal The main aim in linear cryptanalysis is to find linear expressions of the form X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0 , which have a high or low probability of occurrence. Let, p L = Pr [ X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0] , then linear probability bias b L = | p L − 1 2 | . Tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits. 22/52

  15. Linear Cryptanalysis Goal The main aim in linear cryptanalysis is to find linear expressions of the form X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0 , which have a high or low probability of occurrence. Let, p L = Pr [ X i 1 ⊕ X i 2 ⊕ · · · X i u ⊕ Y j 1 ⊕ Y j 2 ⊕ · · · Y j v = 0] , then linear probability bias b L = | p L − 1 2 | . Tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits. It is a known plaintext attack. 22/52

  16. Linear Cryptanalysis Notations P and C denotes the 16-bit plaintext and ciphertext, respectively. 23/52

  17. Linear Cryptanalysis Notations P and C denotes the 16-bit plaintext and ciphertext, respectively. X i denotes the i th bit of the input X = [ X 1 , X 2 , X 3 , X 4 ] to the S-box. Y i denotes the i th bit of the output Y = [ Y 1 , Y 2 , Y 3 , Y 4 ] to the S-box. X 1 X 2 X 3 X 4 S-box Y 1 Y 2 Y 3 Y 4 Figure : S-box Mapping (Courtesy: Heys’s Tutorial). 23/52

  18. Linear Cryptanalysis Notations (Cont.) U ( i ) represents the input to the i th round S-box and U ( i ) j represents the j th bit of block U ( i ) . V ( i ) represents the output of the i th round S-box and V ( i ) j represents the j th bit of block V ( i ) . 24/52

  19. Linear Cryptanalysis Notations (Cont.) U ( i ) represents the input to the i th round S-box and U ( i ) j represents the j th bit of block U ( i ) . V ( i ) represents the output of the i th round S-box and V ( i ) j represents the j th bit of block V ( i ) . Let, k ( i ) represent the i th round key. 24/52

  20. Linear Cryptanalysis Piling-Up Lemma Piling-Up Lemma (Matsui) For n independent, random binary variables, X 1 , X 2 , . . . , X n n Pr [ X 1 ⊕ · · · ⊕ X n = 0] = 1 2 + 2 n − 1 � ε i i =1 or, equivalently, n ε 1 , 2 ,..., n = 2 n − 1 � ε i , i =1 where ε 1 , 2 ,..., n represents the bias of X 1 ⊕ · · · ⊕ X n = 0 . 25/52

  21. Linear Cryptanalysis How to construct such linear expressions? 26/52

  22. Linear Cryptanalysis How to construct such linear expressions? This is done by considering the cipher’s non-linear components. 26/52

  23. Linear Cryptanalysis How to construct such linear expressions? This is done by considering the cipher’s non-linear components. In this case, the S-Box. 26/52

  24. Linear Cryptanalysis S-Box Analysis X 1 X 2 X 3 X 4 Y 1 Y 2 Y 3 Y 4 X 2 ⊕ X 3 Y 1 ⊕ Y 3 ⊕ Y 4 X 1 ⊕ X 4 Y 2 X 3 ⊕ X 4 Y 1 ⊕ Y 4 0 0 0 0 1 1 1 0 0 0 0 1 0 1 0 0 0 1 0 1 0 0 0 0 1 1 1 0 0 0 1 0 1 1 0 1 1 0 0 1 1 0 0 0 1 1 0 0 0 1 1 1 1 0 0 1 0 1 0 0 0 0 1 0 1 1 0 0 0 0 0 1 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 0 0 1 1 1 1 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 1 1 0 0 1 0 0 1 0 0 0 1 1 0 1 0 0 0 0 0 1 1 0 0 1 0 0 1 1 0 1 1 1 1 1 0 0 0 1 1 1 1 0 0 1 1 0 1 0 1 0 1 0 0 0 1 0 1 1 1 1 1 0 1 0 1 0 1 1 0 0 1 1 0 0 0 1 0 0 1 1 0 0 0 0 0 0 0 1 0 1 0 0 1 1 1 0 1 1 1 0 0 0 1 0 1 Table : Sample Difference Pairs of the S-box. 27/52

  25. Linear Cryptanalysis S-Box Analysis (cont.) Input Mask in Hexadecimal 0 1 2 3 4 5 6 7 8 9 A B C D E F +8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -2 -2 0 0 -2 +6 +2 +2 0 0 +2 +2 0 0 1 0 0 -2 -2 0 0 -2 -2 0 0 +2 +2 0 0 -6 +2 2 Output Mask in Hexadecimal 0 0 0 0 0 0 0 0 +2 -6 -2 -2 +2 +2 -2 -2 3 0 +2 0 -2 -2 -4 -2 0 0 -2 0 +2 +2 -4 +2 0 4 0 -2 -2 0 -2 0 +4 +2 -2 0 -4 +2 0 -2 -2 0 5 0 +2 -2 +4 +2 0 0 +2 0 -2 +2 +4 -2 0 0 -2 6 0 -2 0 +2 +2 -4 +2 0 -2 0 +2 0 +4 +2 0 +2 7 0 0 0 0 0 0 0 0 -2 +2 +2 -2 +2 -2 -2 -6 8 0 0 -2 -2 0 0 -2 -2 -4 0 -2 +2 0 +4 +2 -2 9 0 +4 -2 +2 -4 0 +2 -2 +2 +2 0 0 +2 +2 0 0 A 0 +4 0 -4 +4 0 +4 0 0 0 0 0 0 0 0 0 B 0 -2 +4 -2 -2 0 +2 0 +2 0 +2 +4 0 +2 0 -2 C 0 +2 +2 0 -2 +4 0 +2 -4 -2 +2 0 +2 0 0 +2 D E 0 +2 +2 0 -2 -4 0 +2 -2 0 0 -2 -4 +2 -2 0 0 -2 -4 -2 -2 0 +2 0 0 -2 +4 -2 -2 0 +2 0 F Table : Linea Approximation Table of the S-box Represented by Table. 28/52

  26. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher Linear approximation of the overall cipher is achieved by concatenating appropiate S-boxes. By constructing a linear approximation involving plaintext bits and the data bits from the output of the second last round, it is possible to attack the cipher by recovering a subset of the subkey bits that follow the last round. 29/52

  27. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) P 5 P 7 P 8 k ( 1 ) k ( 1 ) k ( 1 ) 5 7 8 S 11 S 12 S 13 S 14 Round 1 k ( 2 ) 6 S 21 S 22 S 23 S 24 Round 2 k ( 3 ) k ( 3 ) 6 14 S 31 S 32 S 33 S 34 Round 3 k ( 4 ) k ( 4 ) k ( 4 ) k ( 4 ) 6 14 6 14 U ( 4 ) U ( 4 ) U ( 4 ) 14 U ( 4 ) 6 8 16 Round 4 S 41 S 42 S 43 S 44 k ( 5 ) 5 . . . k ( 5 ) k ( 5 ) 13 . . . k ( 5 ) 8 16 Figure : Sample Linear Approximation (Courtesy: Heys’s Tutorial). 30/52

  28. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) We use the following approximation of the S-box : S 12 : X 1 ⊕ X 3 ⊕ X 4 = Y 2 with probability 12 16 and bias + 1 4 16 and bias − 1 4 S 22 : X 2 = Y 2 ⊕ Y 4 with probability 4 16 and bias − 1 4 S 32 : X 2 = Y 2 ⊕ Y 4 with probability 4 16 and bias − 1 4 S 34 : X 2 = Y 2 ⊕ Y 4 with probability 4 31/52

  29. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) Notice, U (1) = P ⊕ k (1) . For S 12 , we have V (1) U (1) ⊕ U (1) ⊕ U (1) = 6 5 7 8 = ( P 5 ⊕ K 1 , 5 ) ⊕ ( P 7 ⊕ K 1 , 7 ) ⊕ ( P 8 ⊕ K 1 , 8 ) . This holds with probability 3 4 . 32/52

  30. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) Continuing . . . � U 4 , 6 ⊕ U 4 , 8 ⊕ U 4 , 14 ⊕ U 4 , 16 ⊕ P 5 ⊕ P 7 ⊕ P 8 ⊕ = 0 , K where � = K 1 , 5 ⊕ K 1 , 7 ⊕ K 1 , 8 ⊕ K 2 , 6 ⊕ K 3 , 6 ⊕ K 3 , 14 ⊕ K 4 , 6 ⊕ K 4 , 8 ⊕ K 4 , 14 ⊕ K 4 , 16 . K 33/52

  31. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) � K is fixed to either 0 or 1 depending on the key of the cipher. Using piling-up lemma � 3 � 3 � � 1 p L = 1 4 − 1 4 − 1 = 15 2 + 2 3 32 . 2 2 Therefore, b L = − 1 32 . 34/52

  32. Linear Cryptanalysis Constructing Linear Approximation For The Complete Cipher (cont.) Depending on whether � K = 0 or 1, the expression U 4 , 6 ⊕ U 4 , 8 ⊕ U 4 , 14 ⊕ U 4 , 16 ⊕ P 5 ⊕ P 7 ⊕ P 8 holds with either probability p L = 15 32 or 1 − p L = 17 32 . 35/52

  33. Linear Cryptanalysis Extracting Key Bits Once an r − 1 round linear approximation is discovered for a cipher of r rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example r = 4. 36/52

  34. Linear Cryptanalysis Extracting Key Bits Once an r − 1 round linear approximation is discovered for a cipher of r rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example r = 4. We shall refer to the bits to be recovered from the last sub-key as the target partial sub-key . In our example k (5) 5 , k (5) 6 , k (5) 7 , k (5) 8 , k (5) 13 , k (5) 14 , k (5) 15 , k (5) 16 . 36/52

  35. Linear Cryptanalysis Extracting Key Bits: Algorithm 1 Generate about L many known plaintext/ ciphertext pairs. b 2 37/52

  36. Linear Cryptanalysis Extracting Key Bits: Algorithm 1 Generate about L many known plaintext/ ciphertext pairs. b 2 Assume that we have 10000 plaintext/ ciphertext pairs encrypted under a particular key. 37/52

  37. Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) For each of the of the 256 possible values of K 5 , 5 , K 5 , 6 , K 5 , 7 , K 5 , 8 , K 5 , 13 , K 5 , 14 , K 5 , 15 , K 5 , 16 , do the following : 38/52

  38. Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) For each of the of the 256 possible values of K 5 , 5 , K 5 , 6 , K 5 , 7 , K 5 , 8 , K 5 , 13 , K 5 , 14 , K 5 , 15 , K 5 , 16 , do the following : - For each plaintext/ ciphertext pair we exclusive-OR the partial ciphertext [ C 5 , . . . , C 8 , C 13 , . . . , C 16 ] with the guessed key value. 38/52

  39. Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) For each of the of the 256 possible values of K 5 , 5 , K 5 , 6 , K 5 , 7 , K 5 , 8 , K 5 , 13 , K 5 , 14 , K 5 , 15 , K 5 , 16 , do the following : - For each plaintext/ ciphertext pair we exclusive-OR the partial ciphertext [ C 5 , . . . , C 8 , C 13 , . . . , C 16 ] with the guessed key value. - Do a inverse substitution (S-Box − 1 ) to get U (4) 6 , U (4) 8 , U (4) 14 , U (4) 16 . 38/52

  40. Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) For each of the of the 256 possible values of K 5 , 5 , K 5 , 6 , K 5 , 7 , K 5 , 8 , K 5 , 13 , K 5 , 14 , K 5 , 15 , K 5 , 16 , do the following : - For each plaintext/ ciphertext pair we exclusive-OR the partial ciphertext [ C 5 , . . . , C 8 , C 13 , . . . , C 16 ] with the guessed key value. - Do a inverse substitution (S-Box − 1 ) to get U (4) 6 , U (4) 8 , U (4) 14 , U (4) 16 . - Count the number of plaintext/ ciphertext pairs that satisfy the 4-round linear approximation. 38/52

  41. Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) For each of the of the 256 possible values of K 5 , 5 , K 5 , 6 , K 5 , 7 , K 5 , 8 , K 5 , 13 , K 5 , 14 , K 5 , 15 , K 5 , 16 , do the following : - For each plaintext/ ciphertext pair we exclusive-OR the partial ciphertext [ C 5 , . . . , C 8 , C 13 , . . . , C 16 ] with the guessed key value. - Do a inverse substitution (S-Box − 1 ) to get U (4) 6 , U (4) 8 , U (4) 14 , U (4) 16 . - Count the number of plaintext/ ciphertext pairs that satisfy the 4-round linear approximation. - Find the | bias | = | count − 5000 | . 10000 38/52

  42. Linear Cryptanalysis Extracting Key Bits: Algorithm (Cont.) For each of the of the 256 possible values of K 5 , 5 , K 5 , 6 , K 5 , 7 , K 5 , 8 , K 5 , 13 , K 5 , 14 , K 5 , 15 , K 5 , 16 , do the following : - For each plaintext/ ciphertext pair we exclusive-OR the partial ciphertext [ C 5 , . . . , C 8 , C 13 , . . . , C 16 ] with the guessed key value. - Do a inverse substitution (S-Box − 1 ) to get U (4) 6 , U (4) 8 , U (4) 14 , U (4) 16 . - Count the number of plaintext/ ciphertext pairs that satisfy the 4-round linear approximation. - Find the | bias | = | count − 5000 | . 10000 Select the guess with the maximum bias as our target sub-key. 38/52

  43. Linear Cryptanalysis Experimental Results (Partial) Target Sub-key in Hexadecimal Target Sub-key in Hexadecimal | bias | | bias | [ k (5) 5 , . . . , k (5) 8 , k (5) 13 , . . . , k (5) [ k (5) 5 , . . . , k (5) 8 , k (5) 13 , . . . , k (5) 16 ] 16 ] 0x1C 0.0031 0x2A 0.0044 0x1D 0.0078 0x2B 0.0186 0x1E 0.0071 0x2C 0.0094 0x1F 0.0170 0x2D 0.0053 0x20 0.0025 0x2E 0.0062 0x21 0.0220 0x2F 0.0133 0x22 0.0211 0x30 0.0027 0x23 0.0064 0x31 0.0050 0x24 0.0336 0x32 0.0075 0x25 0.0106 0x33 0.0162 0x26 0.0096 0x34 0.0218 0x27 0.0074 0x35 0.0052 0x28 0.0224 0x36 0.0056 0x29 0.0054 0x37 0.0048 Table : Experimental Result (Partial) for Linear Attack. 39/52

  44. Linear Cryptanalysis Experimental Results (Partial) Target Sub-key in Hexadecimal Target Sub-key in Hexadecimal | bias | | bias | [ k (5) 5 , . . . , k (5) 8 , k (5) 13 , . . . , k (5) [ k (5) 5 , . . . , k (5) 8 , k (5) 13 , . . . , k (5) 16 ] 16 ] 0x1C 0.0031 0x2A 0.0044 0x1D 0.0078 0x2B 0.0186 0x1E 0.0071 0x2C 0.0094 0x1F 0.0170 0x2D 0.0053 0x20 0.0025 0x2E 0.0062 0x21 0.0220 0x2F 0.0133 0x22 0.0211 0x30 0.0027 0x23 0.0064 0x31 0.0050 0x24 0.0336 0x32 0.0075 0x25 0.0106 0x33 0.0162 0x26 0.0096 0x34 0.0218 0x27 0.0074 0x35 0.0052 0x28 0.0224 0x36 0.0056 0x29 0.0054 0x37 0.0048 Table : Experimental Result (Partial) for Linear Attack. Note that the experimental bias = 0 . 0336 is very close to the 1 expected value of 32 = 0 . 03125 . 39/52

  45. Linear Cryptanalysis Summary Linear Cryptanalysis: Approximate r − 1 rounds of a r round block cipher by a linear function , which deviates “ substantially ” from uniform. 40/52

  46. Linear Cryptanalysis Summary Linear Cryptanalysis: Approximate r − 1 rounds of a r round block cipher by a linear function , which deviates “ substantially ” from uniform. - This is done by careful structural analysis of the block cipher. 40/52

  47. Linear Cryptanalysis Summary Linear Cryptanalysis: Approximate r − 1 rounds of a r round block cipher by a linear function , which deviates “ substantially ” from uniform. - This is done by careful structural analysis of the block cipher. Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force. 40/52

  48. Linear Cryptanalysis Summary Linear Cryptanalysis: Approximate r − 1 rounds of a r round block cipher by a linear function , which deviates “ substantially ” from uniform. - This is done by careful structural analysis of the block cipher. Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force. Prevention: 40/52

  49. Linear Cryptanalysis Summary Linear Cryptanalysis: Approximate r − 1 rounds of a r round block cipher by a linear function , which deviates “ substantially ” from uniform. - This is done by careful structural analysis of the block cipher. Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force. Prevention: Wide trail strategy. “ Stronger ” S-boxes or non-linear function. . . . 40/52

  50. Differential Cryptanalysis Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear Cryptanalysis 4 Differential Cryptanalysis 5 Appendix 6 40/52

  51. Differential Cryptanalysis Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear Cryptanalysis 4 Differential Cryptanalysis 5 Appendix 6 41/52

  52. Differential Cryptanalysis Idea In an ideally randomizing cipher, the probability that a particular output difference ∆ Y occurs, given a particular 1 input difference ∆ X is 2 n where n is the number of bits. 42/52

  53. Differential Cryptanalysis Idea In an ideally randomizing cipher, the probability that a particular output difference ∆ Y occurs, given a particular 1 input difference ∆ X is 2 n where n is the number of bits. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. 42/52

  54. Differential Cryptanalysis Idea In an ideally randomizing cipher, the probability that a particular output difference ∆ Y occurs, given a particular 1 input difference ∆ X is 2 n where n is the number of bits. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack. 42/52

  55. Differential Cryptanalysis Idea In an ideally randomizing cipher, the probability that a particular output difference ∆ Y occurs, given a particular 1 input difference ∆ X is 2 n where n is the number of bits. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack. Using the highly likely differential characteristics, gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys. 42/52

  56. Differential Cryptanalysis Idea In an ideally randomizing cipher, the probability that a particular output difference ∆ Y occurs, given a particular 1 input difference ∆ X is 2 n where n is the number of bits. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. Differential Cryptanalysis is a Chosen Plaintext Attack. Using the highly likely differential characteristics, gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys. In order to determine a high probability difference pair, we consider the input-output differences of the S-Boxes. 42/52

  57. Differential Cryptanalysis Notations Let X 1 , X 2 ∈ { 0 , 1 } n . Define, ∆ X = X 1 ⊕ X 2 . Let, ∆ X = [∆ X 1 , . . . , ∆ X n ]. A differential (∆ X , ∆ Y ): for a given input difference ∆ X , ∆ Y is the difference in output. Differential Characteristics: A sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round. 43/52

  58. Differential Cryptanalysis Sample Difference Pairs of the S-BOX ∆ Y X Y ∆ X = 1011 ∆ X = 1000 ∆ X = 0100 0000 1110 0010 1101 1100 0001 0100 0010 1110 1011 0010 1101 0111 0101 0110 0011 0001 0010 1011 1001 0100 0010 0101 0111 1100 0101 1111 1111 0110 1011 0110 1011 0010 1011 0110 0111 1000 1101 1111 1001 0000 0011 0010 1101 0110 0001 1010 0111 1110 0011 0010 0110 0010 0101 0110 0011 1100 0010 1011 1011 0100 0101 1101 0111 0110 0101 1001 0010 0110 0011 0110 0000 1111 1011 0110 0111 0111 0101 1111 1011 Table : Sample Difference Pairs of the S-box. 44/52

  59. Differential Cryptanalysis Difference Distribution Table Input Difference in Hexadecimal 0 1 2 3 4 5 6 7 8 9 A B C D E F 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 2 0 2 4 0 4 2 0 0 1 Output Difference in Hexadecimal 0 0 0 2 0 6 2 2 0 2 0 0 0 0 2 0 2 0 0 2 0 2 0 0 0 0 4 2 0 2 0 0 4 3 0 0 0 2 0 0 6 0 0 2 0 4 2 0 0 0 4 0 4 0 0 0 2 2 0 0 0 4 0 2 0 0 2 5 0 0 0 4 0 4 0 0 0 0 0 0 2 2 2 2 6 0 0 2 2 2 0 2 0 0 2 2 0 0 0 0 4 7 0 0 0 0 0 0 2 2 0 0 0 4 0 4 2 2 8 0 2 0 0 2 0 0 4 2 0 2 2 2 0 0 0 9 0 2 2 0 0 0 0 0 6 0 0 2 0 0 4 0 A 0 0 8 0 0 2 0 2 0 0 0 0 0 2 0 2 B C 0 2 0 0 2 2 2 0 0 0 0 2 0 6 0 0 0 4 0 0 0 0 0 4 2 0 2 0 2 0 2 0 D 0 0 2 4 2 0 0 0 6 0 0 0 0 0 2 0 E 0 2 0 0 6 0 0 0 0 4 0 2 0 0 2 0 F Table : Difference Distribution Table for the S-box Represented by Table. 45/52

  60. Differential Cryptanalysis Keyed S-BOX W 1 W 2 W 3 W 4 K 1 K 2 K 3 � � � � K 4 X 1 X 2 X 3 X 4 S-box Y 1 Y 2 Y 3 Y 4 Figure : Keyed S-box. 46/52

  61. Differential Cryptanalysis Sample Differential Cryptanalysis ∆P = [ 0000 , 1011 , 0000 , 0000 ] S 11 S 12 S 13 S 14 Round 1 S 21 S 22 S 23 S 24 Round 2 S 31 S 32 S 33 S 34 Round 3 ∆U ( 4 ) . . . ∆U ( 4 ) ∆U ( 4 ) 13 . . . ∆U ( 4 ) 5 8 16 Round 4 S 41 S 42 S 43 S 44 k ( 5 ) 5 . . . k ( 5 ) k ( 5 ) 13 . . . k ( 5 ) 8 16 Figure : Sample Differential Characteristic. 47/52

  62. Differential Cryptanalysis Probability of the Differential Characteristics Active S-Boxes: S 12 : ∆ X = B → ∆ Y = 2 with probability 8/16. S 23 : ∆ X = 4 → ∆ Y = 6 with probability 6/16 S 32 : ∆ X = 2 → ∆ Y = 5 with probability 6/16 S 33 : ∆ X = 2 → ∆ Y = 5 with probability 6/16 48/52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University Weimar 22nd April 2009 Dennis Hoppe (BUW) DARXplorer 22nd April 2009 1 / 31 Agenda 1 Introduction to Hash Functions 2 The ThreeFish Block Cipher 3

757 views • 42 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext

Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext

1 / 22 Introduction SAC 2012 Cryptanalysis of the Kindle Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . .

556 views • 29 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
10 years of Rijndael Vincent Rijmen Overview The AES process (participants perspective)

10 years of Rijndael Vincent Rijmen Overview The AES process (participants perspective)

10 years of Rijndael Vincent Rijmen Overview The AES process (participants perspective) Rijndael Security of Rijndael/AES Spreading of AES Stream ciphers: competitors? Conclusions The early years (1997)

939 views • 70 slides
Risk-based Testing with Jira and Jubula Daniele Gagliardi @dangagliar Creative Commons

Risk-based Testing with Jira and Jubula Daniele Gagliardi @dangagliar Creative Commons

Risk-based Testing with Jira and Jubula Daniele Gagliardi @dangagliar Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported. 1 66 / Agenda The Theory What is it ? Why should I care ? The Practice The

974 views • 66 slides
Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition

Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition

9:22 AM Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. Security Appliance (noun) -

1.1k views • 63 slides
WITH GREATFET+FD TROOPERS18 KATE TEMKIN & DOMINIC SPILL WHO WE ARE Kate Temkin (@ktemkin):

WITH GREATFET+FD TROOPERS18 KATE TEMKIN & DOMINIC SPILL WHO WE ARE Kate Temkin (@ktemkin):

OPENING BLACK BOX SYSTEMS WITH GREATFET+FD TROOPERS18 KATE TEMKIN & DOMINIC SPILL WHO WE ARE Kate Temkin (@ktemkin): Dominic Spill (@dominicgs): slayer of Tegras, destroyer of worlds cannot stop being extraordinary, on penalty of

861 views • 21 slides
Anycast for Any Service Michael J. Freedman Karthik Lakshminarayanan David Mazires

Anycast for Any Service Michael J. Freedman Karthik Lakshminarayanan David Mazires

Anycast for Any Service Michael J. Freedman Karthik Lakshminarayanan David Mazires http://oasis.coralcdn.org/ Whats the replica-selection problem? mycdn ? Client needs to choose a good replica server Performance and cost

798 views • 56 slides
Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum

Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum

Adaptive Application Security Testing Model Ashish Khandelwal Gunankar Tyagi Agendum Confidential McAfee Internal Use Only Security Testing Confidential McAfee Internal Use Only Cost Impact m suffered a heavy The TJX Company breach, which m

429 views • 20 slides
Analyse de primitives sym etriques Pierre Karpman a lInria Saclay & Rennes, l Th`

Analyse de primitives sym etriques Pierre Karpman a lInria Saclay & Rennes, l Th`

Analyse de primitives sym etriques Pierre Karpman a lInria Saclay & Rennes, l Th` ese pr epar ee ` Ecole polytechnique, et la Nanyang Technological University Sous la direction de Daniel Augot, Pierre-Alain Fouque et

906 views • 58 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides

More recommend