Block Ciphers - The Basics
Lars R. Knudsen, Spring 2011 (slide presentation)

SLIDE 1

Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis

Block Ciphers - The Basics

Lars R. Knudsen Spring 2011

L.R. Knudsen Block Ciphers - The Basics

SLIDE 2

Content

- Introduction
- Iterated ciphers
- Cryptanalysis
  - Differential cryptanalysis
  - Linear cryptanalysis

SLIDE 3

Symmetric encryption

- Same key for encryption and decryption
- Two types: block ciphers and stream ciphers

SLIDE 4

Symmetric encryption: model of reality

Figure (diagram on the slide): the M-source supplies a message m to the sender, who encrypts it under the key k and sends the ciphertext c over an insecure channel observed by the enemy; the receiver, who obtained the same k from the K-source over a secure channel, decrypts c back to m.

SLIDE 5

Symmetric encryption

Kerckhoffs' principle: everything is known to an attacker except the value of the secret key.

Attack scenarios
- Ciphertext only
- Known plaintext
- Chosen plaintext/ciphertext
- Adaptive chosen plaintext/ciphertext (black-box access)

SLIDE 6

From classical crypto to modern crypto

Looking back:
- (almost) all ciphers before the 1920s were very weak
- 1920s: rotor machines, mechanical crypto (Enigma, Germany; Sigaba, USA; Typex, UK)
- 1970s: computers take over from rotor machines; ciphers operate on long sequences of bits (bytes)

SLIDE 7

Block ciphers

Input block m, output block c, key k: c = e_k(m)

- e : {0,1}^n × {0,1}^κ → {0,1}^n
- given k, easy to encrypt and decrypt
- given m and c, hard to compute k such that e_k(m) = c
- one-way function: f(k) = e_k(m0) for fixed m0

SLIDE 8

Block ciphers

Applications
- block encryption (symmetric)
- pseudorandom number generators / stream ciphers
- message authentication codes
- building block in hash functions
- one-way functions

SLIDE 9

Block cipher, n-bit blocks, κ-bit key

- a family of n-bit permutations
- number of n-bit permutations in the block cipher: 2^κ
- number of all n-bit permutations: (2^n)! ≃ (2^(n−1))^(2^n)
- DES: n = 64, κ = 56
- AES: n = 128, κ = 128, 192 or 256
- design aim: the 2^κ permutations should look as if chosen uniformly at random from the set of all (2^n)! permutations

SLIDE 10

Cryptanalysis

Assumption: the cryptanalyst has access to a black box implementing the block cipher with a secret key k.

Aims of the cryptanalyst
- find the key k, or
- find (m, c) such that e_k(m) = c for the unknown k, or
- distinguish a member of the block cipher family from a randomly chosen permutation

SLIDE 11

Generic, brute-force attacks

Block size n, key size κ

1. Exhaustive key search: try all keys, one by one. ⌈κ/n⌉ texts, time 2^κ, storage small.
2. Table attack: store e_k(m0) for all k. Storage 2^κ, time (of the attack) small.
3. Hellman time-memory tradeoffs between 1 and 2, e.g. for n = κ: 2^(2n/3) time and memory.

SLIDE 12

Generic, brute-force attacks (cont.)

Dictionary and birthday attacks
- known plaintexts: collect pairs (m, c)
- ciphertext only: collect ciphertexts, look for matches c_i = c_j

Example, CBC mode
1. Collect 2^(n/2) ciphertext blocks.
2. Given two equal ciphertext blocks c_i = c_j:
   c_i = c_j ⇒ e_k(m_i ⊕ c_(i−1)) = e_k(m_j ⊕ c_(j−1)) ⇒ m_i ⊕ m_j = c_(i−1) ⊕ c_(j−1)
(similar attacks exist for ECB and CFB)

SLIDE 13

Short-cut attacks

Success depends on intrinsic properties of e(·):
- Differential cryptanalysis
- Linear cryptanalysis
- Interpolation attacks
- Integral attacks
- Related-key attacks
- Variants of the above: higher-order differentials, truncated differentials, mod n attack, boomerang attack, ...

SLIDE 14

Iterated block ciphers (DES, AES, ...)

m → ⊕k0 → g → ⊕k1 → g → ⊕k2 → ··· → g → ⊕kr → c

- plaintext m, ciphertext c, key k
- key schedule: user-selected key k → round keys k0, ..., kr
- round function g, weak by itself
- idea: g^r (r iterations of g) is strong for "large" r

SLIDE 15

DES

History
- developed in the early 70s by IBM using 17 man-years
- evaluation by the National Security Agency (US)
- 1975: publication of the proposed standard; public discussion (trapdoors, key size)
- 1977: publication of FIPS 46 (DES)
- most realistic attack is exhaustive search for the key

SLIDE 16

DES

Parameters
- block size 64 bits
- key size 64 bits, effective 56 bits
- 16-round Feistel cipher (Feistel network with round function f; diagram on the slide)

SLIDE 17

DES

Results
- complementation property: for all m, k: c = DES_k(m) ⟺ c̄ = DES_k̄(m̄), where x̄ denotes the bitwise complement of x
- 4 weak keys: DES_k(DES_k(m)) = m for all m
- 6 pairs of semi-weak keys: DES_k1 = DES_k2^(−1)
- differential cryptanalysis (1991): 2^47 chosen plaintexts
- linear cryptanalysis (1993): 2^45 known plaintexts
- key search engine (98-99): 1 million US$, 1 key / 30 min.
- record for finding a DES key: 22 hours, 1999

SLIDE 18

AES

Advanced Encryption Standard, US governmental encryption standard
- open (world) competition announced January 1997
- keys: choice of 128-bit, 192-bit and 256-bit keys
- blocks: 128 bits
- October 2000: AES = Rijndael
- standard: FIPS 197, November 2001
- iterated cipher with 10, 12 or 14 rounds depending on the key size

SLIDE 19

Multiple encryption

1. Assume e_·(·) is a block cipher.
2. Double encryption: m → e_k1 → e_k2 → c, i.e. c = e_k2(e_k1(m))
3. Triple encryption: m → e_k1 → e_k2 → e_k3 → c, i.e. c = e_k3(e_k2(e_k1(m)))

SLIDE 20

Triple-DES

e_k(·), d_k(·): single DES encryption and decryption

Two-key triple DES: c = e_k1(d_k2(e_k1(m)))
- known attack: time ≃ 2^120 / 2^t, given 2^t known plaintexts

Triple DES (three keys): c = e_k3(e_k2(e_k1(m)))
- known attack: time ≃ 2^112, 2 known plaintexts, memory ≈ 2^56

SLIDE 21

Provably secure encryption (assuming ideal components)

1. Assume p(·) is an ideal n-bit bijection (permutation).
2. Even-Mansour (1991): m → ⊕k0 → p → ⊕k1 → c, i.e. c = p(m ⊕ k0) ⊕ k1
3. Security bound of 2^(n/2)
4. The bound is tight: attack by Daemen

SLIDE 22

Provably secure encryption (assuming ideal components)

1. Assume p(·) and q(·) are two ideal n-bit bijections.
2. Knudsen-Leander et al. (work in progress): m → ⊕k0 → p → ⊕k1 → q → ⊕k2 → c, i.e. c = q(p(m ⊕ k0) ⊕ k1) ⊕ k2
3. Security bound of 2^(2n/3)
4. With r "rounds", the bound is 2^(rn/(r+1))

SLIDE 23

Generic attack: r-round iterated ciphers

m → ⊕k0 → g → ⊕k1 → g → ⊕k2 → ··· → c_(r−1) → g → ⊕kr → c

1. Assume a "correlation" between m and c_(r−1), the text before the last round.
2. Given a number of pairs (m, c).
3. Repeat for all pairs and all values i of kr:
   1. let c′ = g^(−1)(c ⊕ i), compute x = cor(m, c′)
   2. if the key guess gives cor(m, c_(r−1)), increment the counter for i
4. The value of i which yields cor(m, c_(r−1)) is taken as the value of kr.

SLIDE 24

Differential cryptanalysis (Biham-Shamir 1991)

- chosen plaintext attack
- assume x is combined with the key k via a group operation ⊗
- define the difference of x1 and x2 as ∆(x1, x2) = x1 ⊗ x2^(−1)
- the difference is unchanged by combination with the key: ∆(x1 ⊗ k, x2 ⊗ k) = x1 ⊗ k ⊗ k^(−1) ⊗ x2^(−1) = ∆(x1, x2)
- the definition of difference is chosen relative to the cipher (often exclusive-or)

SLIDE 25

Differential cryptanalysis (2)

Consider r-round iterated ciphers of the form

m → ⊕k0 → g → ⊕k1 → g → ⊕k2 → ··· → g → ⊕kr → c

Main criterion for success: the distribution of differences through the nonlinear components of g is non-uniform.

SLIDE 26

Differential cryptanalysis - example (1)

n-bit strings m, c, k with c = m ⊕ k
- key used only once: the system is unconditionally secure under a ciphertext-only attack
- key used more than once: the system is insecure, since c ⊕ c′ = (m ⊕ k) ⊕ (m′ ⊕ k) = m ⊕ m′
- note that the key cancels out

SLIDE 27

Differential cryptanalysis - example (2)

k0, k1: n-bit keys, S : {0,1}^n → {0,1}^n, c = S(m ⊕ k0) ⊕ k1

m → ⊕k0 → u → S → v → ⊕k1 → c

Assume the attacker knows two pairs (m, c) and (m′, c′).
- from m, m′: u ⊕ u′ = m ⊕ m′ (k0 cancels)
- key recovery: for each guess of k1, compute u ⊕ u′ = S^(−1)(c ⊕ k1) ⊕ S^(−1)(c′ ⊕ k1) and keep the guesses for which it equals m ⊕ m′

SLIDE 28

Differential cryptanalysis - example (3)

k0, k1, k2: n-bit keys, S : {0,1}^n → {0,1}^n, c = S(S(m ⊕ k0) ⊕ k1) ⊕ k2

m → ⊕k0 → u → S → v → ⊕k1 → w → S → x → ⊕k2 → c

Assume the attacker knows (m, c) and (m′, c′).
- from m, m′: u ⊕ u′ = m ⊕ m′
- from c, c′ and a guess of k2: w ⊕ w′ = S^(−1)(c ⊕ k2) ⊕ S^(−1)(c′ ⊕ k2) = v ⊕ v′ (k1 cancels)
- then what?

SLIDE 29

Differential cryptanalysis - example (4)

Assume for concreteness that n = 4 and that S is

x     0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)  6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b

Consider two inputs to S, m and m′, where m′ is the bitwise complement of m, i.e. m ⊕ m′ = f_x (the subscript x denotes a hexadecimal value).

SLIDE 30

m  m′  S(m) ⊕ S(m′)
0  f   6 ⊕ b = d
1  e   4 ⊕ 9 = d
2  d   c ⊕ a = 6
3  c   5 ⊕ 8 = d
4  b   0 ⊕ d = d
5  a   7 ⊕ 3 = 4
6  9   2 ⊕ f = d
7  8   e ⊕ 1 = f
8  7   1 ⊕ e = f
9  6   f ⊕ 2 = d
a  5   3 ⊕ 7 = 4
b  4   d ⊕ 0 = d
c  3   8 ⊕ 5 = d
d  2   a ⊕ c = 6
e  1   9 ⊕ 4 = d
f  0   b ⊕ 6 = d

The output difference is d_x in 10 of the 16 cases.

SLIDE 31

Differential cryptanalysis - example (5)

m → ⊕k0 → u → S → v → ⊕k1 → w → S → x → ⊕k2 → c

Choose a random m and obtain (m, c), (m′, c′) with m ⊕ m′ = f_x. Then
- u ⊕ u′ = f_x
- v ⊕ v′ = δ, where δ = d_x in 10 of the 16 cases
- for the correct value of k2, S^(−1)(c ⊕ k2) ⊕ S^(−1)(c′ ⊕ k2) = w ⊕ w′ = δ, so one gets δ = d_x in 10 of 16 cases

Assumption: for an incorrect value of k2, the δ computed this way is random.

SLIDE 32

Differential cryptanalysis - example (6)

m → ⊕k0 → u → S → v → ⊕k1 → w → S → x → ⊕k2 → c

1. Choose a random m, compute m′ = m ⊕ f_x, obtain (m, c) and (m′, c′).
2. For i = 0, ..., 15 (guess k2 = i):
   1. compute δ = S^(−1)(c ⊕ i) ⊕ S^(−1)(c′ ⊕ i)
   2. if δ = d_x, increment the counter for i
3. Go to 1 until one counter holds a significantly larger value than the others.

SLIDE 33

Idea in differential attacks

- consider r-round iterated ciphers
- find suitable differences in the plaintexts such that the differences in the ciphertexts after r − 1 rounds can be determined with good probability
- for all values of the last-round key kr, compute the difference after r − 1 rounds of encryption from the ciphertexts

SLIDE 34

Example. CipherFour: block size 16, r rounds

Round keys independent, uniformly random. One round:

1. exclusive-or the round key to the text
2. split the text into four nibbles and evaluate each nibble via the S-box

   x     0 1 2 3 4 5 6 7 8 9 a b c d e f
   S(x)  6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b

   then concatenate the results into the 16-bit string y = y0, ..., y15
3. permute the bits in y according to

   y     0 1 2 3 4 5 6 7 8 9 a b c d e f
   P(y)  0 4 8 c 1 5 9 d 2 6 a e 3 7 b f

   so P(y) = y0, y4, y8, y12, y1, y5, y9, y13, y2, y6, y10, y14, y3, y7, y11, y15.

Exclusive-or a round key to the output of the last round.

SLIDE 35

Product cipher example - 16-bit messages

Figure (diagram on the slide): two rounds of the 16-bit cipher. The message m is exclusive-ored with k0, passes through four parallel S-boxes S and the bit permutation, is exclusive-ored with k1, and passes through a second layer of four S-boxes and the permutation.

SLIDE 36

Differential characteristics

Denote by
  (α0, α1, α2, α3) −S→ (β0, β1, β2, β3)
that two 4-nibble inputs to the S-boxes with differences (α0, α1, α2, α3) lead to outputs from the S-boxes with differences (β0, β1, β2, β3) with some probability p. Use the similar notation for P:
  (β0, β1, β2, β3) −P→ (γ0, γ1, γ2, γ3)
Then
  (α0, α1, α2, α3) −1r→ (γ0, γ1, γ2, γ3)
is called a one-round characteristic of probability p for CipherFour.

SLIDE 37

Differential characteristics - probabilities

Assume Pr(αi −Si→ βi) = pi for i = 0, ..., 3, where the probability is computed over all inputs to Si. Then
  Pr((α0, α1, α2, α3) −S→ (β0, β1, β2, β3)) = p0 · p1 · p2 · p3
Assume further that (α0, α1, α2, α3) −1r→ (γ0, γ1, γ2, γ3) has probability p and that (γ0, γ1, γ2, γ3) −1r→ (φ0, φ1, φ2, φ3) has probability q. Then, under suitable assumptions (u.s.a.),
  (α0, α1, α2, α3) −2r→ (φ0, φ1, φ2, φ3)
has probability p · q.

SLIDE 38

Example - differential attack

Differential distribution table for S (rows: input difference a, columns: output difference b; entry = number of inputs x with S(x) ⊕ S(x ⊕ a) = b; "." means 0):

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   16  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
1    .  .  6  .  .  .  .  2  .  2  .  .  2  .  4  .
2    .  6  6  .  .  .  .  .  .  2  2  .  .  .  .  .
3    .  .  .  6  .  2  .  .  2  .  .  .  4  .  2  .
4    .  .  .  2  .  2  4  .  .  2  2  2  .  .  2  .
5    .  2  2  .  4  .  .  4  2  .  .  2  .  .  .  .
6    .  .  2  .  4  .  .  2  2  .  2  2  2  .  .  .
7    .  .  .  .  .  4  4  .  2  2  2  2  .  .  .  .
8    .  .  .  .  .  2  .  2  4  .  .  4  .  2  .  2
9    .  2  .  .  .  2  2  2  .  4  2  .  .  .  .  2
a    .  .  .  .  2  2  .  .  .  4  4  .  2  2  .  .
b    .  .  .  2  2  .  2  2  2  .  .  4  .  .  2  .
c    .  4  .  2  .  2  .  .  2  .  .  .  .  .  6  .
d    .  .  .  .  .  .  2  2  .  .  .  .  6  2  .  4
e    .  2  .  4  2  .  .  .  .  .  2  .  .  .  .  6
f    .  .  .  .  2  .  2  .  .  .  .  .  .  10 .  2

SLIDE 39

CipherFour - some possible characteristics

(0, 0, 0, f_x) −S→ (0, 0, 0, d_x) has probability 10/16. Consequently (since P is linear)
  (0, 0, 0, f_x) −1r→ (1, 1, 0, 1)
is a one-round characteristic of probability 10/16.

(1, 1, 0, 1) −S→ (2, 2, 0, 2) has probability (6/16)^3. Consequently (u.s.a.)
  (0, 0, 0, f_x) −2r→ (0, 0, d_x, 0)
is a two-round characteristic of probability (10/16) · (6/16)^3 ≃ 0.033.

SLIDE 40

CipherFour - iterative characteristics

(0, 0, 2, 0) −S→ (0, 0, 2, 0) has probability 6/16, and therefore
  (0, 0, 2, 0) −1r→ (0, 0, 2, 0)
is a one-round characteristic of probability 6/16.

The characteristic can be concatenated with itself, e.g.
  (0, 0, 2, 0) −4r→ (0, 0, 2, 0)
is a 4-round characteristic of probability (6/16)^4 (u.s.a.).

These are called "iterative" characteristics.

SLIDE 41

CipherFour - differential attack

Consider CipherFour with 5 rounds and the 4-round characteristic
  (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0)
with a (conjectured) probability of (6/16)^4 ≃ 1/51.

Idea of the attack:
- choose pairs of messages with the desired difference
- for all values of four (target) bits of k5, compute backwards one round from the ciphertexts, etc.

If successful, this (sub)attack finds four bits of k5.

SLIDE 42

CipherFour - differential attack

Consider the final round for a pair of texts. One has (0, 0, 2, 0) −S→ (0, 0, h, 0), where h ∈ {1, 2, 9, a_x}. Since P is linear, the last round must have one of the following forms:
  (0, 0, 2, 0) −1r→ (0, 0, 0, 2)
  (0, 0, 2, 0) −1r→ (0, 0, 2, 0)
  (0, 0, 2, 0) −1r→ (2, 0, 0, 2)
  (0, 0, 2, 0) −1r→ (2, 0, 2, 0)

Filtering: use only pairs for which the difference in the ciphertexts is one of the above four. In our case, most pairs which survive filtering will have difference (0, 0, 2, 0) after four rounds.

SLIDE 43

CipherFour - differential attack

- a "right" pair of texts "follows" the characteristic in each round
- let p be the probability of the characteristic and N the number of pairs used
- assume all pairs surviving the filtering are right pairs
- how many times will the correct value of the four target bits be suggested in the attack? Answer: Np
- how many times will an incorrect value of the four target bits be suggested? Answer: Np/15
- signal-to-noise ratio: S/N = Np / (Np/15) = 15

SLIDE 44

CipherFour - differential attack

How many pairs of plaintexts are needed? It depends on (at least) p, S/N and the number of target bits. In our case Np = 3 suffices, so N = 3 · 51 = 153 pairs of plaintexts.

SLIDE 45

CipherFour - differentials

Consider CipherFour with 5 rounds and the 4-round characteristic
  (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0)
with a (conjectured) probability of (6/16)^4 ≃ 1/51.

In the attack only the first and the last occurrence of (0, 0, 2, 0) is used. In our example, what was used is in fact
  (0, 0, 2, 0) −1r→ (∗, ∗, ∗, ∗) −1r→ (∗, ∗, ∗, ∗) −1r→ (∗, ∗, ∗, ∗) −1r→ (0, 0, 2, 0),
where the asterisks represent "any value". Such a structure is called a differential.

SLIDE 46

CipherFour - differentials

  (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0)
  (0, 0, 2, 0) −1r→ (0, 0, 0, 2) −1r→ (0, 0, 0, 1) −1r→ (0, 0, 1, 0) −1r→ (0, 0, 2, 0)
  (0, 0, 2, 0) −1r→ (0, 0, 0, 2) −1r→ (0, 0, 1, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 2, 0)
  (0, 0, 2, 0) −1r→ (0, 0, 2, 0) −1r→ (0, 0, 0, 2) −1r→ (0, 0, 1, 0) −1r→ (0, 0, 2, 0)
are four 4-round characteristics (0, 0, 2, 0) → (0, 0, 2, 0); all four have a (conjectured) probability of 1/51.

One should therefore expect Pr((0, 0, 2, 0) −4r→ (0, 0, 2, 0)) ≥ 4/51. With Np = 3 this gives N = 3 / (4/51) = 3 · 51/4 ≈ 38, i.e. about 40 pairs of plaintexts.

SLIDE 47

Differential cryptanalysis in general

Definition. An s-round characteristic is a series of differences defined as an (s + 1)-tuple Ω : {α0, α1, ..., αs}, where ∆m = α0 and ∆c_i = α_i for 1 ≤ i ≤ s.

Probability: Pr(Ω) = Pr(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0). The probability is taken over all possible plaintexts and keys.

SLIDE 48

Differential cryptanalysis in general

Find an (r − 1)-round characteristic determining ∆c_(r−1) with probability p. Repeat:
1. choose pairs of plaintexts with difference ∆m
2. get the pairs of ciphertexts c and c∗
3. for i = 0, ..., 2^k − 1: decrypt the ciphertexts one round using the guess kr = i; if the expected difference ∆c_(r−1) is obtained, increment the counter for i
until one counter has a value significantly different from the other counters.

SLIDE 49

Key recovery part

··· → g → ⊕k_(r−1) → y → g → ⊕kr → c → ⊕i → g^(−1) → c̃

- kr = i ⇒ c̃ = y
- kr ≠ i ⇒ c̃ = ?

Hypothesis of wrong-key randomization (standard): for a wrong guess i, c̃ behaves like a random value.

SLIDE 50

Filtering

Definition (Right pair). A right pair is a pair of plaintexts whose intermediate ciphertexts follow the characteristic.
Definition (Wrong pair). A wrong pair is a pair which is not a right pair.

- right pairs always suggest the correct value of the key
- strategy: minimise the number of wrong pairs
- often it is possible to determine from the ciphertexts alone that a pair is wrong; in that case the pair is filtered out (not used) in the analysis

SLIDE 51

Signal to noise ratio

S/N = (prob. the correct key is counted) / (prob. a random key is counted)

- k: number of key bits to find
- p: probability of the characteristic
- m: number of pairs required
- β: ratio of used pairs to all pairs
- α: number of keys suggested by each used pair

S/N = (m · p) / (m · β · α / (2^k − 1)) = p · (2^k − 1) / (α · β)

If S/N > 1, repeat the attack (use more pairs) until the correct key "sticks out".

SLIDE 52

Complexity

- chosen plaintexts needed: roughly c × 1/p_Ω, where p_Ω is the probability of the characteristic Ω used and c ≥ 1 is a function of S/N (usually small)
- to increase the S/N ratio: filter out wrong pairs
- the success of differential attacks depends on: the probability of the characteristic, the number of counters required, the S/N ratio, filtering, and the time to run the attack

SLIDE 53

Iterative characteristics

Problem: for t big, t-round characteristics are hard to find.

Definition. An s-round iterative characteristic has the form Ω : {α_i, α_(i+1), ..., α_(i+s)}, where α_i = α_(i+s). Construct ts-round characteristics by concatenating Ω with itself t times.

SLIDE 54

Probability of characteristics

For the attack (k is the secret key): Pr_M(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0, k is key). But k is unknown? Average over all keys: Pr_{M,K}(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0).

Proposal:
  Pr_{M,K}(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0) = ∏_{i=1}^{s} Pr_{M,K}(∆c_1 = α_i | ∆m = α_(i−1))  ????
This requires that the individual rounds are independent...

SLIDE 55

Probability of characteristics (2)

Definition. An iterated cipher is a Markov cipher, with respect to the defined difference, if Pr_K(∆c_1 = β | ∆c_0 = α, c_0 = γ) is independent of γ for all α, β.

For Markov ciphers with independent round keys
  Pr_{M,K}(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0) = Pr_K(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0) = ∏_{i=1}^{s} Pr_K(∆c_1 = α_i | ∆m = α_(i−1))

SLIDE 56

Probability of characteristics (3)

Fact DES and AES are Markov ciphers with difference defined by ⊕

SLIDE 57

Differentials

In attacks based on basic differential cryptanalysis the intermediate differences are (usually) not used:
- characteristic Φ = (∆m, ∆c_1, ..., ∆c_(r−2), ∆c_(r−1))
- differential Ω = (∆m, ∆c_(r−1))
- Pr(Ω) ≥ Pr(Φ)

SLIDE 58

Differentials - probability

Probability of a characteristic (Markov ciphers):
  Pr(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α0) = ∏_{i=1}^{s} Pr(∆c_1 = α_i | ∆m = α_(i−1))

Probability of a differential (Markov ciphers):
  Pr(∆c_s = β_s | ∆m = β0) = Σ_{β1} ··· Σ_{β_(s−1)} ∏_{i=1}^{s} Pr(∆c_i = β_i | ∆c_(i−1) = β_(i−1)),  where ∆c_0 = ∆m

SLIDE 59

Differentials and probabilities

- the probability of a differential is taken over all plaintexts and keys; for a Markov cipher only over all keys
- the probability is an average over all keys, but in an attack one key is used. Probability?

Definition (Hypothesis of stochastic equivalence). For virtually all high-probability s-round differentials (α, β),
  Pr_M(∆c_s = β | ∆m = α, K = k) ≈ Pr_{M,K}(∆c_s = β | ∆m = α)
holds for a substantial fraction of the key values k.

SLIDE 60

Linear cryptanalysis (Matsui 1993)

- known plaintext attack
- uses linear relations between bits of m, c = e_k(m) and k
- suppose that with probability p ≠ 1/2
    (m · α) ⊕ (c · β) = 0   (∗)
- collect N pairs of plaintext/ciphertext (using the same key!)
- T: number of times the left side of (∗) is 0
- if p > 1/2, E(T) > N/2
- if m and c are independent, T ≃ N/2

SLIDE 61

Linear attack: complexity

Each evaluation of (∗) is 0 with probability p > 1/2, so T is a binomial random variable with parameters N and p:
  Pr(T > N/2) = 1 − Pr(T ≤ N/2) ≃ 1 − Φ((N/2 + 1/2 − Np) / (√(p(1 − p)) · √N)) ≃ 1 − Φ(−2√N |p − 1/2|) = Φ(2√N |p − 1/2|),
where Φ is the (standard) normal distribution function.

With N = |p − 1/2|^(−2) the probability is about 97.72%. |p − 1/2| is called the bias.

SLIDE 62

Joining linear approximations

Random, independent boolean variables X, Y and Z. If α · X = β · Y with probability p1 and β · Y = γ · Z with probability p2, then α · X = γ · Z with probability
  1/2 + 2(p1 − 1/2)(p2 − 1/2).

Piling-Up Lemma. Let Z_i, 1 ≤ i ≤ n, be independent random boolean variables which are 0 with probability p_i. Then
  Pr(Z_1 ⊕ Z_2 ⊕ ··· ⊕ Z_n = 0) = 1/2 + 2^(n−1) ∏_{i=1}^{n} (p_i − 1/2)

SLIDE 63

Joining linear approximations

Piling-Up Lemma. Let Z_i, 1 ≤ i ≤ n, be independent random boolean variables which are 0 with probability p_i. Then
  Pr(Z_1 ⊕ Z_2 ⊕ ··· ⊕ Z_n = 0) = 1/2 + 2^(n−1) ∏_{i=1}^{n} (p_i − 1/2)
or, equivalently,
  2 Pr(Z_1 ⊕ Z_2 ⊕ ··· ⊕ Z_n = 0) − 1 = ∏_{i=1}^{n} (2p_i − 1)

SLIDE 64

Linear cryptanalysis - iterated ciphers

c_i → ⊕k → x → f → c_(i+1)

- (α · c_i) ⊕ (α · x) = (α · k)
- (α · x) = (β · c_(i+1)) with probability p_i ≠ 1/2
- hence (α · c_i) ⊕ (β · c_(i+1)) = 0 with bias |p_i − 1/2| (whatever the value of α · k)
- a linear characteristic (δ_i, δ_(i+1)) with bias |p_i − 1/2| means that (δ_i · c_i) ⊕ (δ_(i+1) · c_(i+1)) = 0 with bias |p_i − 1/2|

SLIDE 65

Linear characteristics - iterated ciphers

··· c_i → ⊕k_i → g → c_(i+1) → ⊕k_(i+1) → g → c_(i+2) ···

Assume that
  (δ0 · c0) ⊕ (δ1 · c1) = 0 with bias |p1 − 1/2|
  (δ1 · c1) ⊕ (δ2 · c2) = 0 with bias |p2 − 1/2|
  ...
  (δ_(s−1) · c_(s−1)) ⊕ (δ_s · c_s) = 0 with bias |p_s − 1/2|
Then (u.s.a.) (δ0, δ1, ..., δ_s) is called an s-round linear characteristic with bias
  2^(s−1) ∏_{i=1}^{s} |p_i − 1/2|
(piling up the biases).

SLIDE 66

Linear attack - r-round iterated cipher

m → ⊕k0 → g → ⊕k1 → g → ··· → ⊕k_(r−1) → g → ⊕kr → c

- consider an (r − 1)-round characteristic (δ0, ..., δ_(r−1)) with bias b: (m · δ0) ⊕ (c_(r−1) · δ_(r−1)) = 0
- consider, for some value i, (m · δ0) ⊕ (g^(−1)(c, i) · δ_(r−1)) = 0   (∗)
- with i = kr, (∗) is the characteristic for r − 1 rounds
- Assumption: for i ≠ kr, (∗) is a random approximation with bias ≃ 0

SLIDE 67

Linear attack (2)

m → ⊕k0 → g → ⊕k1 → g → ··· → ⊕k_(r−1) → g → ⊕kr → c

- assume kr has κ bits
- for i = 0, ..., 2^κ − 1: compute the bias of (m · δ0) ⊕ (g^(−1)(c, i) · δ_(r−1)) = 0 using N known plaintexts
- guess kr = i for the value of i which produces the bias closest to the expected one
- complexity: N ≃ c · |p − 1/2|^(−2), c a small constant

SLIDE 68

Probability of linear characteristics

For the attack (k is the secret key): Pr_M((c_(r−1) · δ_(r−1)) ⊕ (m · δ0) = 0 | k is key). But k is unknown? Average over all keys: Pr_{M,K}((c_(r−1) · δ_(r−1)) ⊕ (m · δ0) = 0), which can be hard to calculate.

SLIDE 69

Probability of linear characteristics

Assume that |Pr_K((c_i · δ_i) = (c_(i−1) · δ_(i−1)) | c_(i−1) = γ) − 1/2| is independent of γ, and assume that the round keys are independent. Then the bias |Pr_{M,K}((c_(r−1) · δ_(r−1)) ⊕ (m · δ0) = 0) − 1/2| can be calculated from the one-round biases and the Piling-Up Lemma.

SLIDE 70

Example: CipherFour: block size 16, r rounds

Round keys independent, uniformly random. One round:

1. exclusive-or the round key to the text
2. split the text into four nibbles and evaluate each nibble via the S-box

   x     0 1 2 3 4 5 6 7 8 9 a b c d e f
   S(x)  6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b

   then concatenate the results into the 16-bit string y = y0, ..., y15
3. permute the bits in y according to

   y     0 1 2 3 4 5 6 7 8 9 a b c d e f
   P(y)  0 4 8 c 1 5 9 d 2 6 a e 3 7 b f

   so P(y) = y0, y4, y8, y12, y1, y5, y9, y13, y2, y6, y10, y14, y3, y7, y11, y15.

Exclusive-or a round key to the output of the last round.

SLIDE 71

Example cipher - linear attack

Linear approximation table for S (entries are (p − 1/2) · 16; rows are input masks 1, . . . , f, columns are output masks 1, . . . , f; '.' marks a zero entry)

[15 × 15 table; the entries did not survive extraction]

SLIDE 72

CipherFour - linear characteristic

Entry (cx, cx) has value '−6': bias −6/16, probability −6/16 + 1/2 = 2/16.
Thus (0 0 0 cx) S→ (0 0 0 cx) has bias 6/16.
Since P is linear, (0 0 0 cx) 1r→ (1 1 0 0x) is a one-round characteristic of bias 3/8.
Also, (1 1 0 0x) S→ (4 4 0 0x) has bias 2(4/16)(4/16) = 1/8.
So (u.s.a.) (0 0 0 cx) 2r→ (0 0 c 0x) is a two-round characteristic of bias 2(3/8)(1/8) = 3/32.

SLIDE 73

CipherFour - linear iterative characteristic

Better approach for CipherFour: (8 0 0 0x) S→ (8 0 0 0x) has bias 4/16, and therefore
(8 0 0 0x) 1r→ (8 0 0 0x) is a one-round characteristic of bias 1/4.
Use it to build t-round characteristics (8 0 0 0x) tr→ (8 0 0 0x) of bias 2^(t−1) · (1/4)^t = 2^(−1−t).

SLIDE 74

CipherFour - a linear attack

Consider CipherFour with 5 rounds and the four-round characteristic
(8 0 0 0x) 1r→ (8 0 0 0x) 1r→ (8 0 0 0x) 1r→ (8 0 0 0x) 1r→ (8 0 0 0x),
which (u.s.a.) has bias 2^(−1−4) = 1/32 according to the Piling-up Lemma.
For all values of the four bits in the last-round key, (partially) decrypt the ciphertexts one round and compute the bias.
The value of the key which produces a bias of 1/32 is taken as the value of the secret key.
N = c · |p − 1/2|^(−2) = c · 2^10 known plaintexts are required to find four bits of the last-round key.
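The following Python is an added example, not code from the slides: it implements CipherFour from slide 70, computes the LAT entries of slide 71, compares the piling-up estimate 2^(−1−t) of slide 73 with the exact bias over the full codebook, and ranks the 16 guesses for the four last-round key bits by the partial decryption of slide 74. The round keys are constructed, the function names are mine, and S(4) = 0 and P(0) = 0 are assumed to be the zero entries dropped from the extracted tables.

```python
from fractions import Fraction
# CipherFour (slide 70): 16-bit block, 4-bit S-box on each nibble, bit transpose P.
# Assumed: the zero entries the extracted tables dropped are S(4) = 0 and P(0) = 0.
S = [0x6, 0x4, 0xc, 0x5, 0x0, 0x7, 0x2, 0xe, 0x1, 0xf, 0x3, 0xd, 0x8, 0xa, 0x9, 0xb]
S_INV = [S.index(v) for v in range(16)]

def perm(y):
    """P: the bit at position 4a+b moves to 4b+a; P is an involution, so P^-1 = P."""
    return sum(((y >> (4 * a + b)) & 1) << (4 * b + a) for a in range(4) for b in range(4))

PAR = [bin(i).count("1") & 1 for i in range(1 << 16)]   # parity of a 16-bit word
SUB = [sum(S[(y >> 4 * i) & 0xf] << 4 * i for i in range(4)) for y in range(1 << 16)]
PERM = [perm(y) for y in range(1 << 16)]

def encrypt(m, keys):
    """len(keys) - 1 rounds of (key xor, S, P), then the final key xor."""
    x = m ^ keys[0]
    for k in keys[1:]:
        x = PERM[SUB[x]] ^ k
    return x

def lat(a, b):
    """Slide 71 table entry for input mask a and output mask b: (p - 1/2) * 16."""
    return sum(PAR[a & x] == PAR[b & S[x]] for x in range(16)) - 8

def piling_up_bias(t):
    """Slide 73: bias of the t-round (8 0 0 0x) -> (8 0 0 0x) characteristic, 2^(t-1) (1/4)^t."""
    return Fraction(2) ** (t - 1) * Fraction(1, 4) ** t

def measured_bias(keys, mask=0x8000):
    """Exact bias of (m . mask) = (c . mask) over the full codebook for these round keys."""
    hits = sum(PAR[m & mask] == PAR[encrypt(m, keys) & mask] for m in range(1 << 16))
    return Fraction(hits, 1 << 16) - Fraction(1, 2)

def last_round_biases(keys, mask=0x8000):
    """Slide 74: for each guess g of the four last-key bits P gathers into the top nibble, undo one round there and measure the bias."""
    hits = [0] * 16
    for m in range(1 << 16):
        v = PERM[encrypt(m, keys)] >> 12   # = S(top nibble before last round) ^ true g
        lhs = PAR[m & mask]
        for g in range(16):
            hits[g] += lhs == (S_INV[v ^ g] >> 3)
    return [Fraction(h, 1 << 16) - Fraction(1, 2) for h in hits]

KEYS = [0x1a2b, 0x3c4d, 0x5e6f, 0x7081, 0x92a3, 0xb4c5]   # constructed round keys, 5 rounds
TRUE_GUESS = PERM[KEYS[-1]] >> 12                         # the four key bits the attack recovers
if __name__ == "__main__":
    b = last_round_biases(KEYS)
    print("4-round bias:", measured_bias(KEYS[:5]), "estimate:", piling_up_bias(4))
    print("guesses by |bias|:", sorted(range(16), key=lambda g: -abs(b[g])), "true:", TRUE_GUESS)
```

For the correct guess the statistic equals the exact four-round bias, which for t ≥ 3 can deviate from the 2^(−1−t) estimate, since the estimate counts a single trail (the assumptions of slide 69) while several trails contribute (the linear hulls of the closing slide).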

SLIDE 75

Linear attack on DES

iterative 4-round characteristic
build a 14-round characteristic with bias 1.2 × 2^(−21)
guess six round-key bits in both the first and the last round
potential to find 12 key bits
swap the roles of plaintext and ciphertext, repeat the attack
in total, potential to find 24 bits of key information
find the remaining 32 bits by exhaustive search

SLIDE 76

Linear attack on DES

Estimate: with 2^45 known plaintexts a DES key can be recovered with 98.8% success rate.

Matsui-test: January 1994, key found in 50 days on 12 HP9735 workstations (120 MIPS), 2^43 known plaintexts.

Ciphertext-only attack possible, assuming English plaintexts encoded in ASCII.

SLIDE 77

Rounding off

intro to block ciphers
differential cryptanalysis: characteristics, differentials
linear cryptanalysis: linear hulls, the equivalent of differentials
the two most general attacks on block ciphers
good knowledge of how to protect against these attacks, see AES
