
CS 519 Cryptography and Network Security
Differential & Linear Cryptanalysis
Instructor: Ali Aydin Selcuk
© A. Selcuk

Slide 2: Block Cipher Cryptanalysis
– Find a property of the cipher that "distinguishes" it from a random function (a "distinguisher"). Such a property is usually constructed beginning from the 1-round cipher, or from the s-boxes.
– Once such a property is found, extend it to obtain a distinguisher for r-1 (or r-2) rounds of the cipher.
– Having found such a distinguisher, attack (parts of) the first or the last round key by exhaustive trial.

Slide 3: Differential Cryptanalysis
A chosen plaintext attack that exploits the non-uniform difference propagations over rounds. To attack an r-round cipher:
– Find a "characteristic" (a sequence of differences) which relates an input difference to an (r-1)st round difference with a non-trivial probability.
– Assuming the characteristic holds, find the last round key from ∆X_{r-1} and ∆X_r (i.e. ∆C).
The remaining key bits can be attacked either by brute force or by DC on r-1 rounds.

Slide 4: Differential Cryptanalysis
Two questions:
– How to find such a "characteristic"? (∆L_0, ∆R_0) → (∆L_{r-1}, ∆R_{r-1})
– How to obtain K_r from here?
[Figure: Feistel rounds carrying (∆L_0, ∆R_0) through to (∆L_{r-1}, ∆R_{r-1}); the last round applies f with the unknown key K_r = ? and outputs (∆L_r, ∆R_r).]

Slide 5: DC of Feistel Ciphers
A characteristic of a Feistel cipher must be of the following form (α_i denotes the input difference of f in round i, β_i its output difference):
α_1 = ∆R_0
α_2 = ∆L_0 ⊕ β_1
α_3 = α_1 ⊕ β_2
α_4 = α_2 ⊕ β_3
...
[Figure: Feistel rounds with the input difference α_i entering f and the output difference β_i leaving f in each round.]

Slide 6: E.g.: 1-round DES
A difference of the f function: for inputs X(1) and X(2) with difference
Ψ = X(1) ⊕ X(2) = 0001 1001 0110 0000 ... 0000,
the f outputs agree (output difference 0) with probability
P(Ψ → 0) = (14 · 8 · 10) / 64³ ≈ 1/234.
E.g., for 14 out of the 64 possible inputs, we have S1(X ⊕ K) = S1(X ⊕ K ⊕ ∆X) for ∆X = 000011 on S1.
[Figure: Ψ expanded by E into the inputs of S1, S2 and S3.]

Slide 7: An Iterative DES Characteristic (Biham & Shamir, 1992)
This 2-round DES characteristic can be concatenated by itself:
[Figure: input difference (Ψ, 0); in the first round f maps the difference 0 to 0 with p = 1, in the second round f maps Ψ to 0 with p = 1/234; the output difference is (Ψ, 0) again.]

Slide 8: 16-round DES Attack
– Start with pairs P(1) ⊕ P(2) = (Ψ, 0).
– Take those pairs with ∆L_16 = Ψ.
– Assuming that ∆R_15 = 0, we have ∆Y_16 = ∆R_16.
– We know X_16(1), X_16(2) from the ciphertext.
– Take the values of K_16 that can map X_16(1), X_16(2) to ∆Y_16 and increment their counters.
– After all collected pairs are processed, take the K_16 value that is suggested most.
[Figure: rounds 1 to 16 starting from (∆L_0, ∆R_0) = (Ψ, 0), with the 2-round characteristic repeated through round 15 and the f output difference ∆Y_16 of round 16 related to (∆L_16, ∆R_16).]

Slide 9: DC of DES
– 8 rounds: 2^14 chosen plaintexts
– 12 rounds: 2^31 chosen plaintexts
– 16 rounds: 2^47 chosen plaintexts (first cryptanalysis of the 16-round DES faster than exhaustive search)
Ordering of the s-boxes turned out to be optimized against DC!

Slide 10: Linear Cryptanalysis
A statistical known plaintext attack. Correlations among plaintext, ciphertext and key bits are exploited:
– Find a binary equation of pt, ct, key bits ("linear approximation") which shows a non-trivial correlation among them ("bias").
– Collect a large pt-ct sample.
– Try all key values with the collected pt-ct in the equation (hence, relatively few key bits must be involved).
– Take the key that maximizes the bias as the right key.
The remaining key bits can be found by brute force or by another LC attack.

Slide 11: Linear Approximation
A linear approximation of r-1 rounds:
P[i_1...i_a] ⊕ X_{r-1}[j_1...j_b] = K[m_1...m_c] with p ≠ ½ (p = 1 is usually not possible).
|p – ½|: the "bias" of the approximation.
(Notation: X_i: ciphertext after i rounds; S[...]: xor of the specified bits of the string S.)
Expressed in terms of the ciphertext:
P[i_1...i_a] ⊕ F(C, K_r)[j_1...j_b] = K[m_1...m_c]
where F is related to the last round's decryption.

Slide 12: LC Attack
Approximation: P[i_1...i_a] ⊕ F(C, K_r)[j_1...j_b] = K[m_1...m_c] (1)
– Collect a large number N of pt-ct blocks.
– For all possible K_r values, compute the left side of (1).
– With T(i) denoting the number of zeros for the i-th candidate, take the K_r value that maximizes the "sample bias" |T(i) – N/2| as the right key.
– Another bit of key information (that is, K[m_1...m_c]) can be obtained by comparing the signs of (p – ½) and (T(i) – N/2).

Slide 13: Linear Approximation of DES' f Function
Shamir's discovery (1985): P(16·x = 15·S5(x)) = 12/64, where "·" denotes the binary dot product. (Brickell et al.: "Normal")
From s-box to f function: x[15] ⊕ f(x,k)[7,18,24,29] = k[22], p = 12/64.

Slide 14: Combining Round Approximations
Round 1: L_0[7,18,24,29] ⊕ L_1[7,18,24,29] ⊕ R_0[15] = K_1[22], p_1 = 12/64
Round 3: L_2[7,18,24,29] ⊕ L_3[7,18,24,29] ⊕ R_2[15] = K_3[22], p_3 = 12/64
When these approximations are combined, we get the 3-round approximation:
L_0[7,18,24,29] ⊕ R_0[15] ⊕ L_3[7,18,24,29] ⊕ R_3[15] = K_1[22] ⊕ K_3[22]
(no intermediate terms are left), with
p = p_1 p_3 + (1 – p_1)(1 – p_3) = ½ + 2(p_1 – ½)(p_3 – ½)
assuming the round approximations are independent.
[Figure: three Feistel rounds (L_0, R_0) to (L_3, R_3), with the masks 7,18,24,29 and 15 applied around f in rounds 1 and 3 and the trivial approximation in round 2.]

Slide 15: Linear Approximations of Feistel Ciphers
For the intermediate terms to cancel out, we need (α_i denoting the mask on the f input and β_i the mask on the f output in round i):
α_{i+1} = β_i ⊕ α_{i-1}
The probability of the combined approximation is
p = ½ + 2^{r-1} ∏_i (p_i – ½)
assuming the round approximations are independent.
[Figure: r Feistel rounds with the masks α_i and β_i around f in each round, chained so that α_r = β_{r-1} ⊕ α_{r-2}.]

Slide 16: Best DES Approximation (Matsui, 1993)
A: x[15] ⊕ f(x,k)[7,18,24,29] = k[22], p = 12/64
C: x[29] ⊕ f(x,k)[15] = k[44], p = 30/64
D: x[15] ⊕ f(x,k)[7,18,24] = k[22], p = 42/64
[Figure: Feistel rounds with the masks 7,18,24,29 / 15 and 7,18,24 / 15 and 29 / 15 around f, the round approximations chained in the pattern ... D C A — A C D — D, where a dash marks a round without an active approximation.]
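Added example (not from the slides): Python that computes the linear approximation table entry N_S5(16, 15) = 12 behind slide 13 from the FIPS 46 table of S5 (typed in here), searches the whole table of S5 for its most biased entry (which goes beyond what the slide states), and applies the piling-up formula of slides 14 and 15 to the 3-round approximation and to the A, C, D probabilities of slide 16.

```python
# DES S5 (FIPS 46 table), 4 rows x 16 columns.
S5 = [[2,12,4,1,7,10,11,6,8,5,3,15,13,0,14,9],
      [14,11,2,12,4,7,13,1,5,0,15,10,3,9,8,6],
      [4,2,1,11,10,13,7,8,15,9,12,5,6,3,0,14],
      [11,8,12,7,1,14,2,13,6,15,0,9,10,4,5,3]]

def sbox(table, x):
    """6-bit input -> 4-bit output: outer bits select the row, inner four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]

def dot(mask, v):
    """Binary dot product mask . v: XOR of the bits of v selected by mask."""
    return bin(mask & v).count("1") & 1

def lat_count(table, in_mask, out_mask):
    """Linear approximation table entry N(a, b): number of the 64 inputs x
    with a . x == b . S(x); the bias of the approximation is |N/64 - 1/2|."""
    return sum(1 for x in range(64)
               if dot(in_mask, x) == dot(out_mask, sbox(table, x)))

def most_biased(table, top=3):
    """Non-trivial LAT entries (a, b, N) with the largest |N - 32|."""
    entries = [(a, b, lat_count(table, a, b))
               for a in range(1, 64) for b in range(1, 16)]
    return sorted(entries, key=lambda e: -abs(e[2] - 32))[:top]

def piling_up(probs):
    """Piling-up lemma: p = 1/2 + 2^(r-1) * prod(p_i - 1/2) for r independent
    round approximations with probabilities p_i."""
    eps = 1.0
    for p in probs:
        eps *= p - 0.5
    return 0.5 + 2 ** (len(probs) - 1) * eps

if __name__ == "__main__":
    print(lat_count(S5, 16, 15))                  # 12  (Shamir's 16.x = 15.S5(x))
    print(most_biased(S5, 1))                     # top entry has bias |N - 32| = 20
    print(piling_up([12 / 64, 12 / 64]))          # 0.6953125 (3-round approximation)
    print(piling_up([12 / 64, 30 / 64, 42 / 64])) # 0.506103515625 (A, C, D combined)
```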

Slide 17: LC of DES
– 8 rounds: 2^21 known plaintexts
– 12 rounds: 2^33 known plaintexts
– 16 rounds: 2^43 known plaintexts
First experimental cryptanalysis of the 16-round DES (Matsui, 1994).
Ordering of the s-boxes was far from optimal against LC.

Slide 18: Issues in DC & LC
An (r-1)-round relation is found, which is used to attack the last round key K_r (r-2 round attacks are also possible).
Assumptions:
– key independence of the characteristic/approximation used;
– independence of the individual round characteristics/approximations.
Helped by:
– the invertible key schedule of DES;
– lack of key mixing after the last round's substitution.

Slide 19: Results of DC & LC
Discovery of the DC & LC attacks motivated:
– the theory of functions resistant against differential & linear attacks;
– new block cipher design techniques (resulting in AES);
– development of non-invertible key schedules.
