Post on 22-Dec-2015
Cryptanalysis on Substitution-Permutation Networks
Jen-Chang Liu, 2005
Ref: Cryptography: Theory and Practice, D. R. Stinson
Outline
* Substitution-permutation networks (SPN)
* Linear cryptanalysis
  * Linear approximation of S-boxes
  * Bias and piling-up lemma
  * A linear attack on an SPN
* Differential cryptanalysis
  * Differential distribution table of S-boxes
Substitution-permutation networks (1)
Substitution function (S-box)
1,01,0: S
z:    0 1 2 3 4 5 6 7 8 9 A B C D E F
S(z): E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
Ex. =4, 4-bit input
Substitution-permutation networks (2)
Permutation function
mmP ,,2,1,,2,1:
z:    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
P(z): 1  5  9 13  2  6 10 14  3  7 11 15  4  8 12 16
Ex. =m=4, 16-bit input
Input:  0100 0101 1101 0001
Output: 0010 1110 0000 0111
SPN example (figure)
Round 1, Round 2, Round 3, Round 4 (no permutation)
Ki: subkeys, XOR with input
Whitening: prevent attack
Substitution-permutation networks (3)
Implementation issues:
* S-Box: using look-up tables
  * 4-bit input: $2^4 \times 4 = 2^6$ bits memory space
  * 16-bit input: $2^{16} \times 16 = 2^{20}$ bits memory space
  * DES: 6 bits to 4 bits, AES: 8 bits to 8 bits
Variations of SPN:
* Different S-Boxes in each round, ex. DES
* Include invertible linear transformation in addition to permutation, ex. AES
Question about S-box: Are these S-boxes secure?
We will try to find some probabilistic relationship between (differential) input and (differential) output to S-boxes
Linear approximation table (1)
S-box
z:    0 1 2 3 4 5 6 7 8 9 A B C D E F
S(z): E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
Input: 4 bits; output: 4 bits
Linear approximation table (2)
Consider $T = X_1 \oplus X_4 \oplus Y_2$
Input: 4 bits; output: 4 bits
Pr[T=0]=1/2
Pr[T=1]=1/2
Linear approximation table (3)
Consider $T = X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$
Input: 4 bits; output: 4 bits
Pr[T=0]=1/8
Pr[T=1]=7/8
Linear approximation table (4)
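XOR of input and output bits can be taken as linear combination
$$T = \left(\bigoplus_{i=1}^{4} a_i X_i\right) \oplus \left(\bigoplus_{i=1}^{4} b_i Y_i\right)$$
$T = X_1 \oplus X_4 \oplus Y_2$: a = (1 0 0 1), b = (0 1 0 0)
$T = X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$: a = (0 0 1 1), b = (1 0 0 1)
For all a and b, we compute $N_L(a,b)$: number of occurrences such that T=0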
Linear approximation table (5)
Idea: a value away from 8 means some probabilistic relationship between input and output
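Added example (not part of the original slides): a Python sketch that computes $N_L(a,b)$ for every mask pair of the S-box above and reproduces the two cases worked on the slides, Pr[T=0]=1/2 for a = 1001, b = 0100 and Pr[T=0]=1/8 for a = 0011, b = 1001. The function names are this example's own; the masks are read with the leftmost bit selecting X1 or Y1.

```python
# S-box from the slides (row S(z) of the table), indexed by z.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1

def linear_approximation_table(sbox):
    """table[a][b] = N_L(a, b): number of inputs x for which
    T = (a . x) XOR (b . S(x)) equals 0."""
    n = len(sbox)
    return [[sum(parity(x & a) == parity(sbox[x] & b) for x in range(n))
             for b in range(n)] for a in range(n)]

def strongest(table):
    """Non-trivial (a, b) pairs whose N_L lies farthest from 8,
    returned as (a, b, N_L - 8)."""
    half = len(table) // 2
    devs = [(a, b, table[a][b] - half)
            for a in range(len(table)) for b in range(len(table))
            if (a, b) != (0, 0)]
    peak = max(abs(d) for _, _, d in devs)
    return [t for t in devs if abs(t[2]) == peak]

if __name__ == "__main__":
    lat = linear_approximation_table(SBOX)
    print("a\\b " + " ".join(f"{b:2X}" for b in range(16)))
    for a, row in enumerate(lat):
        print(f"{a:3X} " + " ".join(f"{v:2d}" for v in row))
    # Approximations an attacker would pick: largest |N_L - 8|.
    for a, b, d in strongest(lat):
        print(f"a={a:04b} b={b:04b}  N_L={d + 8:2d}  bias={d}/16")
```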
Bias of a random variable
X is a random variable taking on values from {0, 1}
Pr[X=0] = p
Pr[X=1] = 1-p
Bias of X is defined to be p - 1/2
* Bias with high absolute value implies non-randomness
Ex. Pr[X=0] = 1/2: bias = 0
Ex. Pr[X=0] = 1: bias = 1/2
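Piling-up lemma
Let $\mathrm{bias}(T)$ denote the bias of the random variable $T = X_1 \oplus X_2 \oplus \cdots \oplus X_k$. Then
$$\mathrm{bias}(T) = 2^{k-1} \prod_{i=1}^{k} \mathrm{bias}(X_i)$$
Ex. $T = X_1 \oplus X_2$: $\mathrm{bias}(T) = 2\,\mathrm{bias}(X_1)\,\mathrm{bias}(X_2)$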
A Linear Attack on an SPN (1)
T1 has bias 1/4
T2 has bias -1/4
T3 has bias -1/4
T4 has bias -1/4
$T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias $2^{3} \cdot \frac{1}{4} \cdot \left(-\frac{1}{4}\right)^{3} = -\frac{1}{32}$
A Linear Attack on an SPN (2)
Figure labels: X1 X2 X3; U1 U2 U3 U4
$T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_1 \oplus X_2 \oplus X_3 \oplus \text{(subkey bits)} \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$
A Linear Attack on an SPN (3)
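Previous result:
$T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_1 \oplus X_2 \oplus X_3 \oplus \text{(subkey bits)} \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$
Fix the subkey bits (assume the same key)
Thus,
$T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_1 \oplus X_2 \oplus X_3 \oplus \text{(0 or 1)} \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$
$X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$ has the same bias as $T_1 \oplus T_2 \oplus T_3 \oplus T_4$ (may have different sign, depending on subkey bits)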
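A Linear Attack on an SPN (4)
Figure labels: X1 X2 X3; U1 U2 U3 U4
$T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias $-\frac{1}{32}$
$X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4$ has bias $\pm\frac{1}{32}$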
Known-plaintext attack
Assume 8000 (x, y) pairs are known
Goal: solve the 8-bit subkey
Initialize: Counter[256]
For each (x, y) pair
    For subkey value s = 0 to 255
        determine U1, U2, U3, U4
        If $X_1 \oplus X_2 \oplus X_3 \oplus U_1 \oplus U_2 \oplus U_3 \oplus U_4 = 0$
            Counter[s]++
Final: Find s such that $\left|\frac{\text{Counter}[s]}{8000} - \frac{1}{2}\right| \approx \frac{1}{32}$
Linear cryptanalysis on DES
* 1994, Matsui (inventor of linear cryptanalysis)
* Using $2^{43}$ plaintext-ciphertext pairs (generated using the same key): it takes 40 days
* Use linear cryptanalysis to find the key: 10 days
* However, it is unlikely to accumulate such a large number of plaintext-ciphertext pairs
Differential cryptanalysis
Find the probabilistic relationship between XOR of two inputs and XOR of two outputs
Two binary streams:
0101100….01110
1001010….01100
XOR of the two streams:
1100110….00010
Different bits will be labeled as 1 after XOR
Analyzing the Cipher Components
4×4 S-box: input X = [X1 X2 X3 X4], output Y = [Y1 Y2 Y3 Y4]
Input pair (X', X''), with $\Delta X = X' \oplus X''$ and $\Delta Y = Y' \oplus Y''$
Given ΔX, we want to determine the associated probabilities for each ΔY
Difference distribution table
(table axes: ΔX, ΔY)
ΔX = 1011 (hex B), ΔY = 0010: probability = $8/2^4$ = 8/16
ΔX = 1000 (hex 8), ΔY = 1011: probability = 4/16
ΔX = 0100 (hex 4), ΔY = 1010: probability = 0/16
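Added example (not part of the original slides): a Python sketch that builds the difference distribution table of the S-box used throughout these slides and reproduces the three probabilities above. It also checks that XORing a subkey into the S-box input leaves the table unchanged, because the subkey cancels in X' ⊕ X''. The function names are this example's own.

```python
from fractions import Fraction

# S-box from the slides (row S(z) of the table), indexed by z.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) xor S(x xor dx) == dy."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt

def keyed_ddt(sbox, key):
    """Same table for the keyed map x -> S(x xor key)."""
    keyed = [sbox[x ^ key] for x in range(len(sbox))]
    return difference_distribution_table(keyed)

def probability(ddt, dx, dy):
    """Pr[output difference dy | input difference dx]."""
    return Fraction(ddt[dx][dy], len(ddt))

if __name__ == "__main__":
    ddt = difference_distribution_table(SBOX)
    print("dX\\dY " + " ".join(f"{dy:2X}" for dy in range(16)))
    for dx, row in enumerate(ddt):
        print(f"{dx:5X} " + " ".join(f"{v:2d}" for v in row))
    # The three (dX, dY) cases worked on the slide.
    for dx, dy in [(0xB, 0x2), (0x8, 0xB), (0x4, 0xA)]:
        print(f"dX={dx:04b} dY={dy:04b} p={probability(ddt, dx, dy)}")
    # The subkey drops out of the difference for every key value.
    print(all(keyed_ddt(SBOX, k) == ddt for k in range(16)))
```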
ΔX = [0000 1011 0000 0000]
ΔU = [xxxx 0110 xxxx 0110] with prob. = 0.0264
5000 chosen plaintext pairs:
[0000 1011 0000 0000, 0000 0000 0000 0000]
[0000 1011 0000 0001, 0000 0000 0000 0001]
[0000 1011 0000 0010, 0000 0000 0000 0010]
…
5000 ciphertext pairs: [Y1, Y’1], [Y2, Y’2], [Y3, Y’3], …
Differential Cryptanalysis on DES
* Biham and Shamir, 1993
* Complexity: order of $2^{47}$, requiring $2^{47}$ chosen plaintext
* Recall: brute-force search: $2^{55}$
* In fact, the DES designers knew differential cryptanalysis early in 1974
  * They had strengthened S-boxes
Programming project #2
* Generate tables for the following DES S-Box:
  * linear approximation table
  * difference distribution table
* Output your results in a well-formatted ASCII text file
* Due date: 11/1
Notes for Programming Project #1
You must submit PowerPoint slides, which include
* Description of your DES source code, how to use it (write a small sample program to demo how to use it)
* How do you evaluate the avalanche effects of DES?
* The results of your experiments
* All programs