Block Ciphers - The Basics

Intro · Attack on iterated ciphers · Differential cryptanalysis · Linear cryptanalysis

Lars R. Knudsen

Spring 2011

L.R. Knudsen Block Ciphers - The Basics

Content

Introduction

Iterated ciphers

Cryptanalysis

Differential cryptanalysis

Linear cryptanalysis

Symmetric encryption

Same key for encryption and decryption

Two types

Block ciphers

Stream ciphers

Symmetric encryption: Model of reality

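[Figure: model with M-Source, sender, K-Source, receiver and Enemy; message $m$, ciphertext $c$ sent over the insecure channel (observed by the Enemy), key $k$ delivered over the secure channel.]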

Symmetric encryption

Kerckhoffs’ principle

Everything is known to an attacker except for the value of the secret key.

Attack scenarios

Ciphertext only

Known plaintext

Chosen plaintext/ciphertext

Adaptive chosen plaintext/ciphertext (black-box)

From classical crypto to modern crypto

looking back..

(almost) all ciphers before 1920s very weak

1920s, rotor machines, mechanical crypto

Enigma, Germany

Sigaba, USA

Typex, UK

1970s, computers take over from rotor machines

ciphers operate on long sequence of bits (bytes)

Block ciphers

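Input block $m$, output block $c$, key $k$

[Figure: $m \rightarrow e \rightarrow c$, with key $k$ fed into $e$]

$e : \{0,1\}^n \times \{0,1\}^\kappa \rightarrow \{0,1\}^n$

given $k$, easy to encrypt and decrypt

given $m, c$, hard to compute $k$ such that $e_k(m) = c$

one-way function: $f(k) = e_k(m_0)$ for fixed $m_0$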

Block ciphers

Applications

block encryption (symmetric)

pseudorandom number generators/stream ciphers

message authentication codes

building block in hash functions

one-way functions

Block cipher, $n$-bit blocks, $\kappa$-bit key

family of $n$-bit permutations

# $n$-bit permutations in block cipher: $2^\kappa$

# $n$-bit permutations: $2^n! \simeq (2^{n-1})^{2^n}$

DES: $n = 64$, $\kappa = 56$

AES: $n = 128$, $\kappa = 128, 192, 256$

design aim: choose the $2^\kappa$ permutations uniformly at random from the set of all $2^n!$ permutations

Cryptanalysis

Assumption

Assume cryptanalyst has access to black-box implementing block cipher with secret key $k$

Aims of cryptanalyst

find key $k$, or

find $(m, c)$ such that $e_k(m) = c$ for unknown $k$, or

distinguish member of block cipher from randomly chosen permutation

Generic, brute-force attacks

Block size $n$, key size $\kappa$

1. exhaustive key search

   try all keys, one by one

   $\lceil \kappa/n \rceil$ texts, time $2^\kappa$, storage small

2. table attack

   store $e_k(m_0)$ for all $k$

   storage $2^\kappa$, time (of attack) small

3. Hellman tradeoffs of 1 and 2, e.g. $n = \kappa$, $2^{2n/3}$ time & memory

Generic, brute-force attacks (cont.)

Dictionary and birthday attacks

known plaintexts: Collect pairs $(m, c)$

ciphertext-only: Collect ciphertexts, look for matches $c_i = c_j$.

Example

CBC mode

1. Collect $2^{n/2}$ ciphertext blocks

2. With 2 equal ciphertext blocks $c_i = c_j$ $\Rightarrow$ $e_k(m_i \oplus c_{i-1}) = e_k(m_j \oplus c_{j-1})$ $\Rightarrow$ $m_i \oplus m_j = c_{i-1} \oplus c_{j-1}$

(similar attacks for ECB and CFB)
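The CBC relation above, as an added Python example (not code from the slides). It assumes a toy 16-bit block size and uses a seeded random permutation as a stand-in for $e_k$; message, IV and seed are constructed. Only ciphertext and the public IV are used to compute the leaked values.

```python
import random

BLOCK_BITS = 16  # toy block size (assumption) so 2^(n/2) = 256 blocks is cheap to exceed


def make_block_cipher(rng):
    """Stand-in for e_k: a random permutation of all 16-bit blocks, as a lookup table."""
    table = list(range(1 << BLOCK_BITS))
    rng.shuffle(table)
    return table


def cbc_encrypt(blocks, ek, iv):
    """CBC mode: c_i = e_k(m_i XOR c_{i-1}), with c_{-1} = iv."""
    out, prev = [], iv
    for m in blocks:
        prev = ek[m ^ prev]
        out.append(prev)
    return out


def leaked_xors(cipher_blocks, iv):
    """For every repeated ciphertext block c_i == c_j (i < j), return
    (i, j, c_{i-1} XOR c_{j-1}); by the CBC relation this equals m_i XOR m_j."""
    prev = [iv] + cipher_blocks[:-1]
    first_seen, leaks = {}, []
    for j, c in enumerate(cipher_blocks):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, prev[i] ^ prev[j]))
        else:
            first_seen[c] = j
    return leaks


def demo(n_blocks=2048, seed=7):
    """Encrypt a constructed random message of n_blocks blocks (well above 2^(n/2))."""
    rng = random.Random(seed)
    ek = make_block_cipher(rng)
    iv = rng.randrange(1 << BLOCK_BITS)
    msg = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    leaks = leaked_xors(cbc_encrypt(msg, ek, iv), iv)
    return msg, leaks


if __name__ == "__main__":
    msg, leaks = demo()
    print(f"{len(leaks)} colliding block pairs among {len(msg)} blocks")
    for i, j, x in leaks[:5]:
        print(f"c[{i}] == c[{j}]  ->  m[{i}] ^ m[{j}] = {x:04x}",
              "(matches)" if msg[i] ^ msg[j] == x else "(MISMATCH)")
```

With $n = 64$ the same effect needs about $2^{32}$ blocks under one key, which is why the amount of data encrypted per key has to stay well below $2^{n/2}$ blocks.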

Short-cut attacks

Success dependent on intrinsic properties of e(·)

Differential cryptanalysis

Linear cryptanalysis

Interpolation attacks

Integral attacks

Related key attacks

Variants of the above: higher-order differentials, truncated differentials, mod n attack, boomerang attack, ...

Iterated block ciphers (DES, AES, . . . )

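[Figure: $m \rightarrow \oplus k_0 \rightarrow g \rightarrow \oplus k_1 \rightarrow g \rightarrow \oplus k_2 \cdots \rightarrow g \rightarrow \oplus k_r \rightarrow c$]

plaintext $m$, ciphertext $c$, key $k$

key-schedule: user-selected key $k \rightarrow k_0, \ldots, k_r$

round function, $g$, weak by itself

idea: $g^r$, strong for “large” $r$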

DES

History

developed in early 70’s by IBM using 17 man years

evaluation by National Security Agency (US)

1975: publication of proposed standard

public discussion (trapdoors, key size)

1977: publication of FIPS 46 (DES)

most realistic attack is exhaustive search for key

DES

Parameters

block size 64 bits

key size 64 bits, effective 56 bits

16 round Feistel cipher

Feistel network

[Figure: one Feistel round, with round function $f$ and $\oplus$]

DES

Results

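$\forall\, m, k : c = \mathrm{DES}_k(m) \iff \bar{c} = \mathrm{DES}_{\bar{k}}(\bar{m})$

4 weak keys: $\mathrm{DES}_k(\mathrm{DES}_k(m)) = m$, $\forall\, m$

6 pairs of semi-weak keys: $\mathrm{DES}_{k_1} = \mathrm{DES}_{k_2}^{-1}$

differential cryptanalysis (1991), $2^{47}$ chosen plaintexts

linear cryptanalysis (1993), $2^{45}$ known plaintexts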

key search engine (98-99), 1 mio US$, 1 key/30 min.

record for finding DES-key: 22 hours, 1999

AES

Advanced Encryption Standard

US governmental encryption standard

open (world) competition announced January 97

keys: choice of 128-bit, 192-bit, and 256-bit keys

blocks: 128 bits

October 2000: AES=Rijndael

standard: FIPS 197, November 2001

iterated cipher, 10, 12 or 14 iterations depending on key

Multiple encryption

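1. assume $e_\cdot(\cdot)$ is a block cipher

2. double encryption

   [Figure: $m \rightarrow e_{k_1} \rightarrow e_{k_2} \rightarrow c$]

3. triple encryption

   [Figure: $m \rightarrow e_{k_1} \rightarrow e_{k_2} \rightarrow e_{k_3} \rightarrow c$]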

Triple-DES

$e_k(\cdot)$, $d_k(\cdot)$: single encryption and decryption

two-key triple DES:

$c = e_{k_1}(d_{k_2}(e_{k_1}(m)))$

known attack: time $\simeq 2^{120}/2^t$, $2^t$ known plaintexts

triple DES:

$c = e_{k_3}(e_{k_2}(e_{k_1}(m)))$

known attack: time $\simeq 2^{112}$, 2 known plaintexts, memory $\approx 2^{56}$

Provably secure encryption (assuming ideal components)

1. assume $p(\cdot)$ is ideal $n$-bit bijection (permutation)

2. Even-Mansour (1991)

   [Figure: $m \rightarrow \oplus k_0 \rightarrow p \rightarrow \oplus k_1 \rightarrow c$]

3. security bound of $2^{n/2}$

4. bound tight, attack by Daemen

Provably secure encryption (assuming ideal components)

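1. assume $p(\cdot)$ and $q(\cdot)$ are two ideal $n$-bit bijections

2. Knudsen-Leander et al. (work in progress)

   [Figure: $m \rightarrow \oplus k_0 \rightarrow p \rightarrow \oplus k_1 \rightarrow q \rightarrow \oplus k_2 \rightarrow c$]

3. security bound of $2^{\frac{2}{3}n}$

4. with $r$ “rounds”, bound is $2^{\frac{r}{r+1}n}$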

Generic attack: r-round iterated ciphers

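[Figure: $m \rightarrow \oplus k_0 \rightarrow g \rightarrow \oplus k_1 \rightarrow g \rightarrow \oplus k_2 \cdots \rightarrow c_{r-1} \rightarrow g \rightarrow \oplus k_r \rightarrow c$]

1. assume “correlation” between $m$ and $c_{r-1}$

2. given a number of pairs $(m, c)$

3. repeat for all pairs and all values $i$ of $k_r$:

   1. let $c' = g^{-1}(c \oplus i)$, compute $x = \mathrm{cor}(m, c')$

   2. if key gives $\mathrm{cor}(m, c_{r-1})$, increment counter

4. value of $i$ which yields $\mathrm{cor}(m, c_{r-1})$ taken as value of $k_r$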

Differential cryptanalysis - (Biham-Shamir 1991)

chosen plaintext attack

assume $x$ is combined with key, $k$, via group operation $\otimes$

define difference of $x_1$ and $x_2$ as

$\Delta(x_1, x_2) = x_1 \otimes x_2^{-1}$

difference same after combination of key

$\Delta(x_1 \otimes k, x_2 \otimes k) = x_1 \otimes k \otimes k^{-1} \otimes x_2^{-1} = \Delta(x_1, x_2)$

definition of difference relative to cipher (often exor)

Differential cryptanalysis (2)

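Consider $r$-round iterated ciphers of the form

[Figure: $m \rightarrow \oplus k_0 \rightarrow g \rightarrow \oplus k_1 \rightarrow g \rightarrow \oplus k_2 \cdots \rightarrow g \rightarrow \oplus k_r \rightarrow c$]

Main criterion for success

distribution of differences through nonlinear components of $g$ is non-uniform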

Differential cryptanalysis - example (1)

$n$-bit strings $m$, $c$, $k$

$c = m \oplus k$

key used only once, system unconditionally secure under a ciphertext-only attack

key used more than once, the system is insecure, since

$c \oplus c' = (m \oplus k) \oplus (m' \oplus k) = m \oplus m'$

note that key cancels out

Differential cryptanalysis - example (2)

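$k_0, k_1$: $n$-bit keys, $S : \{0,1\}^n \rightarrow \{0,1\}^n$

$c = S(m \oplus k_0) \oplus k_1$

assume attacker knows two message pairs $(m, c)$ and $(m', c')$

[Figure: $m \rightarrow \oplus k_0 \rightarrow u \rightarrow S \rightarrow v \rightarrow \oplus k_1 \rightarrow c$]

from $m, m'$, compute $u \oplus u' = m \oplus m'$

key recovery: from $c$, $c'$ and $k_1$, compute $u \oplus u'$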

Differential cryptanalysis - example (3)

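$k_0, k_1, k_2$: $n$-bit keys, $S : \{0,1\}^n \rightarrow \{0,1\}^n$

$c = S(S(m \oplus k_0) \oplus k_1) \oplus k_2$

assume attacker knows $(m, c)$ and $(m', c')$

[Figure: $m \rightarrow \oplus k_0 \rightarrow u \rightarrow S \rightarrow v \rightarrow \oplus k_1 \rightarrow w \rightarrow S \rightarrow x \rightarrow \oplus k_2 \rightarrow c$]

from $m, m'$, compute $u \oplus u' = m \oplus m'$

from $c$, $c'$ and $k_2$, compute $v \oplus v'$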

then what?

Differential cryptanalysis - example (4)

Assume for concreteness that n = 4 and that S is

x 0 1 2 3 4 5 6 7 8 9 a b c d e f

S(x) 6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b

consider two inputs to $S$, $m$ and $\bar{m}$, where $\bar{m}$ is the bitwise complemented value of $m$.

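| m | m′ | S(m) | S(m′) | S(m) ⊕ S(m′) |
|---|----|------|-------|--------------|
| 0 | f | 6 | b | d |
| 1 | e | 4 | 9 | d |
| 2 | d | c | a | 6 |
| 3 | c | 5 | 8 | d |
| 4 | b | 0 | d | d |
| 5 | a | 7 | 3 | 4 |
| 6 | 9 | 2 | f | d |
| 7 | 8 | e | 1 | f |
| 8 | 7 | 1 | e | f |
| 9 | 6 | f | 2 | d |
| a | 5 | 3 | 7 | 4 |
| b | 4 | d | 0 | d |
| c | 3 | 8 | 5 | d |
| d | 2 | a | c | 6 |
| e | 1 | 9 | 4 | d |
| f | 0 | b | 6 | d |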

Differential cryptanalysis - example (5)

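[Figure: $m \rightarrow \oplus k_0 \rightarrow u \rightarrow S \rightarrow v \rightarrow \oplus k_1 \rightarrow w \rightarrow S \rightarrow x \rightarrow \oplus k_2 \rightarrow c$]

choose random $m$, get $(m, c)$, $(m', c')$, where $m \oplus m' = \mathtt{f}_x$.

then $u \oplus u' = \mathtt{f}_x$, $v \oplus v' = \delta$

for correct value of $k_2$: In 10 of 16 cases, one gets $\delta = \mathtt{d}_x$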

Assumption

for an incorrect value of k2, δ is random

Differential cryptanalysis - example (6)

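[Figure: $m \rightarrow \oplus k_0 \rightarrow u \rightarrow S \rightarrow v \rightarrow \oplus k_1 \rightarrow w \rightarrow S \rightarrow x \rightarrow \oplus k_2 \rightarrow c$]

1. choose random $m$, compute $m' = m \oplus \mathtt{f}_x$, obtain $(m, c)$ and $(m', c')$

2. for $i = 0, \ldots, 15$: (guess $k_2 = i$)

   1. compute $\delta = S^{-1}(c \oplus i) \oplus S^{-1}(c' \oplus i)$

   2. if $\delta = \mathtt{d}_x$ increment counter for $i$

3. go to 1, until one counter holds significant value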
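Examples (4) to (6) as an added Python example (not code from the slides): it computes the distribution of output differences of $S$ and runs the counting procedure above against $c = S(S(m \oplus k_0) \oplus k_1) \oplus k_2$. The key values are constructed; because blocks are only 4 bits, all 16 plaintexts are used instead of random sampling.

```python
# S-box from the slides; keys and helper names below are constructed for this example.
S = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE, 0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
S_INV = [0] * 16
for _x, _y in enumerate(S):
    S_INV[_y] = _x


def ddt(sbox):
    """table[a][b] = number of inputs x with S(x) ^ S(x ^ a) == b."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def encrypt(m, k0, k1, k2):
    """Toy cipher of example (3): c = S(S(m ^ k0) ^ k1) ^ k2."""
    return S[S[m ^ k0] ^ k1] ^ k2


def recover_k2(oracle, in_diff=0xF, out_diff=0xD):
    """Counting attack of example (6).

    oracle(m) encrypts under the unknown key. For each pair (m, m ^ in_diff)
    and each guess i of k2, undo the last key addition and S-box and count
    how often the difference in front of the last S-box equals out_diff.
    """
    counters = [0] * 16
    for m in range(16):                       # every plaintext of the 4-bit block
        c, c2 = oracle(m), oracle(m ^ in_diff)
        for i in range(16):
            delta = S_INV[c ^ i] ^ S_INV[c2 ^ i]
            if delta == out_diff:
                counters[i] += 1
    best = max(range(16), key=counters.__getitem__)
    return best, counters


def demo():
    k0, k1, k2 = 0x3, 0xA, 0x6                # constructed secret key
    table = ddt(S)
    guess, counters = recover_k2(lambda m: encrypt(m, k0, k1, k2))
    return table, guess, counters


if __name__ == "__main__":
    table, guess, counters = demo()
    print("inputs with difference f -> d:", table[0xF][0xD])
    print("counters per guess of k2:", counters)
    print("recovered k2 = %x" % guess)
```

The counters for wrong guesses are not uniform (one wrong guess still reaches 6 against 10 for the right one), which shows how rough the "δ is random" assumption is on such a small cipher.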

Idea in differential attacks

consider r -round iterated ciphers

find suitable differences in plaintexts such that differences in ciphertexts after $r - 1$ rounds can be determined with good probability.

for all values of last-round key $k_r$, compute difference after $r - 1$ rounds of encryption from the ciphertexts

Example. CipherFour: block size 16, r rounds

Round keys independent, uniformly random. One round:

1. exclusive-or round key to text

2. split text, evaluate each nibble via S-box

   x 0 1 2 3 4 5 6 7 8 9 a b c d e f

   S(x) 6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b

   and concatenate results into 16-bit string $y = y_0, \ldots, y_{15}$

3. permute bits in $y$ according to:

   y 0 1 2 3 4 5 6 7 8 9 a b c d e f

   P(y) 0 4 8 c 1 5 9 d 2 6 a e 3 7 b f

   so, $P(y) = y_0, y_4, \ldots, y_{11}, y_{15}$.

Exclusive-or round key to output of last round

Product cipher example - 16-bit messages

[Figure: product cipher on a 16-bit message $m$, with round keys $k_0$ and $k_1$ and, in each round, four parallel 4-bit S-boxes.]

Differential characteristics

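denote by

$(\alpha_0, \alpha_1, \alpha_2, \alpha_3) \xrightarrow{S} (\beta_0, \beta_1, \beta_2, \beta_3)$

that two 4-word inputs to S-boxes of differences $(\alpha_0, \alpha_1, \alpha_2, \alpha_3)$ lead to outputs from S-boxes of differences $(\beta_0, \beta_1, \beta_2, \beta_3)$ with some probability $p$

similar notation for $P$, $(\beta_0, \beta_1, \beta_2, \beta_3) \xrightarrow{P} (\gamma_0, \gamma_1, \gamma_2, \gamma_3)$

then

$(\alpha_0, \alpha_1, \alpha_2, \alpha_3) \xrightarrow{1r} (\gamma_0, \gamma_1, \gamma_2, \gamma_3)$

is called a one-round characteristic of probability $p$ for CipherFour.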

Differential characteristics - probabilities

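assume $\Pr(\alpha_i \xrightarrow{S_i} \beta_i) = p_i$ for $i = 0, \ldots, 3$ where probability is computed over all inputs to $S_i$

then $\Pr((\alpha_0, \alpha_1, \alpha_2, \alpha_3) \xrightarrow{S} (\beta_0, \beta_1, \beta_2, \beta_3)) = p_0 p_1 p_2 p_3$

assume further that $(\alpha_0, \alpha_1, \alpha_2, \alpha_3) \xrightarrow{1r} (\gamma_0, \gamma_1, \gamma_2, \gamma_3)$ is of probability $p$ and that $(\gamma_0, \gamma_1, \gamma_2, \gamma_3) \xrightarrow{1r} (\phi_0, \phi_1, \phi_2, \phi_3)$ is of probability $q$

then under suitable assumptions (u.s.a.) $(\alpha_0, \alpha_1, \alpha_2, \alpha_3) \xrightarrow{2r} (\phi_0, \phi_1, \phi_2, \phi_3)$ is of probability $pq$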

Example - differential attack

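Differential distribution table for $S$:

|   | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| 1 | - | - | 6 | - | - | - | - | 2 | - | 2 | - | - | 2 | - | 4 | - |
| 2 | - | 6 | 6 | - | - | - | - | - | - | 2 | 2 | - | - | - | - | - |
| 3 | - | - | - | 6 | - | 2 | - | - | 2 | - | - | - | 4 | - | 2 | - |
| 4 | - | - | - | 2 | - | 2 | 4 | - | - | 2 | 2 | 2 | - | - | 2 | - |
| 5 | - | 2 | 2 | - | 4 | - | - | 4 | 2 | - | - | 2 | - | - | - | - |
| .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. | .. |
| a | - | - | - | - | 2 | 2 | - | - | - | 4 | 4 | - | 2 | 2 | - | - |
| b | - | - | - | 2 | 2 | - | 2 | 2 | 2 | - | - | 4 | - | - | 2 | - |
| c | - | 4 | - | 2 | - | 2 | - | - | 2 | - | - | - | - | - | 6 | - |
| d | - | - | - | - | - | - | 2 | 2 | - | - | - | - | 6 | 2 | - | 4 |
| e | - | 2 | - | 4 | 2 | - | - | - | - | - | 2 | - | - | - | - | 6 |
| f | - | - | - | - | 2 | - | 2 | - | - | - | - | - | - | 10 | - | 2 |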

CipherFour - some possible characteristics

$(0, 0, 0, \mathtt{f}_x) \xrightarrow{S} (0, 0, 0, \mathtt{d}_x)$

has a probability of $\frac{10}{16}$. Consequently (since $P$ is linear)

$(0, 0, 0, \mathtt{f}_x) \xrightarrow{1r} (1, 1, 0, 1)$

is one-round characteristic of probability $\frac{10}{16}$.

$(1, 1, 0, 1) \xrightarrow{S} (2, 2, 0, 2)$

has a probability of $(\frac{6}{16})^3$. Consequently (u.s.a.)

$(0, 0, 0, \mathtt{f}_x) \xrightarrow{2r} (0, 0, \mathtt{d}_x, 0)$

is a two-round characteristic of probability $\frac{10}{16} (\frac{6}{16})^3 \simeq 0.033$.

CipherFour - iterative characteristics

$(0, 0, 2, 0) \xrightarrow{S} (0, 0, 2, 0)$

has a probability of $\frac{6}{16}$ and therefore

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0)$

is a one-round characteristic of probability $\frac{6}{16}$

Characteristic can be concatenated with itself, e.g.,

$(0, 0, 2, 0) \xrightarrow{4r} (0, 0, 2, 0)$

is a 4-round characteristic of probability $(\frac{6}{16})^4$ (u.s.a.)

These are called “iterative” characteristics

CipherFour - differential attack

Consider CipherFour with 5 rounds and the 4-round characteristic

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0)$

with a (conjectured) probability of $(\frac{6}{16})^4 \simeq 1/51$

Idea of attack:

choose pairs of messages with desired difference

for all values of four (target) bits of $k_5$

from ciphertexts compute backwards one round etc.

If successful, this (sub)attack finds four bits of $k_5$

CipherFour - differential attack

Consider final round for a pair of texts. One has

$(0, 0, 2, 0) \xrightarrow{S} (0, 0, h, 0)$, where $h \in \{1, 2, 9, \mathtt{a}_x\}$

Since $P$ linear, last round must have one of following forms:

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 0, 2)$

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0)$

$(0, 0, 2, 0) \xrightarrow{1r} (2, 0, 0, 2)$

$(0, 0, 2, 0) \xrightarrow{1r} (2, 0, 2, 0)$

Filtering

Use only pairs for which difference in ciphertexts is of one of above four

In our case, most pairs which survive filtering will have difference $(0, 0, 2, 0)$ after four rounds

CipherFour - differential attack

a “right” pair of texts “follow” characteristic in each round

let p be prob. of characteristic, N number of pairs used.

assume all surviving pairs after filtering are right pairs

how many times will correct value of four target bits be suggested in attack? answer: $Np$

how many times will an incorrect value of four target bits be suggested in attack? answer: $Np/15$

signal-to-noise ratio:

$S/N = \frac{Np}{Np/15} = 15$

CipherFour - differential attack

how many pairs of plaintexts are needed?

depends on (at least) p, S/N and on number of target bits

in our case, Np = 3 suffices.

with Np = 3 ⇒ N = 3 · 51 = 153 pairs of plaintexts
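The 5-round CipherFour attack outlined on the preceding slides, with filtering, as an added Python example (not code from the lecture). Round keys, seed and the 4000 chosen pairs are constructed; the pair count is set well above the slides' estimate so the winning counter is unambiguous in this run. With bit 0 as the leftmost bit, the four target bits are bits 2, 6, 10, 14 of $k_5$, i.e. the third nibble of $P(k_5)$.

```python
import random

# S-box and bit permutation from the CipherFour slide; bit 0 is the leftmost bit.
S = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE, 0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
S_INV = [S.index(y) for y in range(16)]
PERM = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]

IN_DIFF = 0x0020                               # plaintext difference (0,0,2,0)
FILTER = {0x0002, 0x0020, 0x2002, 0x2020}      # the four possible last-round forms


def permute(x):
    """Apply P: output bit j is input bit PERM[j]. P is its own inverse."""
    y = 0
    for j, src in enumerate(PERM):
        y |= ((x >> (15 - src)) & 1) << (15 - j)
    return y


def sbox_layer(x):
    """Apply S to each of the four nibbles of a 16-bit word."""
    return sum(S[(x >> shift) & 0xF] << shift for shift in (12, 8, 4, 0))


def encrypt(m, round_keys):
    """r rounds of (xor key, S-boxes, P), then a final key xor; needs r + 1 keys."""
    x = m
    for k in round_keys[:-1]:
        x = permute(sbox_layer(x ^ k))
    return x ^ round_keys[-1]


def attack(oracle, n_pairs, rng):
    """Count, per guess g of the third nibble of P(k5), how many filtered pairs
    show difference 2 in front of the third S-box of the last round."""
    counters, used = [0] * 16, 0
    for _ in range(n_pairs):
        m = rng.randrange(1 << 16)
        c, c2 = oracle(m), oracle(m ^ IN_DIFF)
        if (c ^ c2) not in FILTER:             # filtering: discard detectable wrong pairs
            continue
        used += 1
        # undo P, keep the nibble that left the third S-box (still masked by the key)
        t, t2 = (permute(c) >> 4) & 0xF, (permute(c2) >> 4) & 0xF
        for g in range(16):
            if S_INV[t ^ g] ^ S_INV[t2 ^ g] == 0x2:
                counters[g] += 1
    return counters, used


def demo(n_pairs=4000, seed=2011):
    rng = random.Random(seed)
    keys = [rng.randrange(1 << 16) for _ in range(6)]    # constructed k0..k5
    counters, used = attack(lambda m: encrypt(m, keys), n_pairs, rng)
    target = (permute(keys[5]) >> 4) & 0xF               # the four target key bits
    guess = max(range(16), key=counters.__getitem__)
    return guess, target, used, counters


if __name__ == "__main__":
    guess, target, used, counters = demo()
    print("pairs surviving the filter:", used)
    print("counters:", counters)
    print("guessed nibble %x, actual nibble %x" % (guess, target))
```

Each surviving pair suggests several key values (6 when the last S-box output difference is 1 or 2), so wrong counters are clearly non-zero; the right value stands out because every right pair suggests it.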

CipherFour - differentials

Consider CipherFour with 5 rounds and the 4-round characteristic

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0)$

with a (conjectured) probability of $(\frac{6}{16})^4 \simeq 1/51$

In attack only first and last occurrence of $(0, 0, 2, 0)$ is used. In our example, what was used is, in fact

$(0, 0, 2, 0) \xrightarrow{1r} (*, *, *, *) \xrightarrow{1r} (*, *, *, *) \xrightarrow{1r} (*, *, *, *) \xrightarrow{1r} (0, 0, 2, 0)$,

where asterisks represent “any value”. Such a structure is called a differential

CipherFour - differentials

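$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0)$,

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 0, 2) \xrightarrow{1r} (0, 0, 0, 1) \xrightarrow{1r} (0, 0, 1, 0) \xrightarrow{1r} (0, 0, 2, 0)$,

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 0, 2) \xrightarrow{1r} (0, 0, 1, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0)$,

$(0, 0, 2, 0) \xrightarrow{1r} (0, 0, 2, 0) \xrightarrow{1r} (0, 0, 0, 2) \xrightarrow{1r} (0, 0, 1, 0) \xrightarrow{1r} (0, 0, 2, 0)$,

are four 4-round characteristics: $(0, 0, 2, 0) \rightarrow (0, 0, 2, 0)$

all four characteristics have a (conjectured) probability of $1/51$

one should think $\Pr((0, 0, 2, 0) \xrightarrow{4r} (0, 0, 2, 0)) \geq 4/51$

with $Np = 3 \Rightarrow N = 3 / (4/51) \approx 40$ pairs of plaintexts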

Differential cryptanalysis in general

Definition

An $s$-round characteristic is a series of differences defined as an $(s + 1)$-tuple

$\Omega : \alpha_0, \alpha_1, \ldots, \alpha_s$, where $\Delta m = \alpha_0$, $\Delta c_i = \alpha_i$ for $1 \leq i \leq s$

Probability

$\Pr(\Omega) = \Pr(\Delta c_s = \alpha_s, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0)$.

Probability is taken over all possible plaintexts and keys

Differential cryptanalysis in general

Find $(r - 1)$-round characteristic determining $\Delta c_{r-1}$ with prob. $p$

Repeat

1. choose pairs of plaintexts with difference $\Delta m$

2. get the pairs of ciphertexts $c$ and $c^*$

3. for $i = 0, \ldots, 2^k - 1$ do:

   decrypt ciphertexts one round using guess $k_r = i$,

   if expected difference $\Delta c_{r-1}$ is obtained, counter for $i$ incremented

until one counter has value significantly different from other counters

Key recovery part

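[Figure: $\cdots \rightarrow g \rightarrow \oplus k_{r-1} \rightarrow y \rightarrow g \rightarrow \oplus k_r \rightarrow c \rightarrow \oplus i \rightarrow g^{-1} \rightarrow c'$]

$k_r = i \Rightarrow c' = y$

$k_r \neq i \Rightarrow c' = ?$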

Hypothesis of random-key randomization (standard)

Filtering

Definition (Right pair)

A right pair is a pair of plaintexts with intermediate ciphertexts following the characteristic

Definition (Wrong pair)

A wrong pair is a pair which is not a right pair

right pairs always suggest the correct value of the key

strategy: minimise the number of wrong pairs

often possible from ciphertexts alone to determine that a pair is wrong; in that case the pair is filtered out (not used) in the analysis

Signal to noise ratio

$S/N = \frac{\text{prob. correct key is counted}}{\text{prob. a random key is counted}}$

$k$: number of key bits to find

$p$: probability of characteristic

$m$: number of pairs required

$\beta$: ratio of used pairs to all pairs

$\alpha$: # keys suggested by each used pair

$S/N = \frac{m \cdot p}{m \cdot \beta \cdot \alpha / (2^k - 1)} = \frac{p \cdot (2^k - 1)}{\alpha \cdot \beta}$

If $S/N \neq 1$ repeat attack until correct key “sticks out”

Complexity

chosen plaintexts needed roughly $c \times 1/p_\Omega$, where
$p_\Omega$: probability of characteristic Ω used,
$c \geq 1$: a function of S/N (usually small)

increase S/N ratio: filter out wrong pairs

success of differential attacks depends on

probability of characteristic

number of counters required

S/N ratio

filtering

time to run the attack


Iterative characteristics

Problem: for t big, t-round characteristics hard to find

Definition

An s-round iterative characteristic has the form

$\Omega : \alpha_i, \alpha_{i+1}, \ldots, \alpha_{i+s+1},$

where $\alpha_i = \alpha_{i+s+1}$.

Construct ts-round characteristics by concatenating Ω with itself t times.


Probability of characteristics

for attack (k is secret key)

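$\Pr_M(\Delta c_i = \alpha_i, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0,\ k \text{ is key})$

but k is unknown? Average over all keys:

$\Pr_{M,K}(\Delta c_i = \alpha_i, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0)$

proposal:

$\Pr_{M,K}(\Delta c_i = \alpha_i, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0) = \prod_{i=1}^{s} \Pr_{M,K}(\Delta c_1 = \alpha_i \mid \Delta m = \alpha_{i-1})$ ????

Requires that individual rounds are independent.......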


Probability of characteristics (2)

Definition

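An iterated cipher is a Markov cipher, with respect to the defined difference, if

$\Pr_K(\Delta c_1 = \beta \mid \Delta c_0 = \alpha,\ c_0 = \gamma)$

is independent of γ for all α, β

For Markov ciphers with independent round keys

$\Pr_{M,K}(\Delta c_s = \alpha_s, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0) = \Pr_K(\Delta c_s = \alpha_s, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0) = \prod_{i=1}^{s} \Pr_K(\Delta c_1 = \alpha_i \mid \Delta m = \alpha_{i-1})$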


Probability of characteristics (3)

Fact

DES and AES are Markov ciphers with difference defined by ⊕


Differentials

In attacks based on basic differential cryptanalysis intermediate differences (usually) not used

characteristic $\Phi = (\Delta m, \Delta c_1, \ldots, \Delta c_{r-2}, \Delta c_{r-1})$

differential $\Omega = (\Delta m, \Delta c_{r-1})$

$\Pr(\Omega) \geq \Pr(\Phi)$


Differentials - probability

probability of characteristic (Markov ciphers)

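$\Pr(\Delta c_s = \alpha_s, \ldots, \Delta c_1 = \alpha_1 \mid \Delta m = \alpha_0) = \prod_{i=1}^{s} \Pr(\Delta c_1 = \alpha_i \mid \Delta m = \alpha_{i-1})$

probability of differential (Markov ciphers)

$\Pr(\Delta c_s = \beta_s \mid \Delta m = \beta_0) = \sum_{\beta_1} \cdots \sum_{\beta_{s-1}} \prod_{i=1}^{s} \Pr(\Delta c_i = \beta_i \mid \Delta c_{i-1} = \beta_{i-1})$

where $\Delta c_0 = \Delta m$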
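
The two formulas above, worked for CipherFour as an added example (not code from the slides). It uses the S-box and bit permutation from the CipherFour slide further down this page and assumes a Markov cipher with independent round keys; the names `DDT`, `round_transitions` and `propagate` are chosen here.

```python
from fractions import Fraction
from itertools import product

SBOX = [0x6, 0x4, 0xc, 0x5, 0x0, 0x7, 0x2, 0xe,
        0x1, 0xf, 0x3, 0xd, 0x8, 0xa, 0x9, 0xb]

def permute(x):
    """Bit i (0 = leftmost) of the 16-bit word moves to position 4*(i % 4) + i // 4."""
    return sum(((x >> (15 - i)) & 1) << (15 - (4 * (i % 4) + i // 4)) for i in range(16))

# DDT[a][b] = number of x with S(x) xor S(x xor a) = b
DDT = [[0] * 16 for _ in range(16)]
for a in range(16):
    for x in range(16):
        DDT[a][SBOX[x] ^ SBOX[x ^ a]] += 1

def round_transitions(diff):
    """Yield (next difference, probability) for one round: S-boxes, then P.
    The round-key xor does not change an xor difference."""
    nibbles = [(diff >> s) & 0xF for s in (12, 8, 4, 0)]
    rows = [[(b, Fraction(DDT[a][b], 16)) for b in range(16) if DDT[a][b]]
            for a in nibbles]
    for combo in product(*rows):
        out, prob = 0, Fraction(1)
        for b, p in combo:
            out, prob = (out << 4) | b, prob * p
        yield permute(out), prob

def propagate(alpha0, rounds):
    """Map each output difference to (differential probability,
    probability of the best single characteristic) after `rounds` rounds."""
    dist = {alpha0: (Fraction(1), Fraction(1))}
    for _ in range(rounds):
        nxt = {}
        for diff, (total, best) in dist.items():
            for out, p in round_transitions(diff):
                t, b = nxt.get(out, (Fraction(0), Fraction(0)))
                # sum over all intermediate differences vs. the single best path
                nxt[out] = (t + total * p, max(b, best * p))
        dist = nxt
    return dist

if __name__ == "__main__":
    for s in (1, 2, 3):
        total, best = propagate(0x0020, s)[0x0020]
        print(f"{s} rounds 0020 -> 0020: differential {total}, best characteristic {best}")
```

For three rounds the differential 0020 → 0020 collects two characteristics of equal probability, so Pr(Ω) is twice Pr(Φ).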


Differentials and probabilities

probability of differentials taken over all plaintexts and keys

for Markov cipher only over all keys

probability is an average over all keys

in attack, one key is used. Probability?

Definition (Hypothesis of stochastic equivalence)

For virtually all high probability s-round differentials (α, β)

$\Pr_M(\Delta c_s = \beta \mid \Delta m = \alpha,\ K = k) \approx \Pr_{M,K}(\Delta c_s = \beta \mid \Delta m = \alpha)$

holds for substantial fraction of key values k


Linear cryptanalysis (Matsui 1993)

Known plaintext attack

Uses linear relations between bits of m, $c = e_k(m)$ and k

Suppose with probability $p \neq 1/2$

$(m \cdot \alpha) \oplus (c \cdot \beta) = 0 \quad (*)$

Collect N pairs of plaintext/ciphertext (using same key!)

T: number of times left side of (*) is 0

If $p > 1/2$, $E(T) > N/2$

If m and c independent, $T \simeq N/2$.


Linear attack: Complexity

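T is a binomial random variable; each of the N trials is 0 with probability p > 1/2

$\Pr(T > N/2) = 1 - \Pr(T \leq N/2) \simeq 1 - \Phi\!\left(\dfrac{N/2 + 1/2 - Np}{\sqrt{p(1-p)} \times \sqrt{N}}\right) \simeq 1 - \Phi\!\left(-2\sqrt{N}\,|p - 1/2|\right) = \Phi\!\left(2\sqrt{N}\,|p - 1/2|\right)$

where Φ is the normal distribution function

With $N = |p - 1/2|^{-2}$ probability is about 97.72%

$|p - 1/2|$ called the bias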


Joining linear approximations

Random, independent boolean variables X, Y, and Z

If $\alpha \cdot X = \beta \cdot Y$ with probability $p_1$

and $\beta \cdot Y = \gamma \cdot Z$ with probability $p_2$

then $\alpha \cdot X = \gamma \cdot Z$ with probability $\frac{1}{2} + 2(p_1 - 1/2)(p_2 - 1/2)$

Piling Up-Lemma

Let $Z_i$, $1 \leq i \leq n$, be independent random boolean variables, which are 0 with probability $p_i$. Then

$\Pr(Z_1 \oplus Z_2 \oplus \cdots \oplus Z_n = 0) = 1/2 + 2^{n-1} \prod_{i=1}^{n} (p_i - 1/2)$


or similarly

$2\Pr(Z_1 \oplus Z_2 \oplus \cdots \oplus Z_n = 0) - 1 = \prod_{i=1}^{n} (2p_i - 1)$


Linear cryptanalysis - iterated ciphers

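$c_i \longrightarrow \oplus\,k \longrightarrow x \longrightarrow f \longrightarrow c_{i+1}$

$(\alpha \cdot c_i) \oplus (\alpha \cdot x) = (\alpha \cdot k)$

$(\alpha \cdot x) = (\beta \cdot c_{i+1})$ with $p_i \neq 1/2$

$(\alpha \cdot c_i) \oplus (\beta \cdot c_{i+1}) = 0$ with bias $|p_i - 1/2|$ (whatever value of $(\alpha \cdot k)$)

linear characteristic $(\delta_i, \delta_{i+1})$ with bias $|p_i - 1/2|$ means that

$(\delta_i \cdot c_i) \oplus (\delta_{i+1} \cdot c_{i+1}) = 0$

with bias $|p_i - 1/2|$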


Linear characteristics - iterated ciphers

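$\cdots\ c_i \longrightarrow \oplus\,k_i \longrightarrow g \longrightarrow c_{i+1} \longrightarrow \oplus\,k_{i+1} \longrightarrow g \longrightarrow c_{i+2}\ \cdots$

assume that

$(\delta_0 \cdot c_0) \oplus (\delta_1 \cdot c_1) = 0$ with bias $|p_1 - 1/2|$
$(\delta_1 \cdot c_1) \oplus (\delta_2 \cdot c_2) = 0$ with bias $|p_2 - 1/2|$
. . .
$(\delta_{s-1} \cdot c_{s-1}) \oplus (\delta_s \cdot c_s) = 0$ with bias $|p_s - 1/2|$

then (u.s.a.) $(\delta_0, \delta_1, \ldots, \delta_s)$ is called an s-round linear characteristic with bias $2^{s-1} \prod_{i=1}^{s} |p_i - 1/2|$ (piling up biases)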


Linear attack - r-round iterated cipher

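$m \longrightarrow \oplus\,k_0 \longrightarrow g \longrightarrow \oplus\,k_1 \longrightarrow g \longrightarrow \cdots \longrightarrow \oplus\,k_{r-1} \longrightarrow g \longrightarrow \oplus\,k_r \longrightarrow c$

consider r-round characteristic $(\delta_0, \ldots, \delta_{r-1})$ with bias b

$(m \cdot \delta_0) \oplus (c_{r-1} \cdot \delta_{r-1}) = 0$

consider for some value of i:

$(m \cdot \delta_0) \oplus (g^{-1}(c, i) \cdot \delta_{r-1}) = 0 \quad (*)$

with $i = k_r$, (*) is characteristic for r − 1 rounds

Assumption

For $i \neq k_r$, (*) is random approximation with bias ≃ 0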


Linear attack (2)

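$m \longrightarrow \oplus\,k_0 \longrightarrow g \longrightarrow \oplus\,k_1 \longrightarrow g \longrightarrow \cdots \longrightarrow \oplus\,k_{r-1} \longrightarrow g \longrightarrow \oplus\,k_r \longrightarrow c$

assume $k_r$ has κ bits

for $i = 0, \ldots, 2^{\kappa} - 1$ compute bias of

$(m \cdot \delta_0) \oplus (g^{-1}(c, i) \cdot \delta_{r-1}) = 0$

using N known plaintexts

guess $k_r = i$, for value of i which produces bias closest to expected

complexity $N \simeq c \cdot |p - 1/2|^{-2}$, c small constant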


Probability of linear characteristics

For attack (k is secret key)

$\Pr_M((c_{r-1} \cdot \delta_{r-1}) \oplus (m \cdot \delta_0) = 0 \mid k \text{ is key})$

But k unknown? Average over all keys:

$\Pr_{M,K}((c_{r-1} \cdot \delta_{r-1}) \oplus (m \cdot \delta_0) = 0)$

can be hard to calculate


Probability of linear characteristics

Assume that

$|\Pr_K((c_i \cdot \delta_i) = (c_{i-1} \cdot \delta_{i-1}) \mid c_{i-1} = \gamma) - 1/2|$

is independent of γ

and assume that round keys are independent, then bias of

$|\Pr_{M,K}((c_{r-1} \cdot \delta_{r-1}) \oplus (m \cdot \delta_0) = 0) - 1/2|$

can be calculated from one-round biases and the Piling-up Lemma


Example: CipherFour: block size 16, r rounds

Round keys independent, uniformly random. One round:

1. exclusive-or round key to text

2. split text, evaluate each nibble via S-box

x     0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)  6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b

and concatenate results into 16-bit string y = y0, . . . , y15

3. permute bits in y according to:

y     0 1 2 3 4 5 6 7 8 9 a b c d e f
P(y)  0 4 8 c 1 5 9 d 2 6 a e 3 7 b f

So, P(y) = y0, y4, . . . , y11, y15.

Exclusive-or round key to output of last round


Example cipher - linear attack

Linear approximation table for S (entries are (p − 1/2) · 16)

     1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
1    2  2  .  4 -2  2  .  2  . -4 -2  2  .  .  2
2    2  .  2  .  2  4 -2  2  .  2  . -2 -4  2  .
3    .  2 -2  .  .  2  6  .  .  2 -2  .  .  2 -2
4   -2  2  . -4 -2 -2  .  2  .  . -2  2 -4  .  2
5    . -4  .  . -4  .  .  . -4  .  .  .  .  4  .
..  .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
9    2 -2  .  .  2 -2  . -2  4  . -2  2  .  4  2
a   -2  .  2  . -2  .  2  2  4 -2  4 -2  .  2  .
b    . -2 -2  .  .  2  2  .  .  2  2  .  . -2  6
c    2  2  .  . -2 -2  . -2  .  . -2 -6  .  .  2
d    .  .  . -4  .  4  . -4  . -4  .  .  .  .  .
e    4 -2 -2  .  . -2  2  .  . -2  2  . -4 -2 -2
f   -2 -4  2  .  2  .  2  2  . -2 -4 -2  . -2  .


CipherFour - linear characteristic

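entry $(c_x, c_x)$, value ‘-6’: bias $\frac{6}{16}$, probability $-\frac{6}{16} + \frac{1}{2} = \frac{2}{16}$

thus $(0\,0\,0\,c_x) \xrightarrow{S} (0\,0\,0\,c_x)$ has bias $\frac{6}{16}$

since P is linear, $(0\,0\,0\,c_x) \xrightarrow{1r} (1\,1\,0\,0_x)$ is one-round characteristic of bias $\frac{3}{8}$

also, $(1\,1\,0\,0_x) \xrightarrow{S} (4\,4\,0\,0_x)$ has bias $2(\frac{4}{16})(\frac{4}{16}) = \frac{1}{8}$

so (u.s.a.) $(0\,0\,0\,c_x) \xrightarrow{2r} (0\,0\,c\,0_x)$ is two-round characteristic of bias $2(\frac{3}{8})(\frac{1}{8}) = \frac{3}{32}$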


CipherFour - linear iterative characteristic

Better approach for CipherFour:

$(8\,0\,0\,0_x) \xrightarrow{S} (8\,0\,0\,0_x)$

has bias $\frac{4}{16}$ and therefore

$(8\,0\,0\,0_x) \xrightarrow{1r} (8\,0\,0\,0_x)$

is a one-round characteristic of bias $\frac{1}{4}$

Use it to build t-round characteristics

$(8\,0\,0\,0_x) \xrightarrow{t\,r} (8\,0\,0\,0_x)$

of bias $2^{t-1}(1/4)^t = 2^{-1-t}$
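
The linear approximation table, the Piling-up Lemma and the CipherFour characteristic biases above can be recomputed from the S-box; this is an added example, not code from the slides, and the function names `pile_up`, `round_bias` and `trail_bias` are chosen here. Biases are signed in the code; the slides quote their absolute values, and the round keys only affect the sign.

```python
from fractions import Fraction

SBOX = [0x6, 0x4, 0xc, 0x5, 0x0, 0x7, 0x2, 0xe,
        0x1, 0xf, 0x3, 0xd, 0x8, 0xa, 0x9, 0xb]

def parity(x):
    return bin(x).count("1") & 1

def permute(x):
    """Bit i (0 = leftmost) of the 16-bit word moves to position 4*(i % 4) + i // 4."""
    return sum(((x >> (15 - i)) & 1) << (15 - (4 * (i % 4) + i // 4)) for i in range(16))

# LAT[a][b] = #{x : a.x == b.S(x)} - 8, i.e. (p - 1/2) * 16 as in the table
LAT = [[sum(parity(a & x) == parity(b & SBOX[x]) for x in range(16)) - 8
        for b in range(16)] for a in range(16)]

def pile_up(biases):
    """Piling-up Lemma: 2^(n-1) * product of the n signed biases."""
    result = Fraction(1, 2)
    for eps in biases:
        result *= 2 * eps
    return result

def round_bias(in_mask, sout_mask):
    """Signed bias of in_mask -> sout_mask across the layer of four S-boxes.
    An inactive S-box (0 -> 0) has LAT entry 8, bias 1/2, and drops out."""
    return pile_up(Fraction(LAT[(in_mask >> s) & 0xF][(sout_mask >> s) & 0xF], 16)
                   for s in (12, 8, 4, 0))

def trail_bias(steps):
    """steps: one (mask before S-boxes, mask after S-boxes) pair per round."""
    for (_, sout), (nxt, _) in zip(steps, steps[1:]):
        if permute(sout) != nxt:
            raise ValueError("masks do not chain through P")
    return pile_up(round_bias(a, b) for a, b in steps)

if __name__ == "__main__":
    print("LAT[c][c] =", LAT[0xc][0xc])
    print("|bias| 000c -> 000c, then 1100 -> 4400:",
          abs(trail_bias([(0x000c, 0x000c), (0x1100, 0x4400)])))
    for t in range(1, 6):
        print(t, "rounds of 8000 -> 8000:", abs(trail_bias([(0x8000, 0x8000)] * t)))
```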


CipherFour - a linear attack

consider CipherFour with 5 rounds and the four-round characteristic

$(8\,0\,0\,0_x) \xrightarrow{1r} (8\,0\,0\,0_x) \xrightarrow{1r} (8\,0\,0\,0_x) \xrightarrow{1r} (8\,0\,0\,0_x) \xrightarrow{1r} (8\,0\,0\,0_x)$

which (u.s.a.) has bias of $2^{-1-4} = \frac{1}{32}$ according to Piling-up Lemma

for all values of four bits in last-round key, (partially) decrypt ciphertexts one round, compute bias

value of key which produces bias of $\frac{1}{32}$ is taken as value of secret key

$N = c \cdot |p - 1/2|^{-2} = c \cdot 2^{10}$ known plaintexts required to find four bits of last-round key
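
The counting step from the two "Linear attack" slides and the CipherFour attack above, as an added example (not code from the slides). It is scaled down to two rounds with the one-round characteristic 8000 → 8000 and the whole codebook, so every count is exact; the round keys are constructed and the function names are chosen here.

```python
from fractions import Fraction

SBOX = [0x6, 0x4, 0xc, 0x5, 0x0, 0x7, 0x2, 0xe,
        0x1, 0xf, 0x3, 0xd, 0x8, 0xa, 0x9, 0xb]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# P as a lookup table: bit i (0 = leftmost) moves to position 4*(i % 4) + i // 4
PERM = [sum(((x >> (15 - i)) & 1) << (15 - (4 * (i % 4) + i // 4)) for i in range(16))
        for x in range(1 << 16)]

def encrypt(m, keys):
    """len(keys) - 1 rounds of (xor round key, S-boxes, P), then xor the last key."""
    x = m
    for k in keys[:-1]:
        x ^= k
        x = PERM[sum(SBOX[(x >> s) & 0xF] << s for s in (12, 8, 4, 0))]
    return x ^ keys[-1]

def guess_scores(pairs):
    """scores[i] = 2 * |T_i - N/2| for (m . 8000) xor (g^-1(c, i) . 8000) = 0."""
    # P is linear and its own inverse, so undo it once per ciphertext; guess i then
    # lines up with the leftmost nibble of P(k_r), i.e. bits 0, 4, 8, 12 of k_r.
    data = [(m >> 15, PERM[c] >> 12) for m, c in pairs]
    scores = []
    for i in range(16):
        t = sum(m_bit == INV_SBOX[top ^ i] >> 3 for m_bit, top in data)
        scores.append(abs(2 * t - len(data)))
    return scores

def candidates(pairs, expected_bias):
    """Guesses whose measured |bias| is closest to the expected one."""
    target = 2 * expected_bias * len(pairs)
    scores = guess_scores(pairs)
    closest = min(abs(s - target) for s in scores)
    return {i for i, s in enumerate(scores) if abs(s - target) == closest}

if __name__ == "__main__":
    keys = [0x5b92, 0x064b, 0x1e03]        # constructed round keys k0, k1, k2
    pairs = [(m, encrypt(m, keys)) for m in range(1 << 16)]
    print("true nibble of P(k2):", hex(PERM[keys[-1]] >> 12))
    print("candidates          :", sorted(hex(i) for i in candidates(pairs, Fraction(1, 4))))
```

For this S-box the leftmost bit of the inverse S-box output is unchanged or complemented when the input is xored with 2, d or f, so those guesses give the same absolute bias and the step returns a set of four candidates. With five rounds, the same functions are fed about c · 2^10 known pairs and an expected bias of 1/32, and the outcome becomes statistical.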


Linear attack on DES

iterative 4-round characteristic

build 14-round characteristic with bias $1.2 \times 2^{-21}$

guess on six round key bits in both first and last rounds

potential to find 12 key bits

swap role of plaintext and ciphertext, repeat attack

in total, potential to find 24 bits of key information

find remaining 32 bits by an exhaustive search


Linear attack on DES

estimate - with $2^{45}$ known plaintexts a DES key can be recovered with 98.8% success rate

Matsui-test:

January, 1994

key found in 50 days on 12 HP9735 workstations (120 Mips)

$2^{43}$ known plaintexts

ciphertext only attack possible, assuming English plaintexts encoded in ASCII


Rounding off

intro to block ciphers

differential cryptanalysis

characteristics

differentials

linear cryptanalysis

linear hulls equivalent to differential

two most general attacks on block ciphers

good knowledge of how to protect against these attacks, see AES
