Transcript of lecture slides: Block Ciphers - The Basics
Sections: Intro · Attack on iterated ciphers · Differential cryptanalysis · Linear cryptanalysis
Block Ciphers - The Basics
Lars R. Knudsen
Spring 2011
L.R. Knudsen Block Ciphers - The Basics
Content
Introduction
Iterated ciphers
Cryptanalysis
Differential cryptanalysis
Linear cryptanalysis
Symmetric encryption
Same key for encryption and decryption
Two types
Block ciphers
Stream ciphers
Symmetric encryption: model of reality
[Figure: the sender takes a message m from the M-source and a key k from the K-source, computes the ciphertext c and sends it over an insecure channel, where the enemy can see c; the key k reaches the receiver over a secure channel; the receiver uses k to recover m from c.]
Symmetric encryption
Kerckhoffs’ principle
Everything is known to an attacker except for the value of the secret key.
Attack scenarios
Ciphertext only
Known plaintext
Chosen plaintext/ciphertext
Adaptive chosen plaintext/ciphertext (black-box)
From classical crypto to modern crypto
Looking back:
(almost) all ciphers before 1920s very weak
1920s, rotor machines, mechanical crypto
Enigma, Germany
Sigaba, USA
Typex, UK
1970s, computers take over from rotor machines
ciphers operate on long sequence of bits (bytes)
Block ciphers
Input block m, output block c, key k
[Figure: m and k enter the encryption function e, which outputs c]
e : {0,1}^n × {0,1}^κ → {0,1}^n
given k, easy to encrypt and decrypt
given m, c, hard to compute k such that e_k(m) = c
one-way function: f(k) = e_k(m_0) for fixed m_0
Block ciphers
Applications
block encryption (symmetric)
pseudorandom number generators/stream ciphers
message authentication codes
building block in hash functions
one-way functions
Block cipher, n-bit blocks, κ-bit key
family of n-bit permutations
number of n-bit permutations in a block cipher: 2^κ
number of n-bit permutations: (2^n)! ≃ (2^{n−1})^{2^n}
DES: n = 64, κ = 56
AES: n = 128, κ = 128, 192, 256
design aim: choose the 2^κ permutations uniformly at random from the set of all (2^n)! permutations
Cryptanalysis
Assumption
Assume the cryptanalyst has access to a black box implementing the block cipher with secret key k
Aims of cryptanalyst
find key k, or
find (m, c) such that e_k(m) = c for unknown k, or
distinguish a member of the block cipher from a randomly chosen permutation
Generic, brute-force attacks
Block size n, key size κ
1. exhaustive key search
try all keys, one by one
⌈κ/n⌉ texts, time 2^κ, storage small
2. table attack
store e_k(m_0) for all k
storage 2^κ, time (of attack) small
3. Hellman tradeoffs between 1 and 2, e.g. n = κ, 2^{2n/3} time & memory
Generic, brute-force attacks (cont.)
Dictionary and birthday attacks
known plaintexts: collect pairs (m, c)
ciphertext only: collect ciphertexts, look for matches c_i = c_j.
Example
CBC mode
1. Collect 2^{n/2} ciphertext blocks
2. With two equal ciphertext blocks c_i = c_j ⇒ e_k(m_i ⊕ c_{i−1}) = e_k(m_j ⊕ c_{j−1}) ⇒ m_i ⊕ m_j = c_{i−1} ⊕ c_{j−1}
(similar attacks for ECB and CFB)
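The CBC collision above, carried out on a toy 16-bit block cipher as an added example (not from the slides): e_k is modelled as a seeded random permutation of the 2^16 blocks (an idealised cipher, which is an assumption of this example), the plaintext blocks are constructed sample data, and every ciphertext match c_i = c_j is checked to reveal m_i ⊕ m_j = c_{i−1} ⊕ c_{j−1}. With 2000 blocks in a 2^16 block space a collision is practically certain, which is why a key has to be retired well before 2^{n/2} blocks.

```python
import random

BLOCK_BITS = 16                     # toy block size: 2^(n/2) = 256 blocks already give collisions
N_BLOCKS = 1 << BLOCK_BITS


def random_block_cipher(seed):
    """Model e_k for one fixed key as a seeded random permutation of the 2^n blocks
    (an idealised cipher; only the permutation property matters for the attack)."""
    rng = random.Random(seed)
    enc = list(range(N_BLOCKS))
    rng.shuffle(enc)
    return enc


def cbc_encrypt(enc, iv, blocks):
    """CBC mode: c_i = e_k(m_i xor c_{i-1}) with c_0 = iv; returns [c_0, c_1, ..., c_t]."""
    out = [iv]
    for m in blocks:
        out.append(enc[m ^ out[-1]])
    return out


def birthday_collisions(cipher_blocks):
    """Ciphertext-only: find i < j with c_i = c_j. Because e_k is a permutation,
    m_i xor c_{i-1} = m_j xor c_{j-1}, so m_i xor m_j = c_{i-1} xor c_{j-1} leaks.
    Returns (i, j, leaked m_i xor m_j) triples, indices in the c_i numbering."""
    first_seen = {}
    leaks = []
    for j in range(1, len(cipher_blocks)):
        cj = cipher_blocks[j]
        if cj in first_seen:
            i = first_seen[cj]
            leaks.append((i, j, cipher_blocks[i - 1] ^ cipher_blocks[j - 1]))
        else:
            first_seen[cj] = j
    return leaks


def demo(n_blocks=2000, seed=2024):
    """Encrypt n_blocks constructed random blocks under one key, run the collision search
    and check every leak against the real plaintexts. Returns (number of leaks, all_correct).
    With 2000 blocks in a 2^16 block space about 30 collisions are expected."""
    enc = random_block_cipher(seed)
    rng = random.Random(seed + 1)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    iv = rng.getrandbits(BLOCK_BITS)
    cipher_blocks = cbc_encrypt(enc, iv, plaintext)
    leaks = birthday_collisions(cipher_blocks)
    # plaintext[i - 1] is the block m_i (c_0 is the IV, so indices are shifted by one)
    all_correct = all(plaintext[i - 1] ^ plaintext[j - 1] == leak for i, j, leak in leaks)
    return len(leaks), all_correct


if __name__ == "__main__":
    count, ok = demo()
    print(f"{count} ciphertext collisions, every leaked m_i xor m_j correct: {ok}")
```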
Short-cut attacks
Success dependent on intrinsic properties of e(·)
Differential cryptanalysis
Linear cryptanalysis
Interpolation attacks
Integral attacks
Related key attacks
Variants of the above: higher-order differentials, truncated differentials, mod n attack, boomerang attack, ...
Iterated block ciphers (DES, AES, . . . )
[Figure] m → ⊕ k_0 → g → ⊕ k_1 → g → ⊕ k_2 → ··· → g → ⊕ k_r → c
plaintext m, ciphertext c, key k
key schedule: user-selected key k → k_0, ..., k_r
round function g, weak by itself
idea: g^r strong for “large” r
DES
History
developed in early 70’s by IBM using 17 man years
evaluation by National Security Agency (US)
1975: publication of proposed standard
public discussion (trapdoors, key size)
1977: publication of FIPS 46 (DES)
most realistic attack is exhaustive search for key
DES
Parameters
block size 64 bits
key size 64 bits, effective 56 bits
16 round Feistel cipher
Feistel network
[Figure: one Feistel round; the round function f is applied to one half of the block and the result is ⊕-ed into the other half]
DES
Results
∀ m, k : c = DES_k(m) ⇐⇒ c̄ = DES_{k̄}(m̄) (complementation property; the bar denotes bitwise complement)
4 weak keys: DES_k(DES_k(m)) = m, ∀ m
6 pairs of semi-weak keys: DES_{k1} = DES_{k2}^{−1}
differential cryptanalysis (1991), 2^47 chosen plaintexts
linear cryptanalysis (1993), 2^45 known plaintexts
key search engine (98-99), 1 million US$, 1 key/30 min.
record for finding a DES key: 22 hours, 1999
AES
Advanced Encryption Standard
US governmental encryption standard
open (world) competition announced January 97
keys: choice of 128-bit, 192-bit, and 256-bit keys
blocks: 128 bits
October 2000: AES=Rijndael
standard: FIPS 197, November 2001
iterated cipher, 10, 12 or 14 iterations depending on key
Multiple encryption
1. assume e_·(·) is a block cipher
2. double encryption: m → e_{k1} → e_{k2} → c
3. triple encryption: m → e_{k1} → e_{k2} → e_{k3} → c
Triple-DES
e_k(·), d_k(·): single encryption and decryption
two-key triple DES: c = e_{k1}(d_{k2}(e_{k1}(m)))
known attack: time ≃ 2^{120}/2^t, 2^t known plaintexts
triple DES: c = e_{k3}(e_{k2}(e_{k1}(m)))
known attack: time ≃ 2^{112}, 2 known plaintexts, memory ≈ 2^{56}
Provably secure encryption (assuming ideal components)
1. assume p(·) is an ideal n-bit bijection (permutation)
2. Even-Mansour (1991): m → ⊕ k_0 → p → ⊕ k_1 → c
3. security bound of 2^{n/2}
4. bound tight, attack by Daemen
Provably secure encryption (assuming ideal components)
1. assume p(·) and q(·) are two ideal n-bit bijections
2. Knudsen-Leander et al. (work in progress): m → ⊕ k_0 → p → ⊕ k_1 → q → ⊕ k_2 → c
3. security bound of 2^{2n/3}
4. with r “rounds”, bound is 2^{rn/(r+1)}
Generic attack: r-round iterated ciphers
[Figure] m → ⊕ k_0 → g → ⊕ k_1 → g → ⊕ k_2 → ··· → c_{r−1} → g → ⊕ k_r → c
1. assume “correlation” between m and c_{r−1}
2. given a number of pairs (m, c)
3. repeat for all pairs and all values i of k_r:
   1. let c′ = g^{−1}(c ⊕ i), compute x = cor(m, c′)
   2. if key gives cor(m, c_{r−1}), increment counter
4. value of i which yields cor(m, c_{r−1}) taken as value of k_r
Differential cryptanalysis - (Biham-Shamir 1991)
chosen plaintext attack
assume x is combined with key k via group operation ⊗
define difference of x_1 and x_2 as
∆(x_1, x_2) = x_1 ⊗ x_2^{−1}
difference same after combination with key:
∆(x_1 ⊗ k, x_2 ⊗ k) = x_1 ⊗ k ⊗ k^{−1} ⊗ x_2^{−1} = ∆(x_1, x_2)
definition of difference relative to cipher (often exor)
Differential cryptanalysis (2)
Consider r-round iterated ciphers of the form
[Figure] m → ⊕ k_0 → g → ⊕ k_1 → g → ⊕ k_2 → ··· → g → ⊕ k_r → c
Main criterion for success
distribution of differences through nonlinear components of g is non-uniform
Differential cryptanalysis - example (1)
n-bit strings m, c, k
c = m ⊕ k
key used only once: system unconditionally secure under a ciphertext-only attack
key used more than once: the system is insecure, since
c ⊕ c′ = (m ⊕ k) ⊕ (m′ ⊕ k) = m ⊕ m′
note that the key cancels out
Differential cryptanalysis - example (2)
k_0, k_1: n-bit keys, S : {0,1}^n → {0,1}^n
c = S(m ⊕ k_0) ⊕ k_1
assume attacker knows two message pairs (m, c) and (m′, c′)
[Figure] m → ⊕ k_0 → u → S → v → ⊕ k_1 → c
from m, m′, compute u ⊕ u′ = m ⊕ m′
key recovery: from c, c′ and k_1, compute u ⊕ u′
Differential cryptanalysis - example (3)
k_0, k_1, k_2: n-bit keys, S : {0,1}^n → {0,1}^n
c = S(S(m ⊕ k_0) ⊕ k_1) ⊕ k_2
assume attacker knows (m, c) and (m′, c′)
[Figure] m → ⊕ k_0 → u → S → v → ⊕ k_1 → w → S → x → ⊕ k_2 → c
from m, m′, compute u ⊕ u′ = m ⊕ m′
from c, c′ and k_2, compute v ⊕ v′
then what?
Differential cryptanalysis - example (4)
Assume for concreteness that n = 4 and that S is
x    0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b
consider two inputs to S, m and m′, where m′ is the bitwise complement of m.
m  m′  S(m)  S(m′)  S(m) ⊕ S(m′)
0  f   6     b      d
1  e   4     9      d
2  d   c     a      6
3  c   5     8      d
4  b   0     d      d
5  a   7     3      4
6  9   2     f      d
7  8   e     1      f
8  7   1     e      f
9  6   f     2      d
a  5   3     7      4
b  4   d     0      d
c  3   8     5      d
d  2   a     c      6
e  1   9     4      d
f  0   b     6      d
Differential cryptanalysis - example (5)
[Figure] m → ⊕ k_0 → u → S → v → ⊕ k_1 → w → S → x → ⊕ k_2 → c
choose random m, get (m, c), (m′, c′), where m ⊕ m′ = f_x.
then u ⊕ u′ = f_x, v ⊕ v′ = δ
for correct value of k_2: in 10 of 16 cases, one gets δ = d_x
Assumption
for an incorrect value of k_2, δ is random
Differential cryptanalysis - example (6)
[Figure] m → ⊕ k_0 → u → S → v → ⊕ k_1 → w → S → x → ⊕ k_2 → c
1. choose random m, compute m′ = m ⊕ f_x, obtain (m, c) and (m′, c′)
2. for i = 0, ..., 15 (guess k_2 = i):
   1. compute δ = S^{−1}(c ⊕ i) ⊕ S^{−1}(c′ ⊕ i)
   2. if δ = d_x, increment counter for i
3. go to 1, until one counter holds a significant value
Idea in differential attacks
consider r -round iterated ciphers
find suitable differences in plaintexts such that differences in ciphertexts after r − 1 rounds can be determined with good probability.
for all values of last-round key k_r, compute difference after r − 1 rounds of encryption from the ciphertexts
Example. CipherFour: block size 16, r rounds
Round keys independent, uniformly random. One round:
1. exclusive-or round key to text
2. split text, evaluate each nibble via S-box
x    0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b
and concatenate results into 16-bit string y = y_0, ..., y_15
3. permute bits in y according to:
y    0 1 2 3 4 5 6 7 8 9 a b c d e f
P(y) 0 4 8 c 1 5 9 d 2 6 a e 3 7 b f
so, P(y) = y_0, y_4, ..., y_11, y_15.
Exclusive-or round key to output of last round
Product cipher example - 16-bit messages
[Figure: product cipher on 16-bit messages, two rounds shown; in each round the round key (k_0, then k_1) is ⊕-ed to the text, the four nibbles pass through four parallel S-boxes S, and the 16 output bits are permuted before the next round]
Differential characteristics
denote by
(α_0, α_1, α_2, α_3) →_S (β_0, β_1, β_2, β_3)
that two 4-word inputs to the S-boxes of difference (α_0, α_1, α_2, α_3) lead to outputs from the S-boxes of difference (β_0, β_1, β_2, β_3) with some probability p
similar notation for P: (β_0, β_1, β_2, β_3) →_P (γ_0, γ_1, γ_2, γ_3)
then (α_0, α_1, α_2, α_3) →_{1r} (γ_0, γ_1, γ_2, γ_3)
is called a one-round characteristic of probability p for CipherFour.
Differential characteristics - probabilities
assume Pr(α_i →_{S_i} β_i) = p_i for i = 0, ..., 3, where the probability is computed over all inputs to S_i
then Pr((α_0, α_1, α_2, α_3) →_S (β_0, β_1, β_2, β_3)) = p_0 p_1 p_2 p_3
assume further that (α_0, α_1, α_2, α_3) →_{1r} (γ_0, γ_1, γ_2, γ_3) is of probability p and that (γ_0, γ_1, γ_2, γ_3) →_{1r} (φ_0, φ_1, φ_2, φ_3) is of probability q
then under suitable assumptions (u.s.a.)
(α_0, α_1, α_2, α_3) →_{2r} (φ_0, φ_1, φ_2, φ_3) is of probability pq
Example - differential attack
Differential distribution table for S (rows: input difference, columns: output difference, '-' = 0):
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   16  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
1    -  -  6  -  -  -  -  2  -  2  -  -  2  -  4  -
2    -  6  6  -  -  -  -  -  -  2  2  -  -  -  -  -
3    -  -  -  6  -  2  -  -  2  -  -  -  4  -  2  -
4    -  -  -  2  -  2  4  -  -  2  2  2  -  -  2  -
5    -  2  2  -  4  -  -  4  2  -  -  2  -  -  -  -
..  (rows 6 to 9 omitted on the slide)
a    -  -  -  -  2  2  -  -  -  4  4  -  2  2  -  -
b    -  -  -  2  2  -  2  2  2  -  -  4  -  -  2  -
c    -  4  -  2  -  2  -  -  2  -  -  -  -  -  6  -
d    -  -  -  -  -  -  2  2  -  -  -  -  6  2  -  4
e    -  2  -  4  2  -  -  -  -  -  2  -  -  -  -  6
f    -  -  -  -  2  -  2  -  -  -  -  -  - 10  -  2
CipherFour - some possible characteristics
(0, 0, 0, f_x) →_S (0, 0, 0, d_x)
has a probability of 10/16. Consequently (since P is linear)
(0, 0, 0, f_x) →_{1r} (1, 1, 0, 1)
is a one-round characteristic of probability 10/16.
(1, 1, 0, 1) →_S (2, 2, 0, 2)
has a probability of (6/16)^3. Consequently (u.s.a.)
(0, 0, 0, f_x) →_{2r} (0, 0, d_x, 0)
is a two-round characteristic of probability 10/16 · (6/16)^3 ≃ 0.033.
CipherFour - iterative characteristics
(0, 0, 2, 0) →_S (0, 0, 2, 0)
has a probability of 6/16 and therefore
(0, 0, 2, 0) →_{1r} (0, 0, 2, 0)
is a one-round characteristic of probability 6/16
Characteristic can be concatenated with itself, e.g.,
(0, 0, 2, 0) →_{4r} (0, 0, 2, 0)
is a 4-round characteristic of probability (6/16)^4 (u.s.a.). These are called “iterative” characteristics
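An added example (not code from the slides) that computes the differential distribution table of the S-box above and the characteristic probabilities quoted on these slides: the 10/16 of example (5), the two-round value ≃ 0.033 and the iterative (6/16)^4 ≃ 1/51. Each round is given as the (input, output) nibble differences of the S-box layer, with the P step applied by hand as on the slides; all probabilities are exact fractions.

```python
from fractions import Fraction

# The 4-bit S-box of the slides: S(x) for x = 0, 1, ..., f.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]


def ddt(sbox):
    """Differential distribution table: ddt[a][b] = #{x : S(x) xor S(x xor a) = b}.
    Every row sums to 16; row 0 has all of its mass in column 0."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


DDT = ddt(SBOX)


def sbox_prob(a, b):
    """Pr(a -S-> b): fraction of the 16 inputs for which input difference a gives output difference b."""
    return Fraction(DDT[a][b], 16)


def s_layer_prob(alpha, beta):
    """Probability that the four parallel S-boxes map nibble differences alpha to beta,
    i.e. the product p0 p1 p2 p3 of the slides (nibble 0 is the leftmost)."""
    p = Fraction(1)
    for a, b in zip(alpha, beta):
        p *= sbox_prob(a, b)
    return p


def characteristic_prob(transitions):
    """Probability of a multi-round characteristic under the slides' 'suitable assumptions'
    (rounds treated as independent): the product of the per-round S-layer probabilities.
    P is a bit permutation and costs no probability; each round's input difference is P
    applied to the previous output difference, which the caller supplies as on the slides."""
    p = Fraction(1)
    for alpha, beta in transitions:
        p *= s_layer_prob(alpha, beta)
    return p


def complement_pairs():
    """The table of example (4): (m, m', S(m) xor S(m')) with m' the bitwise complement of m."""
    return [(m, m ^ 0xF, SBOX[m] ^ SBOX[m ^ 0xF]) for m in range(16)]


def ddt_as_text(table):
    """Render the table in the slide's layout, '-' for zero entries."""
    lines = ["    " + " ".join(f"{b:>2x}" for b in range(16))]
    for a, row in enumerate(table):
        lines.append(f"{a:x}   " + " ".join(f"{v:>2d}" if v else " -" for v in row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(ddt_as_text(DDT))
    print("Pr(f -> d) =", sbox_prob(0xF, 0xD))                                    # 10/16
    two_round = characteristic_prob([((0, 0, 0, 0xF), (0, 0, 0, 0xD)),
                                     ((1, 1, 0, 1), (2, 2, 0, 2))])
    print("2-round characteristic:", two_round, "~", round(float(two_round), 3))  # ~ 0.033
    four_round = characteristic_prob([((0, 0, 2, 0), (0, 0, 2, 0))] * 4)
    print("4-round iterative characteristic: 1 /", round(1 / four_round))         # 1/51
```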
CipherFour - differential attack
Consider CipherFour with 5 rounds and the 4-round characteristic
(0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0)
with a (conjectured) probability of (6/16)^4 ≃ 1/51
Idea of attack:
choose pairs of messages with desired difference
for all values of four (target) bits of k_5
from ciphertexts compute backwards one round etc.
If successful, this (sub)attack finds four bits of k_5
CipherFour - differential attack
Consider final round for a pair of texts. One has
(0, 0, 2, 0) →_S (0, 0, h, 0), where h ∈ {1, 2, 9, a_x}
Since P is linear, the last round must have one of the following forms:
(0, 0, 2, 0) →_{1r} (0, 0, 0, 2)
(0, 0, 2, 0) →_{1r} (0, 0, 2, 0)
(0, 0, 2, 0) →_{1r} (2, 0, 0, 2)
(0, 0, 2, 0) →_{1r} (2, 0, 2, 0)
Filtering
Use only pairs for which the difference in ciphertexts is one of the above four
In our case, most pairs which survive filtering will have difference (0, 0, 2, 0) after four rounds
CipherFour - differential attack
a “right” pair of texts “follows” the characteristic in each round
let p be the probability of the characteristic, N the number of pairs used.
assume all surviving pairs after filtering are right pairs
how many times will the correct value of the four target bits be suggested in the attack? answer: Np
how many times will an incorrect value of the four target bits be suggested in the attack? answer: Np/15
signal-to-noise ratio:
S/N = Np / (Np/15) = 15
CipherFour - differential attack
how many pairs of plaintexts are needed?
depends on (at least) p, S/N and on number of target bits
in our case, Np = 3 suffices.
with Np = 3 ⇒ N = 3 · 51 = 153 pairs of plaintexts
CipherFour - differentials
Consider CipherFour with 5 rounds and the 4-round characteristic
(0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0)
with a (conjectured) probability of (6/16)^4 ≃ 1/51
In the attack only the first and last occurrence of (0, 0, 2, 0) is used. In our example, what was used is, in fact,
(0, 0, 2, 0) →_{1r} (∗, ∗, ∗, ∗) →_{1r} (∗, ∗, ∗, ∗) →_{1r} (∗, ∗, ∗, ∗) →_{1r} (0, 0, 2, 0),
where asterisks represent “any value”. Such a structure is called a differential
CipherFour - differentials
(0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0),
(0, 0, 2, 0) →_{1r} (0, 0, 0, 2) →_{1r} (0, 0, 0, 1) →_{1r} (0, 0, 1, 0) →_{1r} (0, 0, 2, 0),
(0, 0, 2, 0) →_{1r} (0, 0, 0, 2) →_{1r} (0, 0, 1, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 2, 0),
(0, 0, 2, 0) →_{1r} (0, 0, 2, 0) →_{1r} (0, 0, 0, 2) →_{1r} (0, 0, 1, 0) →_{1r} (0, 0, 2, 0),
are four 4-round characteristics (0, 0, 2, 0) → (0, 0, 2, 0)
all four characteristics have a (conjectured) probability of 1/51
one should think Pr((0, 0, 2, 0) →_{4r} (0, 0, 2, 0)) ≥ 4/51
with Np = 3 ⇒ N = 3/(4/51) ≈ 40 pairs of plaintexts
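An added implementation (not the slides' code) of CipherFour as specified above and of the 5-round differential attack just described: pairs with plaintext difference (0, 0, 2, 0), filtering on the four admissible ciphertext differences, and one counter per guess of the four target bits of k_5 (bits y_2, y_6, y_10, y_14, which undoing P feeds into S-box 2). The round keys are constructed demo values; more pairs than the 40 of the slide are used so that the right guess stands out in a single run.

```python
import random

# CipherFour as specified on the slides: bit y_0 is the most significant bit of the 16-bit
# word and nibble 0 is the leftmost nibble. Cipher, attack and keys are an added example,
# not code from the slides; DEMO_KEYS are constructed values.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
SBOX_INV = [SBOX.index(v) for v in range(16)]
PERM = [0x0, 0x4, 0x8, 0xC, 0x1, 0x5, 0x9, 0xD,
        0x2, 0x6, 0xA, 0xE, 0x3, 0x7, 0xB, 0xF]


def sbox_layer(x):
    """Apply S to each of the four nibbles of a 16-bit word."""
    return sum(SBOX[(x >> s) & 0xF] << s for s in (12, 8, 4, 0))


def permute(x):
    """P: output bit y_j is input bit y_P(j). P is a 4x4 bit transpose, hence its own inverse."""
    out = 0
    for j in range(16):
        out |= ((x >> (15 - PERM[j])) & 1) << (15 - j)
    return out


def encrypt(m, round_keys):
    """r-round CipherFour, round_keys = [k0, ..., kr]: r rounds of (key xor, S-layer, P),
    then the final key xor."""
    x = m
    for k in round_keys[:-1]:
        x = permute(sbox_layer(x ^ k))
    return x ^ round_keys[-1]


# A pair with difference (0,0,2,0) entering round 5 leaves S-box 2 with output difference
# h in {1,2,9,a}; after P the ciphertext difference is one of these four words.
FILTER = {permute(h << 4) for h in (0x1, 0x2, 0x9, 0xA)}

# Undoing P on c xor k5 sends bits y_2, y_6, y_10, y_14 to S-box 2, so these four bits of
# k5 are the target bits of the attack.
TARGET_BITS = (2, 6, 10, 14)


def target_nibble(word):
    """Bits y_2, y_6, y_10, y_14 of a 16-bit word as a 4-bit value, most significant first."""
    return sum(((word >> (15 - j)) & 1) << (3 - i) for i, j in enumerate(TARGET_BITS))


def differential_attack(oracle, n_pairs, seed=1):
    """Chosen-plaintext attack on 5-round CipherFour with the 4-round differential
    (0,0,2,0) -> (0,0,2,0). Returns one counter per guess of the four target bits of k5."""
    rng = random.Random(seed)
    counters = [0] * 16
    for _ in range(n_pairs):
        m = rng.getrandbits(16)
        c, c2 = oracle(m), oracle(m ^ 0x0020)        # plaintext difference (0,0,2,0)
        if c ^ c2 not in FILTER:                      # filtering: certainly a wrong pair
            continue
        for g in range(16):                           # guess the four target bits of k5
            u = SBOX_INV[target_nibble(c) ^ g]        # partial decryption of S-box 2
            u2 = SBOX_INV[target_nibble(c2) ^ g]
            if u ^ u2 == 0x2:                         # difference (0,0,2,0) after 4 rounds?
                counters[g] += 1
    return counters


# Constructed demo keys k0..k5 for five rounds; the target bits of k5 = 0xD572 are 0011.
DEMO_KEYS = [0x3A5C, 0x8E21, 0x47D9, 0xB06F, 0x19C4, 0xD572]


def recover_target_bits(round_keys=DEMO_KEYS, n_pairs=6000):
    """Run the attack against an encryption oracle for round_keys; return (best guess, counters)."""
    counters = differential_attack(lambda m: encrypt(m, round_keys), n_pairs)
    return counters.index(max(counters)), counters


if __name__ == "__main__":
    guess, counters = recover_target_bits()
    print("counters per guess:", counters)
    print(f"recovered target bits {guess:04b}, true value {target_nibble(DEMO_KEYS[5]):04b}")
```

The correct guess is counted for every right pair, while the analysis on the S/N slide treats the other fifteen counters as noise; the printed counters let you compare the observed ratio with the idealised 15.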
Differential cryptanalysis in general
Definition
An s-round characteristic is a series of differences defined as an (s + 1)-tuple
Ω : α_0, α_1, ..., α_s, where ∆m = α_0, ∆c_i = α_i for 1 ≤ i ≤ s
Probability
Pr(Ω) = Pr(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0). Probability is taken over all possible plaintexts and keys
Differential cryptanalysis in general
Find (r − 1)-round characteristic determining ∆c_{r−1} with prob. p
Repeat
1. choose pairs of plaintexts with difference ∆m
2. get the pairs of ciphertexts c and c∗
3. for i = 0, ..., 2^k − 1 do:
   decrypt ciphertexts one round using guess k_r = i,
   if expected difference ∆c_{r−1} is obtained, counter for i incremented
until one counter has value significantly different from other counters
Key recovery part
[Figure] ··· → g → ⊕ k_{r−1} → y → g → ⊕ k_r → c → ⊕ i → g^{−1} → c′ (c′ is the result of the trial decryption with guess i)
k_r = i ⇒ c′ = y
k_r ≠ i ⇒ c′ = ?
Hypothesis of random-key randomization (standard)
Filtering
Definition (Right pair)
A right pair is a pair of plaintexts with intermediate ciphertexts following the characteristic
Definition (Wrong pair)
A wrong pair is a pair which is not a right pair
right pairs always suggest the correct value of the key
strategy: minimise the number of wrong pairs
often possible from ciphertexts alone to determine that a pair is wrong; in that case the pair is filtered out (not used) in the analysis
Signal to noise ratio
S/N = (prob. correct key is counted) / (prob. a random key is counted)
k: number of key bits to find
p: probability of characteristic
m: number of pairs required
β: ratio of used pairs to all pairs
α: number of keys suggested by each used pair
S/N = (m · p) / (m · β · α / (2^k − 1)) = p · (2^k − 1) / (α · β)
If S/N ≠ 1 repeat attack until correct key “sticks out”
Complexity
chosen plaintexts needed roughly c × 1/p_Ω, where p_Ω is the probability of the characteristic Ω used and c ≥ 1 is a function of S/N (usually small)
increase S/N ratio: filter out wrong pairs
success of differential attacks depends on
probability of characteristic
number of counters required
S/N ratio
filtering
time to run the attack
Iterative characteristics
Problem: for t big, t-round characteristics hard to find
Definition
An s-round iterative characteristic has the form
Ω : α_i, α_{i+1}, ..., α_{i+s+1},
where α_i = α_{i+s+1}.
Construct ts-round characteristics by concatenating Ω with itself t times.
Probability of characteristics
for attack (k is secret key)
Pr_M(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0, k is key)
but k is unknown? Average over all keys:
Pr_{M,K}(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0)
proposal:
Pr_{M,K}(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0) = ∏_{i=1}^{s} Pr_{M,K}(∆c_1 = α_i | ∆m = α_{i−1}) ????
Requires that individual rounds are independent.......
Probability of characteristics (2)
Definition
An iterated cipher is a Markov cipher, with respect to the defined difference, if
Pr_K(∆c_1 = β | ∆c_0 = α, c_0 = γ)
is independent of γ for all α, β
For Markov ciphers with independent round keys
Pr_{M,K}(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0) = Pr_K(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0) = ∏_{i=1}^{s} Pr_K(∆c_1 = α_i | ∆m = α_{i−1})
Probability of characteristics (3)
Fact
DES and AES are Markov ciphers with difference defined by ⊕
Differentials
In attacks based on basic differential cryptanalysis the intermediate differences are (usually) not used
characteristic Φ = (∆m, ∆c_1, ..., ∆c_{r−2}, ∆c_{r−1})
differential Ω = (∆m, ∆c_{r−1})
Pr(Ω) ≥ Pr(Φ)
Differentials - probability
probability of characteristic (Markov ciphers)
Pr(∆c_s = α_s, ..., ∆c_1 = α_1 | ∆m = α_0) = ∏_{i=1}^{s} Pr(∆c_1 = α_i | ∆m = α_{i−1})
probability of differential (Markov ciphers)
Pr(∆c_s = β_s | ∆m = β_0) = ∑_{β_1} ··· ∑_{β_{s−1}} ∏_{i=1}^{s} Pr(∆c_i = β_i | ∆c_{i−1} = β_{i−1})
where ∆c_0 = ∆m
Differentials and probabilities
probability of differentials taken over all plaintexts and keys
for Markov cipher only over all keys
probability is an average over all keys
in attack, one key is used. Probability?
Definition (Hypothesis of stochastic equivalence)
For virtually all high probability s-round differentials (α, β)
Pr_M(∆c_s = β | ∆m = α, K = k) ≈ Pr_{M,K}(∆c_s = β | ∆m = α)
holds for a substantial fraction of key values k
Linear cryptanalysis (Matsui 1993)
Known plaintext attack
Uses linear relations between bits of m, c = e_k(m) and k
Suppose with probability p ≠ 1/2
(m · α) ⊕ (c · β) = 0 (∗)
Collect N pairs of plaintext/ciphertext (using same key!)
T: number of times the left side of (∗) is 0
If p > 1/2, E(T) > N/2
If m and c independent, T ≃ N/2.
Linear attack: Complexity
T is a binomial random variable (each term of the sum is 0 with probability p > 1/2)
Pr(T > N/2) = 1 − Pr(T ≤ N/2) ≃ 1 − Φ((N/2 + 1/2 − Np) / (√(p(1 − p)) · √N))
≃ 1 − Φ(−2√N |p − 1/2|) = Φ(2√N |p − 1/2|)
where Φ is the normal distribution function
With N = |p − 1/2|^{−2} the probability is about 97.72%
|p − 1/2| is called the bias
Joining linear approximations
Random, independent boolean variables X, Y, and Z
If α · X = β · Y with probability p_1
and β · Y = γ · Z with probability p_2
then α · X = γ · Z with probability 1/2 + 2(p_1 − 1/2)(p_2 − 1/2)
Piling-up Lemma
Let Z_i, 1 ≤ i ≤ n, be independent random boolean variables which are 0 with probability p_i. Then
Pr(Z_1 ⊕ Z_2 ⊕ ... ⊕ Z_n = 0) = 1/2 + 2^{n−1} ∏_{i=1}^{n} (p_i − 1/2)
Joining linear approximations
Piling-up Lemma
Let Z_i, 1 ≤ i ≤ n, be independent random boolean variables which are 0 with probability p_i. Then
Pr(Z_1 ⊕ Z_2 ⊕ ... ⊕ Z_n = 0) = 1/2 + 2^{n−1} ∏_{i=1}^{n} (p_i − 1/2)
or similarly
2 Pr(Z_1 ⊕ Z_2 ⊕ ... ⊕ Z_n = 0) − 1 = ∏_{i=1}^{n} (2p_i − 1)
Linear cryptanalysis - iterated ciphers
[Figure] c_i → ⊕ k → x → f → c_{i+1}
(α · c_i) ⊕ (α · x) = (α · k)
(α · x) = (β · c_{i+1}) with p_i ≠ 1/2
(α · c_i) ⊕ (β · c_{i+1}) = 0 with bias |p_i − 1/2| (whatever the value of (α · k))
linear characteristic (δ_i, δ_{i+1}) with bias |p_i − 1/2| means that
(δ_i · c_i) ⊕ (δ_{i+1} · c_{i+1}) = 0
with bias |p_i − 1/2|
Linear characteristics - iterated ciphers
[Figure] ··· c_i → ⊕ k_i → g → c_{i+1} → ⊕ k_{i+1} → g → c_{i+2} ···
assume that
(δ_0 · c_0) ⊕ (δ_1 · c_1) = 0 with bias |p_1 − 1/2|
(δ_1 · c_1) ⊕ (δ_2 · c_2) = 0 with bias |p_2 − 1/2|
...
(δ_{s−1} · c_{s−1}) ⊕ (δ_s · c_s) = 0 with bias |p_s − 1/2|
then (u.s.a.) (δ_0, δ_1, ..., δ_s) is called an s-round linear characteristic with bias 2^{s−1} ∏_{i=1}^{s} |p_i − 1/2| (piling up biases)
Linear attack - r-round iterated cipher
[Figure] m → ⊕ k_0 → g → ⊕ k_1 → g → ··· → ⊕ k_{r−1} → g → ⊕ k_r → c
consider r-round characteristic (δ_0, ..., δ_{r−1}) with bias b: (m · δ_0) ⊕ (c_{r−1} · δ_{r−1}) = 0
consider for some value of i: (m · δ_0) ⊕ (g^{−1}(c, i) · δ_{r−1}) = 0 (∗)
with i = k_r, (∗) is the characteristic for r − 1 rounds
Assumption
For i ≠ k_r, (∗) is a random approximation with bias ≃ 0
Linear attack (2)
[Figure] m → ⊕ k_0 → g → ⊕ k_1 → g → ··· → ⊕ k_{r−1} → g → ⊕ k_r → c
assume k_r has κ bits
for i = 0, ..., 2^κ − 1 compute bias of
(m · δ_0) ⊕ (g^{−1}(c, i) · δ_{r−1}) = 0
using N known plaintexts
guess k_r = i for the value of i which produces the bias closest to expected
complexity N ≃ c · |p − 1/2|^{−2}, c small constant
Probability of linear characteristics
For attack (k is secret key)
Pr_M((c_{r−1} · δ_{r−1}) ⊕ (m · δ_0) = 0 | k is key)
But k unknown? Average over all keys:
Pr_{M,K}((c_{r−1} · δ_{r−1}) ⊕ (m · δ_0) = 0)
can be hard to calculate
Probability of linear characteristics
Assume that
|Pr_K((c_i · δ_i) = (c_{i−1} · δ_{i−1}) | c_{i−1} = γ) − 1/2|
is independent of γ and
assume that round keys are independent, then the bias
|Pr_{M,K}((c_{r−1} · δ_{r−1}) ⊕ (m · δ_0) = 0) − 1/2|
can be calculated from one-round biases and the Piling-up Lemma
Example: CipherFour, block size 16, r rounds (the same definition as in the differential cryptanalysis section above: round-key exclusive-or, four parallel applications of S, bit permutation P, and a final round-key exclusive-or)
Example cipher - linear attack
Linear approximation table for S (entries are (p − 1/2) · 16; rows: input mask, columns: output mask, '.' = 0):
     1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
1    2   2   .   4  -2   2   .   2   .  -4  -2   2   .   .   2
2    2   .   2   .   2   4  -2   2   .   2   .  -2  -4   2   .
3    .   2  -2   .   .   2   6   .   .   2  -2   .   .   2  -2
4   -2   2   .  -4  -2  -2   .   2   .   .  -2   2  -4   .   2
5    .  -4   .   .  -4   .   .   .  -4   .   .   .   .   4   .
..  (rows 6 to 8 omitted on the slide)
9    2  -2   .   .   2  -2   .  -2   4   .  -2   2   .   4   2
a   -2   .   2   .  -2   .   2   2   4  -2   4  -2   .   2   .
b    .  -2  -2   .   .   2   2   .   .   2   2   .   .  -2   6
c    2   2   .   .  -2  -2   .  -2   .   .  -2  -6   .   .   2
d    .   .   .  -4   .   4   .  -4   .  -4   .   .   .   .   .
e    4  -2  -2   .   .  -2   2   .   .  -2   2   .  -4  -2  -2
f   -2  -4   2   .   2   .   2   2   .  -2  -4  -2   .  -2   .
CipherFour - linear characteristic
entry (c_x, c_x), value ‘−6’: bias 6/16, probability −6/16 + 1/2 = 2/16
thus (0 0 0 c_x) →_S (0 0 0 c_x) has bias 6/16
since P is linear, (0 0 0 c_x) →_{1r} (1 1 0 0_x) is a one-round characteristic of bias 3/8
also, (1 1 0 0_x) →_S (4 4 0 0_x) has bias 2(4/16)(4/16) = 1/8
so (u.s.a.) (0 0 0 c_x) →_{2r} (0 0 c 0_x) is a two-round characteristic of bias 2(3/8)(1/8) = 3/32
CipherFour - linear iterative characteristic
Better approach for CipherFour:
(8 0 0 0_x) →_S (8 0 0 0_x)
has bias 4/16 and therefore
(8 0 0 0_x) →_{1r} (8 0 0 0_x)
is a one-round characteristic of bias 1/4
Use it to build t-round characteristics
(8 0 0 0_x) →_{tr} (8 0 0 0_x)
of bias 2^{t−1}(1/4)^t = 2^{−1−t}
CipherFour - a linear attack
consider CipherFour with 5 rounds and the four-round characteristic
(8 0 0 0_x) →_{1r} (8 0 0 0_x) →_{1r} (8 0 0 0_x) →_{1r} (8 0 0 0_x) →_{1r} (8 0 0 0_x)
which (u.s.a.) has bias 2^{−1−4} = 1/32 according to the Piling-up Lemma
for all values of four bits in the last-round key, (partially) decrypt ciphertexts one round, compute bias
value of key which produces bias of 1/32 is taken as value of secret key
N = c · |p − 1/2|^{−2} = c · 2^{10} known plaintexts required to find four bits of last-round key
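An added example (not from the slides) covering the linear side: the linear approximation table of the S-box in the slides' scaling, the Piling-up Lemma in both of its forms, the biases of the characteristics above (3/8 and 1/8 for the rounds of the two-round characteristic, 3/32 combined, 1/4 and 1/32 for the iterative one), and the data complexity N = |p − 1/2|^{−2} together with the success probability Φ(2√N |p − 1/2|) from the complexity slide. Biases are exact fractions; the P step between rounds is applied by hand, as on the slides.

```python
import math
from fractions import Fraction

# The 4-bit S-box of the slides: S(x) for x = 0, 1, ..., f.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]


def parity(x):
    """Parity of the set bits; the slides' dot product a . x is parity(a & x)."""
    return bin(x).count("1") & 1


def lat(sbox):
    """Linear approximation table in the slides' scaling: lat[a][b] = (p - 1/2) * 16,
    where p = Pr(a . x = b . S(x)) over the 16 inputs x."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(x & a) == parity(sbox[x] & b))
            table[a][b] = agree - n // 2
    return table


LAT = lat(SBOX)


def sbox_bias(a, b):
    """Bias |p - 1/2| of the approximation a . x = b . S(x); the zero masks give 1/2."""
    return Fraction(abs(LAT[a][b]), 16)


def piling_up(biases):
    """Piling-up Lemma: n independent approximations with biases e_i give bias 2^(n-1) * prod e_i."""
    result = Fraction(1)
    for e in biases:
        result *= e
    return 2 ** (len(biases) - 1) * result


def piling_up_prob(probs):
    """The lemma in probability form: Pr(Z_1 xor ... xor Z_n = 0) = 1/2 + 2^(n-1) * prod (p_i - 1/2)."""
    prod = Fraction(1)
    for p in probs:
        prod *= Fraction(p) - Fraction(1, 2)
    return Fraction(1, 2) + 2 ** (len(probs) - 1) * prod


def s_layer_bias(alpha, beta):
    """Bias of the one-round approximation alpha . u = beta . v over the four parallel S-boxes;
    inactive S-boxes contribute the trivial bias 1/2, which the 2^(n-1) factor cancels."""
    return piling_up([sbox_bias(a, b) for a, b in zip(alpha, beta)])


def iterative_bias(one_round_bias, t):
    """Bias of the t-round characteristic obtained by concatenating one round t times."""
    return piling_up([one_round_bias] * t)


def known_plaintexts(bias):
    """Matsui's estimate N = |p - 1/2|^-2 (times a small constant c in practice)."""
    return 1 / bias ** 2


def success_probability(n_texts, bias):
    """Phi(2 sqrt(N) |p - 1/2|): the normal approximation from the complexity slide."""
    z = 2 * math.sqrt(n_texts) * float(bias)
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


if __name__ == "__main__":
    print("LAT[c][c] =", LAT[0xC][0xC])                                          # -6
    one = s_layer_bias((0, 0, 0, 0xC), (0, 0, 0, 0xC))
    two = piling_up([one, s_layer_bias((1, 1, 0, 0), (4, 4, 0, 0))])
    print("one-round bias", one, "two-round bias", two)                          # 3/8, 3/32
    b4 = iterative_bias(s_layer_bias((8, 0, 0, 0), (8, 0, 0, 0)), 4)
    n = known_plaintexts(b4)
    print("4-round iterative bias", b4, "N =", n, "success ~", round(success_probability(n, b4), 4))
```

Applying the P table of the CipherFour slide to the output masks (4 4 0 0) moves the two active bits y_1 and y_5 to positions 4 and 5, i.e. to nibble 1; the two-round bias 3/32 does not depend on which nibble the mask lands in.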
Linear attack on DES
iterative 4-round characteristic
build 14-round characteristic with bias 1.2 × 2−21
guess on six round key bits in both first and last rounds
potential to find 12 key bits
swap role of plaintext and ciphertext, repeat attack
in total, potential to find 24 bits of key information
find remaining 32 bits by an exhaustive search
Linear attack on DES
estimate: with 2^45 known plaintexts a DES key can be recovered with 98.8% success rate
Matsui test:
January 1994
key found in 50 days on 12 HP9735 workstations (120 Mips)
2^43 known plaintexts
ciphertext-only attack possible, assuming English plaintexts encoded in ASCII
Rounding off
intro to block ciphers
differential cryptanalysis
characteristics
differentials
linear cryptanalysis
linear hulls equivalent to differential
two most general attacks on block ciphers
good knowledge of how to protect against these attacks, see AES