Data Encryption Standard (DES)
Nicolas T. Courtois
University College London, UK
GA18
Security of DES (overview)
Nicolas T. Courtois, September 2007
DES history/standardisation/speed
DES
• Federal Standard FIPS 46-3
• Intended to be used to protect all US government communications… The first and only encryption algorithm known for many years.
• Adopted by all the other countries (incapacity to design their own cryptographic algorithm that would not be broken by the NSA?).
– Russia: GOST, different S-boxes can be specified.
• Used by almost anyone… - a de facto industry standard.
• 3-DES still used a lot in banking/financial sector (e.g. in bank cards). Replaced by AES slowly, over 20 years (!).
DES
• July 26, 2004: NIST announces withdrawal of DES.
• Withdrawn a bit late… Can be broken in 1 day now…
– Amateur: $2^{55} \times 400$ CPU cycles:
  • Less than 1 year, 200 PCs, 3 GHz
– Smart: FPGA implementation:
  • 1 year on FPGA, cost about 5000 $
  • 1 month if we have 60 K$ etc…
– Large budget: ASICs, DES chips:
  • Few hours with a budget of about 1M $.
[Schneier reports that in the 80s Russia did order 100 000 DES chips from Eastern Germany Robotron]
DES Speed
In cycles on Pentium 3.
• key setup: 883
• encrypt: 472
(59 cycles per byte, cf. AES-128 = 25 cycles per byte)
Cost of Exhaustive Search?
$2^{55} \times 472$ cycles on Pentium 3.
Gives $2^{64}$ cycles (CPU clocks)!
2 GHz => $2^{31}$ cycles per second.
$2^{43}$ cycles per hour.
$2^{47}$ cycles per day.
$2^{55}$ cycles per year, still not enough.
=> Even today we need $2^{9} \approx 500$ PCs to break DES in 1 year. (much faster with FPGAs…)
DES Speed – Smart Cards (1)
Low-end smart card:
• Software DES - about 50 ms
• Software 3-DES – about 150 ms
(cf. software AES-128 – about 120 ms)
Most cards have Hardware DES
Few µs !!! (even on low-end).
DES Speed – Smart Cards (2)
SLE-66CX680PE, 8051-based.
• Hardware DES - 3.5 µs
• Hardware 3-DES - 5.3 µs
(and hardware AES-128 - 85 µs on recent ST22: comparatively slow, AES requires much more surface than DES !!!)
=> Several times more (2,3,5,10 times…) if side-channel attacks are taken into consideration !!
DES
basics
DES basics
• 64-bit blocks (8 bytes)
• effective key size: 56 bit (reduced on purpose by the NSA)
• key written as 64 bits: use 7 bits / byte, one parity bit.
• Most authors use incompatible bit numberings…
– (FIPSPUB-46) = 32 – (Matsui numbers)
Outline
• Left: encryption channel
• Right: key scheduling: 16*48 subsets of 56 bits.
Key Scheduling Details
16*48 subsets of 56 bits.
*Self-Similarity in Key Schedule
• Can DES key be periodic?
• After step 1 = key for R1
• After step 8 = key for R8
• After step 15 = key for R15
• We have a pattern G of length 7 which repeats twice.
• Unhappily G = + 13 mod 28,
• Does NOT have many fixed points.
[Figure: R1, R8, R15]
*******another description [Vaudenay,MOV,etc]
Irregular Swap
At last round:
• encryption and decryption are identical, except order of keys.
Cheaper to implement in HW (reuse the same circuit)
The Initial Permutation
IP, FP = IP$^{-1}$.
Legend: First output bit is input bit 58. (FIPSPUB numbering)
• Why is IP used? Nobody really knows.
• Makes software implementation harder and a bit slower…
• Makes no difference for the attacker and can be ignored.
Feistel Scheme
• First described by Horst Feistel in 1971.
• Invertible transformation.
• Luby-Rackoff theory: relative security proofs… PRF => PRP
  – in fact cannot be applied: one round is NOT a PRF.
  – avoids generic attacks.
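
The two structural points on the "Irregular Swap" and "Feistel Scheme" slides can be checked directly: the network is invertible whatever the round function is, and with the swap undone after the last round, decryption is the same circuit with the round keys in reverse order. This is an added example, not code from the slides; `round_f` is a stand-in built from SHA-256 (not the DES round function), and the subkeys and plaintext are constructed sample values.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_f(half, subkey):
    """Stand-in round function (assumption, NOT the DES F).

    Truncated SHA-256 of (32-bit half, 48-bit subkey): many-to-one, so the
    round function on its own cannot be inverted.
    """
    data = half.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, subkeys, irregular_swap=True):
    """Run a 64-bit block through len(subkeys) twisted Feistel rounds."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # One round: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i)
        left, right = right, left ^ round_f(right, k)
    if irregular_swap:
        # Undo the swap performed by the last round (the "irregular swap").
        left, right = right, left
    return (left << 32) | right


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same circuit as encrypt; only the order of the round keys changes.
    return feistel(block, subkeys[::-1])


# Constructed sample data: 16 arbitrary 48-bit subkeys and one plaintext block.
SUBKEYS = [(0x0123456789AB * (2 * i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0011223344556677


def same_circuit_inverts(irregular_swap):
    """True if re-running the circuit with reversed keys restores the block."""
    c = feistel(PLAINTEXT, SUBKEYS, irregular_swap)
    return feistel(c, SUBKEYS[::-1], irregular_swap) == PLAINTEXT


if __name__ == "__main__":
    c = encrypt(PLAINTEXT, SUBKEYS)
    print(f"ciphertext            : {c:016x}")
    print(f"decrypt(ciphertext)   : {decrypt(c, SUBKEYS):016x}")
    print("with irregular swap   :", same_circuit_inverts(True))
    print("without irregular swap:", same_circuit_inverts(False))
```

Without the final swap the cipher is still invertible, but only by a circuit that first exchanges the two halves, which is the extra hardware the slide says the irregular swap avoids.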
Un-Twisted Feistel
*1 Round (twisted)
$F_K$:
• Expansion
• XOR with key
• S-boxes
• Permutation
[Figure: one round from L_{i-1}, R_{i-1} (32 bits each) to L_i, R_i (32 bits each), through blocks labelled E, S Box and P, with widths 48 bits, 32 bits, 32 bits]
DES Round Function
$F_K$:
• Expansion
• XOR with key
• S-boxes
• Permutation
Another view:
[Figure: diagram with six inputs 1-6 labelled A-F and four outputs 1-4 labelled W-Z]
DES
design
8 DES S-Boxes
[Figure: S-box S1, 6 bits in, 4 bits out]
DES Boxes – S-box 1 / 8
[Figure: S-box S1, 6 bits in, 4 bits out]
DES Design
• IBM S-boxes were designed by IBM. Design criteria published, and re-published by Coppersmith etc. Presumably incomplete.
• Real S-boxes were done by the NSA, acknowledged publicly in 2000 by Coppersmith (I was there).
DES Boxes
8 S-boxes IBM, modified by the NSA.
• The whole DES should be implemented on a single IC [with 1974 technology].
=> Each S-box should be implemented with 47 gates [NAND gates? 47??? NEVER SEEN one].
Fix two outer bits – permutation.
• No output should be too close to a linear function of inputs. [LC]. Coppersmith [C’2000]: A better criterion would be “no linear combination of outputs…”
S-boxes S1-S4 [Matthew Kwan]
S-boxes S5-S8 [Matthew Kwan]
***DES Implementation [2013]
• 17% fewer gates still, by Roman Rusakov
• Bitslice
– average of 44.125 gates per S-box (NB. they found several solutions with the same gate count)
– vs. 53.375 for Kwan (his XNOR => 2 gates).
– cf. www.openwall.com/lists/john-users/2011/06/22/1
– or the source code of John the Ripper
DES Boxes
• Change one bit in the input => at least two outputs change.
• Same for S(x) and S(x+001100).
• Some other…
Coppersmith 2000: preventing annihilation of differential perturbations!
DES Design
• NSA trapdoor ? Never found. Maybe did not know how to embed one in such a construction.
• Is DES a group? Not at all.
DES
early attacks
Chronology on DES
• Complementation property.
• No real attacks, lots of speculations until 1991 (work has been classified?).
• Davies-Murphy attack [1982-1995] …….LC
• Shamir Paper [1985]………LC
• Differential Cryptanalysis [1991]
• Linear Cryptanalysis: Gilbert and Matsui [1992-93]
Weak key of DES
• Does not matter.
• Tells us things about structure of DES.
• 4 weak keys:
– 0101 0101 0101 0101
– FEFE FEFE FEFE FEFE
– 1F1F 1F1F 1F1F 1F1F
– E0E0 E0E0 E0E0 E0E0
• For each of these there are $2^{32}$ fixed points.
“Early LC” - Shamir 1985
Mystery thing.
Related to LC published 8 years later.
** Shamir 1985
Shamir 1985
$x_2 \oplus y_1 \oplus y_2 \oplus y_3 \oplus y_4$.
Common to all S-boxes !!!!
Mystery only partially explained by Coppersmith...
S5: the strongest linear bias in DES, used in LC.
Davies-style attacks
Davies-Murphy
Davies-Murphy - example
DES
and LC
Linear Cryptanalysis = LC
Not known by Coppersmith/NSA ?
• [Gilbert and Tardy-Corfdir, FEAL, Crypto’92]
• [Matsui and DES, EuroCrypt’93]
• Biham at Eurocrypt’94: shows that the earlier Davies and Murphy DES attack method [1982-1995] is “essentially” a linear attack (!).
• Shamir [Crypto’85]: already exhibits a strong linear characteristic for each DES S-box.
Linear Cryptanalysis
Combine I/O Equations.
[Figure: an I/O equation relating F(x1,…) to G(y1,…) and one relating G(y1,…) to H(z1,…); the two G(y1,…) terms are identical]
Linear Cryptanalysis
Add I/O Equations => get another I/O Equation.
$F(x_1,\ldots) \oplus G(y_1,\ldots) = 0$ with P=…
$G(y_1,\ldots) \oplus H(z_1,\ldots) = 0$ with P=…
$F(x_1,\ldots) \oplus H(z_1,\ldots) = 0$ with P=…
Linear Cryptanalysis
Piling-up Lemma [Matsui]
$p = p_1 p_2 + (1-p_1)(1-p_2) = \tfrac{1}{2} + 2\,(p_1 - \tfrac{1}{2})(p_2 - \tfrac{1}{2})$
Imbalances: $I = 2\,|p_1 - \tfrac{1}{2}|$
They do multiply !!!
Search for LC – Matsui 1993
Table of size $2^6 \times 2^4$
find the strongest bias
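
The table search on this slide and the piling-up lemma on the previous one, worked through for S-box S5 as an added example (not code from the slides). The S5 table is the one in FIPS 46-3; the mask convention (input mask as a 6-bit integer with b1 as the most significant bit, so 0x10 selects x_2) and the function names are assumptions of this example.

```python
from fractions import Fraction

# DES S-box S5 as tabulated in FIPS 46-3 (4 rows x 16 columns).
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """Look up a 6-bit input b1..b6 (b1 = MSB): row = b1 b6, column = b2..b5."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def lat(table):
    """Linear approximation table of size 2^6 x 2^4.

    lat[a][b] = #{x : parity(a & x) == parity(b & S(x))} - 32,
    i.e. the deviation from the 32 agreements a random function would give.
    """
    outputs = [sbox(table, x) for x in range(64)]
    return [
        [sum(parity(x & a) == parity(outputs[x] & b) for x in range(64)) - 32
         for b in range(16)]
        for a in range(64)
    ]


def strongest(t):
    """Largest |deviation| over non-zero output masks, and where it occurs."""
    best = max(abs(t[a][b]) for a in range(64) for b in range(1, 16))
    where = [(a, b) for a in range(64) for b in range(1, 16)
             if abs(t[a][b]) == best]
    return best, where


def piling_up(probs):
    """Probability that the XOR of independent approximations holds.

    Applies the two-term formula p = p1*p2 + (1-p1)*(1-p2) repeatedly.
    """
    p = Fraction(1)  # the empty XOR always holds
    for q in probs:
        p = p * q + (1 - p) * (1 - q)
    return p


def imbalance(p):
    """I = 2 |p - 1/2|, the quantity that multiplies under piling-up."""
    return 2 * abs(p - Fraction(1, 2))


if __name__ == "__main__":
    table = lat(S5)
    best, where = strongest(table)
    print("largest |deviation| in S5:", best, "at (input, output) masks",
          [(hex(a), hex(b)) for a, b in where])
    p = Fraction(32 + table[0x10][0x0F], 64)
    print("P[x_2 = y_1^y_2^y_3^y_4] for S5:", p)
    print("two such approximations combined:", piling_up([p, p]),
          "imbalance", imbalance(piling_up([p, p])))
```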
Matsui’s Favourite
LC Example: (Untwisted)
Two “Magical” Rules
[Figure: two diagrams with branches labelled IDEM and XOR; 32-bit masks shown:]
00000000000000001000000000000000
00000000000000001000000000000000
00000000000000000000000000000000
Complexity of LC
Decision by majority. Bias = .
The signal must be stronger than “noise”.
The law of the random walk.
(average N/2, std. dev=N)
=> N N
# KP $(1 / \text{bias})^2$
[Figure: counts of #1 and #0, with axis marks N, N/2-N and N/2]
Best DES Approximation (Matsui, 1993)
• cyclic; 14 rounds
• 2-R method
[Figure: chain of round functions f labelled with the bit lists "3,8,14,25 17", "8,14,25 17" and "3 17"; round labels in order: D, C, A, -, A, C, D, -, D, ...]
Linear Cryptanalysis
• A statistical known plaintext attack
• Correlations among pt, ct, key bits are exploited:
  – Find a binary equation of pt, ct, key bits (“linear approximation”) which shows a non-trivial correlation among them (“bias”).
  – Collect a large pt-ct sample.
  – Try all key values with the collected pt-ct in the eq. (hence, relatively few key bits must be involved.)
  – Take the key that maximizes the bias as the right key.
• The remaining key bits can be found by brute force or by another LC attack.
Improvements
Apply LC to 16-1 rounds.
Guess some key bits in the last round.
See if the results confirm the guess.
This is called 1R method.
Possible because the “Linear Characteristics” used use very few I/O bits, which involve very few bits in the last round.
1R Method
A linear approximation of r-1 rounds:
$P[i_1 \ldots i_a] \oplus X_{r-1}[j_1 \ldots j_b] = K[m_1 \ldots m_c]$
with p ≠ ½. (p = 1 usually not possible)
• |p – ½|: the “bias” of the approximation
• (notation: $X_i$: ciphertext after i rounds; S[...]: xor of the specified bits of the string S.)
Expressed in terms of the ciphertext:
$P[i_1 \ldots i_a] \oplus F(C, K_r)[j_1 \ldots j_b] = K[m_1 \ldots m_c]$
where F is related to the last round’s decryption.
1R Method
• Approximation:
$P[i_1 \ldots i_a] \oplus F(C, K_r)[j_1 \ldots j_b] = K[m_1 \ldots m_c]$ (1)
• Collect a large number (N) of pt-ct blocks
• For all possible $K_r$ values, compute the left side of (1). T(i) denoting the # of zeros for the i-th candidate, take the $K_r$ value that maximizes the “sample bias” | T(i) – N/2 | as the right key.
• Another bit of key information (that is, $K[m_1 \ldots m_c]$) can be obtained comparing the signs of (p – ½) and (T(i) – N/2).
1R Improved
• 1 bit in the equation => 6 key bits/eqs
• 1 S-box => then 12 key bits / equation.
• 24 due to the symmetry: scrap 1 at the end and at the beginning…
• Remaining: exhaustive search !
• False positives ?
– E.g. $5 \cdot 2^{56-24}$ = easy !
LC of DES
• 8 rounds: $2^{21}$ known plaintexts
• 12 rounds: $2^{33}$ known plaintexts
• 16 rounds: $2^{43}$ known plaintexts
• First experimental cryptanalysis of the 16-round DES (Matsui, 1994).
• Ordering of the S-boxes was far from optimal against LC.
GLC
Generalised Linear Cryptanalysis = GLC
[Harpes, Kramer and Massey, Eurocrypt’95]
[related work: Harpes, Jakobsen…]
Concept of non-linear I/O sums.
F(inputs) = F’(outputs) with some probability…
GLC
[Eurocrypt’95]
Proof of Concept for SPN-type ciphers:
Exhibit a cipher very secure w.r.t. LC but very weak w.r.t. GLC.
Can be Seen as GLC
[Jakobsen and Knudsen polynomial approximation attacks, Crypto’98, JoC’01]
Another proof of concept for SPNs.
Contrived ciphers secure w.r.t. all known attacks but in fact very weak…
GLC and Feistel Ciphers?
[Knudsen and Robshaw, EuroCrypt’96]
For some reason decided that… GLC was impossible for Feistel Ciphers. Write that:
“one-round approximations that are non-linear […] cannot be joined together”…
• Content themselves with using non-linear approximations for the first and last round… [cf. also Kaneko and Shimoyama, Crypto’98].
BLC – Courtois 2004
1. Proof of concept: ciphers resistant to DC, LC etc. yet extremely weak w.r.t. the new attack.
2. New non-trivial attacks on DES. Some do slightly beat Matsui’s best equation.
GLC and Feistel Ciphers.
Main Claim:
The structure of Feistel ciphers makes them predisposed to a special subclass of GLC.
BLC = Bi-Linear Cryptanalysis.
Bi-linear Cryptanalysis over GF(2^n)
Bi-linear Cryptanalysis – Example:
Round function:
Then for every round:
Sum-Up:
Example - contd.
Whole cipher:
Broken even for 2n rounds !
What we get:
• Insecure Feistel cipher based on Inverse in GF(2^n).
• Mixes 3 different group operations.
• High non-linearity.
• Satisfies all design criteria.
• Provably secure against DC and LC.
• Yet broken even for 2n rounds !
DES S-boxes and BLC
1st Example for DES
3 Rounds:
Happens to work also for EVERY OTHER KEY !
Bias varies slightly…
r rounds:
Biased for:
• any key
• any number of rounds 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, …
What we get:
An invariant-based bi-linear attack for DES, for any key, and any number of rounds.
The strongest known invariant attack on DES.
How good is it ?
• Always worse than some other equation of Matsui.
• But never much worse.
• In fact closely related to some prominent equations of Matsui – their difference is a biased Boolean function.
How good is BLC ?
Conjecture: BLC cannot be much better than some existing linear attack. Heuristic, detailed argumentation in the extended version of the paper.
----- BUT ------
BLC can be strictly better than LC.
BLC better than LC for DES
Better than the best existing linear attack of Matsui
for 3, 7, 11, 15, … rounds.
Ex: LC 11 rounds:
BLC 11 rounds:
DC of DES
DC
Differential Cryptanalysis = DC. [1991]
– Very powerful
– Known by Coppersmith, optimised against, random S-boxes are weak !
– Shamir’s disturbing remark to Coppersmith…
– Russian DES: GOST. S-boxes not published.
DES vs. DC
Critical property: a differential with 4 bits in the middle ‘active’ cannot happen with P<=1/256 or so.
• BTW. If we use outer bits => other boxes will be affected.
Why?
[Figure: diagram with six inputs 1–6 (A B C D E F) and four outputs 1–4 (W X Y Z)]
DES vs. DC
Consequences:
• DES with random S-boxes would be very weak w.r.t. DC.
• Best differentials for DES use 3 S-boxes.
DC example
DC complexity
Plaintexts = 1 / probability
No “noise”. Looking for an exceptional event that almost never happens by itself. Very strong property that gives a lot of information !
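The S-box properties behind the "DES vs. DC" and "DC complexity" slides can be checked directly. The following Python is an added illustration, not code from the slides: it builds the difference distribution table of DES S-box S1 and of a constructed random S-box (the helper names and the seed 2007 are assumptions), lists which input differences limited to the four middle bits can give a zero output difference, and applies pairs = 1/probability to the best one-S-box differential.

```python
import random

# DES S-box S1 (FIPS 46-3). Row = outer bits b1,b6; column = middle bits b2..b5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(table, x):
    """Apply a 6-to-4-bit S-box stored DES-style as 4 rows of 16."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def ddt(table):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    t = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            t[dx][sbox_lookup(table, x) ^ sbox_lookup(table, x ^ dx)] += 1
    return t

# Non-zero input differences with outer bits b1 and b6 equal to zero:
# only the four middle bits are active, so both inputs select the same row.
MIDDLE_ONLY = [dx for dx in range(1, 64) if dx & 0b100001 == 0]

def middle_only_collisions(table):
    """Middle-only input differences that can give output difference 0."""
    t = ddt(table)
    return [dx for dx in MIDDLE_ONLY if t[dx][0] > 0]

def best_differential(table):
    """(count, dx, dy) of the most likely non-trivial one-S-box differential."""
    t = ddt(table)
    return max((t[dx][dy], dx, dy) for dx in range(1, 64) for dy in range(16))

def random_sbox(seed):
    """Constructed comparison S-box: 64 independent random 4-bit outputs."""
    rng = random.Random(seed)
    return [[rng.randrange(16) for _ in range(16)] for _ in range(4)]

if __name__ == "__main__":
    for name, box in (("DES S1", S1), ("random", random_sbox(2007))):
        count, dx, dy = best_differential(box)
        print(f"{name}: best {dx:#04x}->{dy:#x} p={count}/64, "
              f"~{64 // count} pairs for this S-box alone; middle-only "
              f"collisions: {len(middle_only_collisions(box))} of {len(MIDDLE_ONLY)}")
```

For S1 no middle-only difference can cancel, because each row of the S-box is a permutation of 0..15; the random box has no such guarantee.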
DES and Algebraic Attacks
[recent work]
Results on DES
Nicolas T. Courtois and Gregory V. Bard:
“Algebraic Cryptanalysis of the D.E.S.”.
In IMA Cryptography and Coding 2007
18-20 December 2007, Cirencester, UK
eprint.iacr.org/2006/402/
What Can Be Done ?
As of today, we can:
Idea 1 + Method 1:
Recover the key of 5-round DES with 3 known plaintexts faster than brute force.
Idea 2 + Method 2:
Key recovery for 6-round DES !
1 known plaintext (!).
GOST
GOST 28147-89
• 64-bit block, 256-bit key, 32 rounds
• Slow diffusion,
– lack of P-box
• Ultra-simple key schedule
– 3x direct, 1x reversed
• 8 secret S-boxes. (354 bits of info)
– Central Bank of Russia uses these:
So What?
Summary
Never was “really” broken [Coppersmith Crypto 2000]