Block ciphers 2 Session 4

Upload: alexia-amice-dennis

Post on 28-Dec-2015


Contents

• Linear cryptanalysis
• Differential cryptanalysis


Linear cryptanalysis

• Known plaintext attack
– The cryptanalyst has a set of plaintexts and the corresponding ciphertexts
– The cryptanalyst has no way of guessing which plaintext and the corresponding ciphertext were used


• Linear cryptanalysis
– Tries to take advantage of high probability occurrences of linear expressions involving plaintext bits, ciphertext bits (or round output bits) and subkey bits

– The basic idea is to approximate the operation of a portion of the cipher with a linear expression

– The approach is to determine such expressions with high or low probability of occurrence


• Example

$$x_{i1} \oplus x_{i2} \oplus \cdots \oplus x_{iu} \oplus y_{j1} \oplus y_{j2} \oplus \cdots \oplus y_{jv} = 0$$

– Here, i and j are the numbers of the rounds from which the bits of the input vector X and the output vector Y are taken, respectively
– u bits from the vector X and v bits from the vector Y are taken
– Example
• i=1 and j=5 means X is taken from the input to the first round and Y is taken from the output of the 5th round


• Linear probability bias (1)
– If a block cipher displays a tendency for such linear equations to hold with a probability much higher (or much lower) than 1/2, this is evidence of the cipher's poor randomization abilities

– The deviation (bias) from the probability of 1/2 for such an expression to hold is exploited in linear cryptanalysis

– This deviation is called linear probability bias


• Linear probability bias (2)
– Let the probability that the given linear equation holds be pL
– The higher the magnitude of the linear probability bias |pL-1/2|, the better the applicability of linear cryptanalysis with fewer known plaintexts required in the attack


• Linear probability bias (3)
– pL=1 : catastrophic weakness – there is always a linear relation in the cipher
– pL=0 : catastrophic weakness – there is an affine relationship in the cipher (a complement of a linear relationship)


• Linear probability bias (4)
– Consider two random variables, X1 and X2
• X1⊕X2=0 a linear expression – equivalent to X1=X2
• X1⊕X2=1 an affine expression – equivalent to X1≠X2
– Assume the following probability distributions

$$\Pr(X_1 = i) = \begin{cases} p_1, & i = 0 \\ 1 - p_1, & i = 1 \end{cases} \qquad \Pr(X_2 = i) = \begin{cases} p_2, & i = 0 \\ 1 - p_2, & i = 1 \end{cases}$$


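• Linear probability bias (5)
– If X1 and X2 are independent, then

$$\Pr(X_1 = i, X_2 = j) = \begin{cases} p_1 p_2, & i = 0,\ j = 0 \\ p_1 (1 - p_2), & i = 0,\ j = 1 \\ (1 - p_1) p_2, & i = 1,\ j = 0 \\ (1 - p_1)(1 - p_2), & i = 1,\ j = 1 \end{cases}$$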


• Linear probability bias (6)
– It can easily be shown that

$$\Pr(X_1 \oplus X_2 = 0) = \Pr(X_1 = X_2) = \Pr(X_1 = 0, X_2 = 0) + \Pr(X_1 = 1, X_2 = 1) = p_1 p_2 + (1 - p_1)(1 - p_2).$$


• Linear probability bias (7)
– With the probability bias introduced

p1=1/2+ε1
p2=1/2+ε2
-1/2 ≤ ε1, ε2 ≤ 1/2

we have

$$\Pr(X_1 \oplus X_2 = 0) = \frac{1}{2} + \varepsilon_{1,2} = \frac{1}{2} + 2\varepsilon_1\varepsilon_2$$


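• Linear probability bias (8)
– Extension to n random binary variables – the piling-up lemma – Matsui, 1993
• For n independent random binary variables, X1, X2,…, Xn

$$\Pr(X_1 \oplus \cdots \oplus X_n = 0) = \frac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \varepsilon_i$$

or equivalently

$$\varepsilon_{1,2,\ldots,n} = 2^{n-1} \prod_{i=1}^{n} \varepsilon_i.$$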


• Linear probability bias (9)
– If pi=0 or 1 for all i, then $\Pr(X_1 \oplus \cdots \oplus X_n = 0) = 0$ or 1
– If only one pi=1/2, then $\Pr(X_1 \oplus \cdots \oplus X_n = 0) = \frac{1}{2}$
– In developing the linear approximation of a cipher, the Xi values actually represent linear approximations of the S-boxes


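• Example (1)
– Three random binary variables, X1, X2, and X3
– Let $\Pr(X_1 \oplus X_2 = 0) = \frac{1}{2} + \varepsilon_{1,2}$ and $\Pr(X_2 \oplus X_3 = 0) = \frac{1}{2} + \varepsilon_{2,3}$
– Let us derive the expression for the sum of X1 and X3 by adding

$$\Pr(X_1 \oplus X_3 = 0) = \Pr([X_1 \oplus X_2] \oplus [X_2 \oplus X_3] = 0).$$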


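• Example (2)
– Since we can consider X1⊕X2 and X2⊕X3 to be independent, we can use the piling-up lemma to determine

$$\Pr(X_1 \oplus X_3 = 0) = \frac{1}{2} + 2\varepsilon_{1,2}\varepsilon_{2,3}$$

and consequently

$$\varepsilon_{1,3} = 2\varepsilon_{1,2}\varepsilon_{2,3}.$$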


• Example (3)
– The expressions X1⊕X2=0 and X2⊕X3=0 are analogous to linear approximations of S-boxes
– The expression X1⊕X3=0 is analogous to a cipher approximation where the intermediate bit X2 is eliminated

– A real analysis is much more complex, involving many S-box approximations


• The sources of vulnerabilities regarding linearity in block ciphers are S-boxes

• Example (1) – a 4×4 S-box


• Example (2) – The contents of the S-box

Addr.  0 1 2 3 4 5 6 7 8 9 A B C D E F
Cont.  E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

– We consider the following equations
X2⊕X3=Y1⊕Y3⊕Y4
X1⊕X4=Y2
X3⊕X4=Y1⊕Y4


• Example (3)


• Example (4) – The linear probability bias
• First equation: 12/16-1/2=1/4
• Second equation: 0
• Third equation: 2/16-1/2=-3/8

– The success of the attack depends on the magnitude of the linear probability bias – the best approximation of the S-box is the third equation


• Linear approximation table (1)
– For the attack, we must enumerate all linear approximations of the S-box – linear approximation table
– Each element in the table represents the number of matches between the linear equation in the "Input sum" column and the sum of the output bits represented in the "Output sum" row


• Linear approximation table (2)
– Dividing an element by 16 gives the probability bias for the particular linear combination
– The "Input sum" and the "Output sum" are given in hexadecimal
• a1X1⊕a2X2⊕a3X3⊕a4X4
• b1Y1⊕b2Y2⊕b3Y3⊕b4Y4
• ai,bi∈{0,1}
• The hexadecimal value represents the binary value a1a2a3a4, resp. b1b2b3b4


• Linear approximation table (3)


• Example
– The probability bias of the linear equation X3⊕X4=Y1⊕Y4 (hex input 3 and hex output 9) is -6/16=-3/8

– The probability that this linear equation holds true is 1/2-3/8=1/8


• Once the linear approximation information has been compiled for the S-boxes, we proceed by determining linear approximations for the overall cipher (if possible) or for a certain number of rounds

• Once an R-1 round linear approximation is discovered for a cipher of R rounds with a suitably large overall probability bias, it is possible to recover bits of the last subkey


• Complexity of the attack
– In the context of linear (and differential) cryptanalysis, this means the number of plaintext-ciphertext pairs necessary to carry out the attack
– Matsui showed that the number of such pairs NL could be given by
• NL≈1/ε², where ε is the overall probability bias for the whole cipher (or the rounds to be cryptanalyzed)


• Providing security against linear cryptanalysis
– Minimize the largest S-box bias
– Find structures to maximize the number of S-boxes involved in the overall cipher approximation
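
The S-box table entries, the piling-up lemma and the NL≈1/ε² estimate above can be reproduced with the following added example, which is not part of the original slides. It assumes a1 (resp. b1) is the most significant bit of each hex mask, stores each table entry as the match count minus 8 so that dividing by 16 gives the bias, and uses a constructed trail of k identical S-box approximations to show why involving more S-boxes helps the designer.

```python
# S-box from the slides: index = Addr. (input), value = Cont. (output).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(v):
    """XOR of the bits of v."""
    return bin(v).count("1") & 1

def matches(a, b, sbox=SBOX):
    """Count inputs X with a1X1^...^a4X4 == b1Y1^...^b4Y4, where Y = S(X).

    a and b are 4-bit masks with a1/b1 as the most significant bit
    (assumption), so X3^X4 is mask 0x3 and Y1^Y4 is mask 0x9.
    """
    return sum(parity(x & a) == parity(sbox[x] & b) for x in range(16))

def lat(sbox=SBOX):
    """Table entry = matches - 8, so entry / 16 is the bias pL - 1/2."""
    return [[matches(a, b, sbox) - 8 for b in range(16)] for a in range(16)]

def max_abs_bias(table):
    """Largest |bias| over non-zero masks: the value a designer minimizes."""
    return max(abs(table[a][b]) for a in range(1, 16) for b in range(1, 16)) / 16

def piling_up(biases):
    """Bias of the XOR of independent approximations: 2^(n-1) * prod(eps_i)."""
    result = 2.0 ** (len(biases) - 1)
    for eps in biases:
        result *= eps
    return result

def pairs_needed(eps):
    """Matsui's estimate NL ~ 1/eps^2 of known plaintext-ciphertext pairs."""
    return 1.0 / eps ** 2

if __name__ == "__main__":
    t = lat()
    for name, a, b in [("X2^X3=Y1^Y3^Y4", 0x6, 0xB), ("X1^X4=Y2", 0x9, 0x4),
                       ("X3^X4=Y1^Y4", 0x3, 0x9)]:
        print(f"{name}: {matches(a, b)}/16 matches, bias {t[a][b]}/16")
    print("largest S-box |bias|:", max_abs_bias(t))
    # Constructed trail: k S-boxes, each approximated with bias -3/8.
    for k in (1, 2, 4, 8):
        eps = piling_up([-3 / 8] * k)
        print(f"{k} S-boxes: bias {eps:+.5f}, ~{pairs_needed(eps):.0f} pairs")
```
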


Differential cryptanalysis

• Differential cryptanalysis
– Exploits high probability of certain occurrences of plaintext differences and differences in the last round of a block cipher
– Example (1)
• Input: X=[X1,X2,…,Xn]
• Output: Y=[Y1,Y2,…,Yn]
• Consider two inputs X' and X'' with corresponding outputs Y' and Y''


– Example (2)
• The input difference
– ΔX=X'⊕X''=[ΔX1,ΔX2,…,ΔXn]
• The output difference
– ΔY=Y'⊕Y''=[ΔY1,ΔY2,…,ΔYn]
• In an ideally randomized cipher, the probability that a particular output difference ΔY occurs given a particular input difference ΔX is 1/2^n


• Differential cryptanalysis seeks to exploit a situation in which a particular ΔY occurs given a particular ΔX with a very high probability pD (>>1/2^n)
• The pair (ΔX,ΔY) is called a differential
• The attacker selects pairs of inputs, X' and X'', to satisfy a particular ΔX for which a particular ΔY occurs with high probability


• We construct a differential (ΔX,ΔY) involving
– Plaintext bits (as represented by X)
– Input to the last round (as represented by Y)

• This is carried out by examining highly likely differential characteristics


• Differential characteristic
– A sequence of input and output differences to the rounds
• Output difference from one round corresponds to the input difference for the next round

• Using the highly likely differential characteristic enables exploiting information coming into the last round


• To construct highly likely differential characteristics, we examine the properties of individual S-boxes

• We then use these properties to determine the complete differential characteristic


• We consider the input and output differences of the S-boxes in order to determine a high probability difference pair.

• Then we combine S-box difference pairs from round to round so that the non-zero output difference bits from one round correspond to the non-zero input difference bits of the next round


• This enables finding a high probability differential consisting of the plaintext difference and the difference of the input to the last round

• The subkey bits disappear from the difference expression because they are involved in both data sets


• Example (1)


• Example (2)
– The contents of the S-box

Addr.  0 1 2 3 4 5 6 7 8 9 A B C D E F
Cont.  E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

– Input: X=[X1,X2,X3,X4]
– Output: Y=[Y1,Y2,Y3,Y4]


• All difference pairs of an S-box (ΔX,ΔY) can be examined and the probability of ΔY given ΔX can be derived by considering input pairs (X',X'') such that X'⊕X''=ΔX
• Ordering of the pair is not relevant
– For a 4×4 S-box we need only consider all 16 values for X' and derive X''=X'⊕ΔX


• Example
ΔX=1011 (hex B)
ΔX=1000 (hex 8)
ΔX=0100 (hex 4)
• Given X and ΔX and having the S-box truth table, for the pair (X,X⊕ΔX) we get the pair (Y,Y⊕ΔY)
• Then we easily get ΔY


• Example
– The number of occurrences of ΔY=0010 for ΔX=1011 is 8 out of 16 possible values (i.e. a probability 1/2)
– The number of occurrences of ΔY=1011 for ΔX=1000 is 4 out of 16 possible values (i.e. a probability 1/4)
– The number of occurrences of ΔY=1010 for ΔX=0100 is 0 out of 16 possible values (i.e. a probability 0)


• An "ideal" S-box would have the number of occurrences of difference pair values all 1, to give a probability of 1/16 of the occurrence of a particular ΔY given ΔX

• It turns out that such an "ideal" S-box does not exist


• Difference distribution table
– The rows represent ΔX values (in hex)
– The columns represent ΔY values (in hex)
– Each element of the table represents the number of occurrences of the corresponding output difference ΔY given the input difference ΔX
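
The difference distribution table for the S-box above can be computed directly from this definition. The following is an added example, not part of the original slides; the function names are illustrative, and it also checks the three worked differences and why an all-ones "ideal" table cannot exist.

```python
# S-box from the slides: index = Addr. (input), value = Cont. (output).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def output_differences(dx, sbox=SBOX):
    """For each X', derive X'' = X' ^ dX and return dY = S(X') ^ S(X'')."""
    return [sbox[x] ^ sbox[x ^ dx] for x in range(len(sbox))]

def ddt(sbox=SBOX):
    """table[dX][dY] = number of X' (out of 16) that give dY for difference dX."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for dy in output_differences(dx, sbox):
            table[dx][dy] += 1
    return table

def differential_probability(table, dx, dy):
    """Probability of dY given dX for this S-box."""
    return table[dx][dy] / len(table)

def all_entries_even(table):
    """X' and X'' = X' ^ dX produce the same dY, so every count is even;
    a table with every count equal to 1 is therefore impossible."""
    return all(v % 2 == 0 for row in table for v in row)

def max_differential(table):
    """Highest (count, dX, dY) with dX != 0: the value a designer minimizes."""
    return max((table[dx][dy], dx, dy)
               for dx in range(1, len(table)) for dy in range(len(table)))

if __name__ == "__main__":
    t = ddt()
    for dx, dy in [(0xB, 0x2), (0x8, 0xB), (0x4, 0xA)]:
        print(f"dX={dx:04b} dY={dy:04b}: {t[dx][dy]}/16 "
              f"= {differential_probability(t, dx, dy)}")
    print("all entries even:", all_entries_even(t))
    print("rows sum to 16:", all(sum(row) == 16 for row in t))
    print("largest non-trivial entry (count, dX, dY):", max_differential(t))
```
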


• Once the differential information has been compiled for the S-boxes, we proceed by determining a differential characteristic for the overall cipher (if possible) or for a certain number of rounds.

• Once an R-1 round differential characteristic is discovered for a cipher of R rounds with a suitably large overall probability, it is possible to recover bits of the last subkey


• Complexity of the attack
– This means the number of plaintext-ciphertext pairs necessary to carry out the attack
– The number of such pairs ND could be given by
• ND≈c/pD, where pD is the overall differential characteristic probability for the whole cipher (or the rounds to be cryptanalyzed) and c is a small constant


• Providing security against differential cryptanalysis
– Minimize the differential pair probability of an S-box
– Find structures to maximize the number of S-boxes with a non-zero differential
