[communications in computer and information science] networked digital technologies volume 87 ||...

F. Zavoral et al. (Eds.): NDT 2010, Part I, CCIS 87, pp. 321–332, 2010. © Springer-Verlag Berlin Heidelberg 2010

Genetic Cryptanalysis

Abdelwadood Mesleh, Bilal Zahran, Anwar Al-Abadi, Samer Hamed, Nawal Al-Zabin, Heba Bargouthi, and Iman Maharmeh

Computer Engineering Department, Faculty of Engineering Technology, Al-Balqa‘ Applied University, Amman, Jordan

[email protected]

Abstract. In this work, Elitism Genetic Algorithm cryptanalysis for the basic substitution permutation network is implemented. The GA cryptanalysis algo-rithm gets the entire key bits. Results show the robustness of the proposed GA cryptanalysis algorithm.

Keywords: Cryptanalysis, Elitism GA.

1 Introduction

Security [1] is always a concern of all the organizations with assets that are managed by computer systems. Because of the popularity of the data encryption standard (DES) and the advanced encryption standard (AES) as encryption schemes in security systems, there are always interests to find cryptanalysis attacks on DES and on AES.

A typical cipher [1] takes the plaintext and some known key as its input and pro-duces the ciphertext. Cryptanalysis is the process of recovering the plaintext and/or the key from a cipher. A cryptographic system has a finite key space and, hence, is vulnerable to an exhaustive key search attack. Yet, a typical cipher remains secure because the size of the key space is such that the time and resources for a search are not available. A random search through a finite but large key space is not usually an acceptable cryptanalysts tool. Differential cryptanalysis [2] and linear cryptanalysis [3] are the two most powerful cryptanalysis approaches.

In this work, cryptanalysis is viewed as the process of recovering the key from a cipher. In machine learning, this process can be studied as a search problem (a space of keys is searched to find the right key). It is known that an exhaustive based search (attack) may try every possible key on a piece of ciphertext until an intelligible trans-lation into plaintext is obtained. Because the key space is always extremely large, the key search process is always expensive (time consuming) and the exhaustive based search methods are impractical. On the other hand, it is known that GA [4] is an op-timization algorithm that has proven its robustness, moreover, it is known that GA offers powerful and domain independent search capabilities that can be used in many learning tasks (such as the key search process). For these reasons, machine learning community has been motivated to study the key search (attack) process as a search problem (GA optimization problem) [5, 6, 7, 8, 9, 10, 11]. In this work, elitism GA is used to search the key space.

322 A. Mesleh et al.

The rest of this paper is organized as follows. Section 2 presents the SPN. Section 3 describes the GA Cryptanalysis. Experimental results and conclusion are discussed in sections 4 and 5 respectively.

2 SPN

Substitution-permutation networks (SPNs) [12] evolved from the work of Claude Shannon [13], where he proposed the well-known principles of “confusion” and “dif-fusion”. Confusion is the obscuring of the relationship between elements of the plain-text and the elements of the ciphertext. On the other hand, diffusion is the spreading of the influence of plaintext elements over the ciphertext. These two principles are achieved through the use of “mixing transformation” involving a number of rounds (each round consists of a substitution operation followed by an invertible linear trans-formation). Feistel [14] realized Shannon’s mixing transformation through the use of substitution permutation networks (SPNs). As a result, SPNs form the foundation for many modern private key block cryptosystems such as DES and AES. Such crypto-systems obtain their cryptographic strength by iterating a cryptographic operation several times.

The basic SPN consists of a number of rounds of nonlinear substitutions (S-Boxes) connected by bit position permutations. The substitutions are performed by dividing the block of bits into small sub-blocks and using a mapping stored as a table lookup and referred to as an S-box. The basic SPN structure is used to construct ciphers which possess good cryptographic properties such as completeness [15] and resis-tance to differential and linear cryptanalysis [16, 17].

Fig. 1 shows a 16-bit SPN that consists of 4 rounds of 4 x 4 S-Boxes. The 16-bit plaintext block (p1,…,p16) is divided into four 4-bit sub-blocks; these sub-blocks form inputs for the S-Boxes. Each S-Box is defined as an a 4-bit bijective mapping S: P C, where P = [p1,…, p4] and C = [ c1,…, c4]. Before each round of substitution, a 4-bit key (K=[k1,…,k4]) is XORed with the 4-bit input sub-block (X=[x1,…, x4]). Sub-stitution is implemented with a lookup-table (see Table 1) and the mapping is chosen from the DES S-Boxes (see Table 2). In all rounds except the last, a permutation (see Table 3) of the bits then follows. In the last round, the data is typically XORed with a final round key instead. As a result, a cipher text is produced C= [c1,…,c16]. Decryp-tion implemented in a reverse order through the SPN. For input P and output C, the input difference is '''

ii PPP ⊕=Δ and the corresponding output difference is '''

ii CCC ⊕=Δ , it is observed that the difference between two ciphertexts is a function

of the difference between the corresponding plaintexts. Each entry in Table 4 is the number of pairs of S-box inputs with input difference

corresponding to the row that maps to pairs with the column’s output difference. By joining together the differential characteristics, one may obtain a differential for the rounds in which they feature, (∆P, ∆C). We need to choose and link differential char-acteristics so that ∆C will be the output difference for those P bits significantly more often than 1/2y of the time, given that the input difference is ∆P. From the difference distribution table (see Table 4), B (1011) corresponds to 2 (0010) with 8/16 probabil-ity. Similarly, 4 (0100) corresponds to 6 (0110) with 6/16 probability.

Genetic Cryptanalysis 323

Fig. 1. 16-bit SPN that consists of 4 rounds of 4 x 4 S-Boxes


Table 1. S-Box Hexadecimal representation

Input 0 1 2 3 4 5 6 7 8 9 A B C D E F

Output E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

Table 2. S-Box used in the SPN

Input 0 1 2 3 4 5 6 7 8 9 A B C D E F

S11 E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

S12 0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8

S13 4 1 E 8 D 6 2 B F C 9 7 3 A 5 0

S14 F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

S21 F 1 8 E 6 B 3 4 9 7 2 D C 0 5 A

S22 3 D 4 7 F 2 8 E C 0 1 A 6 9 B 5

S23 0 E 7 B A 4 D 1 5 8 C 6 9 3 2 F

S24 D 8 A 1 3 F 4 2 B 6 7 C 0 5 E 9

S31 A 0 9 E 6 3 F 5 1 D C 7 B 4 2 8

S32 D 7 0 9 3 4 6 A 2 8 5 E C B F 1

S33 D 6 4 9 8 F 3 0 B 1 2 C 5 A E 7

S34 1 A D 0 6 9 8 7 4 F E 3 B 5 2 C

S41 7 D E 3 0 6 9 A 1 2 8 5 B C 4 F

S42 D 8 B 5 6 F 0 3 4 7 2 C 1 A E 9

S43 A 6 9 0 C B 7 D F 1 3 E 5 2 8 4

S44 3 F 0 6 A 1 D 8 9 4 5 B C 7 2 E

Table 3. Permutation

Input 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Output 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16

As a result, the total probability is 8/16 * 6/16 = 3/16. Finally, 2 (0010) corre-

sponds to 5 (0101) with 6/16 probability and the total probability is 3/16 * 6/15 * 6/16 = 27/1024. So the attacker can partially guess the target key.

3 GA Cryptanalysis

GA [4] is an optimization algorithm based on both stochastic and probabilistic meas-ures; it inspects the solution space (key space – candidate keys) for an optimal solu-tion (target key).


Table 4. Difference distribution table for the 4 x 4 S-Box

Output Difference

0 1 2 3 4 5 6 7 8 9 A B C D E F

0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

1 0 0 0 2 0 0 0 2 0 0 4 0 4 2 0 0

2 0 0 0 2 0 6 2 2 0 2 0 0 0 0 2 0

3 0 0 2 0 2 0 0 0 0 4 2 0 2 0 0 4

4 0 0 0 2 0 0 6 0 0 2 0 4 2 0 0 0

5 0 4 0 0 0 2 2 0 0 0 4 0 2 0 0 2

6 0 0 4 0 4 0 0 0 0 0 0 0 2 2 2 2

7 0 0 2 2 2 0 2 0 0 2 2 0 0 0 0 4

8 0 0 0 0 0 0 2 2 0 0 0 4 0 4 2 2

9 0 2 0 0 2 0 0 4 2 0 2 2 2 0 0 0

A 0 2 2 0 0 0 0 0 6 0 0 2 0 0 4 0

B 0 0 8 0 0 2 0 2 0 0 0 0 0 2 0 2

C 0 2 0 0 2 2 2 0 0 0 0 2 0 6 0 0

D 0 4 0 0 0 0 0 4 2 0 2 0 2 0 2 0

E 0 0 2 4 2 0 0 0 6 0 0 0 0 0 2 0

Input Difference

F 0 2 0 0 6 0 0 0 0 4 0 2 0 0 2 0

GA (see Fig. 2) starts with a randomly selected “population” of possible solutions for the target problem (key search) and lets them “evolve” over multiple generations to find better solutions (better keys). The GA algorithm is mainly based on the “sur-vival of the fittest” principle (organisms that best “fit” their environment have the best chance of survival). While executing GA, new population individuals are “born” while others “die”. In GA, a stochastic process, Crossover, takes two (or more) parent nodes that may generate offspring nodes (possible better solutions – better keys) by exchanging “chromosomes” between parent nodes. As a result, new individuals (bet-ter solutions – better keys) may be created in the next population. Mutation is another stochastic transformation of individuals that may modify their genotypes. Individuals are selected for “crossover” based on their fitness values (goodness of selected subset of features). Better goodness features are more likely able to reproduce (survive).

Fig. 2. Genetic Algorithm main steps: Candidate key selection, Crossover and Mutation

Candidate Keys

New Solution Member

Mutation Crossover Selecting using Key goodness

Target Key


The basic steps of GA are given below. These steps are general enough to govern many flavors of GA implementations [4]:

Initialization step:

Randomly generate an initial population of N chromosomes and evaluate the fitness for each of them.

Parent Selection step:

If not using elitism GA flavor, then set M=0; Else Set M: (0<M<N) Select with replacement N-M parents from the full population. The parents are selected according to their fitness, i.e. chromosomes whose fitness values are high are selected more often.

Crossover step:

For each pair of parents selected in the parent selection step, perform cross-over on the parents at a randomly chosen splice point with a crossover prob-ability Pc. If no crossover takes place, then form two offspring that are exact copies of the two parents.

Mutation step:

While retaining the M best chromosomes from the previous generation, re-place the remaining N-M chromosomes with the current population of off-spring from crossover step. Mutate the individual bits with probability Pm.

Stopping criterion step:

Compute the fitness values for the new population chromosomes. Terminate the GA process if the stopping criterion is met or If the budget of fitness function evaluations is exhausted; Otherwise return to parent selection step.

As a matter of fact, elitism [18,19] provides a means for reducing the genetic drift1 by ensuring that the M best chromosomes are allowed to pass to the next generation. Therefore, it is important to maintain adequate selection pressure in order to avoid genetic drift by using some form of elitism. As a result, elitism improves GA per-formance in many applications. In this work, we used the elitism GA (where M is 0<M<N ) in the SPN cryptanalysis. GA randomly generates candidate keys that shall be directed to match the target key. A fitness function measures the goodness of a candidate key; we used a fitness function based on the differential characteristic of a cipher. GA tries to reduce the complexity of the Attack by generating new keys di-rected to the correct target key by using the match of the candidate sub-key differen-tial characteristics and that of the system as the fitness measure. Binary bits were used

1 Genetic drift is used to measure the stochastic changes in gene frequency through random

sampling of the GA population. Some genes of chromosomes may become more important to the final solution than others. The genetic drift can be stalled when the chromosomes repre-senting decision variables that have a reduced “salience” to the final solution do not experi-ence sufficient selection pressure.


to represent chromosomes and also the key. Crossover and mutation processes were applied at the candidate keys to generate new ones.

Differential characteristics are used as fitness measures. Following Albassal & Wahdan [5], fitness function is represented as a count: F= d/L, where d is the count for each partial sub-key value and L is the total number of plaintext pairs that are used in evaluation. The count F is incremented whenever the difference for the input at the last round corresponds to the expected value from the differential characteristic. The maximum number of generations has been chosen so that the total number of keys in all generations (S) will not exceed half of all possible sub-key values: S < (1/2) * 2n. This serves as the GA stopping criterion.

In this work, GA inspects the solution space (key space) for an optimal solution (a target/right key), the main steps of GA as a target key search method can be summa-rized as follows:

Step 1: A random key population is generated, the population consists of a predefined key length (number of bits) (chromosomes), each individual solution (candidate key) is represented as a vector, and the vector length represents the number of bits in the target key.

Step 2: The fitness of each solution (candidate key) is computed, fitness uses a spe-cific evaluation function to measure the goodness of each solution (the goodness of each candidate key).

Step 3: Repeat until a certain stopping criterion is met:

• The solution (key) with best fitness is stored. • Then a new key population is generated: • Select two parents from key population • Crossover the parents. • Mutate new children (“offsprings”). • Place the new generated “offsprings” to the population and randomly select a

new population for a further run of the GA algorithm.

Step 4: Return the best solution (the target key).

4 Experimental Results

To implement the GA cryptanalysis attack on the SPN, 5000 pairs of plaintext with a specific difference (00F0) are generated, then the most probable difference is calcu-lated through the SPN (The differential probability of the SPN with input difference 00F0 is 3/1024). The GA cryptanalysis attack is implemented by generating inde-pendent 5 sub-keys (16-bit sub-key) to represent the target key. The attack starts by generating a set of random keys (GA first generation), for each generated candidate key, the fitness is set to zero, then all the test pairs are used and the output difference is compared to the expected differential probability. If the correct difference is found, the fitness value is incremented and finally normalized to the total number of pairs.


The GA then evolves to regenerate a new generation: the survive (selection) percent is 50% (Set M to 0.5), Crossover and mutate the new individuals.

The GA parameters were initially set as follows: key size = 16 bits, maximum number of generations = 16, crossover probability = 20% and mutation probability = 1%, population size = 1024. The mentioned GA parameters are empirically set. For a randomly chosen target key (2CD9), we have conducted many experiments using different crossover probability values (0.15, 0.20, 0.25, 0.30, and 0.35) to decide the best crossover probability (Pc), and finally concluded that the best crossover probabil-ity is 20%. In Fig. 3, it is clear that GA converges at the fourth generation when Pc=0.20, i.e. the algorithm gets the entire key bits at the fourth generation (the algo-rithm does not stop searching until the sixteenth iteration for simulation purposes). It worths mentioning that the mutation probability (Pm) is set to 0.01, other Pm values does not significantly affect the results.

Fig. 3. Fitness values against generation for some randomly chosen key (2CD9) using different crossover probabilities

The attack had been tested several times on different keys; the GA cryptanalysis algorithm was able to find the target keys in all experiments. Tables 5, 6, 7 and 8 show the 16 GA generations to find 4 keys (5DC3, 75E7, 2C19 and 2CD9). Each table (see Tables 5, 6, 7 and 8) lists the best solution (best candidate key so far) and the corresponding normalized GA fitness. For all the many experiments that we have conducted, results reveal that the elitism GA algorithm gets the entire key bits. Major-ity of keys (as shown in the Tables 5, 6, 7 and 8) were gotten at the fourth generation.


Table 5. Best Solutions (Candidate keys) and the corresponding normalized fitness values to find the target key: 5DC3

GA Generation Number Best Candidate Key Normalized Fitness

1 3A2D 16.67%

2 5D83 50%

3 5D83 50%

4 5DC3 100%

5 5DC3 100%

6 5DC3 100%

7 5DC3 100%

8 5DC3 100%

9 5DC3 100%

10 5DC3 100%

11 5DC3 100%

12 5DC3 100%

13 5DC3 100%

14 5DC3 100%

15 5DC3 100%

16 5DC3 100%

Table 6. Best Solutions (Candidate keys) and the corresponding normalized fitness values to find the target key: 75E7


1 75EF 33.34%

2 75EF 33.34%

3 75E7 100%

4 75E7 100%

5 75E7 100%

6 75E7 100%

7 75E7 100%

8 75E7 100%

9 75E7 100%

10 75E7 100%

11 75E7 100%

12 75E7 100%

13 75E7 100%

14 75E7 100%

15 75E7 100%

16 75E7 100%


Table 7. Best Solutions (Candidate keys) and the corresponding normalized fitness values to find the target key: 2C19


1 2C49 41.17%

2 2C49 41.17%

3 2C19 100%

4 2C19 100%

5 2C19 100%

6 2C19 100%

7 2C19 100%

8 2C19 100%

9 2C19 100%

10 2C19 100%

11 2C19 100%

12 2C19 100%

13 2C19 100%

14 2C19 100%

15 2C19 100%

16 2C19 100%

Table 8. Best Solutions (Candidate keys) and the corresponding normalized fitness values to find the target key: 2CD9


1 2C49 22.23%

2 2B09 33.34%

3 2C19 72.23%

4 2CD9 100%

5 2CD9 100%

6 2CD9 100%

7 2CD9 100%

8 2CD9 100%

9 2CD9 100%

10 2CD9 100%

11 2CD9 100%

12 2CD9 100%

13 2CD9 100%

14 2CD9 100%

15 2CD9 100%

16 2CD9 100%


5 Conclusions

In this paper, the elitism GA was used in the SPN cryptanalysis. The GA fitness is related to the differential characteristic of the cipher. In the worst case, the GA crypt-analysis was able to get the entire key bits at the tenth generation. Majority of keys were gotten at the fourth generation. Results reveal the robustness of the proposed cryptanalysis - elitism GA cryptanalysis. A good reduction in time was achieved (at the tenth generation, the GA cryptanalysis algorithm has not tried half the possible sub-key value).

It is obvious that using elitism GA in cryptanalysis is always useful. However, us-ing GA cryptanalysis to attack different encryption algorithms and comparing the elitism GA cryptanalysis to other GA flavors are still open for future work.

References

1. Stallings, W.: Cryptography and Network Security Principles and Practices, 4th edn. Pren-tice Hall, Englewood Cliffs (2005)

2. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of cryptography 4(1), 3–72 (1991)

3. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)

4. Goldberg, D.: Genetic Algorithms in Search, Optimization and Machine Learning. Addi-son-Wesley Publishing Company Inc., Reading (1989)

5. Albassal, A., Wahdan, A.: Genetic algorithm cryptanalysis of the basic substitution permu-tation network. In: Proceedings of the 2003 IEEE Midwest International Symposium on Circuits and Systems (MWSCAS ’03), December 2003. IEEE, Los Alamitos (2003)

6. Hernández-Castro, J., Isasi, P.: New results on the genetic cryptanalysis of TEA and re-duced round versions of XTEA. In: Proceedings of the 2004 IEEE Congress on Evolution-ary Computation (CEC 2004), June 2004, vol. 2(2), pp. 2124–2129 (2004)

7. Dozier, G., Garrett, A., Hamilton, J.: A comparison of genetic algorithm techniques for the cryptanalysis of TEA. International Journal of Intelligent Control and Systems (IJICS) 12(4), 325–330 (2007)

8. Toemeh, R., Arumugam, S.: Applying Genetic Algorithms for Searching Key-Space of Polyalphabetic Substitution Ciphers. The International Arab Journal of Information Tech-nology 5(1) (January 2008)

9. Bergmann, K., Jacob, C., Scheidler, R.: Cryptanalysis using genetic algorithms. In: Kei-jzer, M. (ed.) Proceedings of the 2008 Genetic and Evolutionary Computation Conference (GECCO 2008), July 2008, pp. 1099–1100 (2008)

10. Gorodilov, A., Morozenko, V.: Genetic Algorithm for finding the keys length and crypt-analysis of the permutation cipher. International Journal Information Theories & Applica-tions 15, 94–99 (2008)

11. Husei, H., Bayoumi, B.: A Genetic Algorithm for Cryptanalysis with Application to DES-like Systems. International Journal of Network Security 8(2), 177–186 (2009)

12. Heys, H.: A Tutorial on Linear and Differential Cryptanalysis, Technical Report CORR 2001-17, Centre for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo (March 2001); Also appears in Cryptologia, vol. XXVI(3), pp. 189–221 (2002)


13. Shannon, C.: Communication theory of secrecy systems. Bell System Technical Jour-nal 28, 656–715 (1949)

14. Feistel, H.: Cryptography and computer privacy. Scientific American 228(5), 15–23 (1973) 15. Kam, J., Davida, G.: A structured design of substitution-permutation encryption networks.

IEEE Transactions on Computers 28(10), 747–753 (1979) 16. O’Connor, L.: On the distribution of characteristics in bijective mappings. In: Helleseth, T.

(ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 360–370. Springer, Heidelberg (1994) 17. Heys, H., Tavares, S.: The design of product ciphers resistant to differential and linear

cryptanalysis. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773. Springer, Heidel-berg (1994)

18. Reed, P., Minsker, B., Goldberg, D.: The practitioner’s role in competent search and opti-mization using genetic algorithms. Presented at the World Water and Environmental Re-sources Congress, Washington, DC (2001)

19. Rogers, A., Bennett, A.: Genetic drift in genetic algorithm selection schemes. IEEE Trans-action Evolutionary Computation 3, 298–303 (1999)

[communications in computer and information science] networked digital technologies volume 87 ||...

Documents