DIFFERENTIAL CRYPTANALYSIS
Chapter 3.4
Ciphertext-only attack. The cryptanalyst knows the cryptograms. This happens if he can eavesdrop on the communication channels.
Known-plaintext attack. The adversary can access not only the communication channels but also parts of the plaintext.
Chosen-plaintext attack. This is a known-plaintext attack for which the cryptanalyst may choose messages and corresponding cryptograms.
Chosen-ciphertext attack. The enemy selects his own cryptogram and corresponding message and then tries to find the secret key of the cryptosystem.
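3.4.1 XOR profiles
The function to transfer the input string of an S-box: $f: \{0,1\}^n \to \{0,1\}^m$, such that $s_1, s_2 \in \{0,1\}^n$ and then $f(s_1), f(s_2) \in \{0,1\}^m$, or $s_1^*, s_2^* \in \{0,1\}^m$, where $s_1^* = f(s_1)$, $s_2^* = f(s_2)$.
Define the input difference $s_1 \oplus s_2$ and the output difference $s_1^* \oplus s_2^*$, and the set $S$ of four-tuples $(s_1, s_2; s_1^*, s_2^*)$ that have a given pair of input and output differences; $|S|$ denotes the number of four-tuples in the set. For example, for the input difference $3C$ and the output difference $2$,
$S_{3C}^{2} = \{(3, 3F; F, D), (17, 2B; B, 9), (2B, 17; 9, B), (3F, 3; D, F)\}$
and $|S_{3C}^{2}| = 4$.
[Figure: an S-box $f$ whose two inputs are each XORed with the key $k$, with the corresponding outputs.]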
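The XOR profile of an S-box defined by $f: \{0,1\}^n \to \{0,1\}^m$ is a table which has $2^n$ rows and $2^m$ columns. Each row and column is indexed by the input difference and the output difference respectively. Each entry (input difference, output difference) of the table shows the number of elements in the corresponding set $S$.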
The example of an element of XOR profiles
If the set is
$S_{19_x}^{1_x} = \{(2_x, 1B_x; 4_x, 5_x), (1B_x, 2_x; 5_x, 4_x), (22_x, 3B_x; 1_x, 0_x), (2C_x, 35_x; 2_x, 3_x), (35_x, 2C_x; 3_x, 2_x), (3B_x, 22_x; 0_x, 1_x)\}.$
Then the element (19, 1) in the table of the XOR profile is $|S_{19_x}^{1_x}| = 6$.
The properties of XOR profiles
All entries in the table are zeroes or positive even integers.
The row for input difference 0 has only one nonzero entry, equal to $2^n$ ($n$ is the number of input bits of the S-box).
The sum of entries in each row is equal to $2^n$.
An input difference may cause an output difference with probability $p/2^n$, where $p$ is the corresponding entry.
If an entry (input difference, output difference) is zero, then the input difference cannot cause that difference on the output.
What can we say about the value of the input?
The XOR profile does not depend on the cryptographic key used:
$(s_1 \oplus k) \oplus (s_2 \oplus k) = s_1 \oplus s_2$
What can we say about the key?
$k \in \{s_1 \oplus s_{i_1}, \ldots, s_1 \oplus s_{i_j}\}$
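Example: Let an input pair $(s_1, s_2) = (21_x, 38_x)$ have the output difference $1_x$.
The input difference is $s_1 \oplus s_2 = 100001 \oplus 111000 = 011001 = 19_x$.
The set
$S_{19_x}^{1_x} = \{(2_x, 1B_x; 4_x, 5_x), (1B_x, 2_x; 5_x, 4_x), (22_x, 3B_x; 1_x, 0_x), (2C_x, 35_x; 2_x, 3_x), (35_x, 2C_x; 3_x, 2_x), (3B_x, 22_x; 0_x, 1_x)\}.$
The input is in the set $\{2_x, 1B_x, 22_x, 3B_x, 2C_x, 35_x\}$.
The applied key must be in the set obtained by adding $s_1 = 21_x$ to each of these inputs, that is
$\{23_x, 3_x, 3A_x, 1A_x, D_x, 14_x\}$
The following demonstrates how to calculate the bit-by-bit addition.
$21_x \oplus 2_x = 100001 \oplus 000010 = 100011 = 23_x$
$21_x \oplus 1B_x = 100001 \oplus 011011 = 111010 = 3A_x$
$21_x \oplus 22_x = 100001 \oplus 100010 = 000011 = 3_x$
$21_x \oplus 3B_x = 100001 \oplus 111011 = 011010 = 1A_x$
$21_x \oplus 2C_x = 100001 \oplus 101100 = 001101 = D_x$
$21_x \oplus 35_x = 100001 \oplus 110101 = 010100 = 14_x$
If the second input is $(s_1, s_2) = (14_x, 23_x)$, with input difference $37_x$ and output difference $2_x$, then the set is as follows.
$S_{37_x}^{2_x} = \{(E_x, 39_x; 8_x, A_x), (F_x, 38_x; 1_x, 3_x), (11_x, 26_x; A_x, 8_x), (12_x, 25_x; A_x, 8_x), (18_x, 2F_x; 5_x, 7_x), (19_x, 2E_x; 9_x, B_x), (25_x, 12_x; 8_x, A_x), (26_x, 11_x; 8_x, A_x), (2E_x, 19_x; B_x, 9_x), (2F_x, 18_x; 7_x, 5_x), (38_x, F_x; 3_x, 1_x), (39_x, E_x; A_x, 8_x)\}$
The set of inputs is
$\{E_x, 39_x, F_x, 38_x, 11_x, 26_x, 12_x, 25_x, 18_x, 2F_x, 19_x, 2E_x\}$
The key set is
$\{1A_x, 2D_x, 2C_x, 1B_x, 32_x, 5_x, 31_x, 6_x, 3B_x, C_x, 3A_x, D_x\}$
Take another observation, $(s_1, s_2) = (14_x, 1C_x)$ with output difference $9_x$, and then the set of inputs is
$\{6_x, E_x, 20_x, 28_x, 25_x, 2D_x\}$
and the key set is
$\{12_x, 1A_x, 34_x, 3C_x, 31_x, 39_x\}$
The key must be contained in the three sets, so the key is the single element of the intersection of the three key sets, $\{1A_x\}$.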
The XOR profile of an S-box with the secret key XORed with the input is identical to the XOR profile of the S-box without the key.
Every input observation (s1, s2) and the corresponding output difference enable the cryptanalyst to find the set of key candidates.
The analysis of differences for a single S-box allows one to retrieve the key that is XORed to the input of an S-box.
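The procedure of this section as an added example (not part of the original slides): it builds the XOR profile of an S-box and intersects the key-candidate sets of the three observations used in the worked example. It assumes the S-box of the example is DES S1, whose standard table reproduces the sets given above; the function names are chosen here for illustration.

```python
# DES S-box S1 (standard table). Assumption: the slides' example S-box is S1.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
N_IN, N_OUT = 6, 4  # input and output bits of the S-box


def f(s):
    """Apply S1: the two outer input bits select the row, the inner four the column."""
    row = ((s >> 4) & 0b10) | (s & 1)
    return S1[row][(s >> 1) & 0xF]


def xor_profile():
    """2^n x 2^m table; entry [d_in][d_out] counts ordered pairs with those differences."""
    table = [[0] * (1 << N_OUT) for _ in range(1 << N_IN)]
    for s1 in range(1 << N_IN):
        for s2 in range(1 << N_IN):
            table[s1 ^ s2][f(s1) ^ f(s2)] += 1
    return table


def inputs_for(d_in, d_out):
    """S-box inputs t for which the pair (t, t ^ d_in) has output difference d_out."""
    return {t for t in range(1 << N_IN) if f(t) ^ f(t ^ d_in) == d_out}


def key_candidates(s1, s2, d_out):
    """Keys k such that the keyed pair (s1 ^ k, s2 ^ k) gives output difference d_out."""
    return {s1 ^ t for t in inputs_for(s1 ^ s2, d_out)}


def recover_key(observations):
    """Intersect the candidate sets of all (s1, s2, d_out) observations."""
    return set.intersection(*(key_candidates(*o) for o in observations))


# The three observations of the worked example: (s1, s2, output difference).
OBSERVATIONS = [(0x21, 0x38, 0x1), (0x14, 0x23, 0x2), (0x14, 0x1C, 0x9)]

if __name__ == "__main__":
    table = xor_profile()
    print("entry (19x, 1x) =", table[0x19][0x1])
    print("key candidates:", sorted(f"{k:X}" for k in recover_key(OBSERVATIONS)))
```

Because the key cancels in the input difference, the table is computed once without any key and then reused for every observation.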
3.4.2 DES Round Characteristics
An m-round characteristic of a Feistel-type cryptosystem is a sequence made up of the input difference in, the input and output differences of rounds 1, …, m, and the output difference out.
Here in and out are input and output differences. The pairs for i = 1, …, m are consecutive input and output differences for the round function fk.
Let the input sequences be $(A_1, 0)$ and $(A_2, 0)$.
A single round characteristic of DES
in = (A, 0)
Round 1: the input difference 0 to f gives the output difference 0.
out = (A, 0)
The first part of the difference is A and the second part is 0.
Our goal is to find a characteristic that feeds a nonzero input difference into S1 while the input differences of S2 … S8 are set to zero, and the characteristic should work with a high probability.
Another single round characteristic of DES
in = (A, 60 00 00 00x)
Round 1: the input difference 60 00 00 00x to f gives the output difference 00 80 82 00x.
out = (A ⊕ 00 80 82 00x, 60 00 00 00x)
The input difference is in = (A, 60 00 00 00x). The binary string (00 80 82 00x) is obtained by permuting (E0 00 00 00x) using the permutation block P. For this case, the pair of differences (Cx, Ex) happens with probability 14/64. And then we get the output out = (A ⊕ 00 80 82 00x, 60 00 00 00x).
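Any characteristic has a probability attached to it. Let the m-round characteristic be given by in, the input and output differences of rounds 1, …, m, and out. Then its probability is
$P = \prod_{i=1}^{m} p_i$
where $p_i$ is the probability that the input difference of round i causes the output difference of round i for the function fk in the ith round.
A two-round characteristic of DES
in = (00 80 82 00x, 60 00 00 00x)
Round 1: the input difference 60 00 00 00x to f gives the output difference 00 80 82 00x.
Round 2: the input difference 0 to f gives the output difference 0.
out = (60 00 00 00x, 00 00 00 00x)
The probability of the second round happening is one.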
3.4.3 Cryptanalysis of 4-Round DES
Our purpose is to recover the key, so we concentrate on the last round of DES.
In the last figure, we use the characteristic A = (20 00 00 00x), which always works (p = 1).
In the last round 124 out
[Figure: Four-round DES. The input difference passes through four rounds of f, with the round differences indexed 1 to 4, to the output difference.]
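In round 1 both the input difference and the output difference of f are 0. So the input difference becomes (001000) on S1 and the input differences of all other 7 S-boxes are zero. Thus 28 bits of the output difference of round 2 are known. From the last equation, 28 bits of the output difference of round 4 are known. Another characteristic is A = (04 44 44 44x). The missing part of the key is recovered by the differential analysis of S1.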
Finding the partial key k4.
Strip off the last round and find k3.
Then k2.
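Six-round DES
[Figure: Six-round DES, from the input difference through the rounds of f (round differences indexed 1, 5 and 6) to the output difference.]
First 3-Round Characteristic
in = 40 08 00 00 04 00 00 00x
Round 1: the input difference 04 00 00 00x to f gives the output difference 40 08 00 00x, p = 1/4
Round 2: the input difference 0x to f gives the output difference 0x (p = 1)
Round 3: the input difference 04 00 00 00x to f gives the output difference 40 08 00 00x, p = 1/4
out = 40 08 00 00 04 00 00 00x
Second 3-Round Characteristic
in = 00 20 00 08 00 00 04 00x
Round 1: the input difference 00 00 04 00x to f gives the output difference 00 20 00 08x, p = 1/4
Round 2: the input difference 0x to f gives the output difference 0x (p = 1)
Round 3: the input difference 00 00 04 00x to f gives the output difference 00 20 00 08x, p = 1/4
out = 00 20 00 08 00 00 04 00x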
3.4.5 The main features of differential analysis
The differential analysis can be applied to Feistel cryptosystems with t rounds, where it is possible to use input to the round function and deduce or guess the corresponding output differences.
Characteristics are useful in guessing the correct output differences of the round function. It is enough to have a (t-3)-round characteristic to find out output differences in the t-round Feistel cryptosystem.
As the differential analysis enables one to find keys applied in the last round function, it by-passes the key schedule. It works under the assumption that round keys are statistically independent.
Once the key in the last round is found, the last round can be stripped off by applying the extra round.
Feistel cryptosystem immune against the differential analysis:
The XOR profile must not have entries with large numbers.
The best (t-3)-round characteristics should work with a probability smaller than the probability of guessing the right key (t is the number of rounds in the cryptosystem).
The S-boxes should depend upon the secret key in a nonlinear way. This will cause the XOR profiles of the S-boxes to become more complex. One way of implementing this idea would be an on-the-fly selection of S-boxes depending on the round key.