1 © Information Security Group, ICU
Differential Cryptanalysis
DC (Differential Cryptanalysis) Introduction
Biham and Shamir: CR90, CR92
More efficient than exhaustive key search; a chosen plaintext attack; O(Breaking DES16) ~ 2^47
Utilizes the probabilistic distribution between input XOR and output XOR values, iteratively
Stimulated the announcement of the hidden design criteria of DES [Cop92]
Applies to other DES-like ciphers
* E. Biham, A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard", Springer-Verlag, 1993
Eli Biham
Eli Biham (http://www.cs.technion.ac.il/~biham/) is an Israeli cryptographer and cryptanalyst, currently a professor at the Technion Israeli Institute of Technology Computer Science department. Biham received his Ph.D. for inventing (publicly) differential cryptanalysis, while working under Adi Shamir. It had, it turned out, been invented at least twice before. A team at IBM discovered it during their work on DES, and was requested/required to keep their discovery secret by the NSA, who evidently knew about it as well.
In addition to his many contributions to cryptanalysis, Biham has taken part in the design of several new cryptographic primitives:
Serpent (with Ross Anderson and Lars Knudsen), a block cipher which was one of the final five contenders to become the Advanced Encryption Standard;
Tiger (with Ross Anderson), a hash function fast on 64-bit machines; and
Py (with Jennifer Seberry), a fast stream cipher which has some cryptanalytic claims against it.
DC of DES
Discard linear components (IP, FP)
Properties of XOR (X' = X ⊕ X*):
{E, P, IP}: (P(X))' = P(X) ⊕ P(X*) = P(X')
XOR: (X ⊕ Y)' = (X ⊕ Y) ⊕ (X* ⊕ Y*) = X' ⊕ Y'
Mixing key: (X ⊕ K)' = (X ⊕ K) ⊕ (X* ⊕ K) = X'
Differences (= XOR) are linear under linear operations, and in particular the result is key independent.
XOR Distribution Table(I)
X' = {0,1,…,63}, Y' = {0,1,…,15}
For a given S-box, pre-compute in a table the number of pairs (X, X*) giving each (X', Y')
* % of entries in DES S-boxes: 75 ~ 80%
[Figure: a pair (X, X*) enters the S_i-box and gives (Y, Y*); the XDT of the S_i-box is indexed by X' (rows) and Y' (columns)]
XOR Distribution Table(II)
XDT of S-boxes in DES
At the first row (X' = 0), Y' = 0 for all 64 pairs
The remaining rows: average = 4, sum = 64, range = 0 ~ 16 (only even entries. Why?)
If the value is "0", there are no corresponding X' and Y'
If the value is "16", it occurs with probability 16/64
Denoted as X' --> Y' with p1
Use 0 --> 0 with 1 or "16" (highest value) for DC
How to design an S-box with a "good" XDT?
XOR Distribution Table of S4 box
Differential Characteristic
2-round characteristic in the S1 box (0Cx --> Ex with 14/64)
[Figure: 2-round characteristic]
Input XOR: (00 80 82 00 60 00 00 00x)
Round 1: a' = 60000000x, A' = 00808200x = P(E0000000x), p = 14/64
Round 2: b' = 0x, B' = 0x, p = 1
Output XOR: (60 00 00 00 00 00 00 00x)
Note: 6 = 0110, so the S1 input XOR is 0C = 001100 and the S1 output XOR is E = 1110
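As an added example (not part of the original slides), the XDT of DES S1 computed directly from its table, plus the P permutation used to check the first-round step of the 2-round characteristic above: S1 maps input XOR 0Cx to output XOR Ex in 14 of 64 pairs, and P(E0000000x) = 00808200x. The S1 and P tables are the standard DES tables.

```python
# DES S1 (standard table): row = outer two input bits b1 b6, column = inner four b2..b5
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
# DES P permutation: output bit i (bit 1 = MSB of the 32-bit word) is input bit P[i-1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def sbox(table, x):
    """Evaluate a DES S-box on the 6-bit input x = b1 b2 b3 b4 b5 b6."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def xor_distribution_table(table):
    """XDT[X'][Y'] = number of inputs x with S(x) XOR S(x XOR X') == Y' (each row sums to 64)."""
    xdt = [[0] * 16 for _ in range(64)]
    for x in range(64):
        for dx in range(64):
            xdt[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return xdt


def permute_p(word):
    """Apply the P permutation to a 32-bit word (maps the S-box output XOR to A')."""
    out = 0
    for i, src in enumerate(P):
        out |= ((word >> (32 - src)) & 1) << (31 - i)
    return out


def best_entries(xdt, limit=3):
    """Largest entries with X' != 0: the input/output XOR pairs a characteristic would use."""
    entries = [(dx, dy, xdt[dx][dy]) for dx in range(1, 64) for dy in range(16)]
    return sorted(entries, key=lambda e: -e[2])[:limit]


if __name__ == "__main__":
    xdt = xor_distribution_table(S1)
    print("S1: 0Cx --> Ex in", xdt[0x0C][0xE], "of 64 pairs")   # 14, as on the slide
    print("P(E0000000x) =", hex(permute_p(0xE0000000)))         # 0x808200
    print("largest S1 entries (X', Y', count):", best_entries(xdt))
```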
3-round characteristic
[Figure: 3-round characteristic]
Input XOR: (40 08 00 00 04 00 00 00x)
Round 1: a' = 04000000x, A' = 40080000x, p1 = 16/64
Round 2: b' = 0x, B' = 0x, p2 = 1
Round 3: c' = 04000000x, C' = 40080000x, p3 = 16/64
Output XOR: (40 08 00 00 04 00 00 00x)
Holding probability = p1 x p2 x p3 = 1/16
Searching Way for round keys
(1) Choose a suitable plaintext (Pt) XOR.
(2) Get 2 Pts for the chosen Pt XOR and obtain the corresponding Cts by encryption.
(3) From the Pt XOR and the pair of Cts, get the expected output XOR for the S-boxes of the final round.
(4) Count the potential keys at the final round using the estimated key.
(5) The right key is the subkey having the largest number of pairs with the expected output XOR.
Iterative Characteristic
Self-concatenating probability
Best iterative char. of DES:
[Figure: 2-round iterative characteristic]
Input XOR: (19 60 00 00 00 00 00 00x)
Round 1: a' = 0x, A' = 0x, p1 = 1
Round 2: b' = 19 60 00 00x, E(b') = 03 32 2C 00 00 00 00 00x, B' = 0x, p2 = 14 x 8 x 10 / 64^3 = 1/234
Output XOR: (00 00 00 00 19 60 00 00x)
Compare with the previous 3-round characteristic
DC of DES16 (I)
1st round --> till round 13: using the 2-round best iterative characteristic 6.5 times yields prob. = (1/234)^6 ≈ 2^-47.2
Final 2 rounds (2R attack): compute the round-13 values from the ciphertext in the reverse direction -> no effect on the overall prob.
Total complexity: p^-1 ≈ 2^47
DC of DES16 (II)
Round | # of chosen plaintexts, CR90 [1] | CR92 [2]
4     | 2^4   |
6     | 2^8   |
8     | 2^18  | 2^14
10    | 2^35  | 2^24
12    | 2^43  | 2^31
14    | 2^51  | 2^39
15    | 2^52  | 2^47
16    | 2^58  | 2^61 *, 2^47
* Assume independent round keys
1. "Differential Cryptanalysis of DES-like Cryptosystems", Proc. of Crypto'90, LNCS 537, pp. 2-21.
2. "Differential Cryptanalysis of the full 16-round DES", Proc. of Crypto'92, LNCS 740, pp. 487-496.
Additional result of DES by DC
P permutation: can't strengthen DES
Change the order of S-boxes: can weaken much, or strengthen only up to 2^48
Replacement of XORs by addition: can weaken much in some cases
Modifying S-boxes:
random: 2^18 - 2^20
modifying one entry (i.e., S(0) -> S(4)): 2^33
uniform distribution table: 2^26
Linear Cryptanalysis
LC (Linear Cryptanalysis) Introduction
Matsui: EC93 [1], CR94 [2]
Known plaintext attack; O(Breaking DES16) ~ 2^43
12 HP workstations, 50-day operation
Utilizes the probabilistic distribution between input linear sum and output linear sum values, iteratively
Duality to DC: XOR branch vs. three-forked branch
Applies to other DES-like cryptosystems
1. M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Proc. of Eurocrypt'93, LNCS 765, pp. 386-397
2. M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard", Proc. of Crypto'94, LNCS 839, pp. 1-11.
M. Matsui
Mitsuru Matsui is a Japanese cryptographer and senior researcher for Mitsubishi Electric Company. While researching error-correcting codes in 1990, Matsui was inspired by Biham and Shamir's differential cryptanalysis, and discovered the technique of linear cryptanalysis, published in 1993. Differential and linear cryptanalysis are the two major general techniques known for the cryptanalysis of block ciphers. The following year, Matsui was the first to publicly report an experimental cryptanalysis of DES, using the computing power of twelve workstations over a period of fifty days. He is also the author of the MISTY-1 and MISTY-2 block ciphers, and contributed to the design of Camellia and KASUMI.
Eurocrypt 1992 - Hungary
XOR branch vs. 3-forked branch
[Figure: one Feistel round i for each case, with f-function F_i, subkey K_i, inputs X_{i-1} / Y_{i-1} and outputs X_i / Y_i; left: DC, right: LC]
DC: XOR branch after the f-function, i.e., DC goes downstream through the f-function.
X_i' = X_{i-2}' ⊕ Y_{i-1}' (3 ≤ i ≤ n), with probability Π_{i=1}^{n} p_i
X_i': X_i's differential value
LC: 3-forked branch before the f-function, i.e., LC goes upstream through the f-function.
ΓY_i = ΓY_{i-2} ⊕ ΓX_{i-1} (3 ≤ i ≤ n), with 2^(n-1) Π_{i=1}^{n} |p_i - 1/2|
ΓX_{i-1}: X_{i-1}'s masking value
Basic principle of LC
(Goal): Find a linear approximation
P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb] = K[k1,k2,…,kc]
with significant prob. p (≠ 1/2), where A[i,j,…,k] = A[i] ⊕ A[j] ⊕ … ⊕ A[k]
(Algorithm) MLE (Maximum Likelihood Estimation)
(Step 1) For the given P and C, compute X = P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb]; let N = # of Pt given.
(Step 2) If |X=0| > N/2 then K[k1,k2,…,kc] = 0 else 1.
If |X=0| < N/2 then K[k1,k2,…,kc] = 1 else 0.
Linear Distribution Table(I)
For an S-box S_a (a = 1,2,…,8) of DES,
NS_a(α,β) = #{x | 0 ≤ x < 64, parity(x·α) = parity(S(x)·β)}
1 ≤ α ≤ 63, 1 ≤ β ≤ 15, ·: dot product (bitwise AND)
Ex) NS5(16,15) = 12: the 5th input bit of the S5-box is equal to the linear sum of the 4 output bits with probability 12/64.
X[15] ⊕ F(X,K)[7,18,24,29] = K[22] with 0.19
X[15] ⊕ F(X,K)[7,18,24,29] = K[22] ⊕ 1 with 1 - 0.19 = 0.81
(Note) least significant bit at the right and index 0 at the least significant bit (little endian)
Linear Distribution Table(II)
[Figure: the S_i-box mapping input X to output S(X)]
NS_a(α,β):
• NS_a(α,β) has even values.
• If α = 1, 32 (20x), 33 (21x), NS_a(α,β) = 32
• NS_a(α,β) varies from 0 to 64
3-round DES by LC
[Figure: 3-round DES with P = (PH, PL), C = (CH, CL), rounds F1, F2, F3 with subkeys K1, K2, K3 and intermediate values X1, X2, X3. F1: input mask [15], output mask [7,18,24,29], key mask [22], p1 = 12/64. F3: the same masks, p3 = 12/64.]
X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15] = K1[22] ---------- (1)
X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15] = K3[22] ---------- (2)
(1) ⊕ (2) => X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15] ⊕ X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15] = K1[22] ⊕ K3[22]
The X2 terms cancel, leaving PH[7,18,24,29] ⊕ PL[15] ⊕ CH[7,18,24,29] ⊕ CL[15] = K1[22] ⊕ K3[22]
Holding prob. = (p1 * p3) + (1 - p1) * (1 - p3)
* Discard IP and FP like DC
Piling-up lemma in LC
If the independent random variables X_i (1 ≤ i ≤ n) take value 0 with prob. p_i and value 1 with prob. (1 - p_i), then p = prob(X1 ⊕ X2 ⊕ … ⊕ Xn = 0) is
p = 2^(n-1) Π_{i=1}^{n} (p_i - 1/2) + 1/2.
The number of known plaintexts required for LC with success prob. 97.7% is |p - 1/2|^-2
LC of DES16 (I)
(Preparation) Use the best iterative linear approximation
(Search stage) Data counting: count the effective number of pt and ct and derive the key: effective keys (13-bit + 13-bit)
Exhaustive search: the remaining 30 bits of the key
LC of DES16 (II)
Round | # of known plaintexts, EC93 | CR94
8     | 2^21 |
12    | 2^33 |
16    | 2^47 | 2^43
Strengthening DES
Key size expansion
Double Encryption: ek: E2(K2, E1(K1, P)), dk: D1(K1, D2(K2, C))
Meet-in-the-middle attack -> no effectiveness
Triple Encryption:
ek: E(K1, D(K2, E(K1, P))), dk: D(K1, E(K2, D(K1, C)))
ek: E(K1, D(K2, E(K3, P))), dk: D(K3, E(K2, D(K1, C)))
112 or 168 bits
Variations
Variation of DC/LC
Multiple LC: Kaliski & Robshaw [CR94]
Differential-Linear Cryptanalysis: Langford & Hellman [CR94]
Truncated and Higher order DC: Knudsen [FSE95]
Nonlinear Approximation in LC: Knudsen [EC96]
Partitioning Cryptanalysis: Harpes & Massey [FSE97]
Interpolation Attack: Jakobsen & Knudsen [FSE97]
Differential Attack with Impossible Characteristics: Biham [EC99], etc.
Related-key Attack: Kelsey, Schneier, Wagner [CR96]
Asiacrypt 1996 - Kyongju, Korea
Side Channel Attack
Traditional Cryptographic Model vs. Side Channel
[Figure: the sender encrypts C = E(P, Ke) and the receiver decrypts P = D(C, Kd); C passes over the insecure channel and the key over a secure channel; the attacker additionally observes the side channel of the device]
Side channel: power consumption / timing / EM emissions / acoustic radiation / temperature / power supply / clock rate, etc.
Timing Analysis
Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", Advances in Cryptology - CRYPTO '96, Springer-Verlag, 1996, LNCS Vol. 1109, pp. 104-113.
Cryptosystems can take different amounts of time to process different inputs:
Performance optimizations in software
Branching/conditional statements
Caching in RAM
Variable length instructions (multiply, divide)
Countermeasures
Make all operations run in the same amount of time
Set all operations by the slowest one
Add random delays
Blind signature technique
Fault Analysis
D. Boneh, R. DeMillo, and R. Lipton, "On the importance of checking cryptographic protocols for faults", Journal of Cryptology, Springer-Verlag, Vol. 14, No. 2, pp. 101-119, 2001
Aim: cause errors during the processing of a cryptographic device
Simple Fault Analysis
Differential Fault Analysis
Countermeasures
Verify the correctness of the output before transmitting it externally
Make devices tamper resistant (strong shielding, detect supply voltages and clock speeds)
Power Analysis
Paul C. Kocher, Joshua Jaffe and Benjamin Jun, "Differential Power Analysis", Advances in Cryptology - CRYPTO '99, Springer-Verlag, 1999, LNCS Vol. 1666, pp. 388-397
The power consumed by a cryptographic device is analyzed during the processing of the cryptographic operation
Simple Power Analysis
Differential Power Analysis
Countermeasures
Don't use secret values in conditionals/loops
Ensure little variation in power consumption between instructions
Reduce power variations (shielding, balancing)
Randomness (power, execution, timing) + counters on card
Algorithm redesign (non-linear key update, blinding)
Hardware redesign (decouple power supply, gate level design)
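The timing countermeasure above ("make all operations run in the same amount of time") and the power countermeasure ("don't use secret values in conditionals/loops") both amount to removing secret-dependent control flow. Added example, not from the original slides: a naive square-and-multiply whose multiply count follows the exponent bits, beside a Montgomery ladder with branch-free conditional swaps whose operation count depends only on the public bit-length. The multiply counts stand in for a timing or power trace; Python integers are not themselves constant-time, so this shows the control-flow structure only.

```python
def cswap(swap, a, b):
    """Branch-free conditional swap of two non-negative ints; swap is 0 or 1."""
    mask = -swap                      # 0 or -1 (all ones): no secret-dependent branch
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def modexp_branching(base, exp, mod):
    """Square-and-multiply as usually written: the multiply runs only for exponent bits
    equal to 1, so the multiply count (and the time/power trace) follows the secret bits."""
    result, mults = 1, 0
    for i in range(exp.bit_length() - 1, -1, -1):
        result = (result * result) % mod
        if (exp >> i) & 1:            # secret-dependent conditional
            result = (result * base) % mod
            mults += 1
    return result, mults


def modexp_ladder(base, exp, mod, bits):
    """Montgomery ladder with conditional swaps: exactly one squaring and one multiplication
    per bit of a fixed public bit-length, so the operation sequence does not depend on exp."""
    r0, r1, mults = 1, base % mod, 0
    for i in range(bits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        r0, r1 = cswap(bit, r0, r1)
        mults += 1
    return r0, mults


def operation_profile(exps, base=4, mod=497, bits=8):
    """Multiply counts of both variants for a list of exponents (constructed demo values)."""
    return {e: (modexp_branching(base, e, mod)[1], modexp_ladder(base, e, mod, bits)[1])
            for e in exps}


if __name__ == "__main__":
    for e, (leaky, fixed) in operation_profile([1, 13, 128, 255]).items():
        print(f"exp={e:3d} ({e:08b}): branching={leaky} multiplies, ladder={fixed} multiplies")
```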
EM Emissions
D. Agrawal, B. Archambeault, J. R. Rao and P. Rohatgi, "The EM Side-Channel(s)", Cryptographic Hardware and Embedded Systems - CHES 2002, Springer-Verlag, 2003, LNCS Vol. 2523, pp. 29-45
1950s: TEMPEST
EM side channels include a higher variety of information and can additionally be applied from a certain distance.
Countermeasures
Redesign circuits
Shielding
EM noise
Acoustic Analysis
"Keyboard Acoustic Emanations", Dmitri Asonov and Rakesh Agrawal, IBM Almaden Research Center, 2004.
"Acoustic cryptanalysis - On noisy people and noisy machines" by Adi Shamir and Eran Tromer