Differential Cryptanalysis

Date post: 18-Mar-2016
Page 1: Differential Cryptanalysis

1 © Information Security Group, ICU

Differential Cryptanalysis

Page 2: Differential Cryptanalysis

DC (Differential Cryptanalysis): Introduction

- Biham and Shamir: CR90, CR92
- More efficient than exhaustive key search
- Chosen plaintext attack: O(breaking 16-round DES) ~ 2^47
- Utilizes the probabilistic distribution between input XOR and output XOR values, applied iteratively round by round
- Stimulated the disclosure of the hidden design criteria of DES [Cop92]
- Applies to other DES-like ciphers

* E. Biham, A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard", Springer-Verlag, 1993

Page 3: Differential Cryptanalysis

Eli Biham

Eli Biham (http://www.cs.technion.ac.il/~biham/) is an Israeli cryptographer and cryptanalyst, currently a professor in the Computer Science department of the Technion - Israel Institute of Technology. Biham received his Ph.D. for inventing (publicly) differential cryptanalysis, while working under Adi Shamir. It had, it turned out, been invented at least twice before: a team at IBM discovered it during their work on DES and was requested/required to keep the discovery secret by the NSA, who evidently knew about it as well.

In addition to his many contributions to cryptanalysis, Biham has taken part in the design of several new cryptographic primitives:
- Serpent (with Ross Anderson and Lars Knudsen), a block cipher which was one of the final five contenders to become the Advanced Encryption Standard
- Tiger (with Ross Anderson), a hash function fast on 64-bit machines
- Py (with Jennifer Seberry), a fast stream cipher which has some cryptanalytic claims against it

Page 4: Differential Cryptanalysis

DC of DES

Discard the linear components (IP, FP).
Properties of XOR (X' = X ⊕ X*):
- {E, P, IP}: (P(X))' = P(X) ⊕ P(X*) = P(X')
- XOR: (X ⊕ Y)' = (X ⊕ Y) ⊕ (X* ⊕ Y*) = X' ⊕ Y'
- Mixing key: (X ⊕ K)' = (X ⊕ K) ⊕ (X* ⊕ K) = X'
Differences (= XOR) are linear under linear operations and, in particular, the result is key independent.

Page 5: Differential Cryptanalysis

XOR Distribution Table (I)

X' = {0, 1, ..., 63}, Y' = {0, 1, ..., 15}. For a given S-box, pre-compute in a table the number of input pairs for each (X', Y') combination.
* % of entries in DES S-boxes: 75 ~ 80%

[Figure: the pair X, X* enters the Si-box and the pair Y, Y* leaves it; the XDT of the Si-box is indexed by X' (rows) and Y' (columns).]

Page 6: Differential Cryptanalysis

XOR Distribution Table (II)

XDT of the S-boxes in DES:
- In the first row (X' = 0), Y' = 0 for all 64 pairs.
- The remaining rows: average = 4, sum = 64, range = 0 ~ 16 (only even entries. Why?)
- If the value is "0", there is no input pair with that X' and Y'.
- If the value is "16", it occurs with probability 16/64. Denoted as X' --> Y' with probability p.
- Use 0 --> 0 with p = 1, or "16" (the highest value), for DC.
- How to design an S-box with a "good" XDT?

Page 7: Differential Cryptanalysis

XOR Distribution Table of the S4 box

[Table shown as an image in the original slide]

Page 8: Differential Cryptanalysis

Differential Characteristic

2-round characteristic using S1 (0Cx --> Ex with probability 14/64):

  Input XOR  = (00 80 82 00 60 00 00 00x)
  Round 1 (F): a' = 60000000x --> A' = 00808200x = P(E0000000x), p = 14/64
  Round 2 (F): b' = 0x --> B' = 0x, p = 1
  Output XOR = (60 00 00 00 00 00 00 00x)

Only S1 is active: a' = 6 = 0110 expands to the S1 input XOR 0C = 001100, and the S1 output XOR E = 1110 is carried by the P permutation into A'.

Page 9: Differential Cryptanalysis

3-round characteristic

  Input XOR  = (40 08 00 00 04 00 00 00x)
  Round 1 (F): a' = 04000000x --> A' = 40080000x, p1 = 16/64
  Round 2 (F): b' = 0x --> B' = 0x, p2 = 1
  Round 3 (F): c' = 04000000x --> C' = 40080000x, p3 = 16/64
  Output XOR = (40 08 00 00 04 00 00 00x)

Holding probability = p1 * p2 * p3 = 1/16

Page 10: Differential Cryptanalysis

Searching for round keys

(1) Choose a suitable plaintext (Pt) XOR.
(2) Get two Pts with the chosen Pt XOR and obtain the corresponding Cts by encryption.
(3) From the Pt XOR and the pair of Cts, get the expected output XOR for the S-boxes of the final round.
(4) For each candidate subkey of the final round, count the pairs for which it yields the expected output XOR.
(5) The right key is the subkey having the largest number of pairs with the expected output XOR.
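The XOR distribution table of slides 5-6 and the five-step subkey search above, as an added example that is not part of the original deck: the XDT of DES S-box S1 is computed and queried, and the counting procedure is run against a single keyed S-box, y = S1(x ^ k), standing in for the final round. DES_S1 is the S1 table from FIPS 46; the 6-bit key, the chosen plaintext XORs and the one-S-box "cipher" are constructions for this page.

```python
# Added example, not from the slides: the XOR distribution table (XDT) of
# DES S-box S1 and the five-step subkey search run against a single keyed
# S-box, y = S1(x ^ k).  DES_S1 is the S1 table from FIPS 46; the 6-bit key,
# the chosen plaintext XORs and the one-S-box "cipher" are constructions for
# this page.
from collections import Counter

DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """DES S-box lookup for a 6-bit input: the outer bits (b5, b0) select the
    row, the middle four bits (b4..b1) select the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def xor_distribution_table(table):
    """xdt[X'][Y'] = number of inputs X (0..63) with S(X) ^ S(X ^ X') == Y'.
    Each row sums to 64; every entry is even because X and X ^ X' count the
    same unordered pair twice."""
    xdt = [[0] * 16 for _ in range(64)]
    for x_diff in range(64):
        for x in range(64):
            xdt[x_diff][sbox(table, x) ^ sbox(table, x ^ x_diff)] += 1
    return xdt


def best_differentials(xdt, n=5):
    """Highest-count (X', Y') entries with X' != 0: the candidates for
    building a characteristic."""
    counts = Counter({(xd, yd): xdt[xd][yd]
                      for xd in range(1, 64) for yd in range(16)})
    return counts.most_common(n)


def encrypt(key, x):
    """Toy 'final round' used as the encryption oracle: a keyed S-box."""
    return sbox(DES_S1, x ^ key)


def count_subkeys(key, x_diff):
    """Steps (2)-(4): encrypt all 64 plaintext pairs with the chosen input
    XOR, and for each pair give a vote to every candidate subkey k under
    which the observed ciphertext XOR would have been produced."""
    votes = Counter()
    for x in range(64):
        x_star = x ^ x_diff
        observed = encrypt(key, x) ^ encrypt(key, x_star)  # from the Ct pair
        for k in range(64):
            if sbox(DES_S1, x ^ k) ^ sbox(DES_S1, x_star ^ k) == observed:
                votes[k] += 1
    return votes


def recover_subkey(key, x_diffs):
    """Step (5): the subkey with the most votes, summed over the chosen
    input XORs.  With a single XOR d the keys k and k ^ d are
    indistinguishable (they feed the S-box the same pair of inputs, swapped),
    so a second XOR is needed to break the tie."""
    total = Counter()
    for d in x_diffs:
        total.update(count_subkeys(key, d))
    best, _ = total.most_common(1)[0]
    return best, total


if __name__ == "__main__":
    xdt = xor_distribution_table(DES_S1)
    print(f"S1: 0Cx -> Ex occurs {xdt[0x0C][0xE]}/64 times")
    for (xd, yd), c in best_differentials(xdt):
        print(f"  {xd:02X}x -> {yd:X}x : {c}/64")
    secret = 0x2B                      # constructed 6-bit subkey
    best, total = recover_subkey(secret, [0x0C, 0x03])
    print(f"recovered subkey {best:02X}x with {total[best]} votes "
          f"(true key {secret:02X}x)")
```

Running it reproduces the 14/64 entry for 0Cx --> Ex used by the 2-round characteristic, and shows the tie between k and k ^ 0C that a single input XOR leaves behind: the right subkey collects a vote from every pair, so it always reaches the maximal count, but so does k ^ 0C until pairs with a second input XOR are added.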

Page 11: Differential Cryptanalysis

Iterative Characteristic

Self-concatenating probability. Best iterative characteristic of DES (2 rounds):

  Input XOR  = (19 60 00 00 00 00 00 00x)
  Round 1 (F): a' = 0x --> A' = 0x, p1 = 1
  Round 2 (F): b' = 19 60 00 00x, E(b') = 03 32 2C 00 00 00 00 00x --> B' = 0x, p2 = 14 x 8 x 10 / 64^3 = 1/234
  Output XOR = (00 00 00 00 19 60 00 00x)

Compare with the previous 3-round characteristic.

Page 12: Differential Cryptanalysis

Page 13: Differential Cryptanalysis

DC of DES16 (I)

- Rounds 1 to 13: using the 2-round best iterative characteristic 6.5 times yields probability (1/234)^6 ~ 2^-47.2.
- Final 2 rounds (2R attack): compute the round-13 values from the ciphertext in the reverse direction -> no effect on the overall probability.
- Total complexity: p^-1 ~ 2^47.

Page 14: Differential Cryptanalysis

DC of DES16 (II)

Rounds   # of chosen plaintexts
         CR90 [1]          CR92 [2]
4        2^4
6        2^8
8        2^18              2^14
10       2^35              2^24
12       2^43              2^31
14       2^51              2^39
15       2^52              2^47
16       2^58, 2^61 *      2^47

* Assume independent round keys
1. "Differential Cryptanalysis of DES-like Cryptosystems", Proc. of Crypto'90, LNCS 537, pp. 2-21
2. "Differential Cryptanalysis of the full 16-round DES", Proc. of Crypto'92, LNCS 740, pp. 487-496

Page 15: Differential Cryptanalysis

Additional results on DES by DC

- P permutation: cannot strengthen DES
- Changing the order of the S-boxes: can weaken much, or strengthen only up to 2^48
- Replacing XORs by addition: can weaken much in some cases
- Modifying S-boxes:
  - random: 2^18 - 2^20
  - modifying one entry (i.e., S(0) -> S(4)): 2^33
  - uniform distribution table: 2^26

Page 16: Differential Cryptanalysis


Linear Cryptanalysis

Page 17: Differential Cryptanalysis

LC (Linear Cryptanalysis): Introduction

- Matsui: EC93 [1], CR94 [2]
- Known plaintext attack: O(breaking 16-round DES) ~ 2^43
- 12 HP workstations, 50-day operation
- Utilizes the probabilistic distribution between input linear sum and output linear sum values, applied iteratively
- Duality to DC: XOR branch vs. three-forked branch
- Applies to other DES-like cryptosystems

1. M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Proc. of Eurocrypt'93, LNCS 765, pp. 386-397
2. M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard", Proc. of Crypto'94, LNCS 839, pp. 1-11.

Page 18: Differential Cryptanalysis

M. Matsui

Mitsuru Matsui is a Japanese cryptographer and senior researcher for Mitsubishi Electric Company. While researching error-correcting codes in 1990, Matsui was inspired by Biham and Shamir's differential cryptanalysis, and discovered the technique of linear cryptanalysis, published in 1993. Differential and linear cryptanalysis are the two major general techniques known for the cryptanalysis of block ciphers. The following year, Matsui was the first to publicly report an experimental cryptanalysis of DES, using the computing power of twelve workstations over a period of fifty days. He is also the author of the MISTY-1 and MISTY-2 block ciphers, and contributed to the design of Camellia and KASUMI.

Page 19: Differential Cryptanalysis

Eurocrypt 1992 - Hungary (photo)

Page 20: Differential Cryptanalysis

XOR branch vs. 3-forked branch

DC: XOR branch after the f-function, i.e., DC goes downstream through the f-function.
  X_i = X_{i-2} ⊕ Y_{i-1} (3 <= i <= n), with probability ∏_{i=1}^{n} p_i
  ΔX_i : X_i's differential value

LC: 3-forked branch before the f-function, i.e., LC goes upstream through the f-function.
  Y_i = Y_{i-2} ⊕ X_{i-1} (3 <= i <= n), with probability 2^{n-1} ∏_{i=1}^{n} |p_i - 1/2|
  ΓX_{i-1} : X_{i-1}'s masking value

[Figure: round i of the Feistel structure with f-function F_i, round key K_i, input X_{i-1} and output Y_i; the DC diagram tracks differences through the XOR branch, the LC diagram tracks masks through the three-forked branch.]

Page 21: Differential Cryptanalysis

Basic principle of LC

(Goal) Find a linear approximation

  P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc]

holding with significant probability p (≠ 1/2), where A[i, j, ..., k] = A[i] ⊕ A[j] ⊕ ... ⊕ A[k].

(Algorithm) MLE (Maximum Likelihood Estimation)
(Step 1) For the given P and C, compute X = P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb]; let N = # of plaintexts given.
(Step 2) If |X = 0| > N/2, guess K[k1, k2, ..., kc] = 0, else 1 (for p > 1/2); equivalently, if |X = 0| < N/2, guess K[k1, k2, ..., kc] = 1, else 0. (For p < 1/2 the guesses are reversed.)

Page 22: Differential Cryptanalysis

Linear Distribution Table (I)

For an S-box S_a (a = 1, 2, ..., 8) of DES:

  NS_a(α, β) = #{x | 0 <= x < 64, parity(x · α) = parity(S(x) · β)}
  1 <= α <= 63, 1 <= β <= 15, · : dot product (bitwise AND)

Ex) NS5(16, 15) = 12: the 5th input bit of the S5 box is equal to the linear sum of the 4 output bits with probability 12/64.
  X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] with probability 0.19
  X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] ⊕ 1 with probability 1 - 0.19 = 0.81

(Note) Least significant bit at the right, and index 0 at the least significant bit (little endian).

Page 23: Differential Cryptanalysis

Linear Distribution Table (II)

[Figure: X enters the Si-box and S(X) leaves it; the table NS_a(α, β) is indexed by the input mask α and the output mask β.]

- NS_a(α, β) has even values.
- If α = 1, 32 (20x), 33 (21x), then NS_a(α, β) = 32.
- NS_a(α, β) varies from 0 to 64.

Page 24: Differential Cryptanalysis

3-round DES by LC

[Figure: three rounds F1, F2, F3 with round keys K1, K2, K3 and f-function inputs X1, X2, X3; plaintext halves PH, PL and ciphertext halves CH, CL. Round 1 uses input mask [15], output mask [7,18,24,29] and key bit [22] with p1 = 12/64; round 3 uses the same masks with p3 = 12/64.]

  X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15] = K1[22] ---------- (1)
  X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15] = K3[22] ---------- (2)

(1) ⊕ (2) => X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15] ⊕ X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15] = K1[22] ⊕ K3[22]
(the X2 terms cancel), holding with probability (p1 * p3) + (1 - p1) * (1 - p3)

* Discard IP and FP, as in DC

Page 25: Differential Cryptanalysis

Piling-up lemma in LC

If independent random variables X_i (1 <= i <= n) take value 0 with probability p_i and value 1 with probability 1 - p_i, then p = Prob(X1 ⊕ X2 ⊕ ... ⊕ Xn = 0) is

  p = 2^{n-1} ∏_{i=1}^{n} (p_i - 1/2) + 1/2.

The number of known plaintexts required for LC with success probability 97.7% is |p - 1/2|^-2.

Page 26: Differential Cryptanalysis

LC of DES16 (I)

(Preparation) Use the best iterative linear approximation, iterated over the rounds.
(Search stage)
- Data counting: count over the effective plaintext and ciphertext bits and derive the effective key bits (13 bits + 13 bits).
- Exhaustive search: the remaining 30 bits of the key.

Page 27: Differential Cryptanalysis

LC of DES16 (II)

Rounds   # of known plaintexts
         EC93       CR94
8        2^21
12       2^33
16       2^47       2^43

Page 28: Differential Cryptanalysis

Strengthening DES

Key size expansion:
- Double encryption: e_k: E2(K2, E1(K1, P)), d_k: D1(K1, D2(K2, C)). Meet-in-the-middle attack -> no effective gain.
- Triple encryption:
  e_k: E(K1, D(K2, E(K1, P))), d_k: D(K1, E(K2, D(K1, C)))
  e_k: E(K1, D(K2, E(K3, P))), d_k: D(K3, E(K2, D(K1, C)))
  112 or 168 bits
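The meet-in-the-middle argument against double encryption, as an added example that is not part of the original deck: the 8-bit toy block cipher, its 8-bit keys and the known (P, C) pairs are all constructed for this page, and a brute-force search over all (K1, K2) pairs is kept alongside to confirm that the table lookup finds exactly the same candidate keys with far less work.

```python
# Added example, not from the slides: why double encryption E2(K2, E1(K1, P))
# gives no effective key-size gain against a meet-in-the-middle attack.  The
# 8-bit toy block cipher, its 8-bit keys and the known (P, C) pairs are all
# constructed for this page; the same table-lookup idea is what makes the
# slide's 2-key double encryption cost about 2 * 2^56 rather than 2^112.
import random

_rng = random.Random(1993)                 # fixed seed: reproducible toy S-box
TOY_SBOX = list(range(256))
_rng.shuffle(TOY_SBOX)                     # a random 8-bit permutation
TOY_INV = [0] * 256
for _i, _v in enumerate(TOY_SBOX):
    TOY_INV[_v] = _i


def toy_encrypt(k, p):
    """One-round toy cipher on 8-bit blocks with an 8-bit key."""
    return TOY_SBOX[p ^ k] ^ k


def toy_decrypt(k, c):
    return TOY_INV[c ^ k] ^ k


def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))


def brute_force(pairs):
    """Reference: try all 2^16 (k1, k2) pairs against every known pair."""
    return [(k1, k2) for k1 in range(256) for k2 in range(256)
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs)]


def meet_in_the_middle(pairs):
    """Tabulate E(k1, P0) for all k1, then look up D(k2, C0) for all k2:
    2 * 2^8 single encryptions instead of 2^16 double encryptions.  About
    2^16 / 2^8 = 2^8 false matches survive the first pair; the remaining
    pairs weed them out."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(256):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = [(k1, k2) for k2 in range(256)
                  for k1 in forward.get(toy_decrypt(k2, c0), [])]
    for p, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(k1, k2, p) == c]
    return candidates


if __name__ == "__main__":
    k1, k2 = 0x3C, 0xA5                    # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x00, 0x5A, 0xF1, 0x17)]
    found = meet_in_the_middle(pairs)
    print(f"meet-in-the-middle candidates: {[(hex(a), hex(b)) for a, b in found]}")
    print(f"brute force agrees: {sorted(found) == sorted(brute_force(pairs))}")
```

The memory for the forward table (2^8 entries here, 2^56 for DES) is the real cost of the attack, which is why the slide's triple encryption variants, not double encryption, are the accepted way to extend the key size.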

Page 29: Differential Cryptanalysis


Variations

Page 30: Differential Cryptanalysis

Variations of DC/LC

- Multiple LC: Kaliski & Robshaw [CR94]
- Differential-Linear Cryptanalysis: Langford & Hellman [CR94]
- Truncated and Higher-order DC: Knudsen [FSE95]
- Nonlinear Approximation in LC: Knudsen [EC96]
- Partitioning Cryptanalysis: Harpes & Massey [FSE97]
- Interpolation Attack: Jakobsen & Knudsen [FSE97]
- Differential Attack with Impossible Characteristics: Biham [EC99], etc.
- Related-key Attack: Kelsey, Schneier, Wagner [CR96]

Page 31: Differential Cryptanalysis

Asiacrypt 1996 - Kyongju, Korea (photo)

Page 32: Differential Cryptanalysis


Side Channel Attack

Page 33: Differential Cryptanalysis

Traditional Cryptographic Model vs. Side Channel

[Figure: the sender computes C = E(P, Ke) and sends C over the insecure channel; the receiver computes P = D(C, Kd); the keys Ke and Kd are delivered over a secure channel. The attacker sees C on the insecure channel and, in addition, observes the side channel.]

Side channel: power consumption / timing / EM emissions / acoustic radiation / temperature / power supply / clock rate, etc.

Page 34: Differential Cryptanalysis

Timing Analysis

Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", Advances in Cryptology - CRYPTO '96, Springer-Verlag, 1996, LNCS Vol. 1109, pp. 104-113.

Cryptosystems can take different amounts of time to process different inputs:
- Performance optimizations in software
- Branching/conditional statements
- Caching in RAM
- Variable-length instructions (multiply, divide)

Countermeasures: make all operations run in the same amount of time
- Set all operations to the time of the slowest one
- Add random delays
- Blind signature technique (blinding)

Page 35: Differential Cryptanalysis

Fault Analysis

D. Boneh, R. DeMillo, and R. Lipton, "On the importance of checking cryptographic protocols for faults", Journal of Cryptology, Springer-Verlag, Vol. 14, No. 2, pp. 101-119, 2001

Aim: cause errors during the processing of a cryptographic device.
- Simple Fault Analysis
- Differential Fault Analysis

Countermeasures:
- Verify the correctness of the output before transmitting it externally
- Make devices tamper resistant (strong shielding; detect supply voltages and clock speeds)

Page 36: Differential Cryptanalysis

Power Analysis

Paul C. Kocher, Joshua Jaffe and Benjamin Jun, "Differential Power Analysis", Advances in Cryptology - CRYPTO '99, Springer-Verlag, 1999, LNCS Vol. 1666, pp. 388-397

The power consumed by a cryptographic device is analyzed during the processing of the cryptographic operation.
- Simple Power Analysis
- Differential Power Analysis

Countermeasures:
- Don't use secret values in conditionals/loops
- Ensure little variation in power consumption between instructions
- Reduce power variations (shielding, balancing)
- Randomness (power, execution, timing) + counters on the card
- Algorithm redesign (non-linear key update, blinding)
- Hardware redesign (decoupled power supply, gate-level design)
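The timing countermeasure of slide 34 ("make all operations run in the same amount of time") and the first power-analysis countermeasure above ("don't use secret values in conditionals"), as an added example that is not part of the original deck, applied to checking a secret authentication tag. Instead of measuring wall-clock time, which is noisy in Python, each comparison also reports how many bytes it examined; that count is the input-dependent work a timing attack observes. The tag bytes and guesses are constructed for this page.

```python
# Added example, not from the slides: an early-exit tag comparison beside a
# constant-time one.  Each function returns (equal, bytes_examined); the
# second value stands in for running time.  Inputs are constructed for this
# page.  Production code should use hmac.compare_digest, wrapped below.
import hmac


def leaky_compare(secret, guess):
    """Early-exit comparison.  The number of bytes examined (and so the
    running time) is the length of the correct prefix plus one, which is
    what lets a tag be confirmed one byte at a time."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:                      # branch on secret data: the leak
            return False, examined
    return True, examined


def constant_time_compare(secret, guess):
    """Examines every byte whatever the input; the differences are OR-ed into
    an accumulator and inspected only once, after the loop.  Only the
    (public) length affects the amount of work."""
    diff = len(secret) ^ len(guess)
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b                   # no data-dependent branch here
    return diff == 0, examined


def verify_tag(expected, received):
    """What application code should call: the standard library's
    constant-time digest comparison."""
    return hmac.compare_digest(expected, received)


def examined_per_guess(compare, secret, guesses):
    """Bytes examined by `compare` for each guess, to expose the pattern."""
    return [compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = b"\x7a\x11\xc3\x9e"                                  # constructed tag
    guesses = [b"\x00\x11\xc3\x9e", b"\x7a\x00\xc3\x9e",          # 0, 1, 2, 4 correct
               b"\x7a\x11\x00\x9e", b"\x7a\x11\xc3\x9e"]          # leading bytes
    print("leaky   :", examined_per_guess(leaky_compare, secret, guesses))
    print("constant:", examined_per_guess(constant_time_compare, secret, guesses))
    print("verify_tag:", [verify_tag(secret, g) for g in guesses])
```

The leaky variant's counts grow with the length of the correct prefix (1, 2, 3, 4 for the guesses above), while the constant-time variant reports 4 for every guess; the same reasoning is why the power-analysis advice forbids branching or looping on secret values.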

Page 37: Differential Cryptanalysis

EM Emissions

D. Agrawal, B. Archambeault, J. R. Rao and P. Rohatgi, "The EM Side-Channel(s)", Cryptographic Hardware and Embedded Systems - CHES 2002, Springer-Verlag, 2003, LNCS Vol. 2523, pp. 29-45

- 1950s: TEMPEST
- EM side channels carry a greater variety of information and can additionally be exploited from a certain distance.

Countermeasures:
- Redesign circuits
- Shielding
- EM noise

Page 38: Differential Cryptanalysis

Acoustic Analysis

- "Keyboard Acoustic Emanations", Dmitri Asonov and Rakesh Agrawal, IBM Almaden Research Center, 2004.
- "Acoustic cryptanalysis - On noisy people and noisy machines" by Adi Shamir and Eran Tromer