
Substitution-permutation ciphers - Wellesley CScs.wellesley.edu/~crypto/lectures/tr12.pdf ·...

Date post: 05-Sep-2018
Upload: trinhkhuong

CS349 Cryptography

Department of Computer Science
Wellesley College

Substitution-permutation ciphers

Linear cryptanalysis

Linear cryptanalysis 12-2

Block ciphers

o Modern product ciphers incorporate a sequence of permutation and substitution operations.


Linear cryptanalysis 12-3

Substitution-permutation networks

o The game is to do this over and over again, substitution for confusion and permutation for diffusion.

o A typical iterated cipher requires a round function and key schedule.

Linear cryptanalysis 12-4

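Key schedules and round functions

o Round keys, $K^1, \ldots, K^{Nr}$, are constructed from a random binary key, $K$, using some fixed, public algorithm.

o A round function, $g$, takes inputs $K^r$ and a current state $w^{r-1}$ and produces the next state, $w^r$.*

*The plaintext is the initial state, $w^0$.

$$
\begin{aligned}
w^0 &\leftarrow x \\
w^1 &\leftarrow g(w^0, K^1) \\
w^2 &\leftarrow g(w^1, K^2) \\
&\;\;\vdots \\
w^{Nr-1} &\leftarrow g(w^{Nr-2}, K^{Nr-1}) \\
w^{Nr} &\leftarrow g(w^{Nr-1}, K^{Nr}) \\
y &\leftarrow w^{Nr}
\end{aligned}
$$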


Linear cryptanalysis 12-5

Substitution and permutation

o Plaintext and ciphertext are broken into binary sequences of length $\ell m$, the block length.

o A permutation $\pi_S : \{0, 1\}^\ell \to \{0, 1\}^\ell$, called an S-box, substitutes each set of $\ell$ bits for another.

o A permutation $\pi_P : \{1, \ldots, \ell m\} \to \{1, \ldots, \ell m\}$ mixes everything up.

Linear cryptanalysis 12-6

In the example shown, . . .

o . . . the S-boxes are given by the substitutions:

o . . . while the permutation is:


Linear cryptanalysis 12-7

We still need a key schedule

o Given a 32-bit key $K = (k_1, \ldots, k_{31})$, define $K^r$, for $1 \le r \le 5$, to consist of 16 consecutive bits of $K$, beginning with $k_{4r-3}$.

o For $K$ given by

0011 1010 1001 0100 1101 0110 0011 1111

the round keys are:

$K^1$ = 0011 1010 1001 0100
$K^2$ = 1010 1001 0100 1101
$K^3$ = 1001 0100 1101 0110
$K^4$ = 0100 1101 0110 0011
$K^5$ = 1101 0110 0011 1111

Linear cryptanalysis 12-8

For x = 0010 0110 1011 0111
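
The key schedule and round function from the preceding slides, applied to this x and K, as an added example that is not part of the original lecture. The S-box and permutation tables did not survive on this page, so the code assumes a common textbook 4-bit S-box, the 4x4 "transpose" bit permutation, and a layout of four rounds with the permutation omitted in the last round and a final XOR with K^5; the function names are illustrative.

```python
# Constructed/assumed tables: the S-box and permutation figures are missing from
# this page, so a common textbook 4-bit S-box and the 4x4 "transpose" bit
# permutation are assumed here.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# PERM[i-1] = position (1 = leftmost) that the bit at position i is moved to.
PERM = [4 * ((i - 1) % 4) + (i - 1) // 4 + 1 for i in range(1, 17)]

def round_keys(key32):
    """K^r = 16 consecutive bits of K beginning with k_{4r-3}, for r = 1..5."""
    return [(key32 >> (20 - 4 * r)) & 0xFFFF for r in range(1, 6)]

def substitute(state):
    """Apply the S-box to each of the four 4-bit blocks of a 16-bit state."""
    return sum(SBOX[(state >> s) & 0xF] << s for s in (12, 8, 4, 0))

def permute(state):
    """Move the bit at position i to position PERM[i-1]."""
    out = 0
    for i in range(1, 17):
        out |= ((state >> (16 - i)) & 1) << (16 - PERM[i - 1])
    return out

def encrypt(x, key32, trace=None):
    """Assumed layout: rounds 1-3 are key XOR, S-boxes, permutation; round 4
    is key XOR and S-boxes only, followed by a final XOR with K^5."""
    keys = round_keys(key32)
    w = x
    for r in range(1, 5):
        u = w ^ keys[r - 1]          # u^r = w^(r-1) XOR K^r
        v = substitute(u)            # v^r = S-boxes applied to u^r
        w = permute(v) if r < 4 else v
        if trace is not None:
            trace.append((r, u, v, w))
    return w ^ keys[4]

def bits(value):
    """Format a 16-bit value as four space-separated nibbles."""
    return " ".join(f"{(value >> s) & 0xF:04b}" for s in (12, 8, 4, 0))

if __name__ == "__main__":
    K = 0b0011_1010_1001_0100_1101_0110_0011_1111  # key K from the slide
    x = 0b0010_0110_1011_0111                      # plaintext x from the slide
    for r, k in enumerate(round_keys(K), 1):
        print(f"K{r} = {bits(k)}")
    print("y  =", bits(encrypt(x, K)))
```

Passing a list as `trace` collects the intermediate (r, u, v, w) states of each round, which is the quickest way to compare a hand computation against the code.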


Linear cryptanalysis 12-9

Linear cryptanalysis

o The object of linear cryptanalysis is to find a probabilistic linear relationship between subsets of plaintext and ciphertext bits*.

o The attacker computes the XOR of the relevant bits in the relationship using various keys in order to find a key that yields a nonrandom distribution.

*Thus, this is a known-plaintext attack.

Linear cryptanalysis 12-10

Before the details, we need . . .

o Suppose $X_1, X_2, \ldots$ are independent random variables taking values from the set $\{0, 1\}$ such that $\Pr[X_i = 0] = p_i$ and $\Pr[X_i = 1] = 1 - p_i$.

o The independence of $X_i$ and $X_j$ implies that

$$
\begin{aligned}
\Pr[X_i = 0, X_j = 0] &= p_i p_j \\
\Pr[X_i = 0, X_j = 1] &= p_i (1 - p_j) \\
\Pr[X_i = 1, X_j = 0] &= (1 - p_i) p_j \\
\Pr[X_i = 1, X_j = 1] &= (1 - p_i)(1 - p_j)
\end{aligned}
$$

o We compute $\Pr[X_i \oplus X_j = 0]$ and $\Pr[X_i \oplus X_j = 1]$.


Linear cryptanalysis 12-11

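A random variable's bias

o The bias of a random variable $X_i$ is

$$\epsilon_i = p_i - \tfrac{1}{2}$$

o Observe that

$$
-\tfrac{1}{2} \le \epsilon_i \le \tfrac{1}{2}, \qquad
\Pr[X_i = 0] = \tfrac{1}{2} + \epsilon_i, \qquad
\Pr[X_i = 1] = \tfrac{1}{2} - \epsilon_i
$$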

Linear cryptanalysis 12-12

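The piling-up lemma*

Lemma. Let $\epsilon_{i_1, i_2, \ldots, i_k}$ denote the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$. Then

$$\epsilon_{i_1, i_2, \ldots, i_k} = 2^{k-1} \prod_{j=1}^{k} \epsilon_{i_j}$$

Corollary. Let $\epsilon_{i_1, i_2, \ldots, i_k}$ denote the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$. Suppose that $\epsilon_{i_j} = 0$ for some $j$, then $\epsilon_{i_1, i_2, \ldots, i_k} = 0$.

*Proof by induction on $k$.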


Linear cryptanalysis 12-13

Linear approximations of S-boxes

o Consider an S-box $\pi_S : \{0, 1\}^m \to \{0, 1\}^n$.

o Assume input chosen uniformly at random from $\{0, 1\}^m$.*

o Similarly, each output co-ordinate $y_j$ defines a random variable $Y_j$ taking values 0 and 1.

*Thus, each input co-ordinate $x_i$ defines a random variable $X_i$ taking on values 0 and 1 and these $X_i$ are independent with zero biases.

Linear cryptanalysis 12-14

In our example, . . .

o . . . the permutation $\pi_S : \{0, 1\}^4 \to \{0, 1\}^4$ is given by

o The random variable $X_1 \oplus X_4 \oplus Y_2$ is unbiased.


Linear cryptanalysis 12-15

Linear approximation table $N_L(a, b)$

*Bias of the binary 8-tuple: $\epsilon(a, b) = \Pr(a, b) - 1/2 = N_L(a, b)/16 - 1/2$.

Linear cryptanalysis 12-16

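A linear attack on an SPN

o We find a linear approximation of S-boxes incorporating four active S-boxes:

$$
\begin{aligned}
S^1_2 &: \; T_1 = U^1_5 \oplus U^1_7 \oplus U^1_8 \oplus V^1_6 && \text{has bias } 1/4 \\
S^2_2 &: \; T_2 = U^2_6 \oplus V^2_6 \oplus V^2_8 && \text{has bias } -1/4 \\
S^3_2 &: \; T_3 = U^3_6 \oplus V^3_6 \oplus V^3_8 && \text{has bias } -1/4 \\
S^3_4 &: \; T_4 = U^3_{14} \oplus V^3_{14} \oplus V^3_{16} && \text{has bias } -1/4
\end{aligned}
$$

o Assuming independence of the $T_i$, the piling-up lemma implies $T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias $-1/32$.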
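
The linear approximation table, the four active S-box biases and the piling-up lemma from the slides above can be recomputed directly; this is an added example, not part of the original lecture. The S-box table is missing from this page, so the code assumes a common textbook 4-bit S-box; the masks in `TRAIL` and all function names are illustrative.

```python
from fractions import Fraction

# Assumed S-box: the table is missing from this page, so a common textbook
# 4-bit S-box is used. Masks put X1 (or Y1) in the leftmost bit.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# (input mask a, output mask b) for the four active S-boxes T1..T4:
# T1 uses inputs 1,3,4 and output 2; T2..T4 use input 2 and outputs 2,4.
TRAIL = [(0b1011, 0b0100), (0b0100, 0b0101), (0b0100, 0b0101), (0b0100, 0b0101)]

def parity(v):
    return bin(v).count("1") & 1

def linear_approximation_table(sbox):
    """NL[a][b] = number of inputs x with (a . x) XOR (b . S(x)) = 0."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
             for b in range(n)] for a in range(n)]

def bias(table, a, b):
    """epsilon(a, b) = NL(a, b)/16 - 1/2, kept exact with Fraction."""
    return Fraction(table[a][b], len(table)) - Fraction(1, 2)

def piling_up(biases):
    """2^(k-1) times the product of the k individual biases."""
    result = Fraction(1, 2)
    for e in biases:
        result *= 2 * e
    return result

def xor_bias_exact(biases):
    """Bias of X1 ^ ... ^ Xk from the probabilities themselves, assuming
    independence; used to cross-check the lemma."""
    p_zero = Fraction(1)  # the XOR of zero variables is 0 with certainty
    for e in biases:
        p = Fraction(1, 2) + e
        p_zero = p_zero * p + (1 - p_zero) * (1 - p)
    return p_zero - Fraction(1, 2)

if __name__ == "__main__":
    NL = linear_approximation_table(SBOX)
    print("NL(9, 4) =", NL[0b1001][0b0100])        # X1 ^ X4 ^ Y2
    trail = [bias(NL, a, b) for a, b in TRAIL]
    print("active S-box biases:", [str(e) for e in trail])
    print("piling-up bias:", piling_up(trail), "exact:", xor_bias_exact(trail))
```

A designer evaluating an S-box reads the same table the other way: the largest |NL(a, b) - 8| over nonzero masks bounds how strong any single-S-box approximation can be.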


Linear cryptanalysis 12-17

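Canceling “intermediate” variables

o The XOR of the $T_i$ can be expressed in terms of plaintext bits, bits of $u^4$, and key bits.

$$
\begin{aligned}
T_1 &= U^1_5 \oplus U^1_7 \oplus U^1_8 \oplus V^1_6 \\
    &= X_5 \oplus K^1_5 \oplus X_7 \oplus K^1_7 \oplus X_8 \oplus K^1_8 \oplus V^1_6 \\
T_2 &= U^2_6 \oplus V^2_6 \oplus V^2_8 \\
    &= V^1_6 \oplus K^2_6 \oplus V^2_6 \oplus V^2_8 \\
T_3 &= U^3_6 \oplus V^3_6 \oplus V^3_8 \\
    &= V^2_6 \oplus K^3_6 \oplus V^3_6 \oplus V^3_8 \\
T_4 &= U^3_{14} \oplus V^3_{14} \oplus V^3_{16} \\
    &= V^2_8 \oplus K^3_{14} \oplus V^3_{14} \oplus V^3_{16}
\end{aligned}
$$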

Linear cryptanalysis 12-18

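Plaintext, bits of $u^4$ and keybits

o

$$
\begin{aligned}
T_1 \oplus T_2 \oplus T_3 \oplus T_4 = {} & X_5 \oplus X_7 \oplus X_8 \oplus V^3_6 \oplus V^3_8 \oplus V^3_{14} \oplus V^3_{16} \\
& \oplus K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14}
\end{aligned}
$$

o Next, replace the $V^3_i$ by expressions involving $U^4_i$.

$$
\begin{aligned}
V^3_6 &= U^4_6 \oplus K^4_6 \\
V^3_8 &= U^4_{14} \oplus K^4_{14} \\
V^3_{14} &= U^4_8 \oplus K^4_8 \\
V^3_{16} &= U^4_{16} \oplus K^4_{16}
\end{aligned}
$$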


Linear cryptanalysis 12-19

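Selecting the biased random variable

o The result

$$
\begin{aligned}
& X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16} \\
& \oplus K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14} \oplus K^4_6 \oplus K^4_8 \oplus K^4_{14} \oplus K^4_{16}
\end{aligned}
$$

o If the keybits are fixed, then the random variable

$$K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14} \oplus K^4_6 \oplus K^4_8 \oplus K^4_{14} \oplus K^4_{16}$$

has fixed value 0 or 1 and

$$X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16}$$

has bias equal to $\pm 1/32$, where the sign depends on the values of the unknown key bits.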

Linear cryptanalysis 12-20

Candidate subkeys

o Recall our random variable

$$X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16}$$

o There are $2^8 = 256$ possibilities for the keys that are XORed with the 2nd and 4th S-boxes in the final row.

o For each plaintext, ciphertext pair a partial decryption is possible, and the value of the random variable is computed.


Linear cryptanalysis 12-21

Success

o It is suggested that a linear attack based on a linear approximation having bias equal to $\epsilon$ will be successful if the number of plaintext-ciphertext pairs is approximately $c\epsilon^{-2}$, for a small constant $c$.

