Linear Cryptanalysis of DES

M. Matsui.
1. Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.
2. The first experimental cryptanalysis of the Data Encryption Standard. CRYPTO 94, 1994.

Linear Approximations
• A function with one bit output is a linear function over $Z_2$ if the output is the XOR of input bits and constants.
  – Examples: $f(x_1, x_2, x_3) = x_1 \oplus x_2$, $g(x_1, x_2) = 1$
• If the function f in DES is linear then we can break DES.
• g has a p-linear approximation if with probability p the output is equal to a linear function.
  – Example: $g(x_1, x_2, x_3) = x_1 \vee x_3$ has a 3/4-linear approximation.
• Every function has a ½-approximation.

Using Linear Approximations of DES
• Assume that 1 bit of the output has a linear approx.
• Example: Assume that if we pick M at random and C = DES(M,K), then with probability 0.51
  $C[56] \oplus M[17] = K[17] \oplus K[23]$
Attack:
  – Get a random message and its encryption:
    • (M, C = DES(M,K)).
  – Compute $b = C[56] \oplus M[17]$ and conclude that $K[17] \oplus K[23] = b$ with probability 0.51.
• Increasing the probability: repeat many times and take majority.
• Can use exhaustive search with complexity $2^{55}$

Using Linear Approximations of DES
How do we find linear approximations in DES?
• consider 3-round DES, without IP and $IP^{-1}$.
• start with an S-box: S5.

The S-Box S5
S5 maps the input bits x1, ..., x6 to the output bits y1, y2, y3, y4.

  x1x6 | left side (x2 = 0)      | right side (x2 = 1)
   00  |  2 12  4  1  7 10 11  6 |  8  5  3 15 13  0 14  9
   01  | 14 11  2 12  4  7 13  1 |  5  0 15 10  3  9  8  6
   10  |  4  2  1 11 10 13  7  8 | 15  9 12  5  6  3  0 14
   11  | 11  8 12  7  1 14  2 13 |  6 15  0  9 10  4  5  3

Does not look random:
• 1, 2, 7, 11 appear only in the left side
• 4, 12, 13 appear 3 times in the left side
• 8, 10, 14 appear 2 times in each side
• 0, 3, 5, 9, 15 appear only in the right side
• 6 appears 3 times in the right side
• The XOR of the numbers in the left side is 1
$x_2 = y_1 \oplus y_2 \oplus y_3 \oplus y_4$ with probability $52/64 > 0.8$

The f function of DES
[Figure: the f function of DES; the output of S5 is bits 17–20.]

The permutation P
We need to trace the bits 17–20 that come from S5.
After P they are bits 3, 8, 14, 25.

  16  7 20 21
  29 12 28 17
   1 15 23 26
   5 18 31 10
   2  8 24 14
  32 27  3  9
  19 13 30  6
  22 11  4 25

The Expansion function E
We need bit 26, the second bit that goes to S5.

The f function of DES
[Figure: bit 17 in R and bit 26 in K enter S5 as bit 26; the output bits 17–20 become bits 3, 8, 14, 25 after P.]

3 Round DES
[Figure: 3-round DES; in rounds 1 and 3, bit 17 of the round input and bit 26 of the round key determine bits 3, 8, 14, 25 of the round output.]
$(L_0[3] \oplus R_1[3]) \oplus (L_0[8] \oplus R_1[8]) \oplus (L_0[14] \oplus R_1[14]) \oplus (L_0[25] \oplus R_1[25]) = R_0[17] \oplus K_1[26]$

The Attack on 3 Round DES
• From first round with probability 52/64
  $(L_0[3] \oplus R_1[3]) \oplus (L_0[8] \oplus R_1[8]) \oplus (L_0[14] \oplus R_1[14]) \oplus (L_0[25] \oplus R_1[25]) = R_0[17] \oplus K_1[26]$
• From third round with probability 52/64
  $(R_3[3] \oplus R_1[3]) \oplus (R_3[8] \oplus R_1[8]) \oplus (R_3[14] \oplus R_1[14]) \oplus (R_3[25] \oplus R_1[25]) = L_3[17] \oplus K_3[26]$
• Thus, with probability $(52/64)^2 + (12/64)^2 \approx 0.7$
  $(L_0[3] \oplus L_0[8] \oplus L_0[14] \oplus L_0[25]) \oplus (R_3[3] \oplus R_3[8] \oplus R_3[14] \oplus R_3[25]) \oplus R_0[17] \oplus L_3[17] = K_1[26] \oplus K_3[26]$
• Finds one bit of the key

Linear cryptanalysis: Learning One Bit
• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then
  – Get $O(1/p^2)$ (message, encryption) pairs
    • For each pair compute "the bit" of the key
    • Take the value that appears more times
    • Get correct value with high probability
• Learn one bit of key
• Can do better…

4 Round DES
$(L_0[3] \oplus L_0[8] \oplus L_0[14] \oplus L_0[25]) \oplus (R_3[3] \oplus R_3[8] \oplus R_3[14] \oplus R_3[25]) \oplus R_0[17] \oplus L_3[17] = K_1[26] \oplus K_3[26]$
In 4-round DES, $R_3$ is $L_4$ and $L_3[17] \oplus f(L_4, K_4)[17] = R_4[17]$.
[Figure: round 4 of DES with key $K_4$; bits 3, 8, 14, 25, bit 17 and bit 26 marked as in the 3-round figure.]
• Only 6 bits in $K_4$ affect bit 17 of $f(L_4, K_4)$
• With the correct 6 bits the 3-round approximation holds with prob. 0.7
• With incorrect 6 bits $f(R_3, K_4)$ is random
• Check $2^6$ options of these bits and find the correct bits
• Found 7 bits of key!

Linear cryptanalysis
• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then we choose $O(1/p^2)$ messages in (i+1)-round DES and compute 7 bits of the key.
• Can do the same trick with first round and last i-rounds, get another 7 bits
• Use exhaustive search to find the other 42 bits.

Known Attacks
• 8 rounds: $2^{21}$ plaintexts (40 seconds)
• 12 rounds: $2^{33}$ plaintexts (50 hours)
• 16 rounds: $2^{43}$ plaintexts (50 days, 12 computers)
  – Uses two 14-rounds approximation
  – Using each approximation it finds 13 bits
  – Finds 30 bits by exhaustive search
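
An added Python example (not part of the original slides; all function names are chosen here) that checks the numbers used on the S5, permutation P and 3-round slides: it counts over all 64 inputs of the standard S5 table how often x2 agrees with y1 ⊕ y2 ⊕ y3 ⊕ y4, searches every mask pair for the largest deviation from 32, traces bits 17–20 through P, and evaluates (52/64)² + (12/64)². With the standard table the relation holds for 12 inputs and its complement for 52, which is the same bias and only flips the constant on the key-bit side.

```python
"""Check the S5 approximation and its 3-round combination (added example)."""

# Standard DES S-box S5: row = x1x6, column = x2x3x4x5.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]
# DES permutation P as listed on the slide: output bit i is input bit P[i-1].
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
X2, Y_ALL = 0b010000, 0b1111   # masks: input bit x2, outputs y1^y2^y3^y4

def s5(x):
    """S5 on a 6-bit input x1..x6, with x1 the most significant bit."""
    return S5[((x >> 5) & 1) << 1 | (x & 1)][(x >> 1) & 0xF]

def parity(v):
    """XOR of the bits of v."""
    return bin(v).count("1") & 1

def agree_count(in_mask, out_mask):
    """How many of the 64 inputs satisfy <in_mask,x> == <out_mask,S5(x)>."""
    return sum(parity(x & in_mask) == parity(s5(x) & out_mask)
               for x in range(64))

def most_biased():
    """Largest |count - 32| over non-zero masks, and the pairs reaching it."""
    table = {(a, b): agree_count(a, b)
             for a in range(1, 64) for b in range(1, 16)}
    top = max(abs(n - 32) for n in table.values())
    return top, [(a, b, n) for (a, b), n in table.items() if abs(n - 32) == top]

def after_p(bits):
    """Positions (1-based) that the given S-box output bits occupy after P."""
    return sorted(i + 1 for i, src in enumerate(P) if src in bits)

def piling_up(p1, p2):
    """Probability that two independent approximations XOR to a true relation."""
    return p1 * p2 + (1 - p1) * (1 - p2)

if __name__ == "__main__":
    n = agree_count(X2, Y_ALL)
    print(f"x2 = y1^y2^y3^y4 holds for {n}/64 inputs, fails for {64 - n}/64")
    print("most biased mask pairs:", most_biased())
    print("S5 output bits 17-20 after P:", after_p({17, 18, 19, 20}))
    print("3-round probability:", piling_up(52 / 64, 52 / 64))
```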