
Block : An Overview

Subhabrata Samajder

Indian Statistical Institute, Kolkata 17th May, 2017

Outline

1 Iterated Block Cipher

2 S-Boxes

3 A Basic Substitution Permutation Network

4 Linear Cryptanalysis

5 Differential Cryptanalysis

6 Appendix

Iterated Block Cipher

A block cipher is a function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ such that for each $K \in \{0,1\}^k$, the function $E_K(\cdot) = E(K, \cdot)$ is a permutation of $\{0,1\}^n$.

The n-bit input to the block cipher is called the plaintext, and the n-bit output of the block cipher is called the ciphertext. The k-bit quantity K is called the secret key.

Iterated Block Cipher (Cont.)

Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds. The secret key is expanded using a function called the Key Scheduling Algorithm (KSA), to obtain the round keys.

Iterated Block Cipher Designs: Substitution-Permutation Network (SPN)

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). The 16-bit plaintext P1 ... P16 passes through four rounds, each consisting of sub-key mixing (k(1) to k(4)) followed by four S-boxes (S11-S14, S21-S24, S31-S34, S41-S44), and a final sub-key mixing with k(5) produces the ciphertext C1 ... C16.]

Iterated Block Cipher Designs: Substitution-Permutation Network (SPN) (Cont.)

- The substitution must be a bijection to ensure decryption.
- Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order.
- Note that some ciphers like Khazad use involutions (f(f(x)) = x) to make encryption and decryption look similar.
- Examples: AES (Rijndael), 3-Way, PRESENT, SAFER, SHARK, Square, etc.

[Figure: Encryption and Decryption Network of a Basic Feistel Cipher (Courtesy: Wikipedia). Encryption takes the plaintext halves (L0, R0) through rounds of the function F keyed with k(0), k(1), ..., k(r) and outputs the ciphertext (R_{r+1}, L_{r+1}); decryption runs the same network on the ciphertext with the round keys in the order k(r), k(r−1), ..., k(0).]

Iterated Block Cipher Designs: Feistel Cipher vs. SPN

- The main advantage of this type of design is that encryption and decryption are very similar, even identical in some cases, requiring only a reversal of the key schedule.
- One advantage of the Feistel cipher over an SPN is that, unlike in an SPN, the round function F need not be invertible.

Iterated Block Cipher Designs: Feistel Cipher: Variants and Examples

- Unbalanced Feistel cipher: Two halves are unequal in length.
- Generalised Feistel cipher: Plaintext is divided into more than two parts. Examples: RC6, , etc.
- Other Examples: Blowfish, DES, FEAL, RC5, LOKI, etc.

Iterated Block Cipher Designs: Lai Massey

[Figure: Encryption and Decryption Network of a Basic Lai-Massey Scheme (Courtesy: Wikipedia). Encryption processes the plaintext halves (L0, R0) through rounds built from the half-round function H and the round function F keyed with k(0), k(1), ..., k(r); decryption uses H^{-1} and the round keys in the order k(r), k(r−1), ..., k(0).]

Iterated Block Cipher Designs: Lai Massey (Cont.)

- The security properties of the Lai-Massey scheme are similar to those of the Feistel structure.
- Like the Feistel cipher, it also shares the advantage that the round function F need not be invertible.
- Example: IDEA.

We will be considering SPN type block ciphers.

Iterated Block Cipher: Attacks

- Algebraic Attacks
  - Buchberger's Algorithm
  - Linearization Technique
  - Relinearization Technique
  - The XL algorithm (XL - eXtended Linearization)
- Slide Attack and Advanced Slide Attack
- ...

Iterated Block Cipher: Attacks (Cont.)

- Statistical Attacks
  - Distinguishing Attacks
  - Linear Cryptanalysis and variants like Zero-correlation attack
  - Differential Cryptanalysis and variants like
    - Higher Order Differentials
    - Truncated Differential Cryptanalysis
    - Impossible Differential Cryptanalysis
    - Improbable Differential Cryptanalysis
    - Boomerang Attack
    - Cube Attack
- Other Attacks
  - Differential-linear attack
  - The Integral or Square attack
  - The Saturation attack
- ...

S-Boxes

Boolean Function: An m-variable Boolean function is a map $g : \mathbb{F}_2^m \to \mathbb{F}_2$.

S-Boxes: An (m, n) S-Box (or vectorial function) is a map $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$. An S-Box $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ has component functions $f_1, \ldots, f_m$, where each $f_i : \mathbb{F}_2^n \to \mathbb{F}_2$.

A Basic Substitution Permutation Network: SPN

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Plaintext P1 ... P16, four rounds of sub-key mixing (k(1) to k(4)) and S-boxes S11 ... S44, final sub-key mixing with k(5), ciphertext C1 ... C16.]

A Basic Substitution Permutation Network: Substitution

- 16-bit data block broken into four 4-bit sub-blocks.
- Each sub-block forms an input to a 4 × 4 S-Box.
- S-Box is a highly non-linear mapping.
- Assume that all the S-Boxes are the same.

Input    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
Output   E  4  D  1  2  F  B  8  3  A  6  C  5  9  0  7

A Basic Substitution Permutation Network: Permutation

Input    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Output   1  5  9 13  2  6 10 14  3  7 11 15  4  8 12 16

A Basic Substitution Permutation Network: Key Mixing & Decryption

Key Mixing
- Bit-wise exclusive-OR.
- Assume that the sub-keys are independently generated and unrelated, rather than being generated from the master key using the KSA.

Decryption
- Also an SPN.
- S-boxes are the inverse of the encryption S-boxes.
- The sub-keys are applied in the reverse order and are moved around according to the permutation.

Linear Cryptanalysis: Goal

The main aim in linear cryptanalysis is to find linear expressions of the form

$$X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0,$$

which have a high or low probability of occurrence.

- Let $p_L = \Pr[X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0]$; then the linear probability bias is $b_L = |p_L - \tfrac{1}{2}|$.
- Linear cryptanalysis tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits.
- It is a known plaintext attack.

Linear Cryptanalysis: Notations

- P and C denote the 16-bit plaintext and ciphertext, respectively.
- $X_i$ denotes the $i$-th bit of the input $X = [X_1, X_2, X_3, X_4]$ to the S-box.
- $Y_i$ denotes the $i$-th bit of the output $Y = [Y_1, Y_2, Y_3, Y_4]$ of the S-box.

[Figure: S-box Mapping (Courtesy: Heys's Tutorial). A 4 × 4 S-box with input bits X1 X2 X3 X4 and output bits Y1 Y2 Y3 Y4.]

Linear Cryptanalysis: Notations (Cont.)

- $U^{(i)}$ represents the input to the $i$-th round S-box and $U^{(i)}_j$ represents the $j$-th bit of block $U^{(i)}$.
- $V^{(i)}$ represents the output of the $i$-th round S-box and $V^{(i)}_j$ represents the $j$-th bit of block $V^{(i)}$.
- Let $k^{(i)}$ represent the $i$-th round key.

Linear Cryptanalysis: Piling-Up Lemma

Piling-Up Lemma (Matsui)

For n independent, random binary variables $X_1, X_2, \ldots, X_n$,

$$\Pr[X_1 \oplus \cdots \oplus X_n = 0] = \frac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \varepsilon_i$$

or, equivalently,

$$\varepsilon_{1,2,\ldots,n} = 2^{n-1} \prod_{i=1}^{n} \varepsilon_i,$$

where $\varepsilon_{1,2,\ldots,n}$ represents the bias of $X_1 \oplus \cdots \oplus X_n = 0$.

Linear Cryptanalysis: How to construct such linear expressions?

This is done by considering the cipher's non-linear components. In this case, the S-Box.

Linear Cryptanalysis: S-Box

X1 X2 X3 X4   Y1 Y2 Y3 Y4   X2⊕X3   Y1⊕Y3⊕Y4   X1⊕X4   Y2   X3⊕X4   Y1⊕Y4
0  0  0  0    1  1  1  0    0       0          0       1    0       1
0  0  0  1    0  1  0  0    0       0          1       1    1       0
0  0  1  0    1  1  0  1    1       0          0       1    1       0
0  0  1  1    0  0  0  1    1       1          1       0    0       1
0  1  0  0    0  0  1  0    1       1          0       0    0       0
0  1  0  1    1  1  1  1    1       1          1       1    1       0
0  1  1  0    1  0  1  1    0       1          0       0    1       0
0  1  1  1    1  0  0  0    0       1          1       0    0       1
1  0  0  0    0  0  1  1    0       0          1       0    0       1
1  0  0  1    1  0  1  0    0       0          0       0    1       1
1  0  1  0    0  1  1  0    1       1          1       1    1       0
1  0  1  1    1  1  0  0    1       1          0       1    0       1
1  1  0  0    0  1  0  1    1       1          1       1    0       1
1  1  0  1    1  0  0  1    1       0          0       0    1       0
1  1  1  0    0  0  0  0    0       0          1       0    1       0
1  1  1  1    0  1  1  1    0       0          0       1    0       1

Table: Sample Difference Pairs of the S-box.

Linear Cryptanalysis: S-Box Analysis (cont.)

Rows: input mask in hexadecimal. Columns: output mask in hexadecimal.

      0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
0    +8   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
1     0   0  -2  -2   0   0  -2  +6  +2  +2   0   0  +2  +2   0   0
2     0   0  -2  -2   0   0  -2  -2   0   0  +2  +2   0   0  -6  +2
3     0   0   0   0   0   0   0   0  +2  -6  -2  -2  +2  +2  -2  -2
4     0  +2   0  -2  -2  -4  -2   0   0  -2   0  +2  +2  -4  +2   0
5     0  -2  -2   0  -2   0  +4  +2  -2   0  -4  +2   0  -2  -2   0
6     0  +2  -2  +4  +2   0   0  +2   0  -2  +2  +4  -2   0   0  -2
7     0  -2   0  +2  +2  -4  +2   0  -2   0  +2   0  +4  +2   0  +2
8     0   0   0   0   0   0   0   0  -2  +2  +2  -2  +2  -2  -2  -6
9     0   0  -2  -2   0   0  -2  -2  -4   0  -2  +2   0  +4  +2  -2
A     0  +4  -2  +2  -4   0  +2  -2  +2  +2   0   0  +2  +2   0   0
B     0  +4   0  -4  +4   0  +4   0   0   0   0   0   0   0   0   0
C     0  -2  +4  -2  -2   0  +2   0  +2   0  +2  +4   0  +2   0  -2
D     0  +2  +2   0  -2  +4   0  +2  -4  -2  +2   0  +2   0   0  +2
E     0  +2  +2   0  -2  -4   0  +2  -2   0   0  -2  -4  +2  -2   0
F     0  -2  -4  -2  -2   0  +2   0   0  -2  +4  -2  -2   0  +2   0

Table: Linear Approximation Table of the S-box Represented by Table.

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher

- Linear approximation of the overall cipher is achieved by concatenating appropriate S-boxes.
- By constructing a linear approximation involving plaintext bits and the data bits from the output of the second last round, it is possible to attack the cipher by recovering a subset of the subkey bits that follow the last round.

[Figure: Sample Linear Approximation (Courtesy: Heys's Tutorial). The approximation starts from plaintext bits P5, P7, P8, passes through the active S-boxes S12 (round 1), S22 (round 2), S32 and S34 (round 3), and ends at the round-4 S-box inputs U(4)6, U(4)8, U(4)14, U(4)16 of S42 and S44. The last sub-key bits k(5)5 ... k(5)8 and k(5)13 ... k(5)16 follow these two S-boxes.]

We use the following approximations of the S-box:

- S12: $X_1 \oplus X_3 \oplus X_4 = Y_2$ with probability 12/16 and bias +1/4
- S22: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias −1/4
- S32: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias −1/4
- S34: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias −1/4

Notice, $U^{(1)} = P \oplus k^{(1)}$.

For S12, we have

$$V^{(1)}_6 = U^{(1)}_5 \oplus U^{(1)}_7 \oplus U^{(1)}_8 = (P_5 \oplus K_{1,5}) \oplus (P_7 \oplus K_{1,7}) \oplus (P_8 \oplus K_{1,8}).$$

This holds with probability 3/4.

Continuing . . .

$$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8 \oplus \sum\nolimits_K = 0,$$

where

$$\sum\nolimits_K = K_{1,5} \oplus K_{1,7} \oplus K_{1,8} \oplus K_{2,6} \oplus K_{3,6} \oplus K_{3,14} \oplus K_{4,6} \oplus K_{4,8} \oplus K_{4,14} \oplus K_{4,16}.$$

$\sum_K$ is fixed to either 0 or 1 depending on the key of the cipher. Using piling-up lemma

$$p_L = \frac{1}{2} + 2^3 \left(\frac{3}{4} - \frac{1}{2}\right)\left(\frac{1}{4} - \frac{1}{2}\right)^3 = \frac{15}{32}.$$

Therefore,

$$b_L = -\frac{1}{32}.$$

Depending on whether $\sum_K = 0$ or 1, the expression

$$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8$$

holds with either probability $p_L = \frac{15}{32}$ or $1 - p_L = \frac{17}{32}$.
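The linear approximation table and the piling-up computation above can be reproduced from the S-box alone. The following is an added example, not part of the original slides; the function names are illustrative, and masks use the slides' bit order (most significant bit selects X1 or Y1).

```python
from fractions import Fraction

# S-box from the substitution table on this page (index = input nibble).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x):
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def linear_approximation_table(sbox):
    """table[a][b] = #{x : a.x == b.S(x)} - 8 for input mask a and output mask b."""
    size = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(size)) - size // 2
             for b in range(size)]
            for a in range(size)]


def sbox_bias(table, in_mask, out_mask):
    """Signed bias p - 1/2 of a single S-box approximation."""
    return Fraction(table[in_mask][out_mask], 16)


def piling_up(biases):
    """Bias of the XOR of independent approximations: 2^(n-1) * prod(eps_i)."""
    combined = Fraction(2) ** (len(biases) - 1)
    for eps in biases:
        combined *= eps
    return combined


# The four active S-boxes of the sample approximation: (name, input mask, output mask).
TRAIL = [
    ("S12", 0b1011, 0b0100),  # X1 ^ X3 ^ X4 = Y2
    ("S22", 0b0100, 0b0101),  # X2 = Y2 ^ Y4
    ("S32", 0b0100, 0b0101),  # X2 = Y2 ^ Y4
    ("S34", 0b0100, 0b0101),  # X2 = Y2 ^ Y4
]


def trail_bias(sbox=SBOX):
    """Combined signed bias of the sample approximation via the piling-up lemma."""
    table = linear_approximation_table(sbox)
    return piling_up([sbox_bias(table, a, b) for _, a, b in TRAIL])


def strongest_entries(table):
    """Entries (input mask, output mask, value) of maximal |value|, (0, 0) excluded."""
    cells = [(a, b, table[a][b])
             for a in range(len(table)) for b in range(len(table)) if (a, b) != (0, 0)]
    peak = max(abs(value) for _, _, value in cells)
    return [cell for cell in cells if abs(cell[2]) == peak]


if __name__ == "__main__":
    lat = linear_approximation_table(SBOX)
    for name, a, b in TRAIL:
        eps = sbox_bias(lat, a, b)
        print(f"{name}: masks {a:X} -> {b:X}, p = {Fraction(1, 2) + eps}, bias = {eps}")
    b_l = trail_bias()
    print("combined bias:", b_l, "probability:", Fraction(1, 2) + b_l)
    print("strongest single S-box entries:", strongest_entries(lat))
```

For a designer the same table is the check that matters: the smaller the largest non-trivial entry, the more plaintext/ciphertext pairs any such approximation needs.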

Linear Cryptanalysis: Extracting Key Bits

- Once an r − 1 round linear approximation is discovered for a cipher of r rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key.
- In our example r = 4.
- We shall refer to the bits to be recovered from the last sub-key as the target partial sub-key.
- In our example $k^{(5)}_5, k^{(5)}_6, k^{(5)}_7, k^{(5)}_8, k^{(5)}_{13}, k^{(5)}_{14}, k^{(5)}_{15}, k^{(5)}_{16}$.

Linear Cryptanalysis: Extracting Key Bits: Algorithm

- Generate about $\frac{1}{b_L^2}$ known plaintext/ciphertext pairs.
- Assume that we have 10000 plaintext/ciphertext pairs encrypted under a particular key.

Linear Cryptanalysis: Extracting Key Bits: Algorithm (Cont.)

For each of the 256 possible values of $K_{5,5}, K_{5,6}, K_{5,7}, K_{5,8}, K_{5,13}, K_{5,14}, K_{5,15}, K_{5,16}$, do the following:

- For each plaintext/ciphertext pair we exclusive-OR the partial ciphertext [C5, ..., C8, C13, ..., C16] with the guessed key value.
- Do an inverse substitution (S-Box$^{-1}$) to get $U^{(4)}_6, U^{(4)}_8, U^{(4)}_{14}, U^{(4)}_{16}$.
- Count the number of plaintext/ciphertext pairs that satisfy the 4-round linear approximation.
- Find the $|\text{bias}| = \frac{|\text{count} - 5000|}{10000}$.

Select the guess with the maximum bias as our target sub-key.

Linear Cryptanalysis: Experimental Results (Partial)

Target sub-key $[k^{(5)}_5, \ldots, k^{(5)}_8, k^{(5)}_{13}, \ldots, k^{(5)}_{16}]$ in hexadecimal, with the measured |bias|:

Target sub-key   |bias|      Target sub-key   |bias|
0x1C             0.0031      0x2A             0.0044
0x1D             0.0078      0x2B             0.0186
0x1E             0.0071      0x2C             0.0094
0x1F             0.0170      0x2D             0.0053
0x20             0.0025      0x2E             0.0062
0x21             0.0220      0x2F             0.0133
0x22             0.0211      0x30             0.0027
0x23             0.0064      0x31             0.0050
0x24             0.0336      0x32             0.0075
0x25             0.0106      0x33             0.0162
0x26             0.0096      0x34             0.0218
0x27             0.0074      0x35             0.0052
0x28             0.0224      0x36             0.0056
0x29             0.0054      0x37             0.0048

Table: Experimental Result (Partial) for Linear Attack.

Note that the experimental bias = 0.0336 is very close to the expected value of 1/32 = 0.03125.
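The toy SPN described under "A Basic Substitution Permutation Network" and the key-extraction algorithm above, put together as an added example that is not part of the original slides. The sub-keys are constructed demo values, the function names are illustrative, and the per-guess count is computed from a tally of the pairs rather than by looping over every pair for each guess, which gives the same count.

```python
import random

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Permutation table from the slides in 0-based form: bit i moves to PERM[i]
# (bit 0 is the leftmost bit, written as bit 1 on the slides).
PERM = [4 * (i % 4) + i // 4 for i in range(16)]

P_MASK = 0x0B00  # plaintext bits P5, P7, P8
U_MASK = 0x5     # bits 2 and 4 of an S-box input: U6, U8 in S42 and U14, U16 in S44


def parity(x):
    return bin(x).count("1") & 1


def substitute(state, box):
    """Apply a 4-bit S-box to each nibble of the 16-bit state."""
    return sum(box[(state >> shift) & 0xF] << shift for shift in (12, 8, 4, 0))


def permute(state):
    """Bit permutation of the SPN; it is an involution, so it is its own inverse."""
    out = 0
    for i in range(16):
        if (state >> (15 - i)) & 1:
            out |= 1 << (15 - PERM[i])
    return out


def encrypt(block, keys):
    """keys = [k1, ..., k5]; round 4 has no permutation, only the final key mixing."""
    for k in keys[:3]:
        block = permute(substitute(block ^ k, SBOX))
    return substitute(block ^ keys[3], SBOX) ^ keys[4]


def decrypt(block, keys):
    """Inverse S-boxes, inverse permutation, sub-keys in reverse order."""
    block = substitute(block ^ keys[4], INV_SBOX) ^ keys[3]
    for k in reversed(keys[:3]):
        block = substitute(permute(block), INV_SBOX) ^ k
    return block


def nibbles_2_and_4(word):
    """Bits 5..8 and 13..16 of a 16-bit word packed into one byte."""
    return ((word >> 4) & 0xF0) | (word & 0x0F)


def subkey_biases(pairs):
    """|bias| of the approximation for each of the 256 target sub-key guesses."""
    # Only the plaintext parity and ciphertext nibbles 2 and 4 matter, so tally
    # the pairs first: tally[c] = (#pairs with parity 0) - (#pairs with parity 1).
    tally = [0] * 256
    for p, c in pairs:
        tally[nibbles_2_and_4(c)] += 1 - 2 * parity(p & P_MASK)
    biases = []
    for guess in range(256):
        # signed = (#pairs satisfying the expression) - (#pairs violating it)
        signed = 0
        for c, weight in enumerate(tally):
            v = c ^ guess                             # undo the guessed key mixing
            u = INV_SBOX[v >> 4] ^ INV_SBOX[v & 0xF]  # inverse substitution
            signed += -weight if parity(u & U_MASK) else weight
        # count - N/2 equals signed / 2, so |bias| = |count - N/2| / N
        biases.append(abs(signed) / (2 * len(pairs)))
    return biases


def known_pairs(keys, count, rng):
    """`count` distinct random plaintexts with their ciphertexts."""
    return [(p, encrypt(p, keys)) for p in rng.sample(range(1 << 16), count)]


if __name__ == "__main__":
    rng = random.Random(2017)                       # constructed demo values
    keys = [rng.getrandbits(16) for _ in range(5)]  # independent sub-keys
    biases = subkey_biases(known_pairs(keys, 10000, rng))
    ranked = sorted(range(256), key=biases.__getitem__, reverse=True)
    print(f"true target sub-key: 0x{nibbles_2_and_4(keys[4]):02X}")
    for guess in ranked[:5]:
        print(f"guess 0x{guess:02X}  |bias| = {biases[guess]:.4f}")
```

With 10000 pairs the measured values carry sampling noise of roughly 0.005, which is why wrong guesses in the table above still show non-zero bias.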

Linear Cryptanalysis: Summary

- Linear Cryptanalysis: Approximate r − 1 rounds of an r-round block cipher by a linear function, which deviates "substantially" from uniform.
  - This is done by careful structural analysis of the block cipher.
- Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force.
- Prevention:
  - Wide trail strategy.
  - "Stronger" S-boxes or non-linear function.
  - ...

Differential Cryptanalysis: Idea

- In an ideally randomizing cipher, the probability that a particular output difference ∆Y occurs, given a particular input difference ∆X, is $\frac{1}{2^n}$, where n is the number of bits.
- Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher.
- Differential Cryptanalysis is a Chosen Plaintext Attack.
- Using the highly likely differential characteristics gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys.
- In order to determine a high probability difference pair, we consider the input-output differences of the S-Boxes.

Differential Cryptanalysis Idea

In an ideally randomizing cipher, the probability that a particular output difference ∆Y occurs, given a particular input difference ∆X, is 1/2^n, where n is the number of bits.

Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher.

Differential Cryptanalysis is a Chosen Plaintext Attack.

Using a highly likely differential characteristic gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys.

In order to determine a high probability difference pair, we consider the input-output differences of the S-Boxes.

Differential Cryptanalysis Notations

Let X^1, X^2 ∈ {0, 1}^n. Define ∆X = X^1 ⊕ X^2.

Let ∆X = [∆X_1, ..., ∆X_n].

A differential (∆X, ∆Y): for a given input difference ∆X, ∆Y is the difference in output.

Differential Characteristics: A sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round.

Differential Cryptanalysis Sample Difference Pairs of the S-BOX

                  ∆Y for
X     Y     ∆X = 1011  ∆X = 1000  ∆X = 0100
0000  1110  0010       1101       1100
0001  0100  0010       1110       1011
0010  1101  0111       0101       0110
0011  0001  0010       1011       1001
0100  0010  0101       0111       1100
0101  1111  1111       0110       1011
0110  1011  0010       1011       0110
0111  1000  1101       1111       1001
1000  0011  0010       1101       0110
1001  1010  0111       1110       0011
1010  0110  0010       0101       0110
1011  1100  0010       1011       1011
1100  0101  1101       0111       0110
1101  1001  0010       0110       0011
1110  0000  1111       1011       0110
1111  0111  0101       1111       1011

Table : Sample Difference Pairs of the S-box.

Differential Cryptanalysis Difference Distribution Table

Rows: Input Difference in Hexadecimal. Columns: Output Difference in Hexadecimal.

     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   16  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
1    0  0  0  2  0  0  0  2  0  2  4  0  4  2  0  0
2    0  0  0  2  0  6  2  2  0  2  0  0  0  0  2  0
3    0  0  2  0  2  0  0  0  0  4  2  0  2  0  0  4
4    0  0  0  2  0  0  6  0  0  2  0  4  2  0  0  0
5    0  4  0  0  0  2  2  0  0  0  4  0  2  0  0  2
6    0  0  0  4  0  4  0  0  0  0  0  0  2  2  2  2
7    0  0  2  2  2  0  2  0  0  2  2  0  0  0  0  4
8    0  0  0  0  0  0  2  2  0  0  0  4  0  4  2  2
9    0  2  0  0  2  0  0  4  2  0  2  2  2  0  0  0
A    0  2  2  0  0  0  0  0  6  0  0  2  0  0  4  0
B    0  0  8  0  0  2  0  2  0  0  0  0  0  2  0  2
C    0  2  0  0  2  2  2  0  0  0  0  2  0  6  0  0
D    0  4  0  0  0  0  0  4  2  0  2  0  2  0  2  0
E    0  0  2  4  2  0  0  0  6  0  0  0  0  0  2  0
F    0  2  0  0  6  0  0  0  0  4  0  2  0  0  2  0

Table : Difference Distribution Table for the S-box Represented by Table.

Differential Cryptanalysis Keyed S-BOX

Figure : Keyed S-box. [Inputs W1, ..., W4 are XORed with the key bits K1, ..., K4 to give X1, ..., X4, the inputs of the S-box; Y1, ..., Y4 are its outputs.]

Differential Cryptanalysis Sample Differential Cryptanalysis

∆P = [0000, 1011, 0000, 0000]

Figure : Sample Differential Characteristic. [The characteristic passes through the S-boxes of rounds 1 to 3 (S11, ..., S34) and ends in the differences ∆U_5^(4), ..., ∆U_8^(4), ∆U_13^(4), ..., ∆U_16^(4) at the round-4 S-boxes; the last-round sub-key bits shown are k_5^(5), ..., k_8^(5), k_13^(5), ..., k_16^(5).]


Differential Cryptanalysis Probability of the Differential Characteristics

Active S-Boxes:

S12 : ∆X = B → ∆Y = 2 with probability 8/16.
S23 : ∆X = 4 → ∆Y = 6 with probability 6/16.
S32 : ∆X = 2 → ∆Y = 5 with probability 6/16.
S33 : ∆X = 2 → ∆Y = 5 with probability 6/16.

Probability of the Differential Characteristics:

pD = product of the differential probabilities of the active S-Boxes = (8/16) × (6/16)^3 = 27/1024.
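The difference distribution table and the characteristic probability above can both be recomputed from the S-box itself. The Python below is an added example, not part of the original slides; the S-box values are read off the X/Y columns of the sample difference-pair table, and the function names are illustrative.

```python
from fractions import Fraction

# S-box read off the X/Y columns of the page's sample difference-pair table.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    size = len(sbox)
    ddt = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt

def best_differentials(ddt, top=3):
    """Highest-count (count, dx, dy) entries, ignoring the trivial dx = 0 row."""
    entries = [(c, dx, dy) for dx, row in enumerate(ddt) if dx for dy, c in enumerate(row)]
    return sorted(entries, reverse=True)[:top]

def characteristic_probability(ddt, active):
    """Multiply the per-S-box probabilities, treating the active S-boxes as independent."""
    p = Fraction(1)
    for dx, dy in active:
        if ddt[dx][dy] == 0:
            raise ValueError(f"impossible differential {dx:X} -> {dy:X}")
        p *= Fraction(ddt[dx][dy], len(ddt))
    return p

DDT = difference_distribution_table(SBOX)
# Active S-boxes of the page's characteristic: S12, S23, S32, S33.
ACTIVE = [(0xB, 0x2), (0x4, 0x6), (0x2, 0x5), (0x2, 0x5)]

if __name__ == "__main__":
    for label, row in zip("0123456789ABCDEF", DDT):
        print(label, " ".join(f"{c:2d}" for c in row))
    print("best:", best_differentials(DDT))
    print("p_D =", characteristic_probability(DDT, ACTIVE))
```

The largest non-trivial entry is what a designer tries to keep small when choosing a “stronger” S-box: the lower it is, the lower the probability any characteristic built from it can reach.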

Differential Cryptanalysis Extracting Key Bits : Algorithm

Generate about 1/pD many chosen plaintext/ciphertext pairs satisfying the input difference. Assume that we have 5000 such pairs.


Differential Cryptanalysis Extracting Key Bits : Algorithm (Cont.)

For each of the 256 possible values of K_5^(5), K_6^(5), K_7^(5), K_8^(5), K_13^(5), K_14^(5), K_15^(5), K_16^(5), we do the following:
- For each pair of plaintext/ciphertext pairs, exclusive-OR the partial ciphertext (C5, ..., C8, C13, ..., C16) with the guessed key value.
- Do an inverse substitution (S-Box^−1) to get U_6^(4), U_8^(4), U_14^(4), U_16^(4).
- Count the number of pairs of plaintext/ciphertext pairs that satisfy our differential characteristics and then find the prob = count/5000.

Select the one which has the maximum ‘prob’ as our target partial key.
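The procedure above, run end to end on a toy four-round SPN with a constructed random key, as an added example that is not part of the original slides. The bit permutation and the last-round layout are assumed from Heys's tutorial, which the slides cite; the function names and the check that the two inactive ciphertext nibbles agree are choices made for this example.

```python
import random
# S-box read off the X/Y columns of the page's difference-pair table.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV = [SBOX.index(y) for y in range(16)]

def permute(x):
    """Assumed wiring (Heys): output bit j of S-box i feeds input bit i of S-box j."""
    y = 0
    for i in range(16):                  # i = bit index, 0 is the most significant
        if (x >> (15 - i)) & 1:
            y |= 1 << (15 - ((i % 4) * 4 + i // 4))
    return y

def substitute(x):
    return sum(SBOX[(x >> s) & 0xF] << s for s in (12, 8, 4, 0))

def encrypt(p, k):
    """Four rounds with five 16-bit sub-keys; the last round has no permutation."""
    for r in range(3):
        p = permute(substitute(p ^ k[r]))
    return substitute(p ^ k[3]) ^ k[4]

DELTA_P = 0x0B00               # [0000, 1011, 0000, 0000]
DELTA_U4 = permute(0x0550)     # S32 and S33 both output difference 5

def count_matches(guess, pairs):
    """Peel the last round off nibbles 2 and 4 under one 8-bit guess; count matching pairs."""
    g2, g4, hits = guess >> 4, guess & 0xF, 0
    for c1, c2 in pairs:
        if (c1 ^ c2) & 0xF0F0:           # S41 and S43 are inactive in a right pair
            continue
        d2 = INV[(c1 >> 8 & 0xF) ^ g2] ^ INV[(c2 >> 8 & 0xF) ^ g2]
        d4 = INV[(c1 & 0xF) ^ g4] ^ INV[(c2 & 0xF) ^ g4]
        hits += (d2 << 8 | d4) == DELTA_U4
    return hits

def recover_subkey(pairs):
    """Try all 256 guesses; return (best guess, its empirical probability)."""
    counts = [count_matches(g, pairs) for g in range(256)]
    best = max(range(256), key=counts.__getitem__)
    return best, counts[best] / len(pairs)

def demo(seed=1, n=5000):
    rng = random.Random(seed)            # constructed key and plaintexts, repeatable
    k = [rng.randrange(1 << 16) for _ in range(5)]
    pairs = [(encrypt(p, k), encrypt(p ^ DELTA_P, k))
             for p in (rng.randrange(1 << 16) for _ in range(n))]
    true = (k[4] >> 8 & 0xF) << 4 | (k[4] & 0xF)
    return true, recover_subkey(pairs)
```

`demo()` returns the true eight sub-key bits next to the recovered guess and its empirical probability, which can be compared with pD = 27/1024.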


Differential Cryptanalysis Experimental Results (Partial)

Target sub-key [k_5^(5), ..., k_8^(5), k_13^(5), ..., k_16^(5)] in hexadecimal, with its empirical probability:

Sub-key  Probability    Sub-key  Probability
0x1C     0.0000         0x2A     0.0032
0x1D     0.0000         0x2B     0.0022
0x1E     0.0000         0x2C     0.0000
0x1F     0.0000         0x2D     0.0000
0x20     0.0000         0x2E     0.0000
0x21     0.0136         0x2F     0.0000
0x22     0.0068         0x30     0.0004
0x23     0.0068         0x31     0.0000
0x24     0.0244         0x32     0.0004
0x25     0.0000         0x33     0.0004
0x26     0.0068         0x34     0.0000
0x27     0.0068         0x35     0.0004
0x28     0.0030         0x36     0.0000
0x29     0.0024         0x37     0.0008

Table : Experimental Result (Partial) for Differential Attack.

Note that the experimental value of the probability, 0.0244, is very close to the expected value of 27/1024 = 0.0264.


Appendix References

1 A Tutorial on Linear and Differential Cryptanalysis by Howard M. Heys.
2 Wikipedia.
