DOCSLIB.ORG

25 Years of Linear Cryptanalysis -Early History and Path Search Algorithm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
25 Years of Linear Cryptanalysis -Early History and Path Search Algorithm 25 Years of Linear Cryptanalysis -Early History and Path Search Algorithm- Asiacrypt 2018, December 3 2018 Mitsuru Matsui © Mitsubishi Electric Corporation Back to 1990… 2 © Mitsubishi Electric Corporation FEAL (Fast data Encipherment ALgorithm) • Designed by Miyaguchi and Shimizu (NTT). • 64-bit block cipher family with the Feistel structure. • 4 rounds (1987) • 8 rounds (1988) • N rounds(1990) N=32 recommended • Key size is 64 bits (later extended to 128 bits). • Optimized for 8-bit microprocessors (no lookup tables). • First commercially successful cipher in Japan. • Inspired many new ideas, including linear cryptanalysis. 3 © Mitsubishi Electric Corporation FEAL-NX Algorithm [Miyaguchi 90] subkey 4 © Mitsubishi Electric Corporation The Round Function of FEAL 2-byte subkey Linear Relations 푌 2 = 푋1 0 ⊕ 푋2 0 푌 2 = 푋1 0 ⊕ 푋2 0 ⊕ 1 (푁표푡푎푡푖표푛: 푌 푖 = 푖-푡ℎ 푏푖푡 표푓 푌) 5 © Mitsubishi Electric Corporation Linear Relations of the Round Function Linear Relations 푂 16,26 ⊕ 퐼 24 = 퐾 24 K 푂 18 ⊕ 퐼 0,8,16,24 = 퐾 8,16 ⊕ 1 푂 10,16 ⊕ 퐼 0,8 = 퐾 8 S 0 푂 2,8 ⊕ 퐼 0 = 퐾 0 ⊕ 1 (푁표푡푎푡푖표푛: 퐴 푖, 푗, 푘 = 퐴 푖 ⊕ 퐴 푗 ⊕ 퐴 푘 ) S1 O I f S0 f 3-round linear relations with p=1 S1 f modified round function f at least 3 subkey (with whitening key) f bytes affect output6 6 © Mitsubishi Electric Corporation History of Cryptanalysis of FEAL • 4-round version – 100-10000 chosen plaintexts [Boer 88] – 20 chosen plaintexts [Murphy 90] – 8 chosen plaintexts [Biham, Shamir 91] differential – 200 known plaintexts [Tardy-Corfdir, Gilbert 91] – 5 known plaintexts [Matsui, Yamagishi 92] pre-linear • 8-round version – 10000 chosen plaintexts [Tardy-Corfdir, Gilbert 90] differential – 2000 chosen plaintexts [Biham, Shamir 91] differential – 215-228 known plaintexts [Matsui, Yamagishi 92] pre-linear – 224 known plaintexts [Biham 94] linear – 210-211 known plaintexts [Sakikoyama et al 2016] multiple linear 7 © Mitsubishi Electric Corporation A Better Relation and Pre-linear Attack 푂 10, 18, 26 ⊕ 퐼 16 = 퐾 16,24 ⊕ 1 [Tardy-Corfdir, Gilbert 91] K 푐푎푟푟푦 7 6 5 4 3 2 1 0 ← 퐴 ⊕ 퐾1 S0 +) 7 6 5 4 3 2 1 0 ← 퐵 ⊕ 퐾2 퐾2 푂[16] 퐵 푂[16] S1 O 12 subkey bits 퐾1 I 퐴 퐾1 0 , … , 퐾1 5 , 퐾2 0 , … , 퐾2[5] S 0 non-linearly affect 푂 16 . How to reduce S1 these “active” subkey bits ? Fourth (modified) round function 8 © Mitsubishi Electric Corporation A Better Relation and Pre-linear Attack 푂 10, 18, 26 ⊕ 퐼 16 = 퐾 16,24 ⊕ 1 [Tardy-Corfdir, Gilbert 91] 푐푎푟푟푦 7 6 5 4 3 2 1 0 ← 퐴 ⊕ 퐾1 +) 7 6 5 4 3 2 1 0 ← 퐵 ⊕ 퐾2 퐾2 푂[16] 퐵 푂[16] S1 Observation [Matsui, Yamagishi 92] 퐾1 퐴 Divide inputs into two groups 퐴 5 = 퐵[5] and 퐴 5 = ~퐵[5]. Then for one of the two groups, 퐴 6 ⊕ 퐴 5 ⊕ 퐵 6 ⊕ 푂[16] is const. This reveals 퐾1 5 = 퐾2[5] or 퐾1 5 = ~퐾2 5 . 9 © Mitsubishi Electric Corporation The Cut-off Method Later generalized as “Partitioning Cryptanalysis” [Harpes, Massey 97]. Divide plaintext-ciphertext pairs into two groups. – For one group, a relation always holds or fails (p=1 or 0). – For the other, the relation does not always hold (p≈1/2). – “Which is which” depends on key. A few pairs are enough to distinguish. – Also reducing the number of relevant text/key bits. – Better than (probabilistic) linear approximation. Successful for FEAL, but applying this method to DES is difficult… 10 © Mitsubishi Electric Corporation Moving to Linear Approximation 푥 Linear Approximation Probability 푝 푎, 푏 = 푥 푎 ⋅ 푥 = 푏 ⋅ 푦 /2푛 푎, 푏: linear characteristic or masking value 푆 0 ≤ 푝 푎, 푏 ≤ 1 푦 = 푆(푥) Linear Correlation 휆푝푆 푎, 푏 = 2푝 푎, 푏 − 1 휆푝 푎, 푏 is larger = more linear. 푎 ⋅ 푥 푆 0 ≤ |휆푝푆 푎, 푏 | ≤ 1 Differential Characteristic Probability 푛 훿푝푆 푎, 푏 = 푥 푆 푥 ⊕ 푆 푥 ⊕ 푎 = 푏 /2 푎, 푏: differential characteristic 푏 ⋅ 푦 0 ≤ 훿푝푆 푎, 푏 ≤ 1 11 © Mitsubishi Electric Corporation An Example: S5 of DES 푥 푋 3 = 푌[2] 휆푝푆5 8,4 = 0 no use 푋 1 = 푌[0] 휆푝푆5 2,1 = 1/8 makes sense 푆5 푋 4 = 푌[0,1,2,3] 휆푝푆5 16,15 = −5/8 very biased 푦 = 푆5(푥) 푎 ⋅ 푥 This relation was fully used for cryptanalyzing the full 16-round DES. Adi Shamir (and independently Matt Franklin) 푏 ⋅ 푦 had found this correlation already in 1985. 12 © Mitsubishi Electric Corporation “On the Security of DES” [Shamir Crypto 85] X[4]=0 X[4]=1 Y[0,1,2,3]=0 13 © Mitsubishi Electric Corporation Best Path Search Algorithm 푎0 • An algorithm deriving linear (resp. differential) path 푅1 푎0, 푎1, … , 푎푟 that maximize 푖=1…푟 |휆푝푅 푎푖−1, 푎푖 | (resp. 훿푝). 푎1 푖 • Expected to lead to the most efficient attack. 푅2 푎 2 • The best linear (resp. differential) path of the full DES was completely determined. 푎푟−1 • Still being used as a tool for evaluating block ciphers 푅푟 (e.g. “multiple linear cryptanalysis”). 푎푟 14 © Mitsubishi Electric Corporation The Algorithm: Sketch 푎0 • Induction on the number of rounds: – Computes 퐵 푟 (and the corresponding 푅1 푏푒푠푡 푎0, 푎1, … , 푎푟) assuming 퐵푏푒푠푡(푖) (푖=1, … , 푟-1) is known. 푎1 퐵푎0푎1…푎푡 푅2 • Needs an initial value 퐵푖푛푖푡(푟)(< 퐵푏푒푠푡 푟 ) – Works for any small value, but significantly 퐵 (푟) 푎 푖푛푖푡 2 affects performance. – Updated when a better path is found. – When finished, 퐵푖푛푖푡(푟) must be 퐵푏푒푠푡(푟). 푎푟−1 퐵푏푒푠푡(푟 − 푡) • Given 푎 , 푎 , … , 푎 , choose 푎 such that 푅푟 0 1 푡−1 푡 퐵푖푛푖푡 푟 < 퐵푎0푎1…푎푡 ∗ 퐵푏푒푠푡 푟 − 푡 holds. 푎푟 – If not holds, no hope of finding a better path. 퐵 (푟) = max 휆푝 (푎 , 푎 ) 퐵푎0푎1…푎푡 = 푖=1…푡 휆푝푅푖(푎푖−1, 푎푖) 푏푒푠푡 푖=1…푡 푅푖 푖−1 푖 푎0푎1…푎푟 15 © Mitsubishi Electric Corporation The Branch-and-Bound Method Path Search Algorithm Define Binit(n) for n=1,2,..,r Search1(); Search1() /* 1st round characteristic */ for each characteristic a1 choose a0 so as to maximize |λpR1(a0,a1)| Search2(2); Search2(i) /* i-th round characteristic i>1 */ for each characteristics ai [in an decreasing order of | λpRi(ai-1,ai)|] if(ai is not ‘connectable’ to ai-1) continue; if(Ba0,a1,..,ai * Bbest(r-i) < Binit(r)) return; /* no hope of this path */ if(i == r) /* reached bottom */ Binit(r) = Ba0,a1,..,ai; /* found a better path ! */ else Search2(i+1); /* go to next round */ 16 © Mitsubishi Electric Corporation Time Complexity • In practice, we need to design a double recursive algorithm to handle multiple active S-boxes in a single round. • Generally exponentially heavy. • Difficult to estimate computing time in advance. • Found the best linear path of DES in a few minutes (in 1993), which is equivalent to an exhaustive path search. • Speed depends on the quality of the initial value Binit. • Limiting the number of active S-boxes per round often improves performance significantly. – Step1: Limited search using arbitrary small initial values. – Step2: Full search using the output of Step1 as initial values. 17 © Mitsubishi Electric Corporation First Experiment of Breaking the Full DES • July to September, 1993 (50 days) • 12 computers (PA-RISC) • 243 known plaintext-ciphertext pairs (generated by M-sequence). • 26 key bits from 2 equations derived from best 14-round linear path. • Remaining 30 key bits were found by an exhaustive search. • The biggest threat was the “thunder attack”. One of the 12 computers (PA-RISC 99MHz) 18 © Mitsubishi Electric Corporation DES variants with permuted S-boxes • Best linear/differential path search for all (8!=40320) permutations. • For permuted DES variants, partial results were known [Matsui94] The only following paths were searched: – (differential) Biham-Shamir’s two-round iterative characteristics. – (linear) one active S-box per round (type I) or two-round iterative characteristics (type II). • Complete search for all permutation patterns [Unpublished] – (differential) confirmed that known best is actually best. – (linear) better paths newly found for some permutations. 19 © Mitsubishi Electric Corporation Biham-Shamir’s 2-round Iterative Characteristic Three adjacent active S-boxes in every other round 0 19600000 S1 Δ퐼 =03 Δ푂푆1=00 푆1 Δ푂 =0 Δ퐼 =19600000 1 1 S2 Δ퐼푆 =32 F Δ푂푆2=00 2 S3 Δ퐼 =2C Δ푂푆3=00 푆3 Δ푂 =0 Δ퐼 =0 2 F 2 0 19600000 For all permuted DES variants, this type of characteristic achieves best path (part of design criteria of DES). 20 © Mitsubishi Electric Corporation Distribution of Best 16-round Differential Char Probability of Permuted DES Variants 9000 8000 7680 6816 DES: -61.97 7000 6336 6000 5024 5000 4576 4000 2880 3000 2208 1920 Number of permutations of Number 2000 960 960 1000 784 0 0 0 160 16 0 -49 -50 -51 -52 -53 -54 -55 -56 -57 -58 -59 -60 -61 -62 -63 -64 -65 Best 16-round differential characteristic probability (log2) 21 © Mitsubishi Electric Corporation Distribution of Best 15-round Differential Char Probability of Permuted DES Variants 10000 9024 8640 9000 8256 8000 7680 7000 6000 5000 DES: -55.10 4000 2880 3000 Number of permutations of Number 2000 960 960 832 832 1000 0 0 0 0 256 0 -43 -44 -45 -46 -47 -48 -49 -50 -51 -52 -53 -54 -55 -56 -57 Best 15-round differential characteristic probability (log2) 22 © Mitsubishi Electric Corporation Distribution of Best 16-round Linear Correlation of Permuted DES Variants 12000 10841 10375 10000 DES: -22.42 8000 6000 5664 4320 4000 3024 2792 Number of permutations of Number 2000 1440 720 879 237 27 1 0 -20 -21 -22 -23 -24 -25 -26 -27 -28 -29 -30 -31 -32 Best 16-round linear correlation (log2) 23 © Mitsubishi Electric Corporation Distribution of Best 15-round Linear Correlation of Permuted DES Variants 30000 25000 23972 DES: -20.74 20000 15000 10000 5760 4902 Number of permutations of Number 5000 2277 720 0 1411 1048 190 40 0 -19 -20 -21 -22 -23 -24 -25 -26 -27 -28 -29 Best 15-round linear correlation (log2) 24 © Mitsubishi Electric Corporation Some Observations • Some interesting linear paths: Ex.1: Non iterative 16-round best path 7 – 7 8 7 – 7 8 7 – 7 32 7 – 7 5 2-28.68 (3 perms) Ex.2: 11-round best path with 3 active S-boxes in a round 1 5 – 5 1 456 1 5 – 5 1 2-18.98 (29 perms) • The permutation choice of the original DES is very weak.
Load more

Recommended publications
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms
    Copyright NTT and Mitsubishi Electric Corporation 2000 Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms † ‡ † Kazumaro Aoki Tetsuya Ichikawa Masayuki Kanda ‡ † ‡ ‡ Mitsuru Matsui Shiho Moriai Junko Nakajima Toshio Tokita † Nippon Telegraph and Telephone Corporation 1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847 Japan {maro,kanda,shiho}@isl.ntt.co.jp ‡ Mitsubishi Electric Corporation 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan {ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp September 26, 2000 Abstract. We present a new 128-bit block cipher called Camellia. Camellia sup- ports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia was carefully designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use of the next 10-20 years. There are no hidden weakness inserted by the designers. It was also designed to have suitability for both software and hardware implementations and to cover all possible encryption applications that range from low-cost smart cards to high-speed network systems. Compared to the AES finalists, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can en- crypt on a PentiumIII (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In ad- dition, a distinguishing feature is its small hardware design. The hardware design, which includes key schedule, encryption and decryption, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.
    [Show full text]
  • Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT
    Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Jorge Nakahara Jr1, Pouyan Sepehrdad1, Bingsheng Zhang2, Meiqin Wang3 1EPFL, Lausanne, Switzerland 2Cybernetica AS, Estonia and University of Tartu, Estonia 3Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China Estonian Theory Days, 2-4.10.2009 Outline Why cryptanalysis?! Outline Outline Contributions The PRESENT Block Cipher Revisited Algebraic Cryptanalysis of PRESENT Linear Cryptanalysis of PRESENT Linear Hulls of PRESENT Conclusions Acknowledgements Outline Outline Contributions we performed linear analysis of reduced-round PRESENT exploiting fixed-points (and other symmetries) of pLayer exploiting low Hamming Weight bitmasks using iterative linear relations first linear hull analysis of PRESENT: 1st and 2nd best trails known-plaintext and ciphertext-only attack settings revisited algebraic analysis of 5-round PRESENT in less than 3 min best attacks on up to 26-round PRESENT (out of 31 rounds) Outline Outline The PRESENT Block Cipher block cipher designed by Bogdanov et al. at CHES’07 aimed at RFID tags, sensor networks (hardware environments) SPN structure 64-bit block size, 80- or 128-bit key size, 31 rounds one full round: xor with round subkey, S-box layer, bit permutation (pLayer) key schedule: 61-bit left rotation, S-box application, and xor with counter Outline Outline The PRESENT Block Cipher Computational graph of one full round of PRESENT Outline Outline Previous attack complexities on reduced-round
    [Show full text]
  • Security Analysis of an Encryption Scheme Based on Nonpositional Polynomial Notations
    Open Eng. 2016; 6:250–258 Research Article Open Access Nursulu Kapalova* and Dilmukhanbet Dyusenbayev Security analysis of an encryption scheme based on nonpositional polynomial notations DOI 10.1515/eng-2016-0034 unique providing that bases are pairwise relatively prime. Received May 05, 2016; accepted Jun 28, 2016 As distinct from classical RNSs, irreducible polynomials over GF(2) that is binary polynomials serve as bases in Abstract: The aim of the research was to conduct a cryp- NPNs [1–6]. tographic analysis of an encryption scheme developed Based on NPNs, nonconventional algorithms for en- on the basis of nonpositional polynomial notations to cryption, digital signatures and cryptographic key ex- estimate the algorithm strength. Nonpositional polyno- change have been developed [3, 7–9]. This paper is con- mial notations (NPNs) are residue number systems (RNSs) cerned with an investigation of the strength of a noncon- based on irreducible polynomials over GF(2). To evalu- ventional encryption scheme against cryptanalysis. The ate if the algorithms developed on the basis of NPNs are core of the algorithm under study is as follows. secure, mathematical models of cryptanalysis involving algebraic, linear and differential methods have been de- 1. First of all, an NPN is formed with its working bases signed. The cryptanalysis is as follows. A system of non- consisting of chosen irreducible polynomials linear equations is obtained from a function transforming p x p x ... p x plaintext into ciphertext with a key. Next, a possibility of 1( ), 2( ), , S( ) (1) transition of the nonlinear system to a linear one is consid- over GF(2) of degrees m1, m2, ..
    [Show full text]
  • Miss in the Middle Attacks on IDEA and Khufu
    Miss in the Middle Attacks on IDEA and Khufu Eli Biham? Alex Biryukov?? Adi Shamir??? Abstract. In a recent paper we developed a new cryptanalytic techni- que based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1 Introduction In [5,17] a new cryptanalytic technique based on impossible differentials was proposed, and its application to Skipjack [28] and DEAL [17] was described. In this paper we apply this technique to the IDEA and Khufu cryptosystems. Our new attacks are much more efficient and cover more rounds than the best previously known attacks on these ciphers. The main idea behind these new attacks is a bit counter-intuitive. Unlike tra- ditional differential and linear cryptanalysis which predict and detect statistical events of highest possible probability, our new approach is to search for events that never happen. Such impossible events are then used to distinguish the ci- pher from a random permutation, or to perform key elimination (a candidate key is obviously wrong if it leads to an impossible event). The fact that impossible events can be useful in cryptanalysis is an old idea (for example, some of the attacks on Enigma were based on the observation that letters can not be encrypted to themselves).
    [Show full text]
  • Security Analysis of Lightweight Iot Cipher: Chaskey
    cryptography Article Security Analysis of Lightweight IoT Cipher: Chaskey Ashutosh Dhar Dwivedi Department of Applied Mathematics and Computer Science, Technical University of Denmark, 2800 Kongens Lyngby, Denmark; [email protected] or [email protected] Received: 3 July 2020; Accepted: 1 August 2020; Published: 5 August 2020 Abstract: This paper presents the differential cryptanalysis of ARX based cipher Chaskey using tree search based heuristic approach. ARX algorithms are suitable for resource-constrained devices such as IoT and very resistant to standard cryptanalysis such as linear or differential. To make a differential attack, it is important to make differential characteristics of the cipher. Finding differential characteristics in ARX is the most challenging task nowadays. Due to the bigger block size, it is infeasible to calculate lookup tables for non-linear components. Transition through the non-linear layer of cipher faces a huge state space problem. The problem of huge state space is a serious research topic in artificial intelligence (AI). The proposed heuristic tool use such methods inspired by Nested Tree-based sampling to find differential paths in ARX cipher and successfully applied to get a state of art results for differential cryptanalysis with a very fast and simpler framework. The algorithm can also be applied in different research areas in cryptanalysis where such huge state space is a problem. Keywords: heuristic techniques; differential attacks; Chaskey cipher; ARX lightweight ciphers; nested tree search; single player games 1. Introduction IoT has created new values by connecting network with various small devices, but security threat becomes more important issues in the recent reports of automobile hacking and illegal surveillance camera manipulation etc.
    [Show full text]
  • Design and Analysis of Lightweight Block Ciphers : a Focus on the Linear
    Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer Christof Beierle Doctoral Dissertation Faculty of Mathematics Ruhr-Universit¨atBochum December 2017 Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer vorgelegt von Christof Beierle Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum Dezember 2017 First reviewer: Prof. Dr. Gregor Leander Second reviewer: Prof. Dr. Alexander May Date of oral examination: February 9, 2018 Abstract Lots of cryptographic schemes are based on block ciphers. Formally, a block cipher can be defined as a family of permutations on a finite binary vector space. A majority of modern constructions is based on the alternation of a nonlinear and a linear operation. The scope of this work is to study the linear operation with regard to optimized efficiency and necessary security requirements. Our main topics are • the problem of efficiently implementing multiplication with fixed elements in finite fields of characteristic two. • a method for finding optimal alternatives for the ShiftRows operation in AES-like ciphers. • the tweakable block ciphers Skinny and Mantis. • the effect of the choice of the linear operation and the round constants with regard to the resistance against invariant attacks. • the derivation of a security argument for the block cipher Simon that does not rely on computer-aided methods. Zusammenfassung Viele kryptographische Verfahren basieren auf Blockchiffren. Formal kann eine Blockchiffre als eine Familie von Permutationen auf einem endlichen bin¨arenVek- torraum definiert werden. Eine Vielzahl moderner Konstruktionen basiert auf der wechselseitigen Anwendung von nicht-linearen und linearen Abbildungen.
    [Show full text]
  • 7.4.2 DES Algorithm DES Is a Feistel Cipher Which Processes Plaintext Blocks of N =64Bits, Producing 64-Bit Ciphertext Blocks (Figure 7.8)
    252 Ch. 7 Block Ciphers 7.4.2 DES algorithm DES is a Feistel cipher which processes plaintext blocks of n =64bits, producing 64-bit ciphertext blocks (Figure 7.8). The effective size of the secret key K is k =56bits; more precisely, the input key K is specified as a 64-bit key, 8 bits of which (bits 8, 16,... ,64) may be used as parity bits. The 256 keys implement (at most) 256 of the 264! possible bijec- tions on 64-bit blocks. A widely held belief is that the parity bits were introduced to reduce the effective key size from 64 to 56 bits, to intentionally reduce the cost of exhaustive key search by a factor of 256. K K P 56 plaintext 56 ciphertext C 64K 64 key −1 PCDESC DES P Figure 7.8: DES input-output. Full details of DES are given in Algorithm 7.82 and Figures 7.9 and 7.10. An overview follows. Encryption proceeds in 16 stages or rounds. From the input key K, sixteen 48-bit subkeys Ki are generated, one for each round. Within each round, 8 fixed, carefully selected 6-to-4 bit substitution mappings (S-boxes) Si, collectively denoted S, are used. The 64-bit plaintext is divided into 32-bit halves L0 and R0. Each round is functionally equivalent, taking 32-bit inputs Li−1 and Ri−1 from the previous round and producing 32-bit outputs Li and Ri for 1 ≤ i ≤ 16, as follows: Li = Ri−1; (7.4) Ri = Li−1 ⊕ f(Ri−1,Ki), where f(Ri−1,Ki)=P (S(E(Ri−1) ⊕ Ki))(7.5) Here E is a fixed expansion permutation mapping Ri−1 from 32 to 48 bits (all bits are used once; some are used twice).
    [Show full text]
  • Differential Cryptanalysis of the Data Encryption Standard
    Differential Cryptanalysis of the Data Encryption Standard Eli Biham1 Adi Shamir2 December 7, 2009 1Computer Science Department, Technion – Israel Institute of Technology, Haifa 32000, Israel. Email: [email protected], WWW: http://www.cs.technion.ac.il/˜biham/. 2Department of Applied Mathematics and Computer Science, The Weizmann Institute of Science, Rehovot 76100, Israel. Email: [email protected]. This versionofthebookisprocessedfromtheauthor’soriginalLaTeXfiles,andmaybe differentlypaginatedthantheprintedbookbySpringer(1993). Copyright:EliBihamandAdiShamir. Preface The security of iterated cryptosystems and hash functions has been an active research area for many years. The best known and most widely used function of this type is the Data Encryption Standard (DES). It was developed at IBM and adopted by the National Bureau of Standards in the mid 70’s, and has successfully withstood all the attacks published so far in the open literature. Since the introduction of DES, many other iterated cryptosystems were developed, but their design and analysis were based on ad-hoc heuristic arguments, with no theoretical justification. In this book, we develop a new type of cryptanalytic attack which can be successfully applied to many iterated cryptosystems and hash functions. It is primarily a chosen plaintext attack but under certain circumstances, it can also be applied as a known plaintext attack. We call it “differen- tial cryptanalysis”, since it analyzes the evolution of differences when two related plaintexts are encrypted under the same key. Differential cryptanalysis is the first published attack which is capable of breaking the full 16-round DES in less than 255 complexity. The data analysis phase computes the key by analyzing about 236 ciphertexts in 237 time.
    [Show full text]
  • Security Analysis of the GF-NLFSR Structure and Four-Cell Block Cipher
    Security Analysis of the GF-NLFSR Structure and Four-Cell Block Cipher Wenling Wu, Lei Zhang, Liting Zhang and Wentao Zhang State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, P.R.China Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include Feistel structure, SP structure, MISTY structure, L-M structure and Gener- alized Feistel structure. In [29], Choy et al. proposed a new structure called GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Regis- ter), and designed a new block cipher called Four-Cell which is based on the 4-cell GF-NLFSR. In this paper, we ¯rst study properties of the n- cell GF-NLFSR structure, and prove that for an n-cell GF-NLFSR, there exists an (n2 + n ¡ 2) rounds impossible di®erential. Then we present an impossible di®erential attack on the full 25-round Four-Cell using this kind of 18-round impossible di®erential distinguisher together with dif- ferential cryptanalysis technique. The data complexity of our attack is 2111:5 and the time complexity is less than 2123:5 encryptions. In addi- tion, we expect the attack to be more e±cient when the relations between di®erent round subkeys can be exploited by taking the key schedule al- gorithm into consideration. Key words: GF-NLFSR structure, Four-Cell block cipher, Impossible di®erential cryptanalysis, Data complexity, Time complexity. 1 Introduction The overall structure is one of the most important properties of block ciphers, and it plays important roles in the round number choice, software and hard- ware implementation performances and so on.
    [Show full text]
  • Linear Cryptanalysis Using Multiple Approximations and FEAL
    Linear Cryptanalysis Using Multiple Approximations and FEAL Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA [email protected] [email protected] Abstract. We describe the results of experiments on the use of multiple approximations in a linear cryptanalytic attack on FEAL; we pay partic- ular attention to FEAL-8. While these attacks on FEAL are interesting in their own right, many important and intriguing issues in the use of multiple approximations are brought to light. 1 Introduction At Crypto'94 Matsui [5] presented details on experiments with linear cryptanal- ysis which derived the key used for the encryption of data with DES [11]. Such attacks on DES, however, still require too much known plaintext to be consid- ered completely practical. The technique of simultaneously using multiple linear approximations, also presented at Crypto'94 [4], might be useful in reducing the amount of plaintext required for a successful linear cryptanalytic attack. While initial experimental evidence has demonstrated the theoretical poten- tial of using multiple approximations [4], it remains to be seen quite how powerful it might be in practice 1. In this paper we shall describe the results of experi- ments on the use of multiple approximations in a linear cryptanalytic attack on the cipher FEAL [14], in particular on the eight-round version denoted FEAL-8. In the following section we shall describe the essential features of the tech- nique of linear cryptanalysis together with a description of how multiple linear approximations might be used. We shall then consider the linear cryptanalysis of FEAL and provide the results of various experiments we performed.
    [Show full text]
  • Feal-Nx Specifications
    FEAL-NX SPECIFICATIONS 1 Introduction 1.1 Outline of the FEAL-NX cipher FEAL , the Fast Data Encipherment Algorithm, is a 64-bit block cipher algorithm that enciphers 64-bit plaintexts into 64-bit ciphertexts and vice versa. FEAL has three options: key length, round number and key parity. The key length selects either 64-bit key or 128-bit key, the round number (N) specifies the internal iteration number for data randomization, and the key parity option selects either the use or non-use of parity bits in a key block. One subset of FEAL, called FEAL-NX, is N round FEAL using a 128-bit key without key parity. 1.2 FEAL-NX options FEAL-NX options are defined below. (1) Round number (N) Determines the round number (N) for FEAL data randomization, where N ≥ 32 and even. 1.3 Definitions and explanations 1.3.1 Definitions (1) key-block: 128-bit. 1 (2) key: Key information used for enciphering/deciphering. (3) round number (N): the internal iteration number for FEAL data randomization. (4) extended key: 16-bit blocks, Ki, which are a randomized and extended form of the key, are output from FEAL key schedule, where i=0, 1, ..., (N+7). 1.3.2 Conventions and Notations (1) A, Ar,... : blocks (The lengths of blocks are defined in each section) (2) (A, B,...) : concatenation in this order (3) A ⊕ B: exclusive-or operation of A and B (4) φ : zero block, 32-bits long (5) = : Transfer from right side to left side (6) Bit position: 1, 2, 3,...
    [Show full text]
  • Differential and Linear Cryptanalysis of a Reduced-Round SC2000
    Di®erential and Linear Cryptanalysis of a Reduced-Round SC2000 Hitoshi Yanami,1 Takeshi Shimoyama,1 and Orr Dunkelman2 1FUJITSU LABORATORIES LTD. 1-1, Kamikodanaka 4-Chome, Nakahara-ku, Kawasaki, 211-8588, Japan fyanami, [email protected] 2COMPUTER SCIENCE DEPARTMENT, TECHNION. Haifa 32000, Israel [email protected] Abstract. We analyze the security of the SC2000 block cipher against both di®erential and linear attacks. SC2000 is a six-and-a-half-round block cipher, which has a unique structure that includes both the Feis- tel and Substitution-Permutation Network (SPN) structures. Taking the structure of SC2000 into account, we investigate one- and two-round iterative di®erential and linear characteristics. We present two-round it- erative di®erential characteristics with probability 2¡58 and two-round iterative linear characteristics with probability 2¡56. These characteris- tics, which we obtained through a search, allowed us to attack four-and- a-half-round SC2000 in the 128-bit user-key case. Our di®erential attack needs 2103 pairs of chosen plaintexts and 220 memory accesses and our linear attack needs 2115:17 known plaintexts and 242:32 memory accesses, or 2104:32 known plaintexts and 283:32 memory accesses. Keywords: symmetric block cipher, SC2000, di®erential attack, linear attack, characteristic, probability 1 Introduction Di®erential cryptanalysis was initially introduced by Murphy [10] in an attack on FEAL-4 and was later improved by Biham and Shamir [1, 2] to attack DES. Linear cryptanalysis was ¯rst proposed by Matsui and Yamagishi [6] in an at- tack on FEAL and was extended by Matsui [7] to attack DES.
    [Show full text]