Symmetric-Key Cryptography

Orr Dunkelman

Computer Science Department University of Haifa, Israel

August 15th, 2017

Orr Dunkelman Intro 1/ 4 La Cryptographie `aCl´eSym´etrique

Orr Dunkelman

Computer Science Department University of Haifa, Israel

August 15th, 2017

Orr Dunkelman Intro 2/ 4 DES

The Data Encryption Standard

Orr Dunkelman

Computer Science Department University of Haifa, Israel

August 15th, 2017

Orr Dunkelman DES 1/ 13 DES DH The Data Encryption Standard

◮ Designed by IBM at the mid 70’s. ◮ Feistel block cipher with 16 rounds. ◮ 64-bit block size, 56-bit key size. ◮ The round function accepts 32-bit input and 48-bit subkey.

Orr Dunkelman DES 2/ 13 DES DH Outline of DES

IP

K L F 1

K L F 2

K L F 3

K L F i

K L F 16

FP

Orr Dunkelman DES 3/ 13 DES DH IP and FP

IP FP (=IP−1) 58 50 42 34 26 18 10 2 40 8 48 16 56 24 64 32 60 52 44 36 28 20 12 4 39 7 47 15 55 23 63 31 62 54 46 38 30 22 14 6 38 6 46 14 54 22 62 30 64 56 48 40 32 24 16 8 37 5 45 13 53 21 61 29 57 49 41 33 25 17 9 1 36 4 44 12 52 20 60 28 59 51 43 35 27 19 11 3 35 3 43 11 51 19 59 27 61 53 45 37 29 21 13 5 34 2 42 10 50 18 58 26 63 55 47 39 31 23 15 7 33 1 41 9 49 17 57 25

Orr Dunkelman DES 4/ 13 DES DH DES’ F-function

S1 Li Ri S2 S3 S P 4 E S5 S 6 K S7 i S8

Li+1 Ri+1

Orr Dunkelman DES 5/ 13 DES DH DES’ F-function

S1 Li Ri S2 S3 S P 4 E S5 S 6 K S7 i S8

Expands 32 bits

Li+1 to 48 bits Ri+1

Orr Dunkelman DES 5/ 13 DES DH DES’ F-function

S1 Li Ri S2 S3 S P 4 E S5 S 6 K S7 i S8

Input: 6 bits Output: 4 bits Li+1 Ri+1

Orr Dunkelman DES 5/ 13 DES DH DES’ F-function

S1 Li Ri S2 S3 S P 4 E S5 S 6 K S7 i S8

Reordering

Li+1 Permutation Ri+1

Orr Dunkelman DES 5/ 13 DES DH DES’ F-function (cont.)

P E 16 7 20 21 321 2 3 4 5 29 12 28 17 456789 1 15 23 26 8 9 10 11 12 13 5 18 31 10 12 13 14 15 16 17 2 8 24 14 16 17 18 19 20 21 32 27 3 9 20 21 22 23 24 25 19 13 30 6 24 25 26 27 28 29 22 11 4 25 28 29 30 31 32 1

Orr Dunkelman DES 6/ 13 DES DH DES’ F-function (cont.)

S1 14 4 131 2 1511 8 3 10 6 12 5 9 0 7 0 15 7 414 2 13 1 10 6 1211 9 5 3 8 4 1 14813 6 2 111512 9 7 3 105 0 1512 8 2 4 9 1 7 5 11 3 1410 0 613

S2 15 1 8 14 6 11 3 4 9 7 2 13120 5 10 3 13 4 7 15 2 8 14120 1 10 6 911 5 0 14 7 1110 4 13 1 5 812 6 9 3 2 15 13 8 10 1 3 15 4 2 116 7 12 0 514 9

Orr Dunkelman DES 7/ 13 DES DH DES’ F-function (cont.)

S3 10 0 9 146 3 15 5 1 1312 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14121115 1 13 6 4 9 815 3 0 11 1 2 12 5 1014 7 1 1013 0 6 9 8 7 4 1514 3 11 5 2 12

S4 7 13143 0 6 9 10 1 28 5 1112 4 15 13 8 115 6 15 0 3 4 7212 1 1014 9 10 6 9 01211 7 13151314 5 2 8 4 3 15 0 610 1 13 8 9 451112 7 2 14

Orr Dunkelman DES 8/ 13 DES DH DES’ F-function (cont.)

S5 2 12 4 1 7 1011 6 8 5 3 1513014 9 1411 2 12 4 7 13 1 5 0 1510 3 9 8 6 4 2 1 111013 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 104 5 3

S6 12 1 10159 2 6 8 0 13 3 4 14 7 5 11 1015 4 2 712 9 5 6 1 1314 0 11 3 8 9 1415 5 2 8 12 3 7 0 4 10 1 1311 6 4 3 2 129 5 15101114 1 7 6 0 8 13

Orr Dunkelman DES 9/ 13 DES DH DES’ F-function (cont.)

S7 4 11 2 14150 8 13 3 129 7 5 106 1 13 0 11 7 4 9 1 1014 3 512 2 158 6 1 4 1113123 7 1410156 8 0 5 9 2 6 1113 8 1 410 7 9 5 01514 2 312

S8 13 2 8 4 6 1511 1 10 9 3 14 5 0 12 7 1 1513810 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 1214 2 0 6 101315 3 5 8 2 1 147 4 10 8 131512 9 0 3 5 6 11

Orr Dunkelman DES 10/ 13 DES DH DES’ F-function (cont.)

Beware! The S-boxes are given (as in the FIPS) in a very confusing manner. The MSB and the LSB of the input determine the row in the table, and the middle 4 bits determine the column. For example, this table shows where the entry corresponding to the input is:

Location of entries in the previous tables 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60 62 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63

Orr Dunkelman DES 11/ 13 DES DH DES’ Key Schedule Algorithm

◮ The key is divided into two registers C K and D (28-bit each). PC-1 ◮ Each round both registers are rotated

to the left (1 or 2 bits). ROL1 ROL1 ◮ 24 bits from C are chosen as the PC-2 ROL1 ROL1 subkey entering S1,S2,S3,S4. PC-2 ◮ D ROL2 ROL2 24 bits from are chosen as the PC-2 subkey entering S5,S6,S7,S8. ROL2 ROL2

Round 1 2 3 4 5 6 7 8 Rotation 1 1 2 2 2 2 2 2 Round 9 10 11 12 13 14 15 16 Rotation 1 2 2 2 2 2 2 1

Orr Dunkelman DES 12/ 13 DES DH Weak (and Semi-Weak) Keys of DES

◮ Weak keys: There are four keys in DES for which:

∀X : EK (EK (X )) = X

These are the subkeys for which C, D ∈{028, 128}

Orr Dunkelman DES 13/ 13 DES DH Weak (and Semi-Weak) Keys of DES

◮ Weak keys: There are four keys in DES for which:

∀X : EK (EK (X )) = X

These are the subkeys for which C, D ∈{028, 128} ◮ Semi-weak keys: There are six pairs of subkeys (K1, K2) (12 subkeys in total) for which:

∀X : EK1 (EK2 (X )) = X

These keys are found by solving the set of equations required for two keys to be semi-weak keys.

Orr Dunkelman DES 13/ 13 DES DH Semi-Weak Keys of DES

E001 E001 F101 F101 01E0 01E0 01F1 01F1 FE1F FE1F FE0E FE0E 1FFE 1FFE 0EFE 0EFE E01F E01F F10E F10E 1FE0 1FE0 0EF1 0EF1 01FE 01FE 01FE 01FE FE01 FE01 FE01 FE01 011F 011F 010E 010E 1F01 1F01 0E01 0E01 E0FE E0FE F1FE F1FE FEE0 FEE0 FEF1 FEF1

Note that these keys are given as the FIPS requires (64-bit, big endian, the least significant bit of each byte is chosen to make sure the parity of the byte is 1).

Orr Dunkelman DES 14/ 13 DES DH Diffie and Hellman’s DES Machine

◮ Shortly after the introduction of DES, Diffie and Hellman analyzed the 56-bit key length. ◮ They proposed a machine of 1,000,000 chips (in 64 racks), each tests a DES key in a microsecond. ◮ Connecting it all (and taking some overhead), their machine could find a DES key every half a day on average for 20,000,000$. ◮ If you run the machine for 5 years, the cost of finding a key is expected to be 5000$. For more information: W. Diffie, M. Hellman, Exhaustive cryptanalysis of the NBS Data Encryption Standard, Computer, Vol. 10, No. 6, pp. 74–84, June 1977.

Orr Dunkelman DES 15/ 13 Multiple Inside

Classical Meet in the Middle Attacks

Orr Dunkelman

Computer Science Department University of Haifa, Israel

August 15th, 2017

Orr Dunkelman Classical Meet in the Middle Attacks 1/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption

Consider Double-Encryption: P

E K1

E K2

C

Orr Dunkelman Classical Meet in the Middle Attacks 2/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption

Consider Double-Encryption: P ◮ In a MitM attack, try all K1 values,

and compute XK1 = EK1 (P). E K1 ◮ Store all (XK1 , K1) pairs in a table

indexed by XK1 . (XK1 , K1)

E K2

C

Orr Dunkelman Classical Meet in the Middle Attacks 2/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption

Consider Double-Encryption: P ◮ In a MitM attack, try all K1 values,

and compute XK1 = EK1 (P). E K1 ◮ Store all (XK1 , K1) pairs in a table

indexed by XK1 . (XK1 , K1) ◮ Then, for every K2, decrypt C, and DK2 (C) check whether DK2 (C) is in the table.

E K2

C

Orr Dunkelman Classical Meet in the Middle Attacks 2/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption

Consider Double-Encryption: P ◮ In a MitM attack, try all K1 values,

and compute XK1 = EK1 (P). E K1 ◮ Store all (XK1 , K1) pairs in a table

indexed by XK1 . (XK1 , K1) ◮ ? Then, for every K2, decrypt C, and = DK2 (C) check whether DK2 (C) is in the table. ◮ In case there is a match in the table, E K2 check the corresponding (K1, K2) pair, using a second plaintext/ciphertext C pair.

Orr Dunkelman Classical Meet in the Middle Attacks 2/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption (Analysis)

◮ We shall assume that the block size and the key size are always n bits. ◮ When this is the case, the complexities of the proposed MitM attack is 2n+1 single E calls (i.e., 2n double-E calls), and 2n memory blocks.

Orr Dunkelman Classical Meet in the Middle Attacks 3/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption (Analysis)

◮ We shall assume that the block size and the key size are always n bits. ◮ When this is the case, the complexities of the proposed MitM attack is 2n+1 single E calls (i.e., 2n double-E calls), and 2n memory blocks. ◮ There is a simple time-memory tradeoff: TM =22n with T ≥ 2n.

Orr Dunkelman Classical Meet in the Middle Attacks 3/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Double-Encryption (Analysis)

◮ We shall assume that the block size and the key size are always n bits. ◮ When this is the case, the complexities of the proposed MitM attack is 2n+1 single E calls (i.e., 2n double-E calls), and 2n memory blocks. ◮ There is a simple time-memory tradeoff: TM =22n with T ≥ 2n. ◮ The data complexity of the attack is 2 (= unicity distance).

Orr Dunkelman Classical Meet in the Middle Attacks 3/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Triple-Encryption

◮ The same attack works also against Triple-Encryption:

C = EK3 (DK2 (EK1 (P)))

◮ Just construct a table of 2n entries as before.

Orr Dunkelman Classical Meet in the Middle Attacks 4/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on Triple-Encryption

◮ The same attack works also against Triple-Encryption:

C = EK3 (DK2 (EK1 (P)))

◮ Just construct a table of 2n entries as before. ◮ The attack offers a simple time-memory tradeoff of TM =23n with T ≥ 22n. ◮ Data complexity: 3.

Orr Dunkelman Classical Meet in the Middle Attacks 4/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption: P

E K1

D K2

E K1

C

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption:

E K1

0

D K2

E K1

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption: PK1 ◮ For any K1 decrypt 0 to obtain the

corresponding plaintext PK1 = DK1 (0). E K1

0

D K2

E K1

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption: PK1 ◮ For any K1 decrypt 0 to obtain the

corresponding plaintext PK1 = DK1 (0). E K1 ◮ Ask for the encryption of PK1 , and 0

obtain CK1 . D K2

E K1

CK1

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption: PK1 ◮ For any K1 decrypt 0 to obtain the

corresponding plaintext PK1 = DK1 (0). E K1 ◮ Ask for the encryption of PK1 , and 0

obtain CK1 . K2 ◮ D Decrypt CK1 under K1 to obtain XK1 XK1 = DK1 (CK1 ). Store (XK1 , K1) in a

table. E K1

CK1

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption: PK1 ◮ For any K1 decrypt 0 to obtain the

corresponding plaintext PK1 = DK1 (0). E K1 ◮ Ask for the encryption of PK1 , and 0

obtain CK1 . K2 ◮ D Decrypt CK1 under K1 to obtain XK1 XK1 = DK1 (CK1 ). Store (XK1 , K1) in a

table. E K1

CK1

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Meet in the Middle Attack on 2-Key 3-Encryption [MH81]

Consider 2-Key 3-Encryption: PK1 ◮ For any K1 decrypt 0 to obtain the

corresponding plaintext PK1 = DK1 (0). E K1 ◮ Ask for the encryption of PK1 , and 0

obtain CK1 . K2 ◮ D Decrypt CK1 under K1 to obtain XK1 XK1 = DK1 (CK1 ). Store (XK1 , K1) in a

table. E K1 ◮ Try all K2 values, and compute DK2 (0)

looking for a match in the table. CK1

Orr Dunkelman Classical Meet in the Middle Attacks 5/ 15 Multiple Inside MitM 2K3Enc Analysis

◮ The attack exploits a chosen plaintext scenario. ◮ The data complexity is 2n chosen plaintexts (worst case). ◮ The time/memory complexities are 2n.

Orr Dunkelman Classical Meet in the Middle Attacks 6/ 15 Multiple Inside MitM 2K3Enc Analysis

◮ The attack exploits a chosen plaintext scenario. ◮ The data complexity is 2n chosen plaintexts (worst case). ◮ The time/memory complexities are 2n. ◮ The data complexity can be reduced in exchange for an increase in time complexity [vOW90].

Orr Dunkelman Classical Meet in the Middle Attacks 6/ 15 Multiple Inside MitM 2K3Enc Analysis

◮ The attack exploits a chosen plaintext scenario. ◮ The data complexity is 2n chosen plaintexts (worst case). ◮ The time/memory complexities are 2n. ◮ The data complexity can be reduced in exchange for an increase in time complexity [vOW90]. ◮ The splice and cut attacks are related to this attack.

Orr Dunkelman Classical Meet in the Middle Attacks 6/ 15 Multiple Inside MitM 2K3Enc Other Resources

There are several very interesting papers you may wish to consider: ◮ Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple Encryption, EUROCRYPT 1990: 318-325. ◮ Stefan Lucks, Attacking Triple Encryption, FSE 1998: 239-253.

Orr Dunkelman Classical Meet in the Middle Attacks 7/ 15 Multiple Inside Basics 3R C&E The Basics of Meet in the Middle (MitM) Attacks

◮ Consider a block cipher Ek (·) which can be written as Ek (·)= Hk (·) ◦ Gk (·)

PEk C

Orr Dunkelman Classical Meet in the Middle Attacks 8/ 15 Multiple Inside Basics 3R C&E The Basics of Meet in the Middle (MitM) Attacks

◮ Consider a block cipher Ek (·) which can be written as Ek (·)= Hk (·) ◦ Gk (·)

PGk Hk C

Orr Dunkelman Classical Meet in the Middle Attacks 8/ 15 Multiple Inside Basics 3R C&E The Basics of Meet in the Middle (MitM) Attacks

◮ Consider a block cipher Ek (·) which can be written as Ek (·)= Hk (·) ◦ Gk (·) − ◮ 1 Let C = Ek (P), and let Gk (P)= X = Hk (C)

X PGk Hk C

Orr Dunkelman Classical Meet in the Middle Attacks 8/ 15 Multiple Inside Basics 3R C&E The Basics of Meet in the Middle (MitM) Attacks

◮ Consider a block cipher Ek (·) which can be written as Ek (·)= Hk (·) ◦ Gk (·) − ◮ 1 Let C = Ek (P), and let Gk (P)= X = Hk (C) ◮ Assume that a subset of bits i of X can be written as ˜ Xi = Gk˜(P) ˜ Xi = Hk˜′ (C)

˜ Xi ˜ PGk˜Gk HkHk˜ C

Orr Dunkelman Classical Meet in the Middle Attacks 8/ 15 Multiple Inside Basics 3R C&E Performing a Meet in the Middle Attack

◮ Identify G˜ , H˜ , i, k˜, and k˜′

˜ ˜ Gk˜ Hk˜′

Orr Dunkelman Classical Meet in the Middle Attacks 9/ 15 Multiple Inside Basics 3R C&E Performing a Meet in the Middle Attack

◮ Identify G˜ , H˜ , i, k˜, and k˜′ ◮ Given a plaintext/ciphertext pair (P, C): ˜ ˜ 1 For each k, compute Xi = Gk˜(P)

˜ ˜ P Gk˜ Xi Hk˜′

Orr Dunkelman Classical Meet in the Middle Attacks 9/ 15 Multiple Inside Basics 3R C&E Performing a Meet in the Middle Attack

◮ Identify G˜ , H˜ , i, k˜, and k˜′ ◮ Given a plaintext/ciphertext pair (P, C): ˜ ˜ 1 For each k, compute Xi = Gk˜(P) ˜′ ′ ˜ 2 For each k , compute Xi = Hk˜′ (C)

˜ ′ ˜ P Gk˜ Xi Xi Hk˜′ C

Orr Dunkelman Classical Meet in the Middle Attacks 9/ 15 Multiple Inside Basics 3R C&E Performing a Meet in the Middle Attack

◮ Identify G˜ , H˜ , i, k˜, and k˜′ ◮ Given a plaintext/ciphertext pair (P, C): ˜ ˜ 1 For each k, compute Xi = Gk˜(P) ˜′ ′ ˜ 2 For each k , compute Xi = Hk˜′ (C) ′ ˜ ˜′ 3 Only if Xi = Xi further analyze k, k

˜ ? ′ ˜ P Gk˜ Xi = Xi Hk˜′ C

Orr Dunkelman Classical Meet in the Middle Attacks 9/ 15 Multiple Inside Basics 3R C&E Performing a Meet in the Middle Attack

◮ Identify G˜ , H˜ , i, k˜, and k˜′ ◮ Given a plaintext/ciphertext pair (P, C): ˜ ˜ 1 For each k, compute Xi = Gk˜(P) ˜′ ′ ˜ 2 For each k , compute Xi = Hk˜′ (C) ′ ˜ ˜′ 3 Only if Xi = Xi further analyze k, k ◮ “Further analyze” may be: analyze another plaintext/ciphertext pair, exhaustively search remaining key bits, etc.

˜ ? ′ ˜ P Gk˜ Xi = Xi Hk˜′ C

Orr Dunkelman Classical Meet in the Middle Attacks 9/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

Plaintext ◮ Consider the first three rounds of DES. F ⊕ ◮ If the attacker knows the output from S2 in rounds 1 and 3 he can compute ⊕ F the MitM condition on 4 bits. F ⊕

Ciphertext

Orr Dunkelman Classical Meet in the Middle Attacks 10/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

◮ Consider the first three rounds of DES. Plaintext ◮ If the attacker knows the output from S2 S2 in rounds 1 and 3 he can compute F ⊕ the MitM condition on 4 bits. ⊕ F ◮ The attacker guesses the subkeys of S2 F ⊕ R1/S2, R3/S2.

Ciphertext

Orr Dunkelman Classical Meet in the Middle Attacks 10/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 1: Identify R1/S2, R3/S2 as a “good combination”.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

210 possibilities, 4-bit filter ⇒ 26 remaining possibilities.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 2: Mark known bits.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 3: Guess 9 more bits 26 · 29 =215, get 4 more bits (211 options remain).

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12,16, 23, 27 4 3, 8, 14, 17,21, 28 1, 4, 9, 15, 18, 22 3, 6,11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 4: Mark more known bits.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12,16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 5: Guess 5 more bits (211 · 25 · 2−4 =212).

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12,16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 6: Mark more known bits.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 7: Complete 3 more bits (212 · 23 · 2−4 =211).

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 8: Register C is reduced to 211 values.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19 , 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 8: Register C is reduced to 212 values.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 9: Do the same for register D.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Step 10: Try all 212 · 212 =224 possible subkeys.

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E Meet-in-the-Middle Attack on 3-Round DES

S-box Round 1 Round 2 Round 3 1 2, 6, 12, 15, 18, 25 3, 7, 13, 16, 19, 26 5, 9, 15, 18, 21, 28 2 1, 4, 7, 11, 16, 22 2, 5, 8, 12, 17, 23 4, 7, 10, 14, 19, 25 3 5, 9, 13, 20, 24, 27 6, 10, 14, 21, 25, 28 2, 8, 12, 16, 23, 27 4 3, 8, 14, 17, 21, 28 1, 4, 9, 15, 18, 22 3, 6, 11, 17, 20, 24 5 32, 38, 42, 48, 53, 56 29, 33, 39, 43, 49, 54 31, 35, 41, 45, 51, 56 6 31, 34, 41, 46, 49, 52 32, 35, 42, 47, 50, 53 34, 37, 44, 49, 52, 55 7 29, 35, 40 ,45, 50, 54 30, 36, 41, 46, 51, 55 29, 32, 38, 43, 48, 53 8 30, 33, 37, 43, 47, 51 31, 34, 38, 44, 48, 52 33, 36, 40, 46, 50, 54

Exercise: How to find the key in less than 220 operations?

Orr Dunkelman Classical Meet in the Middle Attacks 11/ 15 Multiple Inside Basics 3R C& E What Happens with Two Plaintexts?

◮ If two plaintexts are given, one can repeat the analysis of C (and D) twice, where only the values suggested both time are expected to remain. ◮ On average the wrong value of C remains with probability 2−4. ◮ This is sufficient for identifying the correct value (almost uniquely).

Orr Dunkelman Classical Meet in the Middle Attacks 12/ 15 Multiple Inside Basics 3R C& E Chaum & Evertse’s Attack on DES [CE85]

◮ Chaum & Evertse analyzed DES for MitM attacks. ◮ Their analysis found bits which are independent of key bits for as many rounds as possible. ◮ The analysis for every number of rounds r: ◮ For every 1 ≤ i < r, find after i rounds for each intermediate bit j, find the set of key bits it depends on (from the top) — di,j . ◮ ′ Do the same from the same (from the bottom) — dr−i,j . ◮ ′ For all i, j, check whether di,j ∪ dr−i,j 6= {1,..., 56}.

Orr Dunkelman Classical Meet in the Middle Attacks 13/ 15 Multiple Inside Basics 3R C& E Chaum & Evertse’s Attack on 4-Round DES

◮ Consider the first four rounds of DES. ◮ If the attacker knows the output from S3 in rounds 1 and 3, he can compute the MitM condition on 4 bits. Plaintext F ⊕ ⊕ F F ⊕ ⊕ F

Ciphertext

Orr Dunkelman Classical Meet in the Middle Attacks 14/ 15 Multiple Inside Basics 3R C& E Chaum & Evertse’s Attack on 4-Round DES

◮ Consider the first four rounds of DES. ◮ If the attacker knows the output from S3 in rounds 1 and 3, he can compute the MitM condition on 4 bits. Plaintext ◮ S3 The attacker guesses the subkeys of F ⊕ R1/S3 and R3/S3. ⊕ F S3 F ⊕ ⊕ F

Ciphertext

Orr Dunkelman Classical Meet in the Middle Attacks 14/ 15 Multiple Inside Basics 3R C& E Chaum & Evertse’s Attack on 4-Round DES

◮ Consider the first four rounds of DES. ◮ If the attacker knows the output from S3 in rounds 1 and 3, he can compute the MitM condition on 4 bits. Plaintext F ⊕

◮ One small problem ⊕ F though. . . F ⊕ ⊕ F

Ciphertext

Orr Dunkelman Classical Meet in the Middle Attacks 14/ 15 Multiple Inside Basics 3R C& E Chaum & Evertse’s Attack on 4-Round DES

◮ Consider the first four rounds of DES. ◮ If the attacker knows the output from S3 in rounds 1 and 3, he can compute the MitM condition on 4 bits. Plaintext F ⊕

◮ One small problem ⊕ F though. . . Guessing the key which F ⊕ enters R3/S3 is insufficient, as the actual input itself is unknown. ⊕ F

Ciphertext

Orr Dunkelman Classical Meet in the Middle Attacks 14/ 15 Multiple Inside Basics 3R C& E Chaum & Evertse’s Attack on 4-Round DES

◮ Consider the first four rounds of DES. ◮ If the attacker knows the output from S3 in rounds 1 and 3, he can compute the MitM condition on 4 bits. Plaintext S3 F ⊕

◮ One small problem ⊕ F S3 though. . . Guessing the key which F ⊕ enters R3/S3 is insufficient, as the actual input itself is unknown. ⊕ F S1, S2, S4, S6, S7, S8 ◮ The attacker has to guess the subkeys of R4/S1, R4/S2, R4/S4, R4/S6, Ciphertext R4/S7, and R4/S8.

Orr Dunkelman Classical Meet in the Middle Attacks 14/ 15 Multiple Inside Basics 3R C& E Summary of Chaum & Evertse Results

Rounds MitM # of bits Complexity 4 2 4(+4) 237 52 4 247 6 3 4(+4) 254 7 4 — 256 75 8 255 (2–8)

Orr Dunkelman Classical Meet in the Middle Attacks 15/ 15 DiffCrypt

Differential Cryptanalysis

Orr Dunkelman

Computer Science Department University of Haifa, Israel

August 15th, 2017

Orr Dunkelman Differential Cryptanalysis 1/ 47 DiffCrypt Intro Plain Char Diff Differential Cryptanalysis [BS91]

◮ The first method which reduced the complexity of attacking DES below (half of) exhaustive search.

Orr Dunkelman Differential Cryptanalysis 2/ 47 DiffCrypt Intro Plain Char Diff Differential Cryptanalysis [BS91]

◮ The first method which reduced the complexity of attacking DES below (half of) exhaustive search. ◮ Note In all the following discussion we ignore the existence of the initial and the final permutations, since they do not affect the analysis.

Orr Dunkelman Differential Cryptanalysis 2/ 47 DiffCrypt Intro Plain Char Diff Differential Cryptanalysis [BS91]

◮ The first method which reduced the complexity of attacking DES below (half of) exhaustive search. ◮ Note In all the following discussion we ignore the existence of the initial and the final permutations, since they do not affect the analysis. Motivation ◮ All the operations except for the S boxes are linear. ◮ Mixing the key in all the rounds prohibits the attacker from knowing which entries of the S boxes are actually used, and thus he cannot know their output.

Orr Dunkelman Differential Cryptanalysis 2/ 47 DiffCrypt Intro Plain Char Diff Basic Idea

◮ How can we inhibit the key from hiding the information?

Orr Dunkelman Differential Cryptanalysis 3/ 47 DiffCrypt Intro Plain Char Diff Basic Idea

◮ How can we inhibit the key from hiding the information? ◮ Study the differences between two encryptions of two different plaintexts: P and P∗. ◮ Notation: For any value X during the encryption of P, and the corresponding value X ∗ during encryption of P∗, denote the difference by X ′ = X ⊕ X ∗.

Orr Dunkelman Differential Cryptanalysis 3/ 47 DiffCrypt Intro Plain Char Diff Advantages

◮ It is easy to predict the output difference of linear operations given the input difference: ◮ Unary operations (E, P, IP): (P(X ))′ = P(X ) ⊕ P(X ∗)= P(X ′)

◮ Binary operations (XOR): (X ⊕ Y )′ = (X ⊕ Y ) ⊕ (X ∗ ⊕ Y ∗)= X ′ ⊕ Y ′

◮ Mixing the key: (X ⊕ K)′ = (X ⊕ K) ⊕ (X ∗ ⊕ K)= X ′ ◮ We conclude that the differences are linear in linear operations, and in particular, the result is key independent.

Orr Dunkelman Differential Cryptanalysis 4/ 47 DiffCrypt Intro Plain Char Diff Differences and the S Boxes

◮ Assume we have two inputs X and X ∗ for the same S box, and that we know only their difference X ′. ◮ Denote Y = S(X ). ◮ What do we know about Y ′?

Orr Dunkelman Differential Cryptanalysis 5/ 47 DiffCrypt Intro Plain Char Diff Differences and the S Boxes

◮ Assume we have two inputs X and X ∗ for the same S box, and that we know only their difference X ′. ◮ Denote Y = S(X ). ◮ What do we know about Y ′? ◮ When X ′ = 0 (simple case): S(X )= S(X ∗) for any X , and thus Y ′ = 0. ◮ When X ′ 6= 0: we do not know the output difference. Definition Lets look on the distribution of the pairs (X ′, Y ′) of all the possible inputs X . We call the table containing this information difference distribution table of the S box.

Orr Dunkelman Differential Cryptanalysis 5/ 47 DiffCrypt Intro Plain Char Diff The Difference Distribution Table of S1

Input Output XOR

XOR 0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx 0x 64000000000000 000 1x 0 0 0 6 0 2 4 4 01012 410 6 2 4 2x 00080444068 612 642 3x 144221064264 4 0 2 2 20 4x 000601010604 6 4 2 8 6 2 5x 48622442044 012 246 6x 04248262844 24 2012 7x 241040484248 22 244 8x 000120884062 88 224 9x 10 2 4 0 2 4 6 0 2 2 8 010 0 212 Ax 08622860646 04 0210 Bx 24010224026. 2 6 6 4 212 . . 30x 046012622824 46 224 31x 48210222260 0 2 2 410 8 32x 4264422466482280 33x 446210842402 24 624 34x 0 8 16 62001260 0 0 0 806 35x 22408000144 6 8 0 214 0 36x 26228022426 86 4100 37x 221242441044 2 6 0 2 2 4 38x 0622202246 4 4 4 61010 39x 622412648402 42 440 3Ax 6464680622622640 3Bx 2640024646864462 3Cx 010 4 012 0 4 2 6 0 412 4 4 2 0 3Dx 08622608440 401244 3Ex 482224414420 20 844 3Fx 4842402442488622

Orr Dunkelman Differential Cryptanalysis 6/ 47 DiffCrypt Intro Plain Char Diff Basic Observations

◮ In the first row X ′ = 0 and thus all the 64 pairs satisfy Y ′ = 0. Y ′ =6 0 is impossible. ◮ In the remaining rows: The average value is 4, the sum in each line is 64. The values are all even in the range 0–16. ◮ The entries with value 16 mean that for a quarter of the pairs with this input difference X ′, the output difference is the particular Y ′. ◮ The entries with value 0 mean that there are no pairs with the corresponding input difference X ′ and the corresponding output difference Y ′.

Orr Dunkelman Differential Cryptanalysis 7/ 47 DiffCrypt Intro Plain Char Diff Differences and the S Boxes

◮ Definition: If the entry of the input difference X ′ and the output difference Y ′ is greater than zero, we say that X ′ may cause Y ′ by the S box, and denote X ′ → Y ′. ◮ Definition: The probability of X ′ → Y ′ is the probability that for a pair with the input difference X ′, the output difference is Y ′, among all the possible pairs. ◮ In DES, the probability is the corresponding value in the difference distribution table divided by 64. ◮ Similarly we define X ′ → Y ′ by the F -function, and define the probability as the product of the probabilities by the eight S boxes.

Orr Dunkelman Differential Cryptanalysis 8/ 47 DiffCrypt Intro Plain Char Diff The Essence of (Plain) Differential Cryptanalysis

◮ Given an input and output differences of an S box, it is possible to list all the pairs with these differences. ◮ For the entry 09x → 1x the 2 pairs are: 1 33x , 3Ax 2 3Ax , 33x ◮ For the entry 01x → Fx the 4 pairs are: 1 1Ex , 1Fx 2 1Fx , 1Ex 3 2Ax , 2Bx 4 2Bx , 2Ax ◮ The lists of pairs of all the differences can easily be computed in advance.

Orr Dunkelman Differential Cryptanalysis 9/ 47 DiffCrypt Intro Plain Char Diff An Example of a Simple Attack

◮ Assume a 3-round DES, in which for some pair of plaintexts ′ P =01960018 00000000x , and ′ T =41 96 40 1A 48 00 00 00x . ◮ We also assume that T =00000000 08000000x and ∗ T =41 96 40 1A 40 00 00 00x . ◮ (We use the notation T for the ciphertexts, as we use C for the third round intermediate values.)

Orr Dunkelman Differential Cryptanalysis 10/ 47 DiffCrypt Intro Plain Char Diff An Example of a Simple Attack

′ P =01960018 00000000x

A′ a′ =00 00 00 00x F =00 00 00 00x

B′ b′ =48 00 00 00x F =01 96 00 18x = P(02 00 00 08x )

C ′ c′ =40 00 40 02x F =48 00 00 00x = P(13 00 00 00x )

T ′ =41 96 40 1A 48 00 00 00x

Orr Dunkelman Differential Cryptanalysis 11/ 47 DiffCrypt Intro Plain Char Diff An Example of a Simple Attack (cont.)

◮ In the third round’s S1: ◮ Input difference: 09x , ◮ Output difference: 1x ◮ Check the difference distribution table. ◮ Obtain only two possible pairs for this combination ((33x , 3Ax ) and (3Ax , 33x )).

Orr Dunkelman Differential Cryptanalysis 12/ 47 DiffCrypt Intro Plain Char Diff An Example of a Simple Attack (cont.)

Thus, we get the following equations:

S1E ⊕ S1K = 33x or 3Ax ∗ S1E ⊕ S1K = 3Ax or 33x . From the known ciphertexts we know that S1E = 01x ∗ S1E = 08x .

Therefore, we can find two possible values for S1K S1K = 32x or 3Bx .

(Notice that the difference between these two values is always the input difference, 09x in this case.)

Orr Dunkelman Differential Cryptanalysis 13/ 47 DiffCrypt Intro Plain Char Diff Characteristics

◮ We can “trade” the knowledge about the value by discussing statistical information about the differences. 14 Example A two-round characteristic with probability 64 (In 14 S1, 0Cx → Ex with probability 64 ):

ΩP =00808200 6000 0000x

A′ =00 80 82 00 a′ =60 00 00 00 p = 14 x F x 64 = P(E0 00 00 00x )

B′ b′ p =0 F =0 =1

ΩT =60000000 00000000x

Orr Dunkelman Differential Cryptanalysis 14/ 47 DiffCrypt Intro Plain Char Diff Characteristics (cont.)

Definition An n-round characteristic is a tuple Ω=(ΩP , ΩΛ, ΩT ) where ΩP and ΩT are m-bit numbers and ΩΛ is a list of n elements ΩΛ = (Λ1, Λ2,..., Λn), each is a pair i i i i of the form Λi =(λI ,λO ) where λI and λO are m/2 bit numbers and m is the block size of the cryptosystem. A characteristic satisfies the following requirements:

1 λI = the right half of ΩP 2 1 λI = the left half of ΩP ⊕ λO n λI = the right half of ΩT n−1 n λI = the left half of ΩT ⊕ λO and for every i such that 2 ≤ i ≤ n − 1: i i−1 i+1 λO = λI ⊕ λI .

Orr Dunkelman Differential Cryptanalysis 15/ 47 DiffCrypt Intro Plain Char Diff Characteristics (cont.)

◮ Characteristics can be concatenated if 1 2 swap(ΩT ) = ΩP . The resultant characteristic is

1 1 2 2 Ω=(ΩP , ΩΛ||ΩΛ, ΩT ).

◮ For ciphers which are not Feistels, the concatenation is 1 2 possible if L(ΩT ) = ΩP for L being the non-keyed linear transformation of transition between rounds.

Orr Dunkelman Differential Cryptanalysis 16/ 47 DiffCrypt Intro Plain Char Diff A Right Pair

◮ Definition: A right pair with respect to a characteristic ∗ ′ Ω and a key K is a pair P, P , which satisfies P = ΩP , and all whose differences in the rounds 1,..., n are as predicted by the characteristic.

Orr Dunkelman Differential Cryptanalysis 17/ 47 DiffCrypt Intro Plain Char Diff Probability of a Characteristic

◮ Definition: The probability of a characteristic is the probability that a random pair P, P∗ which satisfies ′ P = ΩP is a right pair with respect to a random independent key.

Orr Dunkelman Differential Cryptanalysis 18/ 47 DiffCrypt Intro Plain Char Diff Probability of a Characteristic

◮ Definition: The probability of a characteristic is the probability that a random pair P, P∗ which satisfies ′ P = ΩP is a right pair with respect to a random independent key. ◮ The probability of a characteristic is the product of all the probabilities of the S boxes in the characteristic. ◮ There is an underlying assumption that all the transitions are independent. ◮ A lot of research focused on this issue. Usually, it is OK to assume that.

Orr Dunkelman Differential Cryptanalysis 18/ 47 DiffCrypt Intro Plain Char Diff Probability of a Characteristic

◮ Definition: The probability of a characteristic is the probability that a random pair P, P∗ which satisfies ′ P = ΩP is a right pair with respect to a random independent key. ◮ The probability of a characteristic is the product of all the probabilities of the S boxes in the characteristic. ◮ There is an underlying assumption that all the transitions are independent. ◮ A lot of research focused on this issue. Usually, it is OK to assume that. Usually.

Orr Dunkelman Differential Cryptanalysis 18/ 47 DiffCrypt Intro Plain Char Diff Probability of a Characteristic

◮ Definition: The probability of a characteristic is the probability that a random pair P, P∗ which satisfies ′ P = ΩP is a right pair with respect to a random independent key. ◮ The probability of a characteristic is the product of all the probabilities of the S boxes in the characteristic. ◮ There is an underlying assumption that all the transitions are independent. ◮ A lot of research focused on this issue. Usually, it is OK to assume that. Usually. Usually.

Orr Dunkelman Differential Cryptanalysis 18/ 47 DiffCrypt Intro Plain Char Diff Probability of a Characteristic

◮ Definition: The probability of a characteristic is the probability that a random pair P, P∗ which satisfies ′ P = ΩP is a right pair with respect to a random independent key. ◮ The probability of a characteristic is the product of all the probabilities of the S boxes in the characteristic. ◮ There is an underlying assumption that all the transitions are independent. ◮ A lot of research focused on this issue. Usually, it is OK to assume that. Usually. Usually. Usually.

Orr Dunkelman Differential Cryptanalysis 18/ 47 DiffCrypt Intro Plain Char Diff Subtle Probability Theory Issues

◮ The differential transitions are taken over all possible inputs. ◮ The question is what are the “possible inputs”.

Orr Dunkelman Differential Cryptanalysis 19/ 47 DiffCrypt Intro Plain Char Diff Subtle Probability Theory Issues

◮ The differential transitions are taken over all possible inputs. ◮ The question is what are the “possible inputs”. ◮ Most notably, we discuss the probability taken over all pairs and all keys. ◮ In real-life, the key is fixed. ◮ Hence, we need to assume that the probability for a given key is roughly the same as for all keys.

Orr Dunkelman Differential Cryptanalysis 19/ 47 DiffCrypt Intro Plain Char Diff Subtle Probability Theory Issues

◮ The differential transitions are taken over all possible inputs. ◮ The question is what are the “possible inputs”. ◮ Most notably, we discuss the probability taken over all pairs and all keys. ◮ In real-life, the key is fixed. ◮ Hence, we need to assume that the probability for a given key is roughly the same as for all keys. ◮ It is not. Usually (and also in the case of DES) it is mostly independent of the key.

Orr Dunkelman Differential Cryptanalysis 19/ 47 DiffCrypt Intro Plain Char Diff Examples of One-Round Characteristics

The following One-Round characteristic is obtained by picking the best entries in the difference distribution tables. The result is probability 1 characteristic (for any L′):

′ ΩP =(L , 0x )

A′ a′ p =0x F =0x =1

′ ΩT =(L , 0x )

Orr Dunkelman Differential Cryptanalysis 20/ 47 DiffCrypt Intro Plain Char Diff Examples of One-Round Characteristics

The second best one-round characteristic has probability 1/4, using only one active S box (S2):

′ ΩP =(L , 04 00 00 00x )

A′ =40 08 00 00 a′ =04 00 00 00 p = 16 = 1 x F x 64 4 = P(0A 00 00 00x )

′ ΩT =(L ⊕ 40 08 00 00x , 04 00 00 00x )

There is a similar characteristic using S6.

Orr Dunkelman Differential Cryptanalysis 21/ 47 DiffCrypt Intro Plain Char Diff A Three-Round Characteristic (with Prob. 1/16)

1 ΩP =40080000 0400 0000x

A′ =40 08 00 00 a′ =04 00 00 00 p = 1 x F x 4

B′ b′ p =0x F =0x =1

C ′ =40 08 00 00 c′ =04 00 00 00 p = 1 x F x 4

1 ΩT =40080000 04000000x

Orr Dunkelman Differential Cryptanalysis 22/ 47 DiffCrypt Intro Plain Char Diff A 5-Round Characteristic (with Prob. ≈ 1/10, 000)

ΩP =40 5C 00 00 04 00 00 00x

′ ′ 1 A =40 08 00 00x a =04 00 00 00x p = F 4 = P(0A 00 00 00x )

B′ =04 00 00 00 b′ =00 54 00 00 p = 10·16 x F x 64·64 = P(00 10 00 00x )

C ′ c′ p =0 F =0 =1

D′ =04 00 00 00 d ′ =00 54 00 00 p = 10·16 x F x 64·64

E ′ =40 08 00 00 e′ =04 00 00 00 p = 1 x F x 4

ΩT = ΩP =40 5C 00 00 04 00 00 00x

Orr Dunkelman Differential Cryptanalysis 23/ 47 DiffCrypt Intro Plain Char Diff Probabilities Versus Number of Rounds

Number of rounds Probability 1 1 2 1/4 3 1/16 4 ≈ 1/800 5 ≈ 1/10000 6 ≈ 1/1000000

◮ More rounds ⇒ Lower probability. ◮ Extrapolating the table, after 9–10 rounds, the probabilities are smaller than 2−56 or 2−64.

Orr Dunkelman Differential Cryptanalysis 24/ 47 DiffCrypt Intro Plain Char Diff Iterative Characteristics

◮ Characteristics which can be concatenated to themselves are called iterative characteristics. ◮ The best iterative characteristic of DES is:

ΩP =(ψ, 0)=19 60 00 00 00 00 00 00x

A′ =0 a′ =0 p=1 F

′ ′ 14·8·10 B =0 b = ψ = p = 643 F 1 19 60 00 00x ≈ 234

ΩT = (0, ψ)=00000000 19600000x

where ψ =19 60 00 00x . ◮ † There is another value ψ =1B 60 00 00x for which the iterative characteristic has the same probability.

Orr Dunkelman Differential Cryptanalysis 25/ 47 DiffCrypt Intro Plain Char Diff Iterative Characteristics (cont.)

◮ These two characteristics are the best when iterated to seven or more rounds. ◮ We note that to have a zero output difference (for a non-zero input difference), there should be at least three active S boxes.

Orr Dunkelman Differential Cryptanalysis 26/ 47 DiffCrypt Intro Plain Char Diff Iterative Characteristics (cont.)

◮ These two characteristics are the best when iterated to seven or more rounds. ◮ We note that to have a zero output difference (for a non-zero input difference), there should be at least three active S boxes. ◮ Definition: An S box is called active if its input difference is non-zero.

Orr Dunkelman Differential Cryptanalysis 26/ 47 DiffCrypt Intro Plain Char Diff Iterative Characteristics (cont.)

◮ These two characteristics are the best when iterated to seven or more rounds. ◮ We note that to have a zero output difference (for a non-zero input difference), there should be at least three active S boxes. ◮ Definition: An S box is called active if its input difference is non-zero.

Orr Dunkelman Differential Cryptanalysis 26/ 47 DiffCrypt Intro Plain Char Diff The Probability of the Iterative Characteristics

Number of rounds Probability 3 2−7.9 ≈ 1/234 5 2−15.7 ≈ 1/55000 7 2−23.6 9 2−31.5 11 2−39.4 13 2−47.2 15 2−55.1 16 2−62 17 2−63

Orr Dunkelman Differential Cryptanalysis 27/ 47 DiffCrypt Intro Plain Char Diff Differentials

◮ As we will shortly see, most differential attacks only use ΩP and ΩT , and are independent of the intermediate differences. ◮ As a result, we can define the concept of differentials.

Orr Dunkelman Differential Cryptanalysis 28/ 47 DiffCrypt Intro Plain Char Diff Differentials

◮ As we will shortly see, most differential attacks only use ΩP and ΩT , and are independent of the intermediate differences. ◮ As a result, we can define the concept of differentials. ◮ Definition: A Differential is a set of all the characteristics with the same ΩP and ΩT . ◮ The probability of the differential is the sum of the probabilities of the various characteristics. ◮ Obviously, the probability of a given characteristics serves as a lower bound for the probability of the associated differential.

Orr Dunkelman Differential Cryptanalysis 28/ 47 DiffCrypt Intro Plain Char Diff Differential Attacks

◮ The simplest differential attack (0R-attack) breaks ciphers with the same number of rounds as the characteristic ΩP → ΩT . ◮ The basic attack algorithm: − ∗ 1 Choose some m = 2p 1 random pairs P, P such that ′ P =ΩP , and request the corresponding ciphertexts T and T ∗ under the unknown key K. ′ 2 Choose only the pairs satisfying T =ΩT , and discard the others. 3 Assume that the remaining pairs are right pairs with respect to the characteristics. 4 Apply the basic differential analysis (using the differences and the values of T and T ∗) to obtain candidates for the last subkey (in S boxes whose input difference is non-zero). ◮ Orr DunkelmanOne canDifferential also Cryptanalysis attack the first round using the right pairs 29/ 47 DiffCrypt Intro Plain Char Diff Differential Attacks — Analysis

◮ Given m pairs, about m(p +2−64) pairs remain: ◮ mp right pairs, ◮ 2−64m wrong pairs (as DES’ block size is 64-bit). ◮ If p ≫ 2−64 we can assume that all the remaining pairs are right pairs (w.h.p.).

Orr Dunkelman Differential Cryptanalysis 30/ 47 DiffCrypt Intro Plain Char Diff Differential Attacks — Analysis

◮ Given m pairs, about m(p +2−64) pairs remain: ◮ mp right pairs, ◮ 2−64m wrong pairs (as DES’ block size is 64-bit). ◮ If p ≫ 2−64 we can assume that all the remaining pairs are right pairs (w.h.p.). ◮ Then, in the active S boxes, not all the actual inputs to the S boxes are possible. Each such actual input suggests a candidate to the 6 subkey bits affecting the S-box. ◮ The right value must be suggested by all pairs. ◮ By intersecting these suggestions we remain with the correct key candidate (and a related value).

Orr Dunkelman Differential Cryptanalysis 30/ 47 DiffCrypt Intro Plain Char Diff Differential Attacks — Analysis

◮ Given m pairs, about m(p +2−64) pairs remain: ◮ mp right pairs, ◮ 2−64m wrong pairs (as DES’ block size is 64-bit). ◮ If p ≫ 2−64 we can assume that all the remaining pairs are right pairs (w.h.p.). ◮ Then, in the active S boxes, not all the actual inputs to the S boxes are possible. Each such actual input suggests a candidate to the 6 subkey bits affecting the S-box. ◮ The right value must be suggested by all pairs. ◮ By intersecting these suggestions we remain with the correct key candidate (and a related value). ◮ If a wrong pair still remains, we will find that the intersection of most key lists contains the correct value.

Orr Dunkelman Differential Cryptanalysis 30/ 47 DiffCrypt Intro Plain Char Diff Difficulty of Application to the Full DES

◮ In order to attack the full DES (16-rounds) we need at least 2 · 262 pairs: 1 Their encryption costs more than exhaustive search. 2 If you have all the 264 plaintext blocks — what is the meaning of ifnding the key? 3 The identification of right pairs is not so good, since p 6≫ 2−64.

Orr Dunkelman Differential Cryptanalysis 31/ 47 DiffCrypt Intro Plain Char Diff 1R-Attacks

◮ In 1R-attacks, the differential characteristic is shorter by 1 round than the cipher we attack. ◮ In other words, the characteristic predicts the differences except in the last round, and ΩT is the predicted difference before the last round. ◮ Note that for right pairs, the input difference of the F -function of the last round is known (both from the ′ characteristic and the ciphertexts (T )R = (ΩT )L) ◮ It can can be used to discard wrong pairs. ◮ On the other hand, the difference of the output of the ′ F -function can be calculated as (T )L ⊕ (ΩT )R . ◮ To conclude, we can use shorter characteristics with higher probabilities, although the identification of the right pairs is somewhat worse.

Orr Dunkelman Differential Cryptanalysis 32/ 47 DiffCrypt Intro Plain Char Diff 2R-Attacks

◮ In such attacks, the cipher is 2 rounds longer than the characteristic. ◮ In these attack, the attacker knows for right pairs 1 The differences of the input to the last F -function, and the inputs themselves. 2 The predicted differences of the input to the F -function in the second-last round (from the characteristic). 3 The differences of the outputs of the last two ′ F -functions can be calculated from ΩT and T . ◮ Hence, if he can identify the right pairs, he can again apply the attack.

Orr Dunkelman Differential Cryptanalysis 33/ 47 DiffCrypt Intro Plain Char Diff Identifiying and Discarding Wrong Pairs

◮ Given that we do not know what output difference to expect it may seem hard to discard wrong pairs.

Orr Dunkelman Differential Cryptanalysis 34/ 47 DiffCrypt Intro Plain Char Diff Identifiying and Discarding Wrong Pairs

◮ Given that we do not know what output difference to expect it may seem hard to discard wrong pairs. ◮ Luckily, for right pairs — we know the input/output differences of the last two rounds. ◮ Hence, if in any of these 16 S boxes, the input difference does not combine with the output difference — the assumption on the input difference is wrong.

Orr Dunkelman Differential Cryptanalysis 34/ 47 DiffCrypt Intro Plain Char Diff Identifiying and Discarding Wrong Pairs

◮ Given that we do not know what output difference to expect it may seem hard to discard wrong pairs. ◮ Luckily, for right pairs — we know the input/output differences of the last two rounds. ◮ Hence, if in any of these 16 S boxes, the input difference does not combine with the output difference — the assumption on the input difference is wrong. ◮ In other words, the pair is wrong, and can be discarded.

Orr Dunkelman Differential Cryptanalysis 34/ 47 DiffCrypt Intro Plain Char Diff 3R-Attacks / Attacking 8 Rounds

◮ Consider 8-round DES, and use the following 5-round characteristic (of probability 1/10486):

ΩP =40 5C 00 00 04 00 00 00x

A′ =40 08 00 00 a′ =04 00 00 00 p = 1 x F x 4 = P(0A 00 00 00x )

B′ =04 00 00 00 b′ =00 54 00 00 p = 10·16 x F x 64·64 = P(00 10 00 00x )

C ′ c′ p =0 F =0 =1

D′ =04 00 00 00 d ′ =00 54 00 00 p = 10·16 x F x 64·64

E ′ =40 08 00 00 e′ =04 00 00 00 p = 1 x F x 4

ΩT = ΩP =40 5C 00 00 04 00 00 00x

Orr Dunkelman Differential Cryptanalysis 35/ 47 DiffCrypt Intro Plain Char Diff Attacking 8 Rounds: A Brief Description

◮ ∗ ′ The attacker chooses pairs P, P satisfying P = ΩP . With probability p =1/10486 the difference after five rounds is ΩT . ◮ ′ In the sixth round f = (ΩT )L =40 5C 00 00x : S1:08x , S2:00x , S3:0Bx , S4:38x , S5:00x , S6:00x , S7:00x , S8:00x . ◮ Thus, the output differences of S2, S5, S6, S7 and S8 are zero as well!

Orr Dunkelman Differential Cryptanalysis 36/ 47 DiffCrypt Intro Plain Char Diff Attacking 8 Rounds: A Brief Description

◮ ∗ ′ The attacker chooses pairs P, P satisfying P = ΩP . With probability p =1/10486 the difference after five rounds is ΩT . ◮ ′ In the sixth round f = (ΩT )L =40 5C 00 00x : S1:08x , S2:00x , S3:0Bx , S4:38x , S5:00x , S6:00x , S7:00x , S8:00x . ◮ Thus, the output differences of S2, S5, S6, S7 and S8 are zero as well! ◮ For right pairs, the output differences of S2, S5, S6, S7 ′ and S8 in the last round can be calculated from ΩT , T and these zeroes. ◮ The inputs to the last round are known, and thus the inputs to the S boxes are known up to XOR with the last subkey K8.

Orr Dunkelman Differential Cryptanalysis 36/ 47 DiffCrypt Intro Plain Char Diff Attacking 8 Rounds: A Brief Description

◮ We can analyze all pairs, and see which key guesses they suggest. ◮ Each pair is expected to offer 45 keys (“randomly” selected among the 230 possible keys. ◮ All right pairs will also suggest the right key. ◮ In other words, about 1/10486 of the pairs suggest the right key. 5 ◮ 4 −20 1 And about 230 =2 = 1048576 of the pairs suggest each wrong key.

Orr Dunkelman Differential Cryptanalysis 37/ 47 DiffCrypt Intro Plain Char Diff Attacking 8 Rounds: Detailed Description

∗ ′ 1 Choose 100,000 pairs P, P satisfying P = ΩP , and request their ciphertexts T , T ∗ under the unknown key K. 30 2 Initialize an array of 2 entries with zeroes. 3 Compute the inputs and the input difference of the last F -function:

h = TR ∗ ∗ h = TR h′ = h ⊕ h∗ and 20 bits of the output difference ′ ′ ′ H = (ΩT )R ⊕ F ⊕ TL where 20 bits of F ′ are known to be zero, and the same 20 bits are calculated for H′: the output of five S boxes.

Orr Dunkelman Differential Cryptanalysis 38/ 47 DiffCrypt Intro Plain Char Diff Attacking 8 Rounds: Detailed Description

4 For each of the five S boxes in the last round for which the inputs X , X ∗ as well as the output differences Y ′ are known, calculate all the possible values of their 6 key bits, which satisfy S(X ⊕ k) ⊕ S(X ∗ ⊕ k)= Y ′, and create a list of all the possible 30 bits of the key. For each 30-bit value, increment (by one) the corresponding entry in the array. 5 After all the pairs are processed, the highest entry should correspond to the right value of the 30 key bits. 6 Complete the remaining 26 key bits (by exhaustive search or by a differential attack).

Orr Dunkelman Differential Cryptanalysis 39/ 47 DiffCrypt Intro Plain Char Diff The Attack on the Full 16-Round DES

◮ The 15-round characteristic has probability 2−55.1, and clearly cannot be used to reduce the complexity of attack below 255. ◮ The 14-round characteristic has probability 2−54.1. ◮ In order to attack DES, we must then use characteristics of at most 13 rounds. ◮ However, 3R-attacks are infeasible, since due to lack of data the right key cannot be identified.

Orr Dunkelman Differential Cryptanalysis 40/ 47 DiffCrypt Intro Plain Char Diff The Idea

◮ Add an additional round as a first round, not included in the characteristic, and without cost.

′ ′ ′ P =(PL, PR )=(v, ψ)

′ ′ A = vF a = ψ One additional round

′ ′ B =0 F b =0

0 F ψ = 19 60 00 00x The 13-round characteristic 0F 0 with probability 2−47.2 0 F ψ

0F 0

′ ′ ′ ′ G = h = TR F g = ψ

′ ′ ′ ′ ′ H = g ⊕ TL = h = TR Two rounds for the 2R-attack ′ F TL ⊕ ψ

′ ′ ′ T =(TL, TR )

Orr Dunkelman Differential Cryptanalysis 41/ 47 DiffCrypt Intro Plain Char Diff The Data

◮ 12 Let {vj } be the set of 2 possible output values of S1, S2 and S3, after the P permutation, where all the other 20 bits are zero (assume v0 = 0). ◮ Choose the plaintexts in structures of 214, using the two best iterative characteristics: 1 Choose (random) P0. 1 1 1 2 P1 = P0 ⊕ (0, ψ ), where ΩP = (ψ , 0). 2 2 2 3 P2 = P0 ⊕ (0, ψ ), where ΩP = (ψ , 0). 1 2 4 P3 = P0 ⊕ (0, ψ ⊕ ψ ). 12 5 For 0 ≤ i ≤ 3, 0 < j < 2 : Pi+4j = Pi ⊕ (vj , 0). ◮ In this structure, for every Pi there is some unknown Pj 1 2 whose difference (before round 2) is ΩP . Similarly for ΩP . ◮ Therefore, for each characteristic, there are 213 pairs in the structure, and in total 214 for both characteristics.

Orr Dunkelman Differential Cryptanalysis 42/ 47 DiffCrypt Intro Plain Char Diff The Data: Analysis

◮ Right pairs: the 13-round characteristic probability is 2−47.2. In a structure there are on average 214 · 2−47.2 =2−33.2 right pairs. ◮ One right pair is expected to exist in 233.2 structures on average, i.e., in about 247.2 chosen plaintexts.

Orr Dunkelman Differential Cryptanalysis 43/ 47 DiffCrypt Intro Plain Char Diff Identification of Wrong Pairs

◮ As ΩT =(ψ, 0) the input of the F -function in the second-last round differs by ψ in the right pairs. ◮ ψ’s active S boxes are S1, S2, and S3.

Orr Dunkelman Differential Cryptanalysis 44/ 47 DiffCrypt Intro Plain Char Diff Identification of Wrong Pairs

◮ As ΩT =(ψ, 0) the input of the F -function in the second-last round differs by ψ in the right pairs. ◮ ψ’s active S boxes are S1, S2, and S3. ◮ The 20-bit output difference of S4,S5,S6,S7,S8 is zero.

Orr Dunkelman Differential Cryptanalysis 44/ 47 DiffCrypt Intro Plain Char Diff Identification of Wrong Pairs

◮ As ΩT =(ψ, 0) the input of the F -function in the second-last round differs by ψ in the right pairs. ◮ ψ’s active S boxes are S1, S2, and S3. ◮ The 20-bit output difference of S4,S5,S6,S7,S8 is zero. ◮ The input difference must be zero in these 20 bits. ◮ This difference observable in the ciphertext side!

Orr Dunkelman Differential Cryptanalysis 44/ 47 DiffCrypt Intro Plain Char Diff Identification of Wrong Pairs

◮ As ΩT =(ψ, 0) the input of the F -function in the second-last round differs by ψ in the right pairs. ◮ ψ’s active S boxes are S1, S2, and S3. ◮ The 20-bit output difference of S4,S5,S6,S7,S8 is zero. ◮ The input difference must be zero in these 20 bits. ◮ This difference observable in the ciphertext side! ◮ Hence, a wrong pair passes the test with probability 2−20. ◮ And from the 226 pairs in each structure, and only about 26 wrong pairs pass the test.

Orr Dunkelman Differential Cryptanalysis 44/ 47 DiffCrypt Intro Plain Char Diff Identification of Wrong Pairs (cont.)

◮ Some of the remaining wrong pairs can also be sieved. ◮ Consider the first, 15th, and 16th rounds, and verify that all the input/output differences are consistent with each other. ◮ This test discards about 14 13 15 2 8 1 − 16 · 16 · 16
· 0.8 =1 − 0.0745 = 92.55% of the wrong pairs. ◮ Only about 26 · 0.0745 = 4.768 wrong pairs from each structure remain after this test.

Orr Dunkelman Differential Cryptanalysis 45/ 47 DiffCrypt Intro Plain Char Diff Finding the Key Using One Right Pair

◮ In previous differential attacks we counted the frequency of the keys, and thus needed several right pairs. ◮ We observe that when we count by a large number of bits, it is more efficient to compute a trial encryption to verify key directly. ◮ We first find 52-bit values corresponding to the 48 bits of the last subkey plus 4 bits accessible in rounds 1 and 15. ◮ For this, we take into consideration that the subkeys are not independent. ◮ If a suggestion is inconsistent, we discard it. ◮ For the remaining 52-bit candidates, we complete the 52 bits to 56 bits (with all the possible values of the additional 4 bits), and compute a trial encryption on each of the 56-bit keys.

Orr Dunkelman Differential Cryptanalysis 46/ 47 DiffCrypt Intro Plain Char Diff Extensions of Differential Cryptanalysis

◮ Conditional characteristics (Ben-Aroya, Biham) ◮ Higher-order differential cryptanalysis (Lai ; Biham) ◮ Markov Ciphers (Lai, Massey) ◮ Truncated Differentials (Knudsen) ◮ Provable Security against Differential Attacks (Knudsen, Nyberg) ◮ Impossible Differentials (Knudsen; Biham, Biryukov, and Shamir). ◮ Boomerang, amplified boomerang, and rectangle attacks. ◮ Multiple differentials (2012, Blondeau, G´erard, Nyberg)

Orr Dunkelman Differential Cryptanalysis 47/ 47 PAST PRESENT

The Advanced Encryption Standard (AES)

Orr Dunkelman

Computer Science Department University of Haifa, Israel

August 15th, 2017

Orr Dunkelman AES 1/ 19 PAST PRESENT Competition AES The AES Competition

◮ DES has many shortcomings (short key, inadequate performance in software, secret design criteria, etc.) ◮ This led NIST (eventually) to start a competition to select the next block cipher. ◮ It was an open competition starting at 1997. ◮ The block size was set to 128 bits, and three key sizes where required, 128, 192, and 256 bits.

Orr Dunkelman AES 2/ 19 PAST PRESENT Competition AES The AES Competition

◮ DES has many shortcomings (short key, inadequate performance in software, secret design criteria, etc.) ◮ This led NIST (eventually) to start a competition to select the next block cipher. ◮ It was an open competition starting at 1997. ◮ The block size was set to 128 bits, and three key sizes where required, 128, 192, and 256 bits.

The target: Be faster and more secure than 3DES.

Orr Dunkelman AES 2/ 19 PAST PRESENT Competition AES The Candidates

◮ 21 submissions were sent to NIST, 15 of which satisfied the requirements from the submissions:

Candidate Candidate Candidate Candidate Candidate CAST-256 CRYPTON DEAL DFC E2 FROG HPC LOKI97 MAGENTA MARS RC6 Rijndael SAFER++ Serpent TWOFISH

◮ The first phase took a year, and at its end, 5 candidates were picked as finalists as they had merits over the other candidates.

Orr Dunkelman AES 3/ 19 PAST PRESENT Competition AES The Finalists

◮ MARS — designed by the IBM team (Don Coppersmith et al.) ◮ RC6 — designed by RSA people (Ron Rivest et al.) ◮ Rijndael — designed by K.U. Leuven post-docs (Joan Daeman and Vincent Rijmen). ◮ Serpent — designed by an international academic team (Ross Anderson, Eli Biham, and Lars R. Knudsen). ◮ Twofish — designed by Counterpane (Bruce Schneier et al.)

Orr Dunkelman AES 4/ 19 PAST PRESENT Competition AES The Selection — Rijndael as the AES

◮ On September 2001, Rijndael was announced as the Advanced Encryption Standard (AES). ◮ Rijndael was deemed to offer sufficient security, and affordable performance, i.e., being the fastest on many platforms and hardware friendly.

Orr Dunkelman AES 5/ 19 PAST PRESENT Competition AES The Advanced Encryption Standard

◮ The cipher has an SP (substitution-permutation) network structure. ◮ Block size — 128 bits, Key size — 128, 192, or 256 bits. ◮ Number of rounds depends on the key length (10/12/14, respectively).

Orr Dunkelman AES 6/ 19 PAST PRESENT Competition AES The Advanced Encryption Standard

SubBytes

0 4 812 ARK 1 5 913 SB SR MC 2 6 1014 3 7 1115 3 7 1115 153 711 L ki

ShiftRows MixColumns

Orr Dunkelman AES 7/ 19 PAST PRESENT Competition AES The MixColumns Operation

◮ MixColumns treats each column of four bytes as four elements over GF (28). Then, the column is multiplied by the Matrix: ′ s0 2311 s0  ′      s1 1231 s1 ′ =  s2   1123   s2   ′       s3   3112   s3 

Orr Dunkelman AES 8/ 19 PAST PRESENT Competition AES The MixColumns Operation

◮ MixColumns treats each column of four bytes as four elements over GF (28). Then, the column is multiplied by the Matrix: ′ s0 2311 s0  ′      s1 1231 s1 ′ =  s2   1123   s2   ′       s3   3112   s3 

◮ The field GF (28) is constructed over the (irreducible) polynomial 11B, i.e., x 8 + x 4 + x 3 + x + 1.

Orr Dunkelman AES 8/ 19 PAST PRESENT Competition AES The SubBytes Operation

◮ Given input x, compute y = x −1 (over the same field, △ with 0 =0−1). ◮ Then compute the output as:

z0 10001111 y0 1         z1 11000111 y1 1  z2   11100011   y2   0           z3   11110001   y3   0    =     ⊕    z   11111000   y   0   4     4     z   01111100   y   1   5     5     z   00111110   y   1   6     6     z7   00011111   y7   0 

Orr Dunkelman AES 9/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then S W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then S W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then S W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Nk i Else if ≡ 8 and ≡ 4 mod 8 then S RCi W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then S W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Competition AES AES’ Key Schedule Algorithm

The key schedule for AES with 32 · Nk-bit key: ◮ Initialize W [0,..., Nk − 1] = K[0,..., Nk − 1]. ◮ For i = Nk,..., 4 · (7 + Nk) − 1 do ◮ If i ≡ 0 mod Nk then W [i]= W [i − Nk]⊕ SB(W [i − 1] ≪ 8) ⊕ RCON[i/Nk], ◮ Else if Nk ≡ 8 and i ≡ 4 mod 8 then W [i]= W [i − 8] ⊕ SB(W [i − 1]), L ◮ Otherwise W [i]= W [i − 1] ⊕ W [i − Nk], ◮ The first subkey is W [0, 1, 2, 3], the second is W [4, 5, 6, 7], etc.

Orr Dunkelman AES 10/ 19 PAST PRESENT Performance Security Real AES’ Performance

◮ AES is fast.

Orr Dunkelman AES 11/ 19 PAST PRESENT Performance Security Real AES’ Performance

◮ AES is fast. ◮ Both in software and in hardware. ◮ In software: ◮ With AES-NI — 3.8 cpb (0.64 cbp if using CTR mode). ◮ no AES-NI — 7.6 cpb (CTR mode). ◮ In hardware: ◮ ASIC/optimized for size — 2.4 KGates (61 Kbps @ 100 Khz). ◮ ASIC/optimized for speed — over 44 Gbps. ◮ FPGA/optimized for size — 222 slices & 3 block RAM (150 Mbps). ◮ FPGA/optimized for speed — over 24 Gbps.

Orr Dunkelman AES 11/ 19 PAST PRESENT Performance Security Real Security Properties

◮ The S-boxes are based on inversion over GF (28). ◮ The MixColumns operation is an MDS matrix, which along with the ShiftRows operation ensures a full diffusion after two rounds. ◮ Uses The “wide trail strategy”: ◮ Number of active S-boxes after two rounds ≥ 5, ◮ Number of active S-boxes after three rounds ≥ 9, ◮ Number of active S-boxes after four rounds ≥ 25. ◮ Any 4-round differential characteristic has probability of no more than 2−150.

Orr Dunkelman AES 12/ 19 PAST PRESENT Performance Security Real Security Properties (cont.)

◮ The security against differential and linear attacks is derived from the fact that there are no good differentials (linear hulls) of high probability.

Orr Dunkelman AES 13/ 19 PAST PRESENT Performance Security Real Security Properties (cont.)

◮ The security against differential and linear attacks is derived from the fact that there are no good differentials (linear hulls) of high probability. ◮ In a series of papers, the maximal expected differential and maximal expected linear probabilities for two and four rounds were computed. ◮ The results are that 4-round AES has no differentials or linear hulls with high enough probability for attacks (bounds have the order of magnitude of 2−110). ◮ Hence, any differential/linear attack on more than 6-round AES require about 2110 data.

Orr Dunkelman AES 13/ 19 PAST PRESENT Performance Security Real The Advanced Encryption Standard (cont.)

◮ For efficiency reasons, one can implement the SubBytes and the MixColumns operation together using a memory lookup. ◮ There are four 8-bit to 32-bit tables used in most implementations.

Orr Dunkelman AES 14/ 19 PAST PRESENT Performance Security Real The Advanced Encryption Standard (cont.)

◮ For efficiency reasons, one can implement the SubBytes and the MixColumns operation together using a memory lookup. ◮ There are four 8-bit to 32-bit tables used in most implementations. ◮ The last round has no MixColumns. ◮ So there is a fifth 8-bit to 8-bit table.

Orr Dunkelman AES 14/ 19 PAST PRESENT Performance Security Real The Advanced Encryption Standard (cont.)

◮ For efficiency reasons, one can implement the SubBytes and the MixColumns operation together using a memory lookup. ◮ There are four 8-bit to 32-bit tables used in most implementations. ◮ The last round has no MixColumns. ◮ So there is a fifth 8-bit to 8-bit table. ◮ This table is accessed only during the last round of encryption. . . [P02, Ber05, OST06, ...]

Orr Dunkelman AES 14/ 19 PAST PRESENT Performance Security Real Cache Attack on AES (Concept)

1 Flush the cache (filling it with information). 2 Call the encryption process. 3 Identify which entries of the fifth table were accessed (time the time needed to access the cache again).

Orr Dunkelman AES 15/ 19 PAST PRESENT Performance Security Real Cache Attack on AES (Concept)

1 Flush the cache (filling it with information). 2 Call the encryption process. 3 Identify which entries of the fifth table were accessed (time the time needed to access the cache again). 4 Make Profit.

Orr Dunkelman AES 15/ 19 PAST PRESENT Performance Security Real Certificational Attacks on AES

◮ There are several certificational attacks on AES: 1 In [BKN09] the first attack on the full AES-256 is reported: ◮ Related-Key model (235 keys needed) data & time: 2131. ◮ Several attacks on AES-256 in Davies-Meyer mode. 2 In [BK09] related-subkey attacks on AES-192 and AES-256: ◮ A 299 data/time attack on AES-256 (using 4 related keys). ◮ A 2176 data/time attack on AES-192. 3 [B+10] practical time related-key and related-subkey attacks on AES. 4 [BK10] almost practical time related-key attacks. 5 [BKR11] Biclique attacks on the full AES (improve on exhaustive search by a factor of ≈ 3).

Orr Dunkelman AES 16/ 19 PAST PRESENT Performance Security Real Best Attacks on AES (in the Common Model)

◮ When considering the common model, the best known attacks are variants of the Demirci-Sel¸cuk attack. ◮ These attacks are based on some precomputed meet in the middle tables. ◮ The main idea: 1 Find a function f from round i to round i +4 that depends on a few values as possible. 2 Precompute all possible values of f , and store the values in a table. 3 Take data that satisfy the requirements from the input to f . 4 Partially decrypt the ciphertexts to look at the output of f . 5 If the output is not in the precomputed table — the partial decryption was under a wrong subkey guess.

Orr Dunkelman AES 17/ 19 PAST PRESENT Performance Security Real Best Attacks on AES (cont.)

Source AES-128 AES-192 AES-256 Rnd D T M Rnd D T M Rnd D T M [DS08] — 7 246+n 294+n 2192−n 7 234+n 282+n 2204−n 8 234+n 2206+n 2206−n [D+09] — — 8 234+max(0,n−24) 2206+n 2206−n [DKS10] 7 2103+n 2103−n 2129−n 7 2103+n 2103+n 2129−n 7 2103+n 2103+n 2129−n 8 2113+n 2172+n 2129−n 8 2113+n 2196+n 2129−n [DFJ13] 7 2105 299 290 7 299 299 296 7 299 299 296 7 299 299 296 8 2113 2172 282 8 2113 2196 282 8 2107 2172 296 9 2120 2203 2203 [LJW13] — 9 2121 2185 2185 —

Orr Dunkelman AES 18/ 19 PAST PRESENT Performance Security Real Security Implications of These Attacks

◮ Do not use AES-192/AES-256 as-is in Davies-Meyer compression functions. ◮ Do not assume AES-192/AES-256 to be related-subkey PRFs in security proofs. ◮ Do not assume that AES’ security is perfect

Orr Dunkelman AES 19/ 19 PAST PRESENT Performance Security Real Security Implications of These Attacks

◮ Do not use AES-192/AES-256 as-is in Davies-Meyer compression functions. ◮ Do not assume AES-192/AES-256 to be related-subkey PRFs in security proofs. ◮ Do not assume that AES’ security is perfect ◮ But actually, as long as you use AES-192/AES-256 for encryption, and as long as your system does not allow related-subkeys, and as long as your encryption does not use crazy modes of operation, you are just fine.

Orr Dunkelman AES 19/ 19