See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/246375728

Higher Order Derivatives and Differential

Article · January 1994 DOI: 10.1007/978-1-4615-2694-0_23

CITATIONS READS 175 369

1 author:

Xuejia Lai Shanghai Jiao Tong University

112 PUBLICATIONS 2,829 CITATIONS

SEE PROFILE

All content following this page was uploaded by Xuejia Lai on 04 May 2016.

The user has requested enhancement of the downloaded file. All in-text references underlined in blue are added to the original document and are linked to publications on ResearchGate, letting you access and read them immediately.

Reprint of pp Communications and Ed RBlahut et al Kluwer Academic Publishers

Higher Order Derivatives and Dierential Cryptanalysis

Xuejia Lai

R Security Engineering AG

CH Aathal Switzerland

lairch

Abstract

Highorder derivatives of multivariable functions are studied in this pap er as

a natural generalization of the basic concept used in dierential cryptanalysis

Possible applications of such derivatives in cryptology are discussed

I Intro duction

In just after Jim and I published at Euro crypt our new blo ck cipher PES the

previous version of the IDEA cipher dierential cryptanalysis was prop osed byBiham

and Shamir as a chosen attack to nd the secret of an iterated blo ck

cipher In Biham and Shamir showed that the full round DES can b e broken by

dierential cryptanalysis using only which is the rst rep orted attack

that nds the secretkey of DES with fewer encryptions than exhaustivekeysearch

Besides DES dierential cryptanalysis has b een applied successfully to many other

ciphers for example the blo ck ciphers FEAL Khafre REDOC LOKI and

Likeevery cipher designer who heard a new attack that can b e applied to his cipher

we started to apply the dierential cryptanalysis to our own prop osal As I talked to

Jim ab out the rst result of the analysis he noticed immediately that the use of the

prop erties of a Markovchain is essential to dierential cryptanalysis This observation

led to the concept of Markov Cipher whichwe presented in where it was shown

that the dierential cryptanalysis of many if not all practical blo c k ciphers can b e

formulated in terms of the theory of Markovchains For example the implication of

the only Lemma in Biham and Shamirs pap er is that DES is a Markov cipher In

particular a fairly tightlower b ound on the complexity of a dierential cryptanalysis

attack on a cipher can b e derived in terms of parameters of the Markovchain Although

dierential cryptanalysis requires far to o muchchosen to b e a practical attack

on a cipher the complexity of a dierential cryptanalysis attack is the b est measure of

its cryptographic strength that is known to day

In this pap er we consider a p ossible generalization of the original rstorder dif

ferential cryptanalysis in terms of higherorder derivative which is dened in Section

where some general prop erties of derivatives are studied In Section we consider some

This work was carried out at the Signal and Information Pro cessing Lab oratory of the Swiss

Federal Institute of TechnologyZurich Switzerland

sp ecial prop erties of derivatives of binary functions Section discusses the applications

of such higher order derivatives in cryptology In particular we consider the relation

ship among derivatives dierential cryptanalysis and linear structure of cryptographic

functions

I I Higher order derivatives

Denition Let S and T b e Ab elian groups For a function f S T the

derivatives of the f at point a S is dened as

f xf x a f x

a

Note that the derivativeof f is itself a function from S to T we can dene the ith

i derivative of f at a a a as

i

i i

f x f x

a

i a a a a

i i

i

f x b eing the i th derivativeof f at a a a The th where

i

a a

i

derivativeof f x is dened to b e f x itself

For example for i wehave

f x f x

a a



a a



f x a f x

a



f x a a f x a f x a f x

f x a a f x a f x a f x

It then follows that

f x a a f x f x f xf x

a a



a a



In general one can show the following result

Prop osition

n

X X

i

f x f x a a a

n

a a

j j

i

i

j j n

i

Pro of For n it follows from the denition Supp ose holds for n Then

n

f x

a a

n

n n

f x a f x

n

a a a a

n n

n

X X

i

A

f x a f x a a a

n n n

a a

j j

i

i j j n

i

n

f x

a a

n

n

X X

i

f x a f x a a

n n

a a

j j

i

i j j n

i

n n

X X X X

i i n

A

f x f x f x

a a a a a a

j j j j n

i i

i i

j j n j j n

i i

n

X X

i

f x a f x f x a a

n n

a a

j j

i

i

j j n

i

n

X X

i n

A

f x f x

a a a a

j j n

i

i

j j n

i

n

X X

i

f x a a f x

n a

n

a a

j j

i

i

j j n

i

n

X X

i n

A

f x f x

a a a a

j j n

i

i

j j n

i

n

X X

i

f x a a f x

n

a a a

n

j j

i

i j  j n

i

n

X X

i n

A

f x f x

a a a a

j j n

i

i j j n

i

n

X X

i

A

f x f x a a

n

a a a

n

j j

i

j j n i 

i

Some basic prop erties of the derivative are as follows

f g f g

a a a

f xg x f x a g x f xg x

a a a

Equation is rather obvious and Equation can b e obtained as follows

f xg x f x ag x a f xg x

a

f x ag x a g x f x a f xg x

f x a g x f xg x

a a

Prop osition Let deg f denote the nonlinear degree of a multivariable polynomial

function f x Then

deg f x deg f x

a

Pro of It follows from equation and from the facts that deg f g

maxdeg f deg g and deg fg degf degg and that the derivativeofalinear

function is a constant

I I I Derivatives of binary functions

In what follows we will consider only the binary functions and the group op eration is

the bitwise XOR denoted by

i

Prop osition Let La a a be the list of al l possible linear combinations of

i

a a a Then

i

X

i

f x f x c

a a

i

cLa a a

 i

Weproveitby induction For i itisobvious Supp ose hold for i Pro of

then by denition

i i

f x f x

a

i a a a a

i i

i i

f x f x a

i

a a a a

i i

X X

A A

f x c a f x c

i

cLa a a cLa a a

 i  i

X

f x c

cLa a a

 i

Corollary Derivatives of binary function is independent of the order in which the

derivation is taken ie for any permutation pj of index j

i i

f x f x

a a a a

i

p pi

The ab ove results lead to the lower b ound on the probability of derivative function

taking on a certain value This probability is essential in cryptanalysis using such

derivatives

n n

F and linearly independent a a a in Prop osition For function f F

i

in n n i

f xb is either or at least if x is uniformly F and for any b F P

a a

i

random

Pro of From equation if at input x the derivativetakes on value b then at all

i

inputs x c c La a a the derivative will takeonvalue b

i

i

f x Prop osition If a is linearly dependent of a a a then

i i

a a

i

Pro of If a is linearly dep endentof a a thena is contained in the list

i i i

La a a Thus in wehave

i

X X

f x c a f x c

i

cLa a a cLa a a

 i  i

which implies that the derivative is zero

The ab ove result shows that derivatives should b e computed at the p oints that are

linearly indep endent Otherwise the higher order derivatives will b e trivially zero such

cases are of no interest for our purp ose

n m

Prop osition For any function f F F the nth derivative of f is a constant

n n

If f F F is invertible then n th derivative of f isaconstant

Pro of Each comp onent function of f can have a nonlinear degree at most n When

f is invertible the nonlinear degree of its comp onent function is at most n The

pro of then follows from Prop osition

Example For

f x x x x x x x x x x x x x

we compute the nd derivative at

f x x x x f x x x x f x x x x x x x x

x x x x x x

Thus f x x x x Note that and are linearly inde

p endent and function f has a nonlinear degree

IV Cryptographic signicance of derivatives

Dierential cryptanalysis and derivatives The basic concept of dierential crypt

analysis is the probability of dierentials An dierential is a couple a b where a is



the dierence of a pair of distinct inputs x and x and where b is a p ossible dierence for

 

the resulting outputs y f x and y f x The probability of an dierential a b

is the conditional probabilitythat b is the dierence y of the outputs given that the



input pair x x has dierence x a when the x is uniformly random We denote

this dierential probabilityby P y bjx a If the dierence is dened by the



group op eration ie if x x x then

f b P y bjx a P f x a f x bP

a

Prop osition The probability of a dierential a b is the probability that the rst

derivative of function f x at point a takes on value b when x is uniformly random

The success of dierential cryptanalysis is based on the fact that many practical

blo ck ciphers are obtained from iterating a cryptographically weak round function If

the dierence of a pair of inputs to the last round can b e anticipated with a high

probability then the secret key used in the last round can usually b e derived from the

pair of outputs and from the dierence at the input By using highorder derivatives

the basic idea of dierential cryptanalysis can b e generalized to the case when more

than two inputs are used simultaneously for deriving the secret key if a nontrivial

ith derivative of r round function takes on a value with high probability then it is

i

possible to derive the key for the last round from the known outputs and from the

anticipated derivative value Although some indep endent preliminary exp eriments

indicated that cryptanalysis using high order derivativemaynotbemorepowerful than

the rst order dierential cryptanalysis we exp ect however that the derivative will

provide new measurement for the strength of cryptographic functions

Linear structure and derivatives A function f is said to havealinear structure if

there is a nonzero a such that f x a f x remains invariant for all x The study of

linear structure has lead to attacks on cipher functions and to the nonlinearity

criteria for cryptographic functions From the denitions it is easy to see

that function f x has a linear structure if and only if there is a nonzero a such that

the derivativeof f xata is a constant or equivalently if and only if function f has

a dierential of probability one The relationship among the concepts of dierential

linear structure and derivatives then suggests the following

A new design principle for cryptographic functions For each small i the non

trivial ith derivatives of function should take on each p ossible value roughly uniform

n n

In particular a binary function from F to F the nontrivial ith derivatives should

in

take on each p ossible value with probability ab out

References

X Lai and J L Massey A Prop osal for a New Blo ck Standard

Advances in Cryptology EUROCRYPT Pro ceedings LNCS pp

SpringerVerlag Berlin

E Biham and A Shamir Dierential Cryptanalysis of DESlike Cryptosys

tems Advances in Cryptology CRYPTO Pro ceedings LNCS pp

SpringerVerlag Berlin

E Biham and A Shamir Dierential Cryptanalysis of the full round DES

Abstracts of CRYPTO

E Biham and A Shamir Dierential Cryptanalysis of FEAL and NHash

Advances in Cryptology EUROCRYPT Pro ceedings LNCS pp

SpringerVerlag Berlin

E Biham and A Shamir Dierential Cryptanalysis of Snefru Khafre REDOC

I I LOKI and Lucifer Advances in Cryptology CRYPTO Pro ceedings

LNCS pp SpringerVerlag Berlin

X Lai J L Massey and S MurphyMarkov Ciphers and Dierential Crypt

analysis Advances in Cryptology EUROCRYPT Pro ceedings LNCS

pp SpringerVerlag Berlin

C Harp es Notes on High Order Dierential Cryptanalysis of DES Internal

rep ort Signal and Information Pro cessing Lab oratory Swiss Federal Institute of

Technology August

E Biham Higher Order Dierential Cryptanalysis Preliminary draft August

D Chaum JH Evertse Cryptanalysis of DES with a reduced numb er of rounds

Advances in Cryptology CRYPTO Pro ceedings pp SpringerVerlag

JH Evertse Linear structures in blo ck ciphers Advances in Cryptology EURO

CRYPT Pro ceedings pp SpringerVerlag

W Meier O Staelbach Nonlinearity criteria for cryptographic functions Ad

vances in Cryptology EUROCRYPT Pro ceedings pp Springer

Verlag

K Nyb erg On the construction of highly nonlinear p ermutations Advances in

Cryptology EUROCRYPT Pro ceedings pp SpringerVerlag