Unit 21 February 28, 2011 1 Differential Cryptanalysis

Murphy: Differential cryptanalysis of FEAL (1990) Biham & Shamir: DES (1991)

Chosen-plaintext attack

Idea: find pairs of plaintexts with a fixed “difference” so that from the output difference, some information about the key is gleaned.

c 2011 Clifford Bergman Unit 21 February 28, 2011 2

Differential cryptanalysis of baby lucifer

Try to find a set of inputs that ensure that some bit at the beginning of round 3 will have a known value.

Consider the table of f -boxes in baby lucifer:

c 2011 Clifford Bergman Unit 21 February 28, 2011 3 f0 f1 f0 f1 0000 1101 0001 1000 1110 1010 0001 0000 0100 1001 0011 1111 0010 1011 1011 1010 0101 0110 0011 0111 1101 1011 1100 1000 0100 0100 1100 1100 0010 0000 0101 1001 0011 1101 1111 0101 0110 0001 0111 1110 1000 1001 0111 1010 1110 1111 0110 0010

Note that fi (00x0) ends in a 1 for i = 0, 1 and x = 0, 1.

c 2011 Clifford Bergman Unit 21 February 28, 2011 4

Input pairs with output bits common to f0 and f1

000* ..0. *111 ..10 00*0 ...1 1*00 ...0 0*00 ..0. 100* ..1. 0*10 ...1 1*01 ...1 001* ...1 1*11 ...0 *100 ...0 11*0 .0.. *101 ...1

c 2011 Clifford Bergman Unit 21 February 28, 2011 5

a1 a3

b1 b3

4 a2 a

2 b b4

a5 a3

c 2011 Clifford Bergman Unit 21 February 28, 2011 6

Thus if a2 is of the form 00 . 0 .... then b2 is ...1 ....

After permuting by σ = h7, 8, 5, 2, 1, 3, 6, 4i we have a3 = ...... 1

Which values of a1 will ensure that a2 = 00.0 .... (regardless of the key)? babyl

Going backwards through σ: σ−1 = h5, 4, 6, 8, 3, 7, 1, 2i, so b1 = . 0 .... 00

c 2011 Clifford Bergman Unit 21 February 28, 2011 7

Looking for . 0 .... 00

Common outputs from f0 and f1

0000 ..01 1000 1.10 0001 0.00 1001 ..11 0010 1011 1010 01.. 0011 .1.1 1011 1.00 0100 .100 1100 00.0 0101 .0.1 1101 .1.1 0110 0..1 1110 100. 0111 1.10 1111 0.10

c 2011 Clifford Bergman Unit 21 February 28, 2011 8

Thus if we set a1 to any of: left-half: 0010, 0101, 1100, 1110 right-half: 0001, 0100, 1011 then a2 will have the desired property.

This yields 12 plaintexts p1, p2,..., p12 for which bit 8 at the beginning of round 3 is ‘1’ (regardless of key).

babyl

c 2011 Clifford Bergman Unit 21 February 28, 2011 9

Suppose we obtain the encryptions Ek (pi ) = ci , for i = 1, 2,..., 12. Our objective is to determine k.

Guess bits k6, k7, k8. Use the guess to partialy decrypt ci and determine the right-half of a3.

If we guessed right, the last bit should always be ‘1’. If we guess wrong, it should be ‘1’ with probability 1/2.

Thus by checking k6, k7, k8 against all of ci for i = 1,..., 12, we will detect a wrong guess with probability 1 − 2−12 = .99975.

c 2011 Clifford Bergman Unit 21 February 28, 2011 10

Strategy: Use this technique to determine bits 6–8. Then use brute-force on bits 1–5. Total keys checked: 23 + 25 = 40  256. chosen-plaintexts required: 12

c 2011 Clifford Bergman Unit 21 February 28, 2011 11

For DES, requires 247 plaintext blocks.

No brute-forcing is required.

c 2011 Clifford Bergman