
Block Cipher Cryptanalysis: An Overview
Subhabrata Samajder
Indian Statistical Institute, Kolkata
17th May, 2017

Outline
1 Iterated Block Cipher
2 S-Boxes
3 A Basic Substitution Permutation Network
4 Linear Cryptanalysis
5 Differential Cryptanalysis
6 Appendix

Iterated Block Cipher

A block cipher is a function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ such that for each $K \in \{0,1\}^k$, the function $E_K(\cdot) = E(K, \cdot)$ is a permutation of $\{0,1\}^n$.
The n-bit input to the block cipher is called the plaintext, and the n-bit output of the block cipher is called the ciphertext.
The k-bit quantity K is called the secret key.

Iterated Block Cipher (Cont.)

Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds.
The secret key is expanded using a function called the Key Scheduling Algorithm (KSA) to obtain the round keys.

Iterated Block Cipher: Designs

Substitution-Permutation Network (SPN)

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Plaintext bits P1 ... P16 enter at the top; Rounds 1 to 4 each apply sub-key mixing (k(1) to k(4)) followed by four S-boxes (S11 ... S14 through S41 ... S44); a final sub-key mixing with k(5) yields ciphertext bits C1 ... C16.]

Substitution-Permutation Network (SPN) (Cont.)

The substitution must be a bijection to ensure decryption.
Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order.
Note that some ciphers, like Khazad, use involutions (f(f(x)) = x) to make encryption and decryption look similar.
Examples: AES (Rijndael), 3-Way, PRESENT, SAFER, SHARK, Square, etc.
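
The SPN decryption rule stated above (inverse S-box, inverse permutation, round keys in reverse order), and why the S-box must be a bijection, as an added example that is not part of the original slides. The S-box, bit permutation and round keys are sample values constructed for illustration, and omitting the permutation in the last round is an assumption of this sketch.

```python
# Toy 16-bit SPN: four rounds, five 16-bit round keys (all values constructed).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # a 4-bit bijection
BAD_SBOX = SBOX[:1] + [0xE] + SBOX[2:]            # 0 and 1 both map to 0xE
PERM = [4 * (i % 4) + i // 4 for i in range(16)]  # bit i moves to PERM[i]
KEYS = [0x3A94, 0xD63F, 0x1C27, 0x8E05, 0x59B1]   # round keys k(1)..k(5)


def invert(table):
    """Return the inverse of a table, or raise if it is not a bijection."""
    if sorted(table) != list(range(len(table))):
        raise ValueError("table is not a bijection, so it cannot be inverted")
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def substitute(state, sbox):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit state."""
    return sum(sbox[(state >> s) & 0xF] << s for s in (0, 4, 8, 12))


def permute(state, perm):
    """Move bit i of the state to position perm[i]."""
    return sum(((state >> i) & 1) << perm[i] for i in range(16))


def encrypt(pt, keys, sbox=SBOX, perm=PERM):
    state = pt
    for r in range(3):                         # rounds 1-3: mix, substitute, permute
        state = permute(substitute(state ^ keys[r], sbox), perm)
    state = substitute(state ^ keys[3], sbox)  # round 4: no permutation (assumption)
    return state ^ keys[4]                     # final sub-key mixing


def decrypt(ct, keys, sbox=SBOX, perm=PERM):
    inv_sbox, inv_perm = invert(sbox), invert(perm)
    state = substitute(ct ^ keys[4], inv_sbox) ^ keys[3]
    for r in (2, 1, 0):                        # undo rounds 3, 2, 1 in that order
        state = substitute(permute(state, inv_perm), inv_sbox) ^ keys[r]
    return state


def collides(keys, sbox):
    """Do the two plaintexts whose low nibble is 0 and 1 after key mixing collide?"""
    return encrypt(keys[0], keys, sbox) == encrypt(keys[0] ^ 1, keys, sbox)
```

With `BAD_SBOX`, `collides(KEYS, BAD_SBOX)` is true and `decrypt` refuses to run, because two plaintexts share one ciphertext and no inverse S-box exists.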

Feistel Cipher

[Figure: Encryption and Decryption Network of a Basic Feistel Cipher (Courtesy: Wikipedia). Encryption takes the plaintext halves L0, R0 through the round function F with round keys k(0), k(1), ..., k(r) to give the ciphertext Rr+1, Lr+1; decryption runs the same network on Rr+1, Lr+1 with round keys k(r), k(r−1), ..., k(0) to recover L0, R0.]

Feistel Cipher vs. SPN

The main advantage of the Feistel design is that encryption and decryption are very similar, even identical in some cases, requiring only a reversal of the key schedule.
One advantage of the Feistel cipher over an SPN is that, unlike in an SPN, the round function F need not be invertible.

Feistel Cipher: Variants and Examples

Unbalanced Feistel cipher: Two halves are unequal in length.
Generalised Feistel cipher: Plaintext is divided into more than two parts. Examples: RC6, Skipjack, etc.
Other Examples: Blowfish, DES, FEAL, RC5, LOKI, etc.
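
The two Feistel properties stated above (decryption is the same network with the key schedule reversed, and F need not be invertible), as an added example that is not part of the original slides. The round function F, the 16-bit block size and the round keys are constructed for illustration.

```python
# Toy balanced Feistel network on 16-bit blocks (two 8-bit halves).
# F, the round keys and the block size are constructed for illustration.
KEYS = [0xA7, 0x3C, 0xE1, 0x58]      # constructed 8-bit round keys k(0)..k(3)


def F(half, key):
    """Round function, deliberately many-to-one: only 16 possible outputs."""
    return (((half ^ key) * 0x1D) + 0x5B) & 0xF0


def feistel(block, round_keys):
    """Run the network: L(i+1) = R(i), R(i+1) = L(i) xor F(R(i), k(i))."""
    left, right = block >> 8, block & 0xFF
    for k in round_keys:
        left, right = right, left ^ F(right, k)
    return (right << 8) | left       # output the halves swapped


def encrypt(block, round_keys):
    return feistel(block, round_keys)


def decrypt(block, round_keys):
    # Same network and same F; only the key schedule is reversed.
    return feistel(block, round_keys[::-1])


def f_image_size(key):
    """Number of distinct outputs of F over all 256 inputs (256 if invertible)."""
    return len({F(x, key) for x in range(256)})


def is_permutation(round_keys):
    """True if encryption maps the 65536 blocks onto 65536 distinct blocks."""
    return len({encrypt(b, round_keys) for b in range(1 << 16)}) == 1 << 16


if __name__ == "__main__":
    print("distinct F outputs:", f_image_size(KEYS[0]))
    print("E_K is a permutation:", is_permutation(KEYS))
    print("round trip ok:", decrypt(encrypt(0xBEEF, KEYS), KEYS) == 0xBEEF)
```

Although F collapses 256 inputs onto 16 outputs, every key still gives a permutation of the 16-bit blocks, which is the defining property of a block cipher.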

Lai-Massey

[Figure: Encryption and Decryption Network of a Basic Lai-Massey Scheme (Courtesy: Wikipedia). Two panels, Encryption and Decryption, with halves L0, R0, components labelled F, H and H−1, and round keys k(0), k(1), ..., k(r) for encryption and k(r), k(r−1), ..., k(0) for decryption.]

Lai-Massey (Cont.)

The security properties of the Lai-Massey scheme are similar to those of the Feistel structure.
Like the Feistel cipher, it also shares the advantage that the round function F need not be invertible.
Example: IDEA.

We will be considering SPN type block ciphers.

Iterated Block Cipher: Attacks

Attacks

Algebraic Attacks
Buchberger's Algorithm
Linearization Technique
Relinearization Technique
The XL algorithm (XL - eXtended Linearization)
Slide Attack and Advanced Slide Attack
...

Attacks (Cont.)

Statistical Attacks
Distinguishing Attacks
Linear Cryptanalysis and variants like Zero-correlation attack
Differential Cryptanalysis and variants like Higher Order Differentials
Truncated Differential Cryptanalysis
Impossible Differential Cryptanalysis
Improbable Differential Cryptanalysis
Boomerang Attack
Cube Attack
Other Attacks
Differential-linear attack
The Integral or Square attack
The Saturation attack
...