Differential Cryptanalysis of the Data Encryption Standard

Eli Biham
Adi Shamir

With 56 Illustrations

Springer-Verlag
New York Berlin Heidelberg London Paris Tokyo Hong Kong Barcelona Budapest

Eli Biham
Computer Science Department
Technion - Israel Institute of Technology
Haifa 32000, Israel

Adi Shamir
Department of Applied Mathematics and Computer Science
The Weizmann Institute of Science
Rehovot 76100, Israel

Library of Congress Cataloging-in-Publication Data
Biham, Eli.
Differential cryptanalysis of the Data Encryption Standard / Eli Biham, Adi Shamir.
p. cm.
Includes bibliographical references and index.
ISBN-13: 978-1-4613-9316-0
e-ISBN-13: 978-1-4613-9314-6
DOI: 10.1007/978-1-4613-9314-6
1. Computer - Access control. 2. Cryptography. I. Shamir, Adi. II. Title.
QA76.9.A25B54 1993
005.8'2 - dc20   92-44581

Printed on acid-free paper.

© 1993 by Springer-Verlag New York, Inc.
Softcover reprint of the hardcover 1st edition 1993

All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.

The use of general descriptive names, trade names, trademarks, etc., in this publication, even if the former are not especially identified, is not to be taken as a sign that such names, as understood by the Trade Marks and Merchandise Marks Act, may accordingly be used freely by anyone.

Production managed by Dimitry L. Loseff; manufacturing supervised by Vincent Scelta.
Photocomposed copy prepared using the authors' LaTeX files.
ISBN-13: 978-1-4613-9316-0

Preface

The security of iterated cryptosystems and hash functions has been an active research area for many years. The best known and most widely used function of this type is the Data Encryption Standard (DES). It was developed at IBM and adopted by the National Bureau of Standards in the mid 70's, and has successfully withstood all the attacks published so far in the open literature. Since the introduction of DES, many other iterated cryptosystems were developed, but their design and analysis were based on ad-hoc heuristic arguments, with no theoretical justification.

In this book, we develop a new type of cryptanalytic attack which can be successfully applied to many iterated cryptosystems and hash functions. It is primarily a chosen plaintext attack, but under certain circumstances it can also be applied as a known plaintext attack. We call it "differential cryptanalysis", since it analyzes the evolution of differences when two related plaintexts are encrypted under the same key.

Differential cryptanalysis is the first published attack which is capable of breaking the full 16-round DES in less than 2^55 complexity. The data analysis phase computes the key by analyzing about 2^36 ciphertexts in 2^37 time. The 2^36 usable ciphertexts are obtained during the data collection phase from a larger pool of 2^47 chosen plaintexts by a simple bit repetition criterion which discards more than 99.9% of the ciphertexts as soon as they are generated. This attack can be applied to a wide variety of DES-like substitution/permutation cryptosystems, and it demonstrates the crucial role of each element in their design. In particular, we show that almost any structural modification of DES leads to a much weaker cryptosystem, and that DES reduced to eight rounds is so weak that it can be broken in two minutes on a personal computer.
The attack is also applicable to bounded-round versions of the cryptosystems FEAL, Khafre, REDOC-II, LOKI and Lucifer, and to the hash functions Snefru and N-Hash.

We would like to use this opportunity to thank our colleagues who contributed remarks, suggestions, ideas and designs. Shoji Miyaguchi's FEAL cryptosystem motivated the first version of our attack, and Ralph Merkle's Snefru motivated its extension to hash functions. We had valuable discussions with Henry Gilbert and Matthew Kwan, who carried out related attacks on some of the cryptosystems discussed here, and we received valuable remarks from Philip Zimmermann. Don Coppersmith, Martin Hellman, and Alan Konheim sent us many helpful comments and suggestions which greatly improved the presentation of our results. Finally, the encouragement and help of our families are greatly appreciated.

Remark: Shortly before this book was sent to the publishers, Don Coppersmith (who was a member of the DES design team at IBM in the early 70's) revealed that his team was aware of differential cryptanalysis back in 1974, and designed the S boxes and the permutation in order to optimally defeat it. They had to keep this information secret for 18 years for national security reasons since it was such a potent form of cryptanalysis, but decided to break the silence after we rediscovered and published it. In response to our question, Don refused to reveal whether this is the strongest attack on the DES that his team was aware of, but reiterated his belief that the DES is still viable.

Contents

1 Introduction  1
2 Results  7
3 Introduction to Differential Cryptanalysis  11
  3.1 Notations and Definitions  11
  3.2 Overview  15
  3.3 Characteristics  22
  3.4 The Signal to Noise Ratio  29
  3.5 Known Plaintext Attacks  31
  3.6 Structures  31
4 Differential Cryptanalysis of DES Variants  33
  4.1 DES Reduced to Four Rounds  33
  4.2 DES Reduced to Six Rounds  37
  4.3 DES Reduced to Eight Rounds  41
    4.3.1 Enhanced Characteristic's Probability  46
    4.3.2 Extension to Nine Rounds  47
  4.4 DES with an Arbitrary Number of Rounds  48
    4.4.1 3R-Attacks  49
    4.4.2 2R-Attacks  50
    4.4.3 1R-Attacks  51
    4.4.4 Summary  52
    4.4.5 Enhanced Characteristic's Probability  54
  4.5 Modified Variants of DES  55
    4.5.1 Modifying the P Permutation  56
    4.5.2 Modifying the Order of the S Boxes  57
    4.5.3 Replacing XORs by Additions  58
      4.5.3.1 Replacing the XORs Within the F Function  58
      4.5.3.2 Replacing All the XORs  59
      4.5.3.3 Replacing All the XORs in an Equivalent DES Description  59
    4.5.4 Random and Modified S Boxes  60
    4.5.5 S Boxes with Uniform Difference Distribution Tables  62
    4.5.6 Eliminating the E Expansion  63
    4.5.7 Replacing the Order of the E Expansion and the XOR with the Subkeys  64
  4.6 DES with Independent Keys  65
    4.6.1 Eight Rounds  65
    4.6.2 Sixteen Rounds  68
  4.7 The Generalized DES Scheme (GDES)  69
    4.7.1 GDES Properties  69
    4.7.2 Cryptanalysis of GDES  71
      4.7.2.1 A Known Plaintext Attack for n = q  72
      4.7.2.2 A Second Known Plaintext Attack for n = q  72
      4.7.2.3 A Chosen Plaintext Attack for n = 2q - 1  73
      4.7.2.4 A Chosen Plaintext Attack for n = 3q - 2  73
      4.7.2.5 A Chosen Plaintext Attack for n = lq - 1  73
      4.7.2.6 The Actual Attack on the Recommended Variant  74
      4.7.2.7 Summary  76
5 Differential Cryptanalysis of the Full 16-Round DES  79
  5.1 Variants of the Attack  86
6 Differential Cryptanalysis of FEAL  89
  6.1 Cryptanalysis of FEAL-8  95
    6.1.1 Reducing FEAL-8 to Seven Rounds  96
    6.1.2 Reducing the Seven-Round Cryptosystem to Six Rounds  98
    6.1.3 Reducing the Cryptosystem to 5, 4, 3, 2 and 1 Rounds  99
    6.1.4 Calculating the Key Itself  100
    6.1.5 Summary  101
  6.2 Cryptanalysis of FEAL-N and FEAL-NX with N ≤ 31 Rounds  101
  6.3 Other Properties of FEAL  105
7 Differential Cryptanalysis of Other Cryptosystems  109
  7.1 Cryptanalysis of Khafre  109
  7.2 Cryptanalysis of REDOC-II  115
  7.3 Cryptanalysis of LOKI  121
  7.4 Cryptanalysis of Lucifer  125
    7.4.1 First Attack  128
    7.4.2 Second Attack  130
8 Differential Cryptanalysis of Hash Functions  133
  8.1 Cryptanalysis of Snefru  133
  8.2 Cryptanalysis of N-Hash  145
9 Non-Differential Cryptanalysis of DES with a Small Number of Rounds  149
  9.1 Ciphertext Only Attacks  149
    9.1.1 A Three-Round Attack  149
    9.1.2 Another Three-Round Attack  150
    9.1.3 A Four-Round Attack  150
  9.2 Known Plaintext Attacks  151
    9.2.1 A Three-Round Attack  151
  9.3 Statistical Known Plaintext Attacks  152
    9.3.1 A Three-Round Attack  152
    9.3.2 A Four-Round Attack  152
    9.3.3 A Five-Round Attack  154
    9.3.4 A Six-Round Attack  154
A Description of DES  155
  A.1 The Key Scheduling Algorithm  159
  A.2 DES Modes of Operation  162
B The Difference Distribution Tables of DES  165
Glossary  175
Bibliography  183
Index  186
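The preface describes differential cryptanalysis as the study of how the XOR difference between two related plaintexts evolves through the cipher, and Appendix B of the contents lists the difference distribution tables of DES that make this concrete for each S box. The following is an added illustration, not code from the book: it computes the difference distribution table of DES S-box S1 (the S1 table itself is the published FIPS 46 standard) and extracts the most likely non-trivial input-XOR to output-XOR transition, which is the building block a characteristic is assembled from. Function names and the layout of the table as a 64 x 16 list are choices made for this example, not notation from the book.

```python
"""Difference distribution table (DDT) of a DES S-box.

Added illustration: ddt[dx][dy] counts how many of the 64 inputs x satisfy
S(x) ^ S(x ^ dx) == dy.  A row sums to 64; dividing by 64 gives the
probability that an input XOR dx produces the output XOR dy, which is the
quantity a differential characteristic multiplies across rounds.
"""

# DES S-box S1 (FIPS 46), 4 rows x 16 columns.  The other seven S boxes
# have the same shape and could be analysed by the same function.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """Apply a DES S-box to a 6-bit input.

    Bit numbering follows the standard: the outer two bits (b1, b6) select
    the row, the middle four bits (b2..b5) select the column.  x is an int
    with b1 as its most significant bit.
    """
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def difference_distribution_table(table):
    """Return the 64 x 16 table ddt with ddt[dx][dy] as described above."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            dy = sbox(table, x) ^ sbox(table, x ^ dx)
            ddt[dx][dy] += 1
    return ddt


def best_nonzero_entry(ddt):
    """Largest count for a non-trivial input difference (dx != 0).

    Returns (dx, dy, count).  The trivial row dx = 0 always maps to dy = 0
    with count 64 and carries no information, so it is skipped.
    """
    best = (0, 0, 0)
    for dx in range(1, 64):
        for dy in range(16):
            if ddt[dx][dy] > best[2]:
                best = (dx, dy, ddt[dx][dy])
    return best


def transition_probability(ddt, dx, dy):
    """Probability that input XOR dx yields output XOR dy for this S box."""
    return ddt[dx][dy] / 64


if __name__ == "__main__":
    ddt = difference_distribution_table(S1)
    dx, dy, cnt = best_nonzero_entry(ddt)
    print(f"most likely S1 transition: {dx:02x} -> {dy:x} with {cnt}/64")
    print("row for input XOR 34x:", ddt[0x34])
```

Two properties of the table are worth checking when running this: every row sums to 64, and every entry is even, because x and x ^ dx always land in the same cell. The DES design criterion Coppersmith later disclosed caps the non-trivial entries at 16, i.e. no single input XOR pushes a particular output XOR with probability above 1/4 for any S box, which is exactly the bound this computation reproduces for S1.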