25 Years of Linear Cryptanalysis -Early History and Path Search Algorithm- Asiacrypt 2018, December 3 2018 Mitsuru Matsui © Mitsubishi Electric Corporation Back to 1990… 2 © Mitsubishi Electric Corporation FEAL (Fast data Encipherment ALgorithm) • Designed by Miyaguchi and Shimizu (NTT). • 64-bit block cipher family with the Feistel structure. • 4 rounds (1987) • 8 rounds (1988) • N rounds(1990) N=32 recommended • Key size is 64 bits (later extended to 128 bits). • Optimized for 8-bit microprocessors (no lookup tables). • First commercially successful cipher in Japan. • Inspired many new ideas, including linear cryptanalysis. 3 © Mitsubishi Electric Corporation FEAL-NX Algorithm [Miyaguchi 90] subkey 4 © Mitsubishi Electric Corporation The Round Function of FEAL 2-byte subkey Linear Relations 푌 2 = 푋1 0 ⊕ 푋2 0 푌 2 = 푋1 0 ⊕ 푋2 0 ⊕ 1 (푁표푡푎푡푖표푛: 푌 푖 = 푖-푡ℎ 푏푖푡 표푓 푌) 5 © Mitsubishi Electric Corporation Linear Relations of the Round Function Linear Relations 푂 16,26 ⊕ 퐼 24 = 퐾 24 K 푂 18 ⊕ 퐼 0,8,16,24 = 퐾 8,16 ⊕ 1 푂 10,16 ⊕ 퐼 0,8 = 퐾 8 S 0 푂 2,8 ⊕ 퐼 0 = 퐾 0 ⊕ 1 (푁표푡푎푡푖표푛: 퐴 푖, 푗, 푘 = 퐴 푖 ⊕ 퐴 푗 ⊕ 퐴 푘 ) S1 O I ｆ S0 ｆ 3-round linear relations with p=1 S1 ｆ modified round function f at least 3 subkey (with whitening key) ｆ bytes affect output6 6 © Mitsubishi Electric Corporation History of Cryptanalysis of FEAL • 4-round version – 100-10000 chosen plaintexts [Boer 88] – 20 chosen plaintexts [Murphy 90] – 8 chosen plaintexts [Biham, Shamir 91] differential – 200 known plaintexts [Tardy-Corfdir, Gilbert 91] – 5 known plaintexts [Matsui, Yamagishi 92] pre-linear • 8-round version – 10000 chosen plaintexts [Tardy-Corfdir, Gilbert 90] differential – 2000 chosen plaintexts [Biham, Shamir 91] differential – 215-228 known plaintexts [Matsui, Yamagishi 92] pre-linear – 224 known plaintexts [Biham 94] linear – 210-211 known plaintexts [Sakikoyama et al 2016] multiple linear 7 © Mitsubishi Electric Corporation A Better Relation and Pre-linear Attack 푂 10, 18, 26 ⊕ 퐼 16 = 퐾 16,24 ⊕ 1 [Tardy-Corfdir, Gilbert 91] K 푐푎푟푟푦 7 6 5 4 3 2 1 0 ← 퐴 ⊕ 퐾1 S0 +) 7 6 5 4 3 2 1 0 ← 퐵 ⊕ 퐾2 퐾2 푂[16] 퐵 푂[16] S1 O 12 subkey bits 퐾1 I 퐴 퐾1 0 , … , 퐾1 5 , 퐾2 0 , … , 퐾2[5] S 0 non-linearly affect 푂 16 . How to reduce S1 these “active” subkey bits ? Fourth (modified) round function 8 © Mitsubishi Electric Corporation A Better Relation and Pre-linear Attack 푂 10, 18, 26 ⊕ 퐼 16 = 퐾 16,24 ⊕ 1 [Tardy-Corfdir, Gilbert 91] 푐푎푟푟푦 7 6 5 4 3 2 1 0 ← 퐴 ⊕ 퐾1 +) 7 6 5 4 3 2 1 0 ← 퐵 ⊕ 퐾2 퐾2 푂[16] 퐵 푂[16] S1 Observation [Matsui, Yamagishi 92] 퐾1 퐴 Divide inputs into two groups 퐴 5 = 퐵[5] and 퐴 5 = ~퐵[5]. Then for one of the two groups, 퐴 6 ⊕ 퐴 5 ⊕ 퐵 6 ⊕ 푂[16] is const. This reveals 퐾1 5 = 퐾2[5] or 퐾1 5 = ~퐾2 5 . 9 © Mitsubishi Electric Corporation The Cut-off Method Later generalized as “Partitioning Cryptanalysis” [Harpes, Massey 97]. Divide plaintext-ciphertext pairs into two groups. – For one group, a relation always holds or fails (p=1 or 0). – For the other, the relation does not always hold (p≈1/2). – “Which is which” depends on key. A few pairs are enough to distinguish. – Also reducing the number of relevant text/key bits. – Better than (probabilistic) linear approximation. Successful for FEAL, but applying this method to DES is difficult… 10 © Mitsubishi Electric Corporation Moving to Linear Approximation 푥 Linear Approximation Probability 푝 푎, 푏 = 푥 푎 ⋅ 푥 = 푏 ⋅ 푦 /2푛 푎, 푏: linear characteristic or masking value 푆 0 ≤ 푝 푎, 푏 ≤ 1 푦 = 푆(푥) Linear Correlation 휆푝푆 푎, 푏 = 2푝 푎, 푏 − 1 휆푝 푎, 푏 is larger = more linear. 푎 ⋅ 푥 푆 0 ≤ |휆푝푆 푎, 푏 | ≤ 1 Differential Characteristic Probability 푛 훿푝푆 푎, 푏 = 푥 푆 푥 ⊕ 푆 푥 ⊕ 푎 = 푏 /2 푎, 푏: differential characteristic 푏 ⋅ 푦 0 ≤ 훿푝푆 푎, 푏 ≤ 1 11 © Mitsubishi Electric Corporation An Example: S5 of DES 푥 푋 3 = 푌[2] 휆푝푆5 8,4 = 0 no use 푋 1 = 푌[0] 휆푝푆5 2,1 = 1/8 makes sense 푆5 푋 4 = 푌[0,1,2,3] 휆푝푆5 16,15 = −5/8 very biased 푦 = 푆5(푥) 푎 ⋅ 푥 This relation was fully used for cryptanalyzing the full 16-round DES. Adi Shamir (and independently Matt Franklin) 푏 ⋅ 푦 had found this correlation already in 1985. 12 © Mitsubishi Electric Corporation “On the Security of DES” [Shamir Crypto 85] X[4]=0 X[4]=1 Y[0,1,2,3]=0 13 © Mitsubishi Electric Corporation Best Path Search Algorithm 푎0 • An algorithm deriving linear (resp. differential) path 푅1 푎0, 푎1, … , 푎푟 that maximize 푖=1…푟 |휆푝푅 푎푖−1, 푎푖 | (resp. 훿푝). 푎1 푖 • Expected to lead to the most efficient attack. 푅2 푎 2 • The best linear (resp. differential) path of the full DES was completely determined. 푎푟−1 • Still being used as a tool for evaluating block ciphers 푅푟 (e.g. “multiple linear cryptanalysis”). 푎푟 14 © Mitsubishi Electric Corporation The Algorithm: Sketch 푎0 • Induction on the number of rounds: – Computes 퐵 푟 (and the corresponding 푅1 푏푒푠푡 푎0, 푎1, … , 푎푟) assuming 퐵푏푒푠푡(푖) (푖=1, … , 푟-1) is known. 푎1 퐵푎0푎1…푎푡 푅2 • Needs an initial value 퐵푖푛푖푡(푟)(< 퐵푏푒푠푡 푟 ) – Works for any small value, but significantly 퐵 (푟) 푎 푖푛푖푡 2 affects performance. – Updated when a better path is found. – When finished, 퐵푖푛푖푡(푟) must be 퐵푏푒푠푡(푟). 푎푟−1 퐵푏푒푠푡(푟 − 푡) • Given 푎 , 푎 , … , 푎 , choose 푎 such that 푅푟 0 1 푡−1 푡 퐵푖푛푖푡 푟 < 퐵푎0푎1…푎푡 ∗ 퐵푏푒푠푡 푟 − 푡 holds. 푎푟 – If not holds, no hope of finding a better path. 퐵 (푟) = max 휆푝 (푎 , 푎 ) 퐵푎0푎1…푎푡 = 푖=1…푡 휆푝푅푖(푎푖−1, 푎푖) 푏푒푠푡 푖=1…푡 푅푖 푖−1 푖 푎0푎1…푎푟 15 © Mitsubishi Electric Corporation The Branch-and-Bound Method Path Search Algorithm Define Binit(n) for n=1,2,..,r Search1(); Search1() /* 1st round characteristic */ for each characteristic a1 choose a0 so as to maximize |λpR1(a0,a1)| Search2(2); Search2(i) /* i-th round characteristic i>1 */ for each characteristics ai [in an decreasing order of | λpRi(ai-1,ai)|] if(ai is not ‘connectable’ to ai-1) continue; if(Ba0,a1,..,ai * Bbest(r-i) < Binit(r)) return; /* no hope of this path */ if(i == r) /* reached bottom */ Binit(r) = Ba0,a1,..,ai; /* found a better path ! */ else Search2(i+1); /* go to next round */ 16 © Mitsubishi Electric Corporation Time Complexity • In practice, we need to design a double recursive algorithm to handle multiple active S-boxes in a single round. • Generally exponentially heavy. • Difficult to estimate computing time in advance. • Found the best linear path of DES in a few minutes (in 1993), which is equivalent to an exhaustive path search. • Speed depends on the quality of the initial value Binit. • Limiting the number of active S-boxes per round often improves performance significantly. – Step1: Limited search using arbitrary small initial values. – Step2: Full search using the output of Step1 as initial values. 17 © Mitsubishi Electric Corporation First Experiment of Breaking the Full DES • July to September, 1993 (50 days) • 12 computers (PA-RISC) • 243 known plaintext-ciphertext pairs (generated by M-sequence). • 26 key bits from 2 equations derived from best 14-round linear path. • Remaining 30 key bits were found by an exhaustive search. • The biggest threat was the “thunder attack”. One of the 12 computers (PA-RISC 99MHz) 18 © Mitsubishi Electric Corporation DES variants with permuted S-boxes • Best linear/differential path search for all (8!=40320) permutations. • For permuted DES variants, partial results were known [Matsui94] The only following paths were searched: – (differential) Biham-Shamir’s two-round iterative characteristics. – (linear) one active S-box per round (type I) or two-round iterative characteristics (type II). • Complete search for all permutation patterns [Unpublished] – (differential) confirmed that known best is actually best. – (linear) better paths newly found for some permutations. 19 © Mitsubishi Electric Corporation Biham-Shamir’s 2-round Iterative Characteristic Three adjacent active S-boxes in every other round 0 19600000 S1 Δ퐼 =03 Δ푂푆1=00 푆1 Δ푂 =0 Δ퐼 =19600000 1 1 S2 Δ퐼푆 =32 F Δ푂푆2=00 2 S3 Δ퐼 =2C Δ푂푆3=00 푆3 Δ푂 =0 Δ퐼 =0 2 F 2 0 19600000 For all permuted DES variants, this type of characteristic achieves best path (part of design criteria of DES). 20 © Mitsubishi Electric Corporation Distribution of Best 16-round Differential Char Probability of Permuted DES Variants 9000 8000 7680 6816 DES: -61.97 7000 6336 6000 5024 5000 4576 4000 2880 3000 2208 1920 Number of permutations of Number 2000 960 960 1000 784 0 0 0 160 16 0 -49 -50 -51 -52 -53 -54 -55 -56 -57 -58 -59 -60 -61 -62 -63 -64 -65 Best 16-round differential characteristic probability (log2) 21 © Mitsubishi Electric Corporation Distribution of Best 15-round Differential Char Probability of Permuted DES Variants 10000 9024 8640 9000 8256 8000 7680 7000 6000 5000 DES: -55.10 4000 2880 3000 Number of permutations of Number 2000 960 960 832 832 1000 0 0 0 0 256 0 -43 -44 -45 -46 -47 -48 -49 -50 -51 -52 -53 -54 -55 -56 -57 Best 15-round differential characteristic probability (log2) 22 © Mitsubishi Electric Corporation Distribution of Best 16-round Linear Correlation of Permuted DES Variants 12000 10841 10375 10000 DES: -22.42 8000 6000 5664 4320 4000 3024 2792 Number of permutations of Number 2000 1440 720 879 237 27 1 0 -20 -21 -22 -23 -24 -25 -26 -27 -28 -29 -30 -31 -32 Best 16-round linear correlation (log2) 23 © Mitsubishi Electric Corporation Distribution of Best 15-round Linear Correlation of Permuted DES Variants 30000 25000 23972 DES: -20.74 20000 15000 10000 5760 4902 Number of permutations of Number 5000 2277 720 0 1411 1048 190 40 0 -19 -20 -21 -22 -23 -24 -25 -26 -27 -28 -29 Best 15-round linear correlation (log2) 24 © Mitsubishi Electric Corporation Some Observations • Some interesting linear paths: Ex.1: Non iterative 16-round best path 7 – 7 8 7 – 7 8 7 – 7 32 7 – 7 5 2-28.68 (3 perms) Ex.2: 11-round best path with 3 active S-boxes in a round 1 5 – 5 1 456 1 5 – 5 1 2-18.98 (29 perms) • The permutation choice of the original DES is very weak.