Block Ciphers - Analysis, Design and Applications

Lars Ramkilde Knudsen

July 1, 1994

Contents

1 Introduction
    1.1 Birthday Paradox
2 Block Ciphers - Introduction
    2.1 Substitution Ciphers
    2.2 Simple Substitution
        2.2.1 Caesar substitution
    2.3 Polyalphabetic Substitution
        2.3.1 The Vigenère cipher
    2.4 Transposition Systems
        2.4.1 Row transposition cipher
    2.5 Product Systems
3 Applications of Block Ciphers
    3.1 Modes of Operations
    3.2 Cryptographic Hash Functions
    3.3 Digital Signatures
        3.3.1 Private digital signature systems
        3.3.2 Public digital signature systems
4 Security of Secret Key Block Ciphers
    4.1 The Model of Reality
    4.2 Classification of Attacks
    4.3 Theoretical Secrecy
    4.4 Practical Secrecy
        4.4.1 Other modes of operation
5 Cryptanalysis of Block Ciphers
    5.1 Introduction
    5.2 Differential Cryptanalysis
        5.2.1 Iterative characteristics
        5.2.2 Iterative characteristics for DES-like ciphers
        5.2.3 Differentials
        5.2.4 Higher order differentials
        5.2.5 Attacks using higher order differentials
        5.2.6 Partial differentials
        5.2.7 Differential cryptanalysis in different modes of operation
    5.3 Linear Cryptanalysis
        5.3.1 The probabilities of linear characteristics
        5.3.2 Iterative linear characteristics for DES-like ciphers
    5.4 Analysis of the Key Schedules
        5.4.1 Weak and pairs of semi-weak keys
        5.4.2 Simple relations
        5.4.3 Weak hash keys
6 Analysis of Specific Block Ciphers
    6.1 DES
        6.1.1 Iterative characteristics
        6.1.2 Analysis of the key schedule
        6.1.3 Higher order differentials
        6.1.4 Partial differentials
        6.1.5 Linear cryptanalysis
        6.1.6 Epilogue
    6.2 LOKI'91
        6.2.1 Differential cryptanalysis of LOKI'91
        6.2.2 The F-function of LOKI'91
        6.2.3 A chosen plaintext attack reducing key search
        6.2.4 Weak hash keys for LOKI'89 and LOKI'91
        6.2.5 Conclusion and open problems
    6.3 s2-DES
    6.4 s3-DES
    6.5 xDESi
        6.5.1 A chosen plaintext attack on xDES1
        6.5.2 A differential attack on xDES2
7 Design of Block Ciphers
    7.1 Design Principles
    7.2 Sufficiently Large Block and Key Size
    7.3 Resistance Against Differential Attacks
        7.3.1 Differentially uniform mappings
    7.4 Markov Ciphers and Differentials
        7.4.1 Feistel ciphers
    7.5 Resistance Against Linear Attacks
    7.6 Ciphers Resistant to Differential and Linear Attacks
        7.6.1 Iterated cipher
        7.6.2 DES-like iterated cipher
    7.7 Strong Key Schedules
    7.8 A Test for Nonlinear Order
    7.9 Cascade Ciphers
        7.9.1 Multiple encryption
8 Cryptanalysis of Hash Functions
    8.1 The Solving One-half Attack
        8.1.1 Attacks on a large class of double block length hash functions of hash rate 1
        8.1.2 Attacks on all double block length hash functions of hash rate 1
    8.2 Analysis of Specific Hash Functions
        8.2.1 Parallel-DM
        8.2.2 The PBGV hash function
        8.2.3 The LOKI DBH mode
        8.2.4 The AR hash function
    8.3 Attacks based on Differential Cryptanalysis
        8.3.1 Single block length hash functions based on DES-variants
        8.3.2 New characteristics for differential collision attacks
9 Conclusions
A A Pictorial Illustration
B Tedious Proofs
    B.1 Iterative Characteristics for the DES
    B.2 Key Enumeration in LOKI'91
C The Data Encryption Standard
D LOKI'91
E Danish Summary

Acknowledgements

First of all, I would like to thank my supervisor, Ivan Bjerre Damgård, for his support during my two and a half years as a Ph.D. student. For always patiently listening to and commenting on my ideas and research topics and for not laughing whenever I "broke" the DES algorithm. Also, thank you Ivan for suggesting that I study differential cryptanalysis for my Master's thesis.

A very special thank you to the referee Bart Preneel for many comments that improved this thesis and for answering my many questions about hash functions. Also thank you Bart and Ria for your hospitality during my visit in Leuven.

My interest in cryptography started in a course given by Peter Landrock. We were given a sheet of ciphertext, some plaintext encrypted using the Vigenère cipher.
I was very amazed that one week later, we implemented an attack, which on input this ciphertext output the plaintext a few seconds later, without knowledge of either the key or the plaintext in advance. So, thank you Peter for lighting my cryptographic candle and for your humour.

Also a big thank you to my colleagues, Torben Pedersen, Lidong Chen, and Jørgen Brandt of Aarhus University for many helpful comments and discussions and a big thanks to Torben for proofreading.

A special thank you to my dear co-authors, Kaisa Nyberg, Xuejia Lai, and Luke O'Connor for working with me on those specific projects and for many helpful comments and discussions in general and to Don Coppersmith for valuable comments on one of the papers.

I would like to thank the people at the ETH in Zürich, Kenny Paterson, Shirlei Serconek, Atsushi Fujioka, Gerhard Krämer, and last but not least James L. Massey. Thank you Jim for allowing me to stay at the ETH and for your and your wife Lis' big hospitality during my stay in Switzerland. Thank you Lis for the "wild card" to the ATS seminar 1993.

Also thank you Tor Helleseth for arranging the Nordic crypto course in June 1992, and to Eli Biham, Kwangjo Kim, Willi Meier, Yuliang Zheng, and B. Schneier [105] for helpful comments and discussions.

Big thanks to D.Å.T. and the boys for having me on tonight, to the Rolling Stones, Chuck Berry, and Jack D. for general inspiration. It's only cryptography, but I like it.

Finally, thank you Heather for being; the most lovely and loving person, I have ever met.

Århus, July 1, 1994
Lars Ramkilde Knudsen

Abstract

In this thesis we study cryptanalysis, applications and design of secret key block ciphers. In particular, we study the important class of Feistel ciphers, which consist of a number of rounds, where in each round one applies a cryptographically weak function.

Applications

The main application of block ciphers is that of encryption.
We study the available modes of operation for encryption, introduce a new taxonomy for attacks on block ciphers and derive a new theoretical upper bound for attacks on block ciphers. Another important application of block ciphers is also studied: as building blocks for cryptographic hash functions. Finally we examine how to use block ciphers as building blocks in the design of digital signature schemes. In particular we analyse Merkle's proposed scheme and show that under suitable and reasonable conditions, Merkle's scheme is secure and practical.

Cryptanalysis

We study the most important known attacks on block ciphers, linear cryptanalysis and differential cryptanalysis, and introduce a new attack based on simple relations. Differential cryptanalysis makes use of so-called differentials (A, B), i.e., a pair of plaintexts with difference A, which after a certain number of rounds result in a difference B with a non-negligible probability. This fact can be used to derive (parts of) the secret key. Ideas of how to find the best such differentials are given. It is also shown that higher order differentials, where more than two plaintexts are considered at a time, and partial differentials, where only a part of (A, B) can be predicted, both have useful applications. The above attacks and our new methods of attack on block ciphers are applied to the specific block ciphers DES, LOKI'91, s2-DES, xDES1 and xDES2.

Attacks on hash functions based on block ciphers are studied and new attacks on a large class of hash functions based on a block cipher, including three specific proposed schemes, are given. A fourth scheme, the AR Hash function, belonging to another class of hash functions based on block ciphers, is also studied. The scheme is faster than the known standard ones and was used in practice by German banks. It is shown that the scheme is completely insecure.

Design

We discuss principles for the design of secure block ciphers.