See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/246375728 Higher Order Derivatives and Differential Cryptanalysis Article · January 1994 DOI: 10.1007/978-1-4615-2694-0_23 CITATIONS READS 175 369 1 author: Xuejia Lai Shanghai Jiao Tong University 112 PUBLICATIONS 2,829 CITATIONS SEE PROFILE All content following this page was uploaded by Xuejia Lai on 04 May 2016. The user has requested enhancement of the downloaded file. All in-text references underlined in blue are added to the original document and are linked to publications on ResearchGate, letting you access and read them immediately. Reprint of pp Communications and Cryptography Ed RBlahut et al Kluwer Academic Publishers Higher Order Derivatives and Dierential Cryptanalysis Xuejia Lai R Security Engineering AG CH Aathal Switzerland lairch Abstract Highorder derivatives of multivariable functions are studied in this pap er as a natural generalization of the basic concept used in dierential cryptanalysis Possible applications of such derivatives in cryptology are discussed I Intro duction In just after Jim and I published at Euro crypt our new blo ck cipher PES the previous version of the IDEA cipher dierential cryptanalysis was prop osed byBiham and Shamir as a chosenplaintext attack to nd the secretkey of an iterated blo ck cipher In Biham and Shamir showed that the full round DES can b e broken by dierential cryptanalysis using only encryptions which is the rst rep orted attack that nds the secretkey of DES with fewer encryptions than exhaustivekeysearch Besides DES dierential cryptanalysis has b een applied successfully to many other ciphers for example the blo ck ciphers FEAL Khafre REDOC LOKI and Lucifer Likeevery cipher designer who heard a new attack that can b e applied to his cipher we started to apply the dierential cryptanalysis to our own prop osal As I talked to Jim ab out the rst result of the analysis he noticed immediately that the use of the prop erties of a Markovchain is essential to dierential cryptanalysis This observation led to the concept of Markov Cipher whichwe presented in where it was shown that the dierential cryptanalysis of many if not all practical blo c k ciphers can b e formulated in terms of the theory of Markovchains For example the implication of the only Lemma in Biham and Shamirs pap er is that DES is a Markov cipher In particular a fairly tightlower b ound on the complexity of a dierential cryptanalysis attack on a cipher can b e derived in terms of parameters of the Markovchain Although dierential cryptanalysis requires far to o muchchosen plaintexts to b e a practical attack on a cipher the complexity of a dierential cryptanalysis attack is the b est measure of its cryptographic strength that is known to day In this pap er we consider a p ossible generalization of the original rstorder dif ferential cryptanalysis in terms of higherorder derivative which is dened in Section where some general prop erties of derivatives are studied In Section we consider some This work was carried out at the Signal and Information Pro cessing Lab oratory of the Swiss Federal Institute of TechnologyZurich Switzerland sp ecial prop erties of derivatives of binary functions Section discusses the applications of such higher order derivatives in cryptology In particular we consider the relation ship among derivatives dierential cryptanalysis and linear structure of cryptographic functions I I Higher order derivatives Denition Let S and T b e Ab elian groups For a function f S T the derivatives of the f at point a S is dened as f xf x a f x a Note that the derivativeof f is itself a function from S to T we can dene the ith i derivative of f at a a a as i i i f x f x a i a a a a i i i f x b eing the i th derivativeof f at a a a The th where i a a i derivativeof f x is dened to b e f x itself For example for i wehave f x f x a a a a f x a f x a f x a a f x a f x a f x f x a a f x a f x a f x It then follows that f x a a f x f x f xf x a a a a In general one can show the following result Prop osition n X X i f x f x a a a n a a j j i i j j n i Pro of For n it follows from the denition Supp ose holds for n Then n f x a a n n n f x a f x n a a a a n n n X X i A f x a f x a a a n n n a a j j i i j j n i n f x a a n n X X i f x a f x a a n n a a j j i i j j n i n n X X X X i i n A f x f x f x a a a a a a j j j j n i i i i j j n j j n i i n X X i f x a f x f x a a n n a a j j i i j j n i n X X i n A f x f x a a a a j j n i i j j n i n X X i f x a a f x n a n a a j j i i j j n i n X X i n A f x f x a a a a j j n i i j j n i n X X i f x a a f x n a a a n j j i i j j n i n X X i n A f x f x a a a a j j n i i j j n i n X X i A f x f x a a n a a a n j j i j j n i i Some basic prop erties of the derivative are as follows f g f g a a a f xg x f x a g x f xg x a a a Equation is rather obvious and Equation can b e obtained as follows f xg x f x ag x a f xg x a f x ag x a g x f x a f xg x f x a g x f xg x a a Prop osition Let deg f denote the nonlinear degree of a multivariable polynomial function f x Then deg f x deg f x a Pro of It follows from equation and from the facts that deg f g maxdeg f deg g and deg fg degf degg and that the derivativeofalinear function is a constant I I I Derivatives of binary functions In what follows we will consider only the binary functions and the group op eration is the bitwise XOR denoted by i Prop osition Let La a a be the list of al l possible linear combinations of i a a a Then i X i f x f x c a a i cLa a a i Weproveitby induction For i itisobvious Supp ose hold for i Pro of then by denition i i f x f x a i a a a a i i i i f x f x a i a a a a i i X X A A f x c a f x c i cLa a a cLa a a i i X f x c cLa a a i Corollary Derivatives of binary function is independent of the order in which the derivation is taken ie for any permutation pj of index j i i f x f x a a a a i p pi The ab ove results lead to the lower b ound on the probability of derivative function taking on a certain value This probability is essential in cryptanalysis using such derivatives n n F and linearly independent a a a in Prop osition For function f F i in n n i f xb is either or at least if x is uniformly F and for any b F P a a i random Pro of From equation if at input x the derivativetakes on value b then at all i inputs x c c La a a the derivative will takeonvalue b i i f x Prop osition If a is linearly dependent of a a a then i i a a i Pro of If a is linearly dep endentof a a thena is contained in the list i i i La a a Thus in wehave i X X f x c a f x c i cLa a a cLa a a i i which implies that the derivative is zero The ab ove result shows that derivatives should b e computed at the p oints that are linearly indep endent Otherwise the higher order derivatives will b e trivially zero such cases are of no interest for our purp ose n m Prop osition For any function f F F the nth derivative of f is a constant n n If f F F is invertible then n th derivative of f isaconstant Pro of Each comp onent function of f can have a nonlinear degree at most n When f is invertible the nonlinear degree of its comp onent function is at most n The pro of then follows from Prop osition Example For f x x x x x x x x x x x x x we compute the nd derivative at f x x x x f x x x x f x x x x x x x x x x x x x x Thus f x x x x Note that and are linearly inde p endent and function f has a nonlinear degree IV Cryptographic signicance of derivatives Dierential cryptanalysis and derivatives The basic concept of dierential crypt analysis is the probability of dierentials An dierential is a couple a b where a is the dierence of a pair of distinct inputs x and x and where b is a p ossible dierence for the resulting outputs y f x and y f x The probability of an dierential a b is the conditional probabilitythat b is the dierence y of the outputs given that the input pair x x has dierence x a when the x is uniformly random We denote this dierential probabilityby P y bjx a If the dierence is dened by the group op eration ie if x x x then f b P y bjx a P f x a f x bP a Prop osition The probability of a dierential a b is the probability that the rst derivative of function f x at point a takes on value b when x is uniformly random The success of dierential cryptanalysis is based on the fact that many practical blo ck ciphers are obtained from iterating a cryptographically weak round function If the dierence of a pair of inputs to the last round can b e anticipated with a high probability then the secret key used in the last round can usually b e derived from the pair of outputs and from the dierence at the input By using highorder derivatives the basic idea of dierential cryptanalysis can b e generalized to the case when more than two inputs are used simultaneously for deriving the secret key if a nontrivial ith derivative of r round function takes on a value with high probability then it is i possible to derive the key for the last round from the known outputs and from the anticipated derivative value Although some