7 Cryptanalysis - DCU School of Computinghamilton/teaching/CA642/notes/Cryptanalysis.pdf7...

CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 CryptanalysisCryptanalysisAttacks such as exhaustive key-search do not exploit any properties of the encryptionalgorithm or implementation.Structural attacks exploit structural weaknesses in the algorithm.Two main types:

• Differential cryptanalysis

• Linear cryptanalysis

Side channel cryptanalysis exploits weaknesses in the implementation.

7.1 Structural AttacksStructural AttacksThese attacks lead to important design criteria (go back to Shannon):

• Nonlinearity (in plaintext and in key input): ‘confusion’

• Spreading of statistics over all bits: ‘diffusion’

If ciphers are ‘too linear’, the following known plaintext attacks can succeed:

P1→C1P2→C2

⇒ (P1 +P2)→ (C1 +C2)

Also dangerous:

• (P1 +P2)→C3 ≈ (C1 +C2)

• (P1 +P2)→ (C1 +C2) with large probability.

Structural Attacks

If C[1] is only function of P[1], K[1], then the cryptanalyst can solve separate ‘sub-ciphers’.If C[1] depends only very weakly on K[i], P[ j], then the cryptanalyst can solve separateproblems.

Geoff Hamilton


Structural AttacksConsider the following example S-Box:

00 01 10 110 10 01 11 001 00 10 01 11

For input bits x0x1x2, x0 gives the row, and x1x2 gives the column.For example, Sbox(010) = 11.Consider the two inputs X1 = 110 and X2 = 010, and key K = 011.X1⊕K = 101, X2⊕K = 001, so Sbox(X1⊕K) = 10, Sbox(X2⊕K) = 01.If K is unknown, but the inputs and corresponding outputs to the S-Box are known thenX1⊕K ∈ 000,101 and X2⊕K ∈ 001,110.Since X1 and X2 are known, K ∈ 110,011∩011,100, so K = 011.

7.2 Differential CryptanalysisDifferential CryptanalysisDifferential cryptanalysis: propagation of differences:

P1 → C1P1 +δ → C1 + ε

Look for special values of ε

• Probabilistic attack.

• First proposed by Murphy in 1990 for the cryptanalysis of FEAL-4.

• Further elaborated by Biham and Shamir in a series of papers.

• A chosen plaintext attack.

• Exploits the over-use of the XOR function in many contemporary block ciphers.

Differential CryptanalysisDifferential cryptanalysis exploits the linearity of operations in block ciphers.Some commonly used linear operations in block ciphers:

• a = b⊕ c

• a = the bits of b in (a known) permuted order

Linear relations can be found by solving a system of linear equations.In a Feistel structure Ri = Li−1⊕F(Ri−1,Ki) and Li = Ri−1.if F is linear (e.g. F(Ri−1,Ki) = Ri−1⊕Ki), we can solve and find Ki.F must therefore be non-linear: this is often achieved through the use of non-linearS-Boxes (e.g. DES).

Geoff Hamilton


Differential Cryptanalysis

1. Start with 2 known plaintexts P0 and P1 with known XOR difference (called thecharacteristic) ΩP = P0⊕P1, and trace through a probable pattern of differencesafter each round to obtain a difference for the ciphertext.

• The assumption is that many pairs (P0,P1) with a given difference ΩP yieldthe same output difference if the same subkey Ki is used.

• That is F(P0,Ki)⊕F(P1,Ki) is a function of ΩP with high probability.

2. Submit P0 and P1 for encryption to determine the actual differences under theunknown key.

3. If there is a match between the two values we suspect that all intermediate roundsare correct.

4. Can then work backwards through all the rounds to recover all the subkeys.

Differential CryptanalysisConsider the previous S-Box being used in a cipher in which the input to a round isXORed with the round key before being input into the S-Box.For input X1, the input to the S-Box is X1⊕K and for input X2 the input to S-Box isX2⊕K, where the key K is unknown.The S-box input difference is (X1⊕K)⊕ (X2⊕K) = X1⊕X2.So the input difference is independent of the key K.This is the fundamental observation that enables differential cryptanalysis to work.

Differential CryptanalysisGiven any S-Box, we can analyze it for useful input differences.For each possible input value X , find all X1, X2 s.t. X = X1⊕X2.Compute the corresponding output differences: Sbox(X1) ⊕ Sbox(X2).By tabulating the results, we can find the most biased input values:

X1⊕X2 00 01 10 11000 8 0 0 0001 0 0 4 4010 0 8 0 0011 0 0 4 4100 0 0 4 4101 4 4 0 0110 0 0 4 4111 4 4 0 0

Geoff Hamilton


7.3 Linear CryptanalysisLinear CryptanalysisFirst described by Matsui.Based on the idea of finding a linear correlation between the input and output.A known plaintext attack.Originally devised to attack DES: key can be found given 247 known plaintexts.Can also be used to attack FEAL-4.

Linear Cryptanalysis

1. For cipher with n-bit plaintext and ciphertext blocks and m-bit keys: let plaintextP = p1 . . . pn, ciphertext C = c1 . . .cn and key K = k1 . . .km.

2. Find fixed locations 1 ≤ α1 < α2 < .. .αp ≤ n, 1 ≤ β1 < β2 < .. .βc ≤ n, 1 ≤γ1 < γ2 < .. .γk ≤ m such that:

(pα1 ⊕ . . .⊕ pαp)⊕ (cβ1 ⊕ . . .⊕ cβc) = (kγ1 ⊕ . . .⊕ kγk)

holds with probability 6= 12 (the further from 1

2 the more effective the equation).

3. Compute results for the LHS of the equation for a large number of plaintext/ciphertextpairs. If the result is 0 more than half the time, then guess RHS is 0 (similarlyfor 1). This gives us a linear equation on key bits. Then try to find more suchequations.

Linear CryptanalysisFor the previous S-Box, we denote the three input bits as x0x1x2 and the two output bitsas y1y2.We tabulate the number of values for which each possible linear approximation holds:

y0 y1 y0⊕ y10 4 4 4x0 4 4 4x1 4 6 2x2 4 4 4

x0⊕ x1 4 2 2x0⊕ x2 0 4 4x1⊕ x2 4 6 6

x0⊕ x1⊕ x2 4 6 2

So P(y0 = x0⊕ x2⊕1) = 1 and P(y0⊕ y1 = x1⊕ x2) = 3/4.

7.4 Tiny DESTiny DESTiny DES (or TDES) is a much simplified version of DES that employs:

Geoff Hamilton


• A 16-bit block size

• A 16-bit key size

• Four rounds

• Two S-Boxes, each mapping 6 bits to 4 bits

• A 12-bit subkey in each round

TDES has no P-box, initial or final permutation.

Tiny DESTDES is a Feistel cipher, where for each round i = 1, 2, 3, 4:

Li = Ri−1Ri = Li−1⊕F(Ri−1,Ki)

where the plaintext is (L0,R0) and the ciphertext is (L4,R4).

Tiny DESA single round of TDES looks as follows:

Tiny DESTDES has two S-Boxes denoted by SboxLeft(X) and SboxRight(X).Both S-Boxes map 6 bits to 4 bits, as in standard DES.We define the function:

F(R,K) = Sboxes(expand(R)⊕K)

Geoff Hamilton


where:

Sboxes(x0x1x2 . . .x11) = (SboxLeft(x0x1 . . .x5),SboxRight(x6x7 . . .x11))

The expansion permutation is given by:

expand(R) = expand(r0r1r2r3r4r5r6r7) = (r4r7r2r1r5r7r0r2r6r5r0r3)

Tiny DESSboxLeft(X) and SboxRight(X) in hex notation are:

x1x2x3x4x0x5 0 1 2 3 4 5 6 7 8 9 A B C D E F

0 6 9 A 3 4 D 7 8 E 1 2 B 5 C F 01 9 E B A 4 5 0 7 8 6 3 2 C D 1 F2 8 1 C 2 D 3 E F 0 9 5 A 4 B 6 73 9 0 2 5 A D 6 E 1 8 B C 3 4 7 F

x1x2x3x4x0x5 0 1 2 3 4 5 6 7 8 9 A B C D E F

0 C 5 0 A E 7 2 8 D 4 3 9 6 F 1 B1 1 C 9 6 3 E B 2 F 8 4 5 D A 0 72 F A E 6 D 8 2 4 1 7 9 0 3 5 B C3 0 A 3 C 8 2 1 E 9 7 F 6 B 5 D 4

Tiny DESAs with DES, each row in a TDES S-Box is a permutation of the hexadecimal digits0,1,2, . . . ,E,F.The 16-bit key is denoted

K = k0k1k2k3k4k5k6k7k8k9k10k11k12k13k14k15

The subkey is generated as follows. Let:

LK0 = k0k1 . . .k7RK0 = k8k9 . . .k15

Then for each round i = 1,2,3,4:

LKi = rotate LKi−1 left by 2RKi = rotate RKi−1 left by 1

Tiny DESSubkey Ki is obtained by selecting bits 0, 2, 3, 4, 5, 7, 9, 10, 11, 13, 14, and 15 of(LKi,RKi).The subkeys Ki can be given explicitly as follows:

K1 = k2k4k5k6k7k1k10k11k12k14k15k8K2 = k4k6k7k0k1k3k11k12k13k15k8k9K3 = k6k0k1k2k3k5k12k13k14k8k9k10K4 = k0k2k3k4k5k7k13k14k15k9k10k11

Geoff Hamilton


7.5 Differential Cryptanalysis of Tiny DESDifferential Cryptanalysis of Tiny DESThe differential analysis of Tiny DES focuses on the right S-Box.We tabulate SboxRight(X1) ⊕ SboxRight(X2) for all pairs X1 and X2 with X1⊕X2 =001000.Some useful properties:X1⊕X2 = 001000 implies SboxRight(X1) ⊕ SboxRight(X2) = 0010 with probability3/4.X1⊕X2 = 000000 implies SboxRight(X1) ⊕ SboxRight(X2) = 0000

Differential Cryptanalysis of Tiny DESChoose plaintext P = (L,R) and P′ = (L′,R′) such that:

P⊕P′ = 0000 0000 0000 0010 = 0x0002

F(R,K)⊕F(R′,K) = Sboxes(expand(R)⊕K)⊕Sboxes(expand(R′)⊕K)From the definition of expand:

expand(0000 0010) = 000000 001000

Since expand is linear, if X1⊕X2 = 0000 0010 then:

expand(X1)⊕ expand(X2) = expand(X1⊕X2)= expand(0000 0010)= 000000 001000

Differential Cryptanalysis of Tiny DESFor the chosen plaintext, R⊕R′ = 0000 0010F(R,K)⊕F(R′,K) = Sboxes(expand(R)⊕K)⊕Sboxes(expand(R′)⊕K)

= (SboxLeft(A⊕K),SboxRight(B⊕K))⊕(SboxLeft(A′⊕K),SboxRight(B′⊕K))

= (SboxLeft(A⊕K)⊕SboxLeft(A′⊕K)),(SboxRight(B⊕K)⊕SboxRight(B′⊕K))

Where A⊕A′ = 000000 and B⊕B′ = 001000.So F(R,K)⊕F(R′,K) = 0000 0010 with probability 3/4.

Differential Cryptanalysis of Tiny DES(L0,R0) = P (L′0,R

′0) = P′ P⊕P′ = 0x0002 Probability

L1 = R0 L′1 = R′0R1 = L0⊕F(R0,K1) R′1 = L′0⊕F(R′0,K1) (L1,R1)⊕ (L′1,R

′1) = 0x0202 3/4


′2) = 0x0200 (3/4)2


′3) = 0x0002 (3/4)2


′4) = 0x0202 (3/4)3

Geoff Hamilton


Differential Cryptanalysis of Tiny DESP⊕P′ = 0000 0000 0000 0010So:

R0⊕R′0 = 0000 0010L0⊕L′0 = 0000 0000

Therefore:R1⊕R′1 = (L0⊕F(R0,K1))⊕ (L′0⊕F(R′0,K1))

= (L0⊕L′0)⊕ (F(R0,K1)⊕F(R′0,K1))= 0000 0000 ⊕ 0000 0010 with probability 3/4= 0000 0010 with probability 3/4

Differential Cryptanalysis of Tiny DESFrom this it follows that:

R2⊕R′2 = (L1⊕F(R1,K2))⊕ (L′1⊕F(R′1,K2))= (L1⊕L′1)⊕ (F(R1,K2)⊕F(R′1,K2))= (R0⊕R′0)⊕ (F(R1,K2)⊕F(R′1,K2))= 0000 0010 ⊕ 0000 0010 with probability (3/4)2

= 0000 0000 with probability (3/4)2

R3⊕R′3 and R4⊕R′4 are obtained in a similar manner.

Differential Cryptanalysis of Tiny DESWe now derive an algorithm to recover some of the unknown key bits.Since Tiny DES is a Feistel cipher:

R4 = L3⊕F(R3,K4)R′4 = L′3⊕F(R′3,K4)

L4 = R3 and L′4 = R′3, so:

R4 = L3⊕F(L4,K4)R′4 = L′3⊕F(L′4,K4)

Or equivalently:

L3 = R4⊕F(L4,K4)L′3 = R′4⊕F(L′4,K4)

Differential Cryptanalysis of Tiny DESIf C⊕C′ = 0x0202, it is likely that L3⊕L′3 = 0000 0000 (i.e. L3 = L′3).So:

R4⊕F(L4,K4) = R′4⊕F(L′4,K4)

Or equivalently:

R4⊕R′4 = F(L4,K4)⊕F(L′4,K4)

Also, since C⊕C′ = (L4,R4)⊕ (L′4,R′4) = 0x0202:

R4⊕R′4 = 0000 0010L4⊕L′4 = 0000 0010

Geoff Hamilton


Differential Cryptanalysis of Tiny DESLet L4 = l0l1l2l3l4l5l6l7 and L′4 = l′0l′1l′2l′3l′4l′5l′6l′7.li = l′i for i = 0,1,2,3,4,5,7 and l6 6= l′6.So:

0000 0010 = (SboxLeft(l4l7l2l1l5l7⊕ k0k2k3k4k5k7),SboxRight(l0l2l6l5l0l3⊕ k13k14k15k9k10k11))

⊕(SboxLeft(l′4l′7l′2l′1l′5l′7⊕ k0k2k3k4k5k7),

SboxRight(l′0l′2l′6l′5l′0l′3⊕ k13k14k15k9k10k11))

We gain no information about the subkey K4 from the left S-Box since li = l′i for alli 6= 6.

Differential Cryptanalysis of Tiny DESWe use the following algorithm for recovering the bits of subkey K4 from the rightS-Box:

for i = 0 to 63count[i] = 0

next ifor i = 1 to iterations

Choose P and P’ with P ⊕ P’ = 0x0002Obtain corresponding C = c0c1 . . .c15 and C’ = c′0c

′1 . . .c

′15

if C ⊕ C’ == 0x0202 thenfor K = 0 to 63

if (SboxRight(c0c2c6c5c0c3 ⊕ K)⊕ SboxRight(c′0c

′2c′6c′5c′0c′3 ⊕ K)) == 0010 then

increment count[K]end if

next Kend if

next i

Differential Cryptanalysis of Tiny DESIf, for example, 100 pairs of plaintexts P and P′ that satisfy P⊕P′ = 0x0002 weregenerated and 47 of the resulting ciphertext pairs satisfied C⊕C′ = 0x0202.The algorithm can then be run for each of these 47 ciphertext pairs.Say we found that each of the four subkeys 000001, 001001, 110000, and 000111 hadthe maximum count of 47, while no other had a count greater than 39.We can conclude that subkey K4 must be one of these four values:

k13k14k15k9k10k11 ∈ 000001,001001,110000,111000

Or equivalently:k13k14k9k10k11 ∈ 00001,11000

Geoff Hamilton


Differential Cryptanalysis of Tiny DESWe can then exhaustively search over the remaining 211 unknown key bits, and for eachof these try both of these possibilities, giving a total of 212 possible keys.We expect to try about half of the possibilities (about 211 keys) before finding thecorrect key.The total expected work to recover the entire key by this method is about 211 encryp-tions, plus the work required for the differential attack, which is insignificant in com-parison.We can recover the entire 16-bit key with a work factor of about 211 encryptions, whichis much better than an exhaustive key search, which has an expected work of 215 en-cryptions.This shows that a shortcut attack exists, and as a result Tiny DES is insecure.

7.6 Linear Cryptanalysis of Tiny DESLinear Cryptanalysis of Tiny DESThe linear cryptanalysis of Tiny DES focuses on the left S-Box.If y0y1y2y3 = SboxLeft(x0x1x2x3x4x5) then y1 = x2 and y2 = x3 with probability 3/4.If the plaintext P = (L0,R0) and R0 = r0r1r2r3r4r5r6r7 then the expansion permutationis given by:

expand(R0) = expand(r0r1r2r3r4r5r6r7) = (r4r7r2r1r5r7r0r2r6r5r0r3)

The input to the left S-Box in the first round is given by:

expand(R0)⊕K1 = r4r7r2r1r5r7⊕ k2k4k5k6k7k1

For the left S-Box, y1 = r2⊕ k5 and y2 = r1⊕ k6 with probability 3/4.

Linear Cryptanalysis of Tiny DESIf L0 = l0l1l2l3l4l5l6l7 and R1 = r′0r′1r′2r′3r′4r′5r′6r′7The output of the left S-Box from the first round is XORed with l0l1l2l3 to give r′0r′1r′2r′3.So r′1 = r2⊕ k5⊕ l1 and r′2 = r1⊕ k6⊕ l2 with probability 3/4.Similar results hold for subsequent rounds, where the specific key bits depend on thesubkey Ki, so we can chain the linear approximation through multiple rounds.Since L4 = c0c1c2c3c4c5c6c7, we can determine that k0⊕ k1 = c1⊕ p10 and k7⊕ k2 =c2⊕ p9 with probability (3/4)3.Since c1, c2, p9, and p10 are all known, we have obtained some information about thekey bits k0, k1, k2, and k7.

Linear Cryptanalysis of Tiny DES

Geoff Hamilton


(L0,R0) = (p0 . . . p7, p8 . . . p15) Bits 1 and 2 ProbabilityL1 = R0 p9, p10 1R1 = L0⊕F(R0,K1) p1⊕ p10⊕ k5, p2⊕ p9⊕ k6 3/4L2 = R1 p1⊕ p10⊕ k5, p2⊕ p9⊕ k6 3/4R2 = L1⊕F(R1,K2) p2⊕ k6⊕ k7, p1⊕ k5⊕ k0 (3/4)2

L3 = R2 p2⊕ k6⊕ k7, p1⊕ k5⊕ k0 (3/4)2

R3 = L2⊕F(R3,K4) p10⊕ k0⊕ k1, p9⊕ k7⊕ k2 (3/4)3

L4 = R3 p10⊕ k0⊕ k1, p9⊕ k7⊕ k2 (3/4)3

R4 = L3⊕F(R3,K4)

Linear Cryptanalysis of Tiny DESGiven known plaintexts P = p0 p1 p2 . . . p15 along with corresponding ciphertexts C =c0c1c2 . . .c15, we increment counters depending on whether:

1. c1⊕ p10 = 0 or c1⊕ p10 = 1

2. c2⊕ p9 = 0 or c2⊕ p9 = 1

If, for example, with 100 known plaintexts the following results were obtained:

• c1⊕ p10 = 0 occurred 38 times




We conclude that it is likely that k0⊕ k1 = 1 and k7⊕ k2 = 0.

Linear Cryptanalysis of Tiny DESWe have only recovered the equivalent of two bits of information.We can then exhaustively search over the remaining 214 unknown key bits.We expect to try about half of the possibilities (about 213 keys) before finding thecorrect key.The total expected work to recover the entire key by this method is about 213 encryp-tions, plus the work required for the linear attack, which is insignificant in comparison.We can recover the entire 16-bit key with a work factor of about 213 encryptions, whichis better than an exhaustive key search, which has an expected work of 215 encryptions.This shows that another shortcut attack exists, and as a result Tiny DES is insecure.

7.7 FEAL-4FEALFast data Encryption ALgorithm.Designed as replacement for DES.Designed to be fast and efficient with modest security.Original version (FEAL-4) found to be weak.

Geoff Hamilton


• Many “improved” versions followed

• All are flawed to some degree

Important in history of cryptanalysis.Differential cryptanalysis developed for FEAL.Good example to illustrate both linear and differential attacks.

FEAL-4We will look more closely at FEAL-4 to analyse its weaknesses.

• 4-round Feistel cipher with a 64-bit block and 64-bit key.

• A key scheduler expands a 64-bit key into 12 16-bit subkeys or round keys.

• Some of these subkeys are used for key whitening, in which they are combinedwith portions of the data using XOR before the first and after the last round.

• The cipher can be simplified to an equivalent cipher in which some of the whiten-ing has been removed and 6 32-bit subkeys K0, . . . ,K5 are used.

• Round function F maps 32 bits to 32 bits.

FEAL-4

Geoff Hamilton


FEAL-4To define the round function F , we first define:

• G0(a,b) = (a+b (mod 256))<<< 2

• G1(a,b) = (a+b+1 (mod 256))<<< 2

Where <<< is left cyclic shift (rotation)Then F(x0,x1,x2,x3) = (y0,y1,y2,y3) where:

• y0 = G0(x0,y1)

• y1 = G1(x0⊕ x1,x2⊕ x3)

• y2 = G0(y1,x2⊕ x3)

• y3 = G1(y2,x3)

FEAL-4The round function F can be viewed schematically as follows:

7.8 Differential Cryptanalysis of FEAL-4Differential Cryptanalysis of FEAL-4Some useful properties:

• A0⊕A1 = 0 implies F(A0) = F(A1)

• A0⊕A1 = 0x80800000 implies F(A0)⊕F(A1) = 0x02000000

Differential attack is based on this:

• Choose plaintext P0 and P1 such that P0⊕P1 = 0x8080000080800000

Geoff Hamilton


• Determine ciphertexts C0 and C1 corresponding to P0 and P1 respectively.

• Let P′ = P0⊕P1 and C′ =C0⊕C1

• Consider what happens to P′ as it passes through the cipher.

Differential Cryptanalysis of FEAL-4

Differential Cryptanalysis of FEAL-4Characteristic for P′ gets us half way through.We can then work backwards from C′ and try to meet in the middle.Y ′ = L′⊕R′, which gives us Y ′ (L′ and R′ are known).X ′ = 0x80800000⊕Y ′, which gives us X ′

Z′ = 0x02000000⊕L′, which gives us Z′ (L′ is known).Now that we have calculated the differentials, we attack the final subkey K3.

Differential Cryptanalysis of FEAL-4To determine K3, we need to know the actual text inputs into the last round function(not the differentials).For ciphertext C0 = (L0,R0) we compute Y0 = L0⊕R0and for ciphertext C1 = (L1,R1) we compute Y1 = L1⊕R1We guess K3 and compute Z0 = F(Y0⊕K3) and Z1 = F(Y1⊕K3)We then compare the true value of Z′ to the guessed value Z0⊕Z1 and the key value

Geoff Hamilton


with the most matches survives.

Differential Cryptanalysis of FEAL-4Using 4 chosen plaintext pairs:

• Work is of order 232.

• Expect one K3 to survive.

Good divide and conquer strategy

• Divides large search space for overall key into smaller search spaces for subkeys.

It is possible to do better.

• Can reduce work to about 217

Differential Cryptanalysis of FEAL-4For 32-bit word W = (b0,b1,b2,b3), define M(W ) = (0,b0⊕b1,b2⊕b3,0)For all possible A=(0,a0,a1,0), compute Q0 = F(M(Y0)⊕A) and Q1 = F(M(Y1)⊕A)Can be used to find 16 bits of K3When A = M(K3) by definition of F , we have 〈Q0⊕Q1〉8...23 = 〈Z′〉8...23 where 〈X〉i... jis bits i to j of XCan recover K3 with about 217 work.Once K3 is known, can successively recover K2, K1, K0 and finally K4, K5.

• Attack is similar in each case

• Some require different characteristics

• There are a few subtle points

Geoff Hamilton


Differential Cryptanalysis of FEAL-4Primary algorithm for recovering K3:

Differential Cryptanalysis of FEAL-4Secondary algorithm for recovering K3:

Differential Cryptanalysis of FEAL-4In FEAL-4, the differential for K3 holds with probability 1In most differential attacks, probability is small:

• Increases chosen plaintext requirement

• Increases work factor

Geoff Hamilton


Differential cryptanalysis seldom practical.Usually only a theoretical tool.

7.9 Linear Cryptanalysis of FEAL-4Linear Cryptanalysis of FEAL-4Equivalent form for FEAL-4:

Linear Cryptanalysis of FEAL-4Let X be 32-bit word, X = x0 . . .x31Define Si, j(X) = xi⊕ x j and Si(X) = xiAttack uses fact that for bytes a and b: S7(a⊕b) = S7(a+b(mod 256))Recall G0(a,b) = (a+b(mod 256))<<< 2, so S5(G0(a,b)) = S7(a⊕b)Also, S5(G1(a,b)) = S7(a⊕b)⊕1Let Y = F(X), where X , Y are 32-bit wordsThen it can be shown that:

• S13(Y ) = S7,15(X)⊕S23,31(X)⊕1

• S5(Y ) = S15(Y )⊕S7(X)

• S15(Y ) = S21(Y )⊕S23,31(X)

• S23(Y ) = S29(Y )⊕S31(X)⊕1

Linear Cryptanalysis of FEAL-4

Geoff Hamilton


We label the FEAL-4 intermediate steps:

Linear Cryptanalysis of FEAL-4S23,29(Y3) = S31(X3⊕K3)⊕1

= S31(L4⊕K4⊕R4⊕K5⊕K3)⊕1= S31(L4⊕R4)⊕S31(K4⊕K5⊕K3)⊕1

S23,29(Y1) = S23,29F(X1⊕K1)= S23,29F(K1⊕Y0⊕L0)= S31(K1)⊕S31(Y0)⊕S31(L0)⊕1

S31(Y0) = S31F(X0⊕K0)= S31F(L0⊕R0⊕K0)

Combining all of these results and rearranging terms, we obtain:

a = S23,29(L0⊕R0⊕L4)⊕S31(L0⊕L4⊕R4)⊕S31(F(L0⊕R0⊕K0))(4.37)

Where a = S31(K1⊕K3⊕K4⊕K5)⊕S23,29(K4)Treat a as unknown, but constant.

Linear Cryptanalysis of FEAL-4

Geoff Hamilton


Linear attack to find K0:

Linear Cryptanalysis of FEAL-4Perform exhaustive search over all choices for K0Test all known plaintext/ciphertext pairs.If a is not constant, then guess for K0 is incorrectPossible to improve on linear attack:

• Exhaust for 12 bits of K0 first

• Work is much less than 232

Can extend this attack to recover other subkeys.

Linear Cryptanalysis of FEAL-4We define: K0 = M(K0) = (0,〈K0〉0...7⊕〈K0〉8...15,〈K0〉16...23⊕〈K0〉24...31,0)We then calculate the following fixed, but unknown, constant:

S5,13(L0⊕R0⊕L4)⊕S21(L0⊕R0⊕L4)⊕S15(L0⊕L4⊕R4)⊕S15(F(L0⊕R0⊕ K0))(∗)

S15(F(L0⊕R0⊕ K0)) depends only on the bits of 〈K0〉9...15,17...23Also, bits 9 and 17 of K0 are XORed in (∗), so these bits can also be treated as constant(but unknown) values.We are left with an expression that depends only on the 12 unknown key bits 〈K0〉10...15,18...23This allows for an exhaustive search for 12 bits of K0.The remaining bits can also be found by deriving similar expressions and performingan exhaustive search.

7.10 Side Channel CryptanalysisSide Channel CryptanalysisA correct implementation of a strong protocol is not necessarily secure.Failures can be caused by

Geoff Hamilton


• Defective computation

• Information leaked during secret key operations

• Timing information

• Invasive measuring techniques

• Electromagnetic emanations

Simple Power Analysis (SPA)Focus on the use of visual inspection techniques to identify relevant power fluctuationsduring cryptographic operations.Interpretation of power traces:

• Power consumption measurements taken across a cryptographic operation

• Typically current used by a device over time

Simple Power Analysis of DES

Simple Power Analysis of DES

Geoff Hamilton


SPA DES trace showing differences in power consumption of different microprocessorinstructions:

Simple Power Analysis of DESSimple Power analysis can reveal sequence of instructions executed.It can be use to break cryptographic implementations in which the execution path de-pends on the data being processed:

• DES key schedule

• DES permutations

• Comparisons

• Multipliers

• Exponentiators

Simple Power AnalysisIn general, techniques to prevent Simple Power Analysis are fairly simple:

• Avoid procedures that use secret intermediates or keys for conditional branchingoperations

• Hard-wired implementations of symmetric cryptography algorithms

Differential Power AnalysisUse of statistical analysis and error correction techniques to extract information corre-lated to secret keys.Based on the effects correlated to data values being manipulated.More powerful than Simple Power Analysis and is much more difficult to prevent.

Geoff Hamilton


Differential Power AnalysisData collection:

• Capture power traces T1 . . .Tm[1 . . .k] containing k samples each

• Record the ciphertexts C1 . . .Cm

• Knowledge of plaintext is not required

Data analysis:

• Differential Power Analysis selection function D(C,b,Ks)→0,1

• Compute k-sample differential trace ∆D[1 . . .k], where:

Differential Power AnalysisDifferential Power Analysis selection function D(C,b,Ks) is defined as:

• Returning the value of bit b of the DES intermediate L at the beginning of the16th round (0≤ b < 32)

• C is the corresponding ciphertext

• Ks is the 6 key bits entering the S-Box corresponding to bit b (0≤ Ks < 26)

Repeat procedure to find all Ks values (8) to get the entire subkey

Geoff Hamilton


Differential Power AnalysisDifferential Power Analysis traces for DES:

Differential Power AnalysisQuantitative Differential Power Analysis measurements:

Geoff Hamilton


Differential Power AnalysisNoise can be a problem:

• Electronic radiation and thermal noise

• Quantization errors

• Uncorrected temporal misalignment

Differential Power Analysis variations:

• Automated template Differential Power Analysis

• High-order Differential Power Analysis

In general, Differential Power Analysis can be used to break any symmetric or asym-metric algorithm

• Asymmetric operations tend to produce stronger signals leaking than symmetricones.

Differential Power AnalysisPreventing Differential Power Analysis:

• Reduce signals size

• Introducing noise into power consumption measurements

• Designing cryptosystems with realistic assumptions about the underlying hard-ware.

– Balanced hardware and software (i.e. leak tolerant design)

– Incorporating randomness

– Algorithm and protocol-level countermeasures

Geoff Hamilton

7 Cryptanalysis - DCU School of Computinghamilton/teaching/CA642/notes/Cryptanalysis.pdf7...

Documents

Transcript of 7 Cryptanalysis - DCU School of Computinghamilton/teaching/CA642/notes/Cryptanalysis.pdf7...