Introduction
Context and Idea
Differential Cryptanalysis – Overview isec.tugraz.at
Proposed by Biham and Shamir [BS90] for DES
DES designers (IBM, NSA) apparently knew about a similar attack before
One of the two major statistical attack techniques and design criteria
Chosen-plaintext attack
Main idea:
1 Predict the effect of a plaintext difference ∆M = M ⊕ M∗ on the ciphertext difference ∆C = C ⊕ C∗ without knowing the key K
2 Use the prediction as a distinguisher to recover the key
Differential Cryptanalysis – Idea
[Figure: Method: an input difference ∆X goes through E_K to an output difference ∆Y with probability p. Attack goals: key recovery (recover the last round key K_r from the differential), collision, forgery.]
Example: A Toy Block Cipher
[Figure: a 16-bit SPN. Each round XORs a round key (K0, K1, K2, K3) and applies four parallel 4-bit S-boxes S; the S-box outputs are wired to the next round's inputs by a fixed bit permutation.]
The S-box:
x    0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b
Let’s Flip a Bit
[Figure: the toy cipher (K0, S-layer, K1, S-layer, K2, S-layer, K3) with a single plaintext bit flipped: exactly one S-box in the first round is “active”, i.e. sees a nonzero input difference; the other three see difference 0.]
Differential Properties of S-boxes (Confusion)
∆in = 8 → ∆out = ?
x    0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b
∆in = 8 → ∆out ∈ {3, a, c, d}: each of the four values occurs for 4 of the 16 inputs x (e.g. ∆out = 3 for x ∈ {0, 4, 8, c}, ∆out = d for x ∈ {1, 5, 9, d})
Knowing the value tells us the difference → derivative function:
S_∆in(x) := S(x ⊕ ∆in) ⊕ S(x) = ∆out
Knowing the difference tells us (something about) the value:
solutions(∆in, ∆out) := {x : S(x ⊕ ∆in) ⊕ S(x) = ∆out}
Difference Distribution Table (DDT): #solutions(∆in, ∆out)
∆in \ ∆out 0 1 2 3 4 5 6 7 8 9 a b c d e f
0 16 - - - - - - - - - - - - - - -
1 - 4 4 - - - - 4 - - - - 4 - - -
2 - - 4 4 - - 4 - - - - - - - - 4
3 - 4 - 4 4 - - - - - - - - - 4 -
4 - - 4 - 4 4 - - - - - 4 - - - -
5 - - - 4 - 4 - 4 - 4 - - - - - -
6 - - - - 4 - 4 4 - - - - - 4 - -
7 - 4 - - - 4 4 - - - 4 - - - - -
8 - - - 4 - - - - - - 4 - 4 4 - -
9 - 4 - - - - - - - - - 4 - 4 - 4
a - - - - - 4 - - - - - - 4 - 4 4
b - - 4 - - - - - - 4 - - - 4 4 -
c - - - - - - - - 16 - - - - - - -
d - - - - 4 - - - - 4 4 - - - - 4
e - - - - - - - 4 - - 4 4 - - 4 -
f - - - - - - 4 - - 4 - 4 4 - - -
Each entry divided by 16 is the probability that the S-box maps ∆in to ∆out: e.g. 8 → c and a → c hold for 4/16 = 2^-2 of the inputs, while c → 8 holds for all 16 inputs (probability 1).
Let’s Flip a Bit
Tracing the difference ∆ and its probability p through the toy cipher, starting from a one-bit plaintext difference:
  after ⊕K0:      ∆ = 8000, p = 1 (a key addition never changes a difference)
  first S-layer:  only the first S-box is active, ∆in = 8; each of its four possible output differences costs ·2^-2:
                  ∆ = 3000, a000, d000 or c000, each with p = 2^-2
  wiring (·1):    3000 → 0280, a000 → 8200, d000 → a080, c000 → a000 (still p = 2^-2 at ⊕K1)
  Choosing c000 → a000 keeps a single active S-box in the next round (the other three choices activate two S-boxes). There ∆in = a → ∆out = c again costs ·2^-2:
  second S-layer: ∆ = c000, p = 2^-4; wiring: ∆ = a000 at ⊕K2, p = 2^-4
  ... and the same step repeats for the following rounds (K3, ...).
Design of AES – Properties of the Round Function
Let’s flip a bit (differences in the 4 × 4 byte state, one state per step; AK does not change a difference):
                  SB              SR              MC, AK          SB              SR              MC
00 00 00 40  →  00 00 00 6a  →  00 00 00 6a  →  00 00 00 d4  →  00 00 00 2b  →  00 00 00 2b  →  cd 61 a3 56
00 00 00 00     00 00 00 00     00 00 00 00     00 00 00 6a     00 00 00 61     00 00 61 00     cd a3 c2 2b
00 00 00 00     00 00 00 00     00 00 00 00     00 00 00 6a     00 00 00 61     00 61 00 00     4c c2 61 2b
00 00 00 00     00 00 00 00     00 00 00 00     00 00 00 be     00 00 00 cd     cd 00 00 00     81 61 61 7d
probability:    2^-6 (1 active S-box)                           2^-6×4 (4 active S-boxes)
Max differential probability (MDP) of the 8 × 8 S-box: 2^-6
Mixing layer (based on a Maximum Distance Separable code, MDS) with branch number B = 5
(in 2 rounds → ≥ 5 active S-boxes)
Actually, in 4 rounds → ≥ 25 active S-boxes → p ≤ 2^-6×25 = 2^-150
AES – Example for Optimal Pattern with 25 active S-boxes
[Figure: four AES rounds (SB, SR, MC with round keys K0, K1, K2, K3) applied to M, showing an optimal activity pattern with 25 active S-boxes in total.]
Automated tools for cryptanalysis
Motivation:
Finding the best (or very good) characteristics can be very hard
Necessary to evaluate new primitives
Solvers:
By hand
General-purpose solvers:
SAT/SMT (Boolean SATisfiability / Satisfiability Modulo Theories)
MILP (Mixed Integer Linear Programming)
CP (Constraint Programming)
Dedicated solvers
An r-Round Differential
[Figure: the toy cipher over r rounds (K0, K1, K2, K3, ...) with input difference 8000 and output difference a000 before the last key addition; the middle is marked “?”.]
p ≥ 2^-2·r: the characteristic from the previous slides (8000 → c000 → a000 → ... → a000, ·2^-2 per round) is only one way of getting from 8000 to a000, and the probability of the differential is the sum over all such ways, so the probability of the characteristic is a lower bound.
For Forgeries
Example: Forgery with success probability p for CBC-MAC
[Figure: CBC-MAC of M1 ··· Mℓ−1 Mℓ, each block XORed into the chain and encrypted with E_K, tag T; the attacker puts differences ∆M_{ℓ−1} and ∆M_ℓ on the last two blocks.]
If E_K maps the difference ∆M_{ℓ−1} to the output difference ∆M_ℓ with probability p, the two differences cancel at the input of the last E_K and the modified message has the same tag T with probability p.
This is useful if p > 2^-block size (= 2^-tag size).
Case 2: For Key Recovery
Assume ∆M → ∆Y over r−1 rounds has probability p ≫ 2^-block size
Query about 1/p chosen-plaintext pairs (M, M∗) with M ⊕ M∗ = ∆M → (C, C∗)
Decrypt each pair 1 round with each possible last-round key K_r
If we get ∆Y, upvote candidate K_r
[Figure: the (r−1)-round differential ∆M → ∆Y with probability p, followed by the last round with key K_r producing (C, C∗); upvote counter per candidate K_r, e.g. 0000: 1, 0001: 2, 0002: 4, 0003: 2, ...]
Key Recovery Example: 8-Round Toy Cipher
[Figure: the 7-round differential 8000 → a000 with p ≥ 2^-2·7 = 2^-14 (K0, ..., K7), followed by the last S-layer and the final key K8.]
We can filter out incompatible (C, C∗): with ∆ = a000 at the input of the last S-layer only one S-box is active, so the ciphertext difference must be zero on the bits of the other three S-boxes and must be one of the output differences the DDT allows for ∆in = a
Then guess only 4 key bits and check for difference a at the S-box input
→ we learn 4 key bits, brute-force the rest
but how many (P, P∗) exactly are enough?
Conclusion
Differential cryptanalysis is one of the two major statistical attack techniques
Attacker tries to find high-probability characteristics
Designer tries to show that none exist (but there is no general proof of security)
It is very versatile
many different variants (truncated, impossible, higher-order, ...)
many different goals (key, forgery, collision, ...)
The analysis relies on a number of assumptions & approximations.
They are usually “reasonably close” to reality, but need to be checked!