Differential Cryptanalysis

Hiu Nam Cheung
CS265
April 4, 2004
Differential Cryptanalysis on SDES
SDES Overview
SDES is a simplified version of DES with a 16-bit block and key size, 12-bit sub-keys,
4 rounds, 2 S-boxes (a left and a right S-box), and a round function F such that
F(right half, sub-key) equals S-box(expand(right half) ⊕ sub-key). Since SDES is linear
except for the S-boxes, we can focus our attack on the S-boxes.
General Idea: Chosen Plaintext Attack
Recall that an S-box has a 6-bit input and a 4-bit output. For any 6-bit value X, there are
64 possible distinct value pairs Y and Z such that their difference is X. If a person feeds
each such Y and Z into an S-box and studies the outcomes, he might find some clues about
the unknown key, since the output distribution is biased.
In SDES, consider two 6-bit values Y and Z that differ only at the second bit (001000);
the outputs of the right S-box will then differ by (0010) with probability 3/4. In other
words, if Y and Z are inputs to the right S-box and Y ⊕ Z = 001000, then with probability
3/4 the output difference will equal 0010.
However, the attacker does not have direct access to the S-boxes, and there are multiple
rounds. In addition, in each round, before the right half goes into the S-boxes, it is first
expanded to 12 bits and XORed with the sub-key.
Extend Attack To One And More Rounds
Suppose r represents the original 8 bits and x represents the resulting 12 bits; the
expansion permutation looks like:
x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 = r4 r7 r2 r1 r5 r7 r0 r2 r6 r5 r0 r3
As one can see, if two 8-bit values Y and Z differ at bit 6 (0000 0010), then
the expanded results will differ by (000000 001000). Since the first six expanded
bits are identical, feeding them into any S-box gives the same output. Meanwhile, the
last six bits of the result have a difference of (001000), so the outputs of the right S-box
will differ by (0010) with probability 3/4. As a result, if a person feeds such expanded
results into the S-boxes, the outputs will differ by (0000 0010) with probability 3/4.
Recall that the round function is F = S-box(expand(right half) ⊕ sub-key), and that
XORing with the same value twice cancels out. Thus, if inputs Y and Z
have a difference of (0000 0010), then F(Y, sub-key) ⊕ F(Z, sub-key) will still equal
(0000 0010) with probability 3/4, regardless of what the sub-key is.
Taking these facts together, the input difference is the same as the output difference with
probability 3/4, and the attacker can then chain this through multiple rounds.
Look Inside The Encryption Process
Recall that SDES has a block size of 16 bits. Suppose there are two plaintext blocks
P1 and P2; we can minimize the number of active S-boxes by selecting a P2 that is
identical to P1 except for the second-to-last bit. In other words, choose P1 and P2 such that
P1 ⊕ P2 = 0x0002.
Difference chain through multiple rounds:
(L0,R0) = P            (L0',R0') = P'            P ⊕ P' = 0x0002
L1 = R0                L1' = R0'                 With probability 3/4
R1 = L0 ⊕ F(R0,K1)     R1' = L0' ⊕ F(R0',K1)     (L1,R1) ⊕ (L1',R1') = 0x0202
L2 = R1                L2' = R1'                 With probability (3/4)^2
R2 = L1 ⊕ F(R1,K2)     R2' = L1' ⊕ F(R1',K2)     (L2,R2) ⊕ (L2',R2') = 0x0200
L3 = R2                L3' = R2'                 With probability (3/4)^2
R3 = L2 ⊕ F(R2,K3)     R3' = L2' ⊕ F(R2',K3)     (L3,R3) ⊕ (L3',R3') = 0x0002
L4 = R3                L4' = R3'                 With probability (3/4)^3
R4 = L3 ⊕ F(R3,K4)     R4' = L3' ⊕ F(R3',K4)     (L4,R4) ⊕ (L4',R4') = 0x0202
C = (L4,R4)            C' = (L4',R4')            C ⊕ C' = 0x0202
Note: K is the sub-key, and K1 means the sub-key of round one
Source: Dr. Mark Stamp’s cs265 course note
Let’s examine the first round in detail. Since SDES is a Feistel cipher, the plaintext is
divided into left and right halves, P = (L, R). The old right half is the new left half, and
the old left half ⊕ F(old right, sub-key) is the new right half. After the first round, the
difference of the two new left halves is (0000 0010), since they are the old right halves and
we chose P1 and P2 with a difference of 0x0002. For the two new right halves, since both L0
are identical, the output difference depends only on F(R0, K1). Recall that if Y ⊕ Z = (0000
0010), then F(Y, sub-key) ⊕ F(Z, sub-key) will also equal (0000 0010) with probability
3/4. Therefore, the two new right halves will differ by (0000 0010), and the complete output
will have a difference of 0x0202. We repeat the same process until we reach the
fourth round, and our final output will have a difference of 0x0202 with probability down
to (3/4)^3.
Algorithm To Find The Rightmost 6 Bits Of K4
By looking at the previous example, we know that if P1 ⊕ P2 = 0x0002, then C1 ⊕
C2 = 0x0202 and R4 = L3 ⊕ F(R3, K4). In order to solve the equation, we need to know L3
and R3, but we only know L4 and R4. Since the old right half is the new left half in a Feistel
cipher, we can replace R3 with L4 and get a new equation, R4 = L3 ⊕ F(L4, K4). In addition,
we rearrange the equation to L3 = R4 ⊕ F(L4, K4).
Based on the fact that (L3, R3) ⊕ (L3', R3') = 0x0002, we know L3 and L3' are identical.
Therefore, if we can find any key K that makes R4 ⊕ F(L4, K) == R4' ⊕ F(L4', K) always
hold true, we are likely to have found the correct sub-key K4.
Since we choose P1 and P2 to differ only at bit 14, we can focus only on the rightmost
4 bits of R4 and the rightmost 6 bits of K4. Since 2^6 = 64, there are 64 possible keys
to try. We can count the number of times each such key satisfies the condition R4 ⊕ F(L4,
K) = R4' ⊕ F(L4', K); all keys with the maximum count are then possible partial sub-keys.
Considering that the rightmost 6 bits of K4 are k13 k14 k15 k9 k10 k11 of the original key,
we know this 6-bit group is in the set of all possible partial sub-keys.
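An added example (not from the original paper or the course notes) that runs the counting step above and also checks the earlier claim that the one-round difference holds with probability 3/4 for any sub-key. Only the expansion permutation comes from the page; the two S-boxes, the four 12-bit sub-keys and all function names are constructed for illustration (the right S-box is built to have the 001000 -> 0010 bias), and keeping only pairs with C1 ⊕ C2 = 0x0202 is an assumption about how the count is taken.

```python
def expand(r):
    """Page's expansion: x0..x11 = r4 r7 r2 r1 r5 r7 r0 r2 r6 r5 r0 r3 (r0 = MSB)."""
    out = 0
    for i in (4, 7, 2, 1, 5, 7, 0, 2, 6, 5, 0, 3):
        out = (out << 1) | ((r >> (7 - i)) & 1)
    return out

def sbox_left(v):
    return (v ^ (v >> 2)) & 0xF            # constructed stand-in, 6 bits -> 4 bits

def sbox_right(v):
    # Constructed: input difference 001000 gives output difference 0010
    # for 48 of the 64 inputs (probability 3/4), the bias the page relies on.
    base = (5 * (v & 0x37) + (v >> 4)) & 0xF   # does not depend on the 001000 bit
    delta = 0b0110 if (v & 0b000101) == 0b000101 else 0b0010
    return base ^ (delta if v & 0b001000 else 0)

def F(r, k):
    x = expand(r) ^ k                      # k is a 12-bit sub-key
    return (sbox_left(x >> 6) << 4) | sbox_right(x & 0x3F)

def encrypt(p, subkeys):
    l, r = p >> 8, p & 0xFF
    for k in subkeys:                      # 4 Feistel rounds
        l, r = r, l ^ F(r, k)
    return (l << 8) | r                    # C = (L4, R4)

def round_bias(k):
    """How many of the 256 inputs Y give F(Y,k) xor F(Y xor 0x02,k) == 0x02."""
    return sum((F(y, k) ^ F(y ^ 0x02, k)) == 0x02 for y in range(256))

def recover_k4_low6(oracle):
    """Count, for each 6-bit guess K, the pairs satisfying the page's condition."""
    counts = [0] * 64
    for p1 in range(0, 0x10000, 8):        # chosen plaintexts, paired with p1 ^ 0x0002
        c1, c2 = oracle(p1), oracle(p1 ^ 0x0002)
        if (c1 ^ c2) != 0x0202:            # keep pairs that followed the difference chain
            continue
        e1, e2 = expand(c1 >> 8) & 0x3F, expand(c2 >> 8) & 0x3F   # from L4 and L4'
        for k in range(64):                # rightmost 4 bits of R4 xor F(L4,K) must agree
            if ((c1 & 0xF) ^ sbox_right(e1 ^ k)) == ((c2 & 0xF) ^ sbox_right(e2 ^ k)):
                counts[k] += 1
    best = max(counts)
    return [k for k in range(64) if counts[k] == best]

SUBKEYS = [0x3A5, 0xC17, 0x59E, 0xB2D]     # constructed 12-bit sub-keys K1..K4

if __name__ == "__main__":
    cands = recover_k4_low6(lambda p: encrypt(p, SUBKEYS))
    print(round_bias(SUBKEYS[0]), [format(k, "06b") for k in cands])
```

The returned list holds several tied guesses, including the true rightmost 6 bits of K4, which matches the statement above that every key with the maximum count remains a possible partial sub-key.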
Conclusion
Notice that the differential attack on SDES does not guarantee a solution. Although
the differential attack only suggests the k13 k14 k15 k9 k10 k11 bits of the correct key K,
the attacker can still use this information to make a reasonable guess at K.