20103272_ 박종헌/20103616_ 조현우

Paper Presentation #1
Improved version of LC in attacking DES
CS548 ADVANCED INFORMATION SECURITY
20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho
2 / 30
Contents
- Introduction
- Before the paper…
- Notations
- Principle of the attack
- Success Rate and Complexity
- The Computer Experiment
- Concluding Remarks
3 / 30
Paper Introduction
M. MATSUI. The first experimental cryptanalysis of the data encryption standard. LNCS, 839, 1994, 1-11. CRYPTO '94.
- Linear Cryptanalysis
  - Using two linear approximate equations
- Known Plaintext attack (KPA)
4 / 30
Paper Introduction (Cont’)
- Using 12 computers to experiment the attack (HP9735/PA-RISC 99MHz)
- Program described in C & assembly languages to generate plaintexts and ciphertexts
- Goal : Finding 56-bit Secret Key
- Elapsed Time : 50 days
  - Generating plaintexts and ciphertexts : 40 days
  - Searching key : only 10 days
5 / 30
Before the paper…
- Hellman
  - Linearity between input and output of S-box
- Shamir & Rueppel
  - Some S-boxes have a linear approximate relation between input and output bits.
- M. Matsui
  - Derive linear approximate equations which consist of P, C, and K bits
  - Easier search than exhaustive search if 2^47 known plaintexts are available
6 / 30
Before the paper… (Cont’)
- M. Matsui
  - Improved version of LC in breaking 16-round DES
  - New linear approximate equations : Reducing the number of required plaintexts
  - Candidate key in order of reliability : Increasing the success rate of attack
7 / 30
Notations
- P : plaintext; 64-bit data after the IP
- C : ciphertext; 64-bit data before the IP^-1
- K : secret key; 56-bit data after the PC-1
- PH, PL : upper/lower 32-bit data of P
- CH, CL : upper/lower 32-bit data of C
- Kr : r-th round 48-bit subkey
- Fr(Xr, Kr) : r-th round F-function output
- A[i] : i-th bit of A (A is any binary vector)
- A[i,j,...,k] : A[i] ⊕ A[j] ⊕ … ⊕ A[k]
8 / 30
Principle of the attack
- We accept new linear approximate equations
  - Linear approximate equations based on the best 14-round expression
  - 2round ~ 15round linear approximate equations: P, C, and K2 ~ K15
  - Find round key of 1round, 16round
  - Effects : reduce the number of required plaintexts
- What is the linear approximate equation?
  - Choose P[ia,ib,ic…] ⊕ C[ja,jb,jc…] = K[ka,kb,kc…]
    (probability(p) ≠ ½, randomly given P, C and fixed K)
  - Best equation : |p-½| is maximal !!
9 / 30
Principle of the attack (Cont’)
Two Best 14-round expressions
  - PL[7,18,24] ⊕ CH[7,18,24,29] ⊕ CL[15]
    = K2[22] ⊕ K3[44] ⊕ K4[22] ⊕ K6[22] ⊕ K7[44] ⊕ K8[22] ⊕ K10[22] ⊕ K11[44] ⊕ K12[22] ⊕ K14[22]
  - CL[7,18,24] ⊕ PH[7,18,24,29] ⊕ PL[15]
    = K13[22] ⊕ K12[44] ⊕ K11[22] ⊕ K9[22] ⊕ K8[44] ⊕ K7[22] ⊕ K5[22] ⊕ K4[44] ⊕ K3[22] ⊕ K1[22]
…probability : ½ − 1.19×2^-21 (piling-up lemma)
10 / 30
Principle of the attack (Cont’)
Applying to F-functions from the 2nd to 15th round
  - PH[7,18,24] ⊕ F1(PL, K1)[7,18,24] ⊕ CH[15] ⊕ CL[7,18,24,29] ⊕ F16(CL, K16)[15]
    = K3[22] ⊕ K4[44] ⊕ K5[22] ⊕ K7[22] ⊕ K8[44] ⊕ K9[22] ⊕ K11[22] ⊕ K12[44] ⊕ K13[22] ⊕ K15[22]
  - CH[7,18,24] ⊕ F16(CL, K16)[7,18,24] ⊕ PH[15] ⊕ PL[7,18,24,29] ⊕ F1(PL, K1)[15]
    = K14[22] ⊕ K13[44] ⊕ K12[22] ⊕ K10[22] ⊕ K9[44] ⊕ K8[22] ⊕ K6[22] ⊕ K5[44] ⊕ K4[22] ⊕ K2[22]
11 / 30
12 / 30
Principle of the attack (Cont’)
- First, we solve these equations to derive some of the secret key bits
- Consideration
  - How much memory is required?
  - How many secret key bits can be derived?
- Effective text/key bits
  - which affect the left side of each equation
13 / 30
Principle of the attack (Cont’)
14 / 30
Principle of the attack (Cont’)
- For each equation, we found 13 secret key bits
  - 12 effective key bits + one bit of right side
  - Using just 13 text bits (plaintext + ciphertext)
- Total : 26 secret key bits
  - Using 26 text bits
- Substitution of incorrect key value for K1, K16..
  - P(the left side = 0) ≒ ½
  - So, we count #(left side=0) for each key candidate
15 / 30
Principle of the attack (Cont’)
[ Algorithms for breaking 16-round DES ]
- Data Counting Phase of first equation
  - Prepare 2^13 counters TAa (0 ≤ a < 2^13) where a corresponds to each value on 13 effective text bits
  - For each plaintext and corresponding ciphertext, compute the value of effective text bits (=a) and count up the TAa by one.
16 / 30
Principle of the attack (Cont’)
- Key Counting Phase of first equation
  - Prepare 2^12 counters KAb (0 ≤ b < 2^12) where b corresponds to each value on 12 effective key bits.
  - For each b, KAb is the sum of TAa such that the left side of the first equation (uniquely determined by a, b) is equal to zero.
  - Rearrange KAb in order of |KAb – N/2| and rename them KAcb (0 ≤ c < 2^12). Then, for each c:
    - If (KAcb – N/2) ≤ 0, guess that right side of equation is 0.
    - If (KAcb – N/2) > 0, guess that right side of equation is 1.
- Second equation can be solved in the same manner.
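
The data counting and key counting phases above, as an added example that is not code from the paper or the presenters: a scaled-down Python model with 5 effective text bits and 4 effective key bits instead of 13 and 12. The toy F-function (row 0 of DES S-box S1), the hidden key, and the constructed text sample, in which the equation holds with probability 1/8, are assumptions made for illustration.

```python
import random

# Row 0 of DES S-box S1, used here as a 4-bit toy F-function (assumption).
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
TEXT_BITS, KEY_BITS = 5, 4      # the slides use 13 and 12

def left_side(a, b):
    """Left side of the toy equation: t XOR F(cl XOR b)[0], with a = (t, cl)."""
    t, cl = a >> 4, a & 0xF
    return t ^ (SBOX[cl ^ b] & 1)

def constructed_pairs(n, key, rhs, p, seed):
    """Constructed sample: effective text bits of n texts for which
    'left side = rhs' holds with probability p under the hidden key."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        cl = rng.randrange(16)
        left = rhs if rng.random() < p else rhs ^ 1
        t = left ^ (SBOX[cl ^ key] & 1)
        out.append((t << 4) | cl)
    return out

def data_counting(effective_text_values):
    """Data counting phase: TA[a] = number of texts whose effective bits equal a."""
    ta = [0] * (1 << TEXT_BITS)
    for a in effective_text_values:
        ta[a] += 1
    return ta

def key_counting(ta):
    """Key counting phase: KA[b] = sum of TA[a] over all a with left side = 0."""
    return [sum(n for a, n in enumerate(ta) if left_side(a, b) == 0)
            for b in range(1 << KEY_BITS)]

def rank_candidates(ka, n):
    """Order candidates by |KA[b] - N/2|; guess right side 0 if KA[b] - N/2 <= 0, else 1."""
    order = sorted(range(len(ka)), key=lambda b: abs(ka[b] - n / 2), reverse=True)
    return [(b, 0 if ka[b] - n / 2 <= 0 else 1) for b in order]

def demo(n=4096, key=0xB, rhs=1, p=0.125, seed=1):
    ta = data_counting(constructed_pairs(n, key, rhs, p, seed))
    return ta, rank_candidates(key_counting(ta), n)

if __name__ == "__main__":
    ta, ranked = demo()
    print("most reliable candidates (key bits, right side):", ranked[:3])
```

Key counting reads only the 2^5 counters and never revisits the N texts; at the slides' scale that is 2^13 counters for each of 2^12 key candidates.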
17 / 30
Principle of the attack (Cont’)
- Total of 26 secret key bits (after the PC-1)
  - K[0], K[1], K[3], K[4], K[8], K[9], K[14], K[15], K[18],
    K[19], K[24], K[25], K[31], K[32], K[38], K[39], K[41],
    K[42], K[44], K[45], K[50], K[51], K[54], K[55],
    K[5] ⊕ K[13] ⊕ K[17] ⊕ K[20] ⊕ K[46],
    K[2] ⊕ K[7] ⊕ K[11] ⊕ K[22] ⊕ K[26] ⊕ K[37] ⊕ K[52]
- Exhaustive Search Phase (Finding remaining 30 key bits)
  - Let Wm (m=0,1,2…) be a series of candidates for the 26 key bits arranged in order of their reliability
  - For each Wm, search for the remaining key bits until the correct value is found
18 / 30
Success Rate and Complexity

DES reduced to 8 rounds
(6)

Left side of equation is essentially the same
(7)

Best 6-round expression
19 / 30
Success Rate and Complexity(cont’)

Full 16 round DES to 8-round DES
Equation of number of N random plaintext, success
rate

Depend on

20 / 30
Success Rate and Complexity(cont’)


Full 16 round DES to 8-round DES
Lemma 1.

Let N be the number of given random plaintexts and p be the probability that
the following eq holds.

Assuming |p-1/2| is small
21 / 30
Success Rate and Complexity(cont’)

Full 16 round DES to 8-round DES
8 round DES
16 round DES
22 / 30
Success Rate and Complexity(cont’)




Full 16 round DES to 8-round DES
Lemma 1.
Success rate of our attack on 8-round DES with N8 plaintexts
is the same as that on 16-round DES with N16 plaintexts

equivalent to
23 / 30
Success Rate and Complexity(cont’)


Computer experiments in Solving eq (6)
100,000 times to estimate (4)
24 / 30
Success Rate and Complexity(cont’)
25 / 30
The Computer Experiment




First computer experiment in breaking DES
Implemented in software only
C and assembly languages, 1000 lines
1 Mbyte when running
26 / 30
The Computer Experiment(cont’)
27 / 30
The Computer Experiment(cont’)
28 / 30
Concluding Remarks




Improvement of linear cryptanalysis
Presented the first successful experiment
Breaking full 16-round DES
Remaining 30 key bits – it is also possible
Result fig.2, fig.3 – Simple function, Formalized
- New combination will give more effective
29 / 30
Nowadays
- EFF made DES attack hardware in 1998
  - Decode : 56 hours (56-bit key)
  - 22 hours in 1999
- More than 128-bit keys are safe at present.
30 / 30
References
- National Bureau of Standards: Data Encryption Standard. (1977)
- Matsui, M.: Linear Cryptanalysis Method for DES cipher. (1993)
- Matsui, M.: On correlation between the order of S-boxes and the strength of DES. (1994)
- Hellman, M., Merkle, R., Schroeppel, R., Washington, L., Diffie, W., Pohlig, S., Schweitzer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard. (1976)
- Shamir, A.: On the security of DES. (1985)
- Davies, D., Murphy, S.: Pairs and triplets of DES S-boxes. (preprint)
- Rueppel, R.A.: Analysis and design of stream ciphers. (1986)
- Kim, Kwangjo (김광조): A commentary on the linear cryptanalysis method for DES (3). Korea Institute of Information Security and Cryptology, Journal of Information Security (Journal of the Society for Communications and Information Security), Vol. 4, No. 1, 1994. 3, pp. 30 ~ 43 (14 pages)
Any Question?
Korex527 at gmail.com
Betelgs at chol.com