Block ciphers 2
Session 4
Contents
• Linear cryptanalysis
• Differential cryptanalysis
2/48
Linear cryptanalysis
• Known plaintext attack
– The cryptanalyst has a set of plaintexts and the
corresponding ciphertexts
– The cryptanalyst cannot choose which plaintexts are
encrypted; the available pairs are simply given (unlike
differential cryptanalysis, where the attacker selects the
plaintext pairs)
3/48
Linear cryptanalysis
• Linear cryptanalysis
– Tries to take advantage of high probability
occurrences of linear expressions involving
plaintext bits, ciphertext bits (or round output
bits) and subkey bits
– The basic idea is to approximate the operation of
a portion of the cipher with a linear expression
– The approach is to determine such expressions
with high or low probability of occurrence
4/48
Linear cryptanalysis
• Example
$X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0$
– Here $\oplus$ is exclusive OR (addition modulo 2); $i$ and $j$ are
the numbers of the rounds from which the input vector X and
the output vector Y are taken, respectively
– $u$ bits of X (at positions $i_1, \ldots, i_u$) and $v$ bits of Y
(at positions $j_1, \ldots, j_v$) enter the equation
– Example
• i=1 and j=5 means X is taken from the input to the first
round and Y is taken from the output of the 5th round
5/48
Linear cryptanalysis
• Linear probability bias (1)
– If a block cipher displays a tendency for such
linear equations to hold with a probability much
higher (or much lower) than 1/2, this is evidence
of the cipher’s poor randomization abilities
– The deviation (bias) from the probability of 1/2 for
such an expression to hold is exploited in linear
cryptanalysis
– This deviation is called linear probability bias
6/48
Linear cryptanalysis
• Linear probability bias (2)
– Let the probability that the given linear equation
holds be pL
– The higher the magnitude of the linear probability
bias $|p_L - 1/2|$, the better the applicability of linear
cryptanalysis, with fewer known plaintexts required in
the attack
7/48
Linear cryptanalysis
• Linear probability bias (3)
– $p_L = 1$ : catastrophic weakness – there is always a
linear relation in the cipher
– $p_L = 0$ : catastrophic weakness – there is an affine
relationship in the cipher (the complement of a
linear relationship)
8/48
Linear cryptanalysis
• Linear probability bias (4)
– Consider two random binary variables, $X_1$ and $X_2$
• $X_1 \oplus X_2 = 0$ is a linear expression – equivalent to $X_1 = X_2$
• $X_1 \oplus X_2 = 1$ is an affine expression – equivalent to $X_1 \neq X_2$
– Assume the following probability distributions
$\Pr[X_1 = i] = \begin{cases} p_1, & i = 0 \\ 1 - p_1, & i = 1 \end{cases}$
$\Pr[X_2 = i] = \begin{cases} p_2, & i = 0 \\ 1 - p_2, & i = 1 \end{cases}$
9/48
Linear cryptanalysis
• Linear probability bias (5)
– If $X_1$ and $X_2$ are independent, then
$\Pr[X_1 = i, X_2 = j] = \begin{cases} p_1 p_2, & i = 0,\ j = 0 \\ p_1 (1 - p_2), & i = 0,\ j = 1 \\ (1 - p_1)\, p_2, & i = 1,\ j = 0 \\ (1 - p_1)(1 - p_2), & i = 1,\ j = 1 \end{cases}$
10/48
Linear cryptanalysis
• Linear probability bias (6)
– It can easily be shown that
$\Pr[X_1 \oplus X_2 = 0] = \Pr[X_1 = X_2] = \Pr[X_1 = 0, X_2 = 0] + \Pr[X_1 = 1, X_2 = 1] = p_1 p_2 + (1 - p_1)(1 - p_2)$
11/48
Linear cryptanalysis
• Linear probability bias (7)
– With the probability bias introduced,
$p_1 = 1/2 + \varepsilon_1$, $p_2 = 1/2 + \varepsilon_2$, $-1/2 \le \varepsilon_1, \varepsilon_2 \le 1/2$,
we have
$\Pr[X_1 \oplus X_2 = 0] = (1/2 + \varepsilon_1)(1/2 + \varepsilon_2) + (1/2 - \varepsilon_1)(1/2 - \varepsilon_2) = 1/2 + 2\varepsilon_1 \varepsilon_2 = 1/2 + \varepsilon_{1,2}$
(the linear terms $\pm\varepsilon_1/2$ and $\pm\varepsilon_2/2$ cancel)
12/48
Linear cryptanalysis
• Linear probability bias (8)
– Extension to $n$ random binary variables – the
piling-up lemma – Matsui, 1993
• For $n$ independent random binary variables $X_1, X_2, \ldots, X_n$
with $\Pr[X_i = 0] = 1/2 + \varepsilon_i$,
$\Pr[X_1 \oplus \cdots \oplus X_n = 0] = \dfrac{1}{2} + 2^{\,n-1} \prod_{i=1}^{n} \varepsilon_i$
or equivalently
$\varepsilon_{1,2,\ldots,n} = 2^{\,n-1} \prod_{i=1}^{n} \varepsilon_i$
13/48
Linear cryptanalysis
• Linear probability bias (9)
– If $p_i = 0$ or $1$ for all $i$, then $\Pr[X_1 \oplus \cdots \oplus X_n = 0] = 0$ or $1$
– If only one $p_i = 1/2$, then $\Pr[X_1 \oplus \cdots \oplus X_n = 0] = 1/2$
(that term has $\varepsilon_i = 0$, which zeroes the product, so
a single unbiased term makes the whole sum unbiased)
– In developing the linear approximation of a cipher,
the Xi values actually represent linear
approximations of the S-boxes
14/48
Linear cryptanalysis
• Example (1)
– Four random binary variables, $X_1$, $X_2$, $X_3$ and $X_4$
– Let $\Pr[X_1 \oplus X_2 = 0] = 1/2 + \varepsilon_{1,2}$ and $\Pr[X_2 \oplus X_3 = 0] = 1/2 + \varepsilon_{2,3}$
– Let us derive the expression for the sum of $X_1$ and
$X_3$ by adding the two relations:
$\Pr[X_1 \oplus X_3 = 0] = \Pr[(X_1 \oplus X_2) \oplus (X_2 \oplus X_3) = 0]$
15/48
Linear cryptanalysis
• Example (2)
– Since we can consider $X_1 \oplus X_2$ and $X_2 \oplus X_3$ to be
independent, we can use the piling-up lemma to
determine
$\Pr[X_1 \oplus X_3 = 0] = \dfrac{1}{2} + 2\varepsilon_{1,2}\varepsilon_{2,3}$
and consequently
$\varepsilon_{1,3} = 2\varepsilon_{1,2}\varepsilon_{2,3}$
16/48
Linear cryptanalysis
• Example (3)
– The expressions $X_1 \oplus X_2 = 0$ and $X_2 \oplus X_3 = 0$ are
analogous to linear approximations of S-boxes
– The expression $X_1 \oplus X_3 = 0$ is analogous to a cipher
approximation where the intermediate bit $X_2$ is
eliminated
– A real analysis is much more complex, involving
many S-box approximations
17/48
Linear cryptanalysis
• The source of linearity weaknesses in a block
cipher is its S-boxes (the only nonlinear components
of an SPN; every other operation is linear over GF(2))
• Example (1) – a 4×4 S-box
18/48
Linear cryptanalysis
• Example (2)
– The contents of the S-box
Addr. 0 1 2 3 4 5 6 7 8 9 A B C D E F
Cont. E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
– Input $X = [X_1, X_2, X_3, X_4]$, output $Y = [Y_1, Y_2, Y_3, Y_4]$,
with $X_1$ and $Y_1$ the most significant bits
– We consider the following equations
$X_2 \oplus X_3 = Y_1 \oplus Y_3 \oplus Y_4$
$X_1 \oplus X_4 = Y_2$
$X_3 \oplus X_4 = Y_1 \oplus Y_4$
19/48
Linear cryptanalysis
• Example (3)
20/48
Linear cryptanalysis
• Example (4)
– The linear probability bias
• First equation: $12/16 - 1/2 = 1/4$ (holds for 12 of the 16 inputs)
• Second equation: $8/16 - 1/2 = 0$ (holds for exactly half the inputs)
• Third equation: $2/16 - 1/2 = -3/8$ (holds for only 2 of the 16 inputs)
– The success of the attack depends on the
magnitude of the linear probability bias – the best
approximation of the S-box is the third equation
21/48
Linear cryptanalysis
• Linear approximation table (1)
– For the attack, we must enumerate all linear
approximations of the S-box – linear
approximation table
– Each element in the table is the number of the 16 inputs
for which the linear combination given by the ”Input sum”
equals the linear combination of output bits given by the
”Output sum”, minus 8 (the count expected for an unbiased
equation), so an entry of 0 means no bias and an entry of
$\pm 8$ would mean an exact linear or affine relation
22/48
Linear cryptanalysis
• Linear approximation table (2)
– Dividing an element by 16 gives the probability
bias for the particular linear combination
– The ”Input sum” and the ”Output sum” are given
in hexadecimal
• Input sum: $a_1 X_1 \oplus a_2 X_2 \oplus a_3 X_3 \oplus a_4 X_4$
• Output sum: $b_1 Y_1 \oplus b_2 Y_2 \oplus b_3 Y_3 \oplus b_4 Y_4$
• $a_i, b_i \in \{0, 1\}$
• The hexadecimal value represents the binary value
$a_1 a_2 a_3 a_4$, resp. $b_1 b_2 b_3 b_4$
23/48
Linear cryptanalysis
• Linear approximation table (3)
24/48
Linear cryptanalysis
• Example
– The probability bias of the linear equation
$X_3 \oplus X_4 = Y_1 \oplus Y_4$ (hex input 3 = 0011, hex output 9 = 1001) is
$-6/16 = -3/8$
– The probability that this linear equation holds true
is $1/2 - 3/8 = 1/8$, i.e. it holds for 2 of the 16 inputs
25/48
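The following is an added example, not code from the slides: it builds the linear approximation table of the S-box above in Python with the entry convention used here (number of matches minus 8), checks the three equations from the slides, finds the best single-S-box approximations, and applies the piling-up lemma from the earlier slides to chain two approximations. Function names are my own; the S-box and the mask convention (a1 and b1 as the most significant bit) are taken from the slides.

```python
"""Linear approximation table (LAT) of the 4x4 S-box from the slides,
plus the piling-up lemma.  Added example; not part of the original slides."""
from fractions import Fraction
from math import ceil

# S-box from the slides (address -> content): S(0)=E, S(1)=4, ...
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """GF(2) sum (XOR) of the bits of v."""
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - 8, the convention on the slides.
    Mask bit 3 is a1 (input bit X1) and mask bit 0 is a4 (X4); likewise
    for the output mask b, so hex input 3 = X3 xor X4, hex output 9 = Y1 xor Y4."""
    size = len(sbox)
    lat = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            matches = sum(1 for x in range(size)
                          if parity(a & x) == parity(b & sbox[x]))
            lat[a][b] = matches - size // 2
    return lat


LAT = linear_approximation_table(SBOX)


def bias(lat, in_mask, out_mask):
    """Linear probability bias eps = Pr[a.X = b.Y] - 1/2 = lat[a][b] / 16."""
    return Fraction(lat[in_mask][out_mask], len(lat))


def max_abs_entries(lat):
    """Non-trivial entries (a != 0 and b != 0) of largest magnitude: the
    S-box approximations an attacker would chain across rounds first."""
    size = len(lat)
    best = max(abs(lat[a][b]) for a in range(1, size) for b in range(1, size))
    return [(a, b, lat[a][b]) for a in range(1, size) for b in range(1, size)
            if abs(lat[a][b]) == best]


def piling_up(biases):
    """Piling-up lemma (Matsui 1993): the XOR of n independent approximations
    with biases eps_1..eps_n holds with bias 2^(n-1) * prod(eps_i)."""
    result = Fraction(2) ** (len(biases) - 1)
    for eps in biases:
        result *= Fraction(eps)
    return result


def known_plaintexts_needed(eps):
    """Matsui's rule of thumb N_L ~ 1/eps^2 for an overall bias eps."""
    return ceil(1 / Fraction(eps) ** 2)


if __name__ == "__main__":
    # The three equations from the slides: masks 6->B, 9->4 and 3->9
    for a, b in ((0x6, 0xB), (0x9, 0x4), (0x3, 0x9)):
        print(f"input {a:X} output {b:X}: entry {LAT[a][b]:+d}, bias {bias(LAT, a, b)}")
    print("largest-magnitude entries:", max_abs_entries(LAT))
    # Chaining the first and third approximations as if they sat in two
    # consecutive rounds with independent inputs (the assumption the lemma needs)
    eps = piling_up([bias(LAT, 0x6, 0xB), bias(LAT, 0x3, 0x9)])
    print("chained bias", eps, "-> about", known_plaintexts_needed(eps), "known plaintexts")
```

Row 0 and column 0 of the table carry no information for a permutation: `lat[0][0]` is 8 (the empty equation always holds) and every other entry in them is 0, which is a quick sanity check on the mask convention before trusting the rest of the table.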
Linear cryptanalysis
• Once the linear approximation information
has been compiled for the S-boxes, we
proceed by determining linear approximations
for the overall cipher (if possible) or for certain
number of rounds
• Once an R-1 round linear approximation is
discovered for a cipher of R rounds with a
suitably large overall probability bias, it is
possible to recover bits of the last subkey
26/48
Linear cryptanalysis
• Complexity of the attack
– In the context of linear (and differential)
cryptanalysis, this means the number of plaintext-ciphertext
pairs necessary to carry out the attack
– Matsui showed that the number of such pairs $N_L$
can be approximated by
• $N_L \approx 1/\varepsilon^2$, where $\varepsilon$ is the overall probability bias for the
whole cipher (or the rounds to be cryptanalyzed)
27/48
Linear cryptanalysis
• Providing security against linear cryptanalysis
– Minimize the largest S-box bias
– Find structures to maximize the number of
S-boxes involved in the overall cipher
approximation
28/48
Differential cryptanalysis
• Differential cryptanalysis
– Exploits the high probability of certain occurrences of
plaintext differences together with the corresponding
differences at the input to the last round of a block cipher
– Example (1)
• Input: X=[X1,X2,…,Xn]
• Output: Y=[Y1,Y2,…,Yn]
• Consider two inputs $X'$ and $X''$ with corresponding
outputs $Y'$ and $Y''$
29/48
Differential cryptanalysis
– Example (2)
• The input difference
– $\Delta X = X' \oplus X'' = [\Delta X_1, \Delta X_2, \ldots, \Delta X_n]$, where $\Delta X_i = X_i' \oplus X_i''$
• The output difference
– $\Delta Y = Y' \oplus Y'' = [\Delta Y_1, \Delta Y_2, \ldots, \Delta Y_n]$
• In an ideally randomized cipher, the
probability that a particular output difference
$\Delta Y$ occurs given a particular input difference
$\Delta X$ is $1/2^n$
30/48
Differential cryptanalysis
• Differential cryptanalysis seeks to exploit a
situation in which a particular $\Delta Y$ occurs given
a particular $\Delta X$ with a very high probability $p_D$
($\gg 1/2^n$)
• The pair $(\Delta X, \Delta Y)$ is called a differential
• The attacker selects pairs of inputs, $X'$ and $X''$,
to satisfy a particular $\Delta X$ for which a particular
$\Delta Y$ occurs with high probability
31/48
Differential cryptanalysis
• We construct a differential $(\Delta X, \Delta Y)$ involving
– Plaintext bits (as represented by $\Delta X$)
– Input to the last round (as represented by $\Delta Y$)
• This is carried out by examining highly likely
differential characteristics
32/48
Differential cryptanalysis
• Differential characteristic
– A sequence of input and output differences to the
rounds
• Output difference from one round corresponds to the
input difference for the next round
• Using the highly likely differential
characteristic enables exploiting information
coming into the last round
33/48
Differential cryptanalysis
• To construct highly likely differential
characteristics, we examine the properties of
individual S-boxes
• We then use these properties to determine
the complete differential characteristic
34/48
Differential cryptanalysis
• We consider the input and output differences
of the S-boxes in order to determine a high
probability difference pair.
• Then we combine S-box difference pairs from
round to round so that the non-zero output
difference bits from one round correspond to
the non-zero input difference bits of the next
round
35/48
Differential cryptanalysis
• This enables finding a high probability
differential consisting of the plaintext
difference and the difference of the input to
the last round
• The subkey bits disappear from the difference
expression because they are involved in both
data sets
36/48
Differential cryptanalysis
• Example (1)
37/48
Differential cryptanalysis
• Example (2)
– The contents of the S-box
Addr. 0 1 2 3 4 5 6 7 8 9 A B C D E F
Cont. E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
– Input: X=[X1,X2,X3,X4]
– Output: Y=[Y1,Y2,Y3,Y4]
38/48
Differential cryptanalysis
• All difference pairs $(\Delta X, \Delta Y)$ of an S-box can be
examined and the probability of $\Delta Y$ given $\Delta X$
can be derived by considering input pairs
$(X', X'')$ such that $X' \oplus X'' = \Delta X$
• Ordering of the pair is not relevant
– For a 4×4 S-box we need only consider all 16
values for $X'$ and derive $X'' = X' \oplus \Delta X$
39/48
Differential cryptanalysis
• Example
$\Delta X = 1011$ (hex B)
$\Delta X = 1000$ (hex 8)
$\Delta X = 0100$ (hex 4)
• Given $X$ and $\Delta X$ and having the S-box truth
table, for the input pair $(X, X \oplus \Delta X)$ we read off the
output pair $(Y, Y \oplus \Delta Y)$
• Then we easily get $\Delta Y$ as the XOR of the two outputs
40/48
Differential cryptanalysis
41/48
Differential cryptanalysis
• Example
– The number of occurrences of $\Delta Y = 0010$ for
$\Delta X = 1011$ is 8 out of 16 possible values (i.e. a
probability of 1/2)
– The number of occurrences of $\Delta Y = 1011$ for
$\Delta X = 1000$ is 4 out of 16 possible values (i.e. a
probability of 1/4)
– The number of occurrences of $\Delta Y = 1010$ for
$\Delta X = 0100$ is 0 out of 16 possible values (i.e. a
probability of 0)
42/48
Differential cryptanalysis
• An ”ideal” S-box would have the number of
occurrences of difference pair values all 1, to
give a probability of 1/16 of the occurrence of
a particular $\Delta Y$ given $\Delta X$
• It turns out that such an ”ideal” S-box does
not exist
43/48
Differential cryptanalysis
• Difference distribution table
– The rows represent $\Delta X$ values (in hex)
– The columns represent $\Delta Y$ values (in hex)
– Each element of the table represents the number
of occurrences of the corresponding output
difference $\Delta Y$ given the input difference $\Delta X$
44/48
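As an added example (not code from the slides), the block below builds the difference distribution table of the S-box from the slides in Python, reproduces the three counts given above, lists the right pairs for the best differential, and shows why the ”ideal” S-box cannot exist: each unordered pair $\{X', X''\}$ is counted from both sides, so every entry is even and an entry of 1 is impossible. Function names are my own.

```python
"""Difference distribution table (DDT) of the 4x4 S-box from the slides.
Added example; not part of the original slides."""
from fractions import Fraction

# S-box from the slides (address -> content)
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def difference_distribution_table(sbox):
    """ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}.  Every x is tried once,
    so the unordered pair {x, x ^ dx} is counted twice for dx != 0, once
    from each side; that is why every entry outside row 0 is even."""
    size = len(sbox)
    ddt = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


DDT = difference_distribution_table(SBOX)


def differential_probability(ddt, dx, dy):
    """p_D of the single-S-box differential (dx, dy)."""
    return Fraction(ddt[dx][dy], len(ddt))


def right_pairs(sbox, dx, dy):
    """Input pairs (x', x'') with x' ^ x'' == dx whose outputs differ by dy:
    the pairs an attacker chooses plaintexts to produce."""
    return [(x, x ^ dx) for x in range(len(sbox))
            if sbox[x] ^ sbox[x ^ dx] == dy]


def best_differential(ddt):
    """Highest-probability non-trivial differential (dx != 0)."""
    size = len(ddt)
    dx, dy = max(((dx, dy) for dx in range(1, size) for dy in range(size)),
                 key=lambda t: ddt[t[0]][t[1]])
    return dx, dy, ddt[dx][dy]


def is_ideal(ddt):
    """The 'ideal' S-box of the slides: every entry for dx != 0 equal to 1."""
    size = len(ddt)
    return all(ddt[dx][dy] == 1 for dx in range(1, size) for dy in range(size))


if __name__ == "__main__":
    for dx, dy in ((0xB, 0x2), (0x8, 0xB), (0x4, 0xA)):
        print(f"dX={dx:04b} dY={dy:04b}: {DDT[dx][dy]} of 16, "
              f"p = {differential_probability(DDT, dx, dy)}")
    dx, dy, count = best_differential(DDT)
    print(f"best differential dX={dx:X} dY={dy:X} ({count}/16), right pairs:",
          right_pairs(SBOX, dx, dy))
    print("ideal S-box?", is_ideal(DDT))
```

For a bijective S-box row 0 is all zeros except `ddt[0][0] == 16`, and column 0 is zero in every other row (equal inputs are the only way to get equal outputs); both are useful checks that the table was built with the right S-box.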
Differential cryptanalysis
45/48
Differential cryptanalysis
• Once the differential information has been
compiled for the S-boxes, we proceed by
determining differential characteristic for the
overall cipher (if possible) or for certain
number of rounds.
• Once an R-1 round differential characteristic is
discovered for a cipher of R rounds with a
suitably large overall probability, it is possible
to recover bits of the last subkey
46/48
Differential cryptanalysis
• Complexity of the attack
– This means the number of plaintext-ciphertext
pairs necessary to carry out the attack
– The number of such pairs $N_D$ can be approximated by
• $N_D \approx c/p_D$, where $p_D$ is the overall differential
characteristic probability for the whole cipher (or the
rounds to be cryptanalyzed) and $c$ is a small constant
47/48
Differential cryptanalysis
• Providing security against differential
cryptanalysis
– Minimize the largest difference pair probability of an
S-box
– Find structures to maximize the number of active
S-boxes (S-boxes with a non-zero input difference) in
the overall characteristic
48/48