Outline

1. Iterated Block Cipher
2. S-Boxes
3. A Basic Substitution Permutation Network
4. Linear Cryptanalysis
5. Differential Cryptanalysis
6. Appendix

A Basic Substitution Permutation Network: SPN

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Layers from top to bottom: plaintext $P_1 \ldots P_{16}$; sub-key $k^{(1)}$ mixing; S-boxes $S_{11}, S_{12}, S_{13}, S_{14}$ (Round 1); sub-key $k^{(2)}$ mixing; $S_{21} \ldots S_{24}$ (Round 2); sub-key $k^{(3)}$ mixing; $S_{31} \ldots S_{34}$ (Round 3); sub-key $k^{(4)}$ mixing; $S_{41} \ldots S_{44}$ (Round 4); sub-key $k^{(5)}$ mixing; ciphertext $C_1 \ldots C_{16}$.]

A Basic Substitution Permutation Network: Substitution

- 16-bit data block broken into four 4-bit sub-blocks.
- Each sub-block forms an input to a 4 × 4 S-Box.
- S-Box is a highly non-linear mapping.
- Assume that all the S-Boxes are the same.

| Input  | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|--------|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Output | E | 4 | D | 1 | 2 | F | B | 8 | 3 | A | 6 | C | 5 | 9 | 0 | 7 |

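A Basic Substitution Permutation Network: Permutation

| Input  | 1 | 2 | 3 | 4  | 5 | 6 | 7  | 8  | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |
|--------|---|---|---|----|---|---|----|----|---|----|----|----|----|----|----|----|
| Output | 1 | 5 | 9 | 13 | 2 | 6 | 10 | 14 | 3 | 7  | 11 | 15 | 4  | 8  | 12 | 16 |
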
A Basic Substitution Permutation Network: Key Mixing & Decryption

Key Mixing
- Bit-wise exclusive-OR.
- Assume that sub-keys are independently generated and unrelated, rather than being generated from a master key using KSA.

Decryption
- Also an SPN.
- S-boxes are the inverse of the encryption S-boxes.
- The sub-keys are applied in the reverse order and their bits are moved around according to the permutation.

Linear Cryptanalysis: Goal

- The main aim in linear cryptanalysis is to find linear expressions of the form
  $$X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0,$$
  which have a high or low probability of occurrence.
- Let $p_L = \Pr[X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_u} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \cdots \oplus Y_{j_v} = 0]$; then the linear probability bias is $b_L = |p_L - \tfrac{1}{2}|$.
- It tries to take advantage of high probability occurrences of linear expressions involving plaintext, ciphertext and sub-key bits.
- It is a known plaintext attack.

Linear Cryptanalysis: Notations

- $P$ and $C$ denote the 16-bit plaintext and ciphertext, respectively.
- $X_i$ denotes the $i$th bit of the input $X = [X_1, X_2, X_3, X_4]$ to the S-box.
- $Y_i$ denotes the $i$th bit of the output $Y = [Y_1, Y_2, Y_3, Y_4]$ of the S-box.

[Figure: S-box Mapping (Courtesy: Heys's Tutorial). Inputs $X_1, X_2, X_3, X_4$ enter the S-box and outputs $Y_1, Y_2, Y_3, Y_4$ leave it.]

Linear Cryptanalysis: Notations (Cont.)

- $U^{(i)}$ represents the input to the $i$th round S-box and $U^{(i)}_j$ represents the $j$th bit of block $U^{(i)}$.
- $V^{(i)}$ represents the output of the $i$th round S-box and $V^{(i)}_j$ represents the $j$th bit of block $V^{(i)}$.
- Let $k^{(i)}$ represent the $i$th round key.

Linear Cryptanalysis: Piling-Up Lemma

Piling-Up Lemma (Matsui). For $n$ independent, random binary variables $X_1, X_2, \ldots, X_n$,
$$\Pr[X_1 \oplus \cdots \oplus X_n = 0] = \frac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \varepsilon_i$$
or, equivalently,
$$\varepsilon_{1,2,\ldots,n} = 2^{n-1} \prod_{i=1}^{n} \varepsilon_i,$$
where $\varepsilon_{1,2,\ldots,n}$ represents the bias of $X_1 \oplus \cdots \oplus X_n = 0$.

Linear Cryptanalysis: How to construct such linear expressions?

- This is done by considering the cipher's non-linear components.
- In this case, the S-Box.

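Linear Cryptanalysis: S-Box Analysis

| $X_1$ | $X_2$ | $X_3$ | $X_4$ | $Y_1$ | $Y_2$ | $Y_3$ | $Y_4$ | $X_2 \oplus X_3$ | $Y_1 \oplus Y_3 \oplus Y_4$ | $X_1 \oplus X_4$ | $Y_2$ | $X_3 \oplus X_4$ | $Y_1 \oplus Y_4$ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
| 0 | 0 | 0 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 0 |
| 0 | 0 | 1 | 0 | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 1 | 0 |
| 0 | 0 | 1 | 1 | 0 | 0 | 0 | 1 | 1 | 1 | 1 | 0 | 0 | 1 |
| 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| 0 | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 |
| 0 | 1 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 0 |
| 0 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 1 |
| 1 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 |
| 1 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| 1 | 0 | 1 | 0 | 0 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 0 |
| 1 | 0 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 1 | 0 | 1 |
| 1 | 1 | 0 | 0 | 0 | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 0 | 1 |
| 1 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 1 | 0 |
| 1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 0 |
| 1 | 1 | 1 | 1 | 0 | 1 | 1 | 1 | 0 | 0 | 0 | 1 | 0 | 1 |

Table: Sample Difference Pairs of the S-box.
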
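Linear Cryptanalysis: S-Box Analysis (cont.)

Rows: input mask in hexadecimal. Columns: output mask in hexadecimal.

| In \ Out | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | +8 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 0 | -2 | -2 | 0 | 0 | -2 | +6 | +2 | +2 | 0 | 0 | +2 | +2 | 0 | 0 |
| 2 | 0 | 0 | -2 | -2 | 0 | 0 | -2 | -2 | 0 | 0 | +2 | +2 | 0 | 0 | -6 | +2 |
| 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | +2 | -6 | -2 | -2 | +2 | +2 | -2 | -2 |
| 4 | 0 | +2 | 0 | -2 | -2 | -4 | -2 | 0 | 0 | -2 | 0 | +2 | +2 | -4 | +2 | 0 |
| 5 | 0 | -2 | -2 | 0 | -2 | 0 | +4 | +2 | -2 | 0 | -4 | +2 | 0 | -2 | -2 | 0 |
| 6 | 0 | +2 | -2 | +4 | +2 | 0 | 0 | +2 | 0 | -2 | +2 | +4 | -2 | 0 | 0 | -2 |
| 7 | 0 | -2 | 0 | +2 | +2 | -4 | +2 | 0 | -2 | 0 | +2 | 0 | +4 | +2 | 0 | +2 |
| 8 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | -2 | +2 | +2 | -2 | +2 | -2 | -2 | -6 |
| 9 | 0 | 0 | -2 | -2 | 0 | 0 | -2 | -2 | -4 | 0 | -2 | +2 | 0 | +4 | +2 | -2 |
| A | 0 | +4 | -2 | +2 | -4 | 0 | +2 | -2 | +2 | +2 | 0 | 0 | +2 | +2 | 0 | 0 |
| B | 0 | +4 | 0 | -4 | +4 | 0 | +4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| C | 0 | -2 | +4 | -2 | -2 | 0 | +2 | 0 | +2 | 0 | +2 | +4 | 0 | +2 | 0 | -2 |
| D | 0 | +2 | +2 | 0 | -2 | +4 | 0 | +2 | -4 | -2 | +2 | 0 | +2 | 0 | 0 | +2 |
| E | 0 | +2 | +2 | 0 | -2 | -4 | 0 | +2 | -2 | 0 | 0 | -2 | -4 | +2 | -2 | 0 |
| F | 0 | -2 | -4 | -2 | -2 | 0 | +2 | 0 | 0 | -2 | +4 | -2 | -2 | 0 | +2 | 0 |

Table: Linear Approximation Table of the S-box Represented by Table.
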
Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher

- Linear approximation of the overall cipher is achieved by concatenating appropriate S-boxes.
- By constructing a linear approximation involving plaintext bits and the data bits from the output of the second last round, it is possible to attack the cipher by recovering a subset of the sub-key bits that follow the last round.

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher (cont.)

[Figure: Sample Linear Approximation (Courtesy: Heys's Tutorial). Labelled bits: plaintext $P_5, P_7, P_8$ with sub-key bits $k^{(1)}_5, k^{(1)}_7, k^{(1)}_8$ into Round 1 ($S_{11} \ldots S_{14}$); $k^{(2)}_6$ into Round 2 ($S_{21} \ldots S_{24}$); $k^{(3)}_6, k^{(3)}_{14}$ into Round 3 ($S_{31} \ldots S_{34}$); $k^{(4)}_6, k^{(4)}_8, k^{(4)}_{14}, k^{(4)}_{16}$ and $U^{(4)}_6, U^{(4)}_8, U^{(4)}_{14}, U^{(4)}_{16}$ into Round 4 ($S_{41} \ldots S_{44}$); sub-key bits $k^{(5)}_5 \ldots k^{(5)}_8$ and $k^{(5)}_{13} \ldots k^{(5)}_{16}$ after Round 4.]

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher (cont.)

We use the following approximations of the S-box:

- $S_{12}$: $X_1 \oplus X_3 \oplus X_4 = Y_2$ with probability 12/16 and bias $+\tfrac{1}{4}$
- $S_{22}$: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias $-\tfrac{1}{4}$
- $S_{32}$: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias $-\tfrac{1}{4}$
- $S_{34}$: $X_2 = Y_2 \oplus Y_4$ with probability 4/16 and bias $-\tfrac{1}{4}$

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher (cont.)

Notice, $U^{(1)} = P \oplus k^{(1)}$. For $S_{12}$, we have
$$V^{(1)}_6 = U^{(1)}_5 \oplus U^{(1)}_7 \oplus U^{(1)}_8 = (P_5 \oplus K_{1,5}) \oplus (P_7 \oplus K_{1,7}) \oplus (P_8 \oplus K_{1,8}).$$
This holds with probability $\tfrac{3}{4}$.

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher (cont.)

Continuing . . .
$$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8 \oplus \Sigma_K = 0,$$
where
$$\Sigma_K = K_{1,5} \oplus K_{1,7} \oplus K_{1,8} \oplus K_{2,6} \oplus K_{3,6} \oplus K_{3,14} \oplus K_{4,6} \oplus K_{4,8} \oplus K_{4,14} \oplus K_{4,16}.$$

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher (cont.)

$\Sigma_K$ is fixed to either 0 or 1 depending on the key of the cipher. Using the piling-up lemma,
$$p_L = \frac{1}{2} + 2^{3} \left(\frac{3}{4} - \frac{1}{2}\right) \left(\frac{1}{4} - \frac{1}{2}\right)^{3} = \frac{15}{32}.$$
Therefore, $b_L = -\tfrac{1}{32}$.

Linear Cryptanalysis: Constructing Linear Approximation For The Complete Cipher (cont.)

Depending on whether $\Sigma_K = 0$ or $1$, the expression
$$U_{4,6} \oplus U_{4,8} \oplus U_{4,14} \oplus U_{4,16} \oplus P_5 \oplus P_7 \oplus P_8$$
holds with either probability $p_L = \tfrac{15}{32}$ or $1 - p_L = \tfrac{17}{32}$.

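
The linear approximation table and the piling-up calculation above can be recomputed from the S-box alone. The Python below is an added example, not code from the slides; the mask encoding ($X_1$ and $Y_1$ as the most significant bit) and all function names are assumptions of the example.

```python
from fractions import Fraction

# S-box from the slides: index = 4-bit input, X1 is the most significant bit.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(value):
    """XOR of all bits of value."""
    return bin(value).count("1") & 1


def linear_approximation_table(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - 8 for input mask a and output mask b."""
    size = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(size)) - size // 2
             for b in range(size)]
            for a in range(size)]


def piling_up(biases):
    """Bias of the XOR of independent approximations: 2^(n-1) * product of biases."""
    combined = Fraction(2) ** (len(biases) - 1)
    for eps in biases:
        combined *= eps
    return combined


# The four S-box approximations used in the slides, as (input mask, output mask):
# X1^X3^X4 -> 0b1011, Y2 -> 0b0100, X2 -> 0b0100, Y2^Y4 -> 0b0101.
TRAIL = {"S12": (0b1011, 0b0100), "S22": (0b0100, 0b0101),
         "S32": (0b0100, 0b0101), "S34": (0b0100, 0b0101)}


def trail_biases(lat):
    """Bias of each approximation in TRAIL, read from the table."""
    return {name: Fraction(lat[a][b], 16) for name, (a, b) in TRAIL.items()}


def strongest_entry(lat):
    """Largest |entry| over non-zero masks: the figure an S-box designer keeps small."""
    return max(abs(lat[a][b]) for a in range(1, 16) for b in range(1, 16))


if __name__ == "__main__":
    lat = linear_approximation_table(SBOX)
    biases = trail_biases(lat)
    total = piling_up(list(biases.values()))
    for name, eps in biases.items():
        print(name, "bias", eps)
    print("combined bias", total, "p_L =", Fraction(1, 2) + total)
    print("largest |LAT entry| for non-zero masks:", strongest_entry(lat))
```
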
Linear Cryptanalysis: Extracting Key Bits

- Once an $r - 1$ round linear approximation is discovered for a cipher of $r$ rounds with a suitably large enough linear probability bias, it is conceivable to attack the cipher by recovering bits of the last sub-key. In our example $r = 4$.
- We shall refer to the bits to be recovered from the last sub-key as the target partial sub-key. In our example $k^{(5)}_5, k^{(5)}_6, k^{(5)}_7, k^{(5)}_8, k^{(5)}_{13}, k^{(5)}_{14}, k^{(5)}_{15}, k^{(5)}_{16}$.

Linear Cryptanalysis: Extracting Key Bits: Algorithm

- Generate about $\frac{1}{b_L^2}$ many known plaintext/ciphertext pairs.
- Assume that we have 10000 plaintext/ciphertext pairs encrypted under a particular key.

Linear Cryptanalysis: Extracting Key Bits: Algorithm (Cont.)

- For each of the 256 possible values of $K_{5,5}, K_{5,6}, K_{5,7}, K_{5,8}, K_{5,13}, K_{5,14}, K_{5,15}, K_{5,16}$, do the following:
  - For each plaintext/ciphertext pair, exclusive-OR the partial ciphertext $[C_5, \ldots, C_8, C_{13}, \ldots, C_{16}]$ with the guessed key value.
  - Do an inverse substitution (S-Box$^{-1}$) to get $U^{(4)}_6, U^{(4)}_8, U^{(4)}_{14}, U^{(4)}_{16}$.
  - Count the number of plaintext/ciphertext pairs that satisfy the 4-round linear approximation.
  - Find the $|\text{bias}| = \frac{|\text{count} - 5000|}{10000}$.
- Select the guess with the maximum bias as our target sub-key.

Linear Cryptanalysis: Experimental Results (Partial)

Target sub-key is $[k^{(5)}_5, \ldots, k^{(5)}_8, k^{(5)}_{13}, \ldots, k^{(5)}_{16}]$ in hexadecimal.

| Target sub-key | $\lvert\text{bias}\rvert$ | Target sub-key | $\lvert\text{bias}\rvert$ |
|------|--------|------|--------|
| 0x1C | 0.0031 | 0x2A | 0.0044 |
| 0x1D | 0.0078 | 0x2B | 0.0186 |
| 0x1E | 0.0071 | 0x2C | 0.0094 |
| 0x1F | 0.0170 | 0x2D | 0.0053 |
| 0x20 | 0.0025 | 0x2E | 0.0062 |
| 0x21 | 0.0220 | 0x2F | 0.0133 |
| 0x22 | 0.0211 | 0x30 | 0.0027 |
| 0x23 | 0.0064 | 0x31 | 0.0050 |
| 0x24 | 0.0336 | 0x32 | 0.0075 |
| 0x25 | 0.0106 | 0x33 | 0.0162 |
| 0x26 | 0.0096 | 0x34 | 0.0218 |
| 0x27 | 0.0074 | 0x35 | 0.0052 |
| 0x28 | 0.0224 | 0x36 | 0.0056 |
| 0x29 | 0.0054 | 0x37 | 0.0048 |

Table: Experimental Result (Partial) for Linear Attack.

Note that the experimental bias = 0.0336 is very close to the expected value of $\tfrac{1}{32} = 0.03125$.

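
The key-extraction algorithm above, run end to end on the SPN from these slides. This Python is an added example, not code from the slides: the sub-keys in `KEYS` are constructed for the demonstration, and it goes beyond the 10000 pairs of the slides by using all $2^{16}$ plaintexts so that every count is exact rather than sampled. Pairs are first tallied by the only values the test depends on, which gives the same counts as looping over every pair for every guess.

```python
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(y) for y in range(16)]
# Permutation table from the slides: bit i (1 = leftmost) moves to PERM[i - 1].
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]
# Constructed sub-keys k(1)..k(5) for the demonstration; they are not from the slides.
KEYS = [0x3A94, 0xD63F, 0x7C2B, 0xE189, 0x9B3E]


def bit(block, i):
    """Bit i of a 16-bit block, numbered 1..16 from the left as in the slides."""
    return (block >> (16 - i)) & 1


def substitute(block):
    return sum(SBOX[(block >> s) & 0xF] << s for s in (12, 8, 4, 0))


def permute(block):
    out = 0
    for i, dst in enumerate(PERM, start=1):
        out |= bit(block, i) << (16 - dst)
    return out


def encrypt(plaintext, keys):
    """Rounds 1-3: key mixing, S-boxes, permutation. Round 4: key mixing, S-boxes, k(5)."""
    state = plaintext
    for k in keys[:3]:
        state = permute(substitute(state ^ k))
    return substitute(state ^ keys[3]) ^ keys[4]


def guess_biases(pairs):
    """|bias| of the approximation for each of the 256 target partial sub-key guesses."""
    # Only C5..C8, C13..C16 and P5^P7^P8 enter the test, so tally pairs by those values.
    tally = {}
    for p, c in pairs:
        cell = ((c >> 8) & 0xF, c & 0xF, bit(p, 5) ^ bit(p, 7) ^ bit(p, 8))
        tally[cell] = tally.get(cell, 0) + 1
    biases = []
    for guess in range(256):
        hi, lo = guess >> 4, guess & 0xF          # guessed k(5) bits 5..8 and 13..16
        count = 0
        for (c2, c4, p_sum), seen in tally.items():
            u2 = INV_SBOX[c2 ^ hi]                # U(4) bits 5..8
            u4 = INV_SBOX[c4 ^ lo]                # U(4) bits 13..16
            # U4,6 ^ U4,8 ^ U4,14 ^ U4,16 ^ P5 ^ P7 ^ P8 == 0 ?
            if (((u2 >> 2) ^ u2 ^ (u4 >> 2) ^ u4 ^ p_sum) & 1) == 0:
                count += seen
        biases.append(abs(count - len(pairs) / 2) / len(pairs))
    return biases


def target_bits(k5):
    """Bits 5..8 and 13..16 of the last sub-key packed into one byte."""
    return ((k5 >> 4) & 0xF0) | (k5 & 0x0F)


if __name__ == "__main__":
    # Constructed sample: the whole codebook under KEYS.
    pairs = [(p, encrypt(p, KEYS)) for p in range(1 << 16)]
    biases = guess_biases(pairs)
    best = max(range(256), key=biases.__getitem__)
    print(f"best guess 0x{best:02X} |bias| {biases[best]:.5f}, "
          f"actual 0x{target_bits(KEYS[4]):02X}")
```

With the whole codebook the correct guess scores exactly 1/32, because the trail used in the slides is the only one connecting these plaintext bits to these $U^{(4)}$ bits in this cipher.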
Linear Cryptanalysis: Summary

Linear Cryptanalysis:
- Approximate $r - 1$ rounds of an $r$-round block cipher by a linear function, which deviates "substantially" from uniform.
  - This is done by careful structural analysis of the block cipher.
- Use this deviation to somehow extract information about the secret key (target sub-key) in time faster than brute force.

Prevention:
- Wide trail strategy.
- "Stronger" S-boxes or non-linear function.
- . . .

Differential Cryptanalysis: Idea

- In an ideally randomizing cipher, the probability that a particular output difference $\Delta Y$ occurs, given a particular input difference $\Delta X$, is $\frac{1}{2^n}$, where $n$ is the number of bits.
- It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher.
- Differential Cryptanalysis is a Chosen Plaintext Attack.
- Using the highly likely differential characteristics gives the attacker the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of sub-keys.
- In order to determine a high probability difference pair, we consider the input-output differences of the S-Boxes.

Differential Cryptanalysis: Notations

- Let $X_1, X_2 \in \{0, 1\}^n$. Define $\Delta X = X_1 \oplus X_2$. Let $\Delta X = [\Delta X_1, \ldots, \Delta X_n]$.
- A differential $(\Delta X, \Delta Y)$: for a given input difference $\Delta X$, $\Delta Y$ is the difference in output.
- Differential Characteristics: A sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round.

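Differential Cryptanalysis: Sample Difference Pairs of the S-BOX

| $X$ | $Y$ | $\Delta Y$ for $\Delta X = 1011$ | $\Delta Y$ for $\Delta X = 1000$ | $\Delta Y$ for $\Delta X = 0100$ |
|------|------|------|------|------|
| 0000 | 1110 | 0010 | 1101 | 1100 |
| 0001 | 0100 | 0010 | 1110 | 1011 |
| 0010 | 1101 | 0111 | 0101 | 0110 |
| 0011 | 0001 | 0010 | 1011 | 1001 |
| 0100 | 0010 | 0101 | 0111 | 1100 |
| 0101 | 1111 | 1111 | 0110 | 1011 |
| 0110 | 1011 | 0010 | 1011 | 0110 |
| 0111 | 1000 | 1101 | 1111 | 1001 |
| 1000 | 0011 | 0010 | 1101 | 0110 |
| 1001 | 1010 | 0111 | 1110 | 0011 |
| 1010 | 0110 | 0010 | 0101 | 0110 |
| 1011 | 1100 | 0010 | 1011 | 1011 |
| 1100 | 0101 | 1101 | 0111 | 0110 |
| 1101 | 1001 | 0010 | 0110 | 0011 |
| 1110 | 0000 | 1111 | 1011 | 0110 |
| 1111 | 0111 | 0101 | 1111 | 1011 |

Table: Sample Difference Pairs of the S-box.
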
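Differential Cryptanalysis: Difference Distribution Table

Rows: input difference in hexadecimal. Columns: output difference in hexadecimal.

| In \ Out | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 16 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 2 | 0 | 2 | 4 | 0 | 4 | 2 | 0 | 0 |
| 2 | 0 | 0 | 0 | 2 | 0 | 6 | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 2 | 0 |
| 3 | 0 | 0 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 4 | 2 | 0 | 2 | 0 | 0 | 4 |
| 4 | 0 | 0 | 0 | 2 | 0 | 0 | 6 | 0 | 0 | 2 | 0 | 4 | 2 | 0 | 0 | 0 |
| 5 | 0 | 4 | 0 | 0 | 0 | 2 | 2 | 0 | 0 | 0 | 4 | 0 | 2 | 0 | 0 | 2 |
| 6 | 0 | 0 | 0 | 4 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 2 | 2 | 2 |
| 7 | 0 | 0 | 2 | 2 | 2 | 0 | 2 | 0 | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 4 |
| 8 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 2 | 0 | 0 | 0 | 4 | 0 | 4 | 2 | 2 |
| 9 | 0 | 2 | 0 | 0 | 2 | 0 | 0 | 4 | 2 | 0 | 2 | 2 | 2 | 0 | 0 | 0 |
| A | 0 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 6 | 0 | 0 | 2 | 0 | 0 | 4 | 0 |
| B | 0 | 0 | 8 | 0 | 0 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
| C | 0 | 2 | 0 | 0 | 2 | 2 | 2 | 0 | 0 | 0 | 0 | 2 | 0 | 6 | 0 | 0 |
| D | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 4 | 2 | 0 | 2 | 0 | 2 | 0 | 2 | 0 |
| E | 0 | 0 | 2 | 4 | 2 | 0 | 0 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 2 | 0 |
| F | 0 | 2 | 0 | 0 | 6 | 0 | 0 | 0 | 0 | 4 | 0 | 2 | 0 | 0 | 2 | 0 |

Table: Difference Distribution Table for the S-box Represented by Table.
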
Differential Cryptanalysis: Keyed S-BOX

[Figure: Keyed S-box. Inputs $W_1, W_2, W_3, W_4$ are exclusive-ORed with key bits $K_1, K_2, K_3, K_4$ to give $X_1, X_2, X_3, X_4$, which enter the S-box and produce $Y_1, Y_2, Y_3, Y_4$.]

Differential Cryptanalysis: Sample Differential Cryptanalysis

[Figure: Sample Differential Characteristic. $\Delta P = [0000, 1011, 0000, 0000]$ enters Round 1 ($S_{11} \ldots S_{14}$) and passes through Round 2 ($S_{21} \ldots S_{24}$) and Round 3 ($S_{31} \ldots S_{34}$); the differences $\Delta U^{(4)}_5 \ldots \Delta U^{(4)}_8$ and $\Delta U^{(4)}_{13} \ldots \Delta U^{(4)}_{16}$ enter Round 4 ($S_{41} \ldots S_{44}$), which is followed by sub-key bits $k^{(5)}_5 \ldots k^{(5)}_8$ and $k^{(5)}_{13} \ldots k^{(5)}_{16}$.]

Differential Cryptanalysis: Probability of the Differential Characteristics

Active S-Boxes:

- $S_{12}$: $\Delta X = B \rightarrow \Delta Y = 2$ with probability 8/16
- $S_{23}$: $\Delta X = 4 \rightarrow \Delta Y = 6$ with probability 6/16
- $S_{32}$: $\Delta X = 2 \rightarrow \Delta Y = 5$ with probability 6/16
- $S_{33}$: $\Delta X = 2 \rightarrow \Delta Y = 5$ with probability 6/16

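
The difference distribution table, the keyed S-box and the active S-boxes listed above can be checked together by pushing $\Delta P$ through the permutation round by round. This Python is an added example, not code from the slides; the function names and the per-round dictionary layout of `CHARACTERISTIC` are assumptions of the example, and the product of the four probabilities assumes the S-boxes behave independently.

```python
from fractions import Fraction

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]


def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    size = len(sbox)
    ddt = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def keyed_row(key, dx):
    """Output-difference counts of the keyed S-box: the key cancels in the difference."""
    row = [0] * 16
    for w in range(16):
        row[SBOX[w ^ key] ^ SBOX[w ^ dx ^ key]] += 1
    return row


def permute(block):
    """Move bit i (1 = leftmost of 16) to position PERM[i - 1]."""
    return sum(((block >> (16 - i)) & 1) << (16 - dst)
               for i, dst in enumerate(PERM, start=1))


def follow(delta_p, rounds, ddt):
    """Push a difference through the rounds; return (next input difference, probability).

    rounds[r] maps an active S-box position (1..4, left to right) to the output
    difference chosen for it. Sub-key mixing does not change a difference.
    """
    delta, prob = delta_p, Fraction(1)
    for chosen in rounds:
        after_sboxes = 0
        for pos in range(1, 5):
            shift = 16 - 4 * pos
            dx = (delta >> shift) & 0xF
            if dx == 0:
                continue                      # inactive S-box: difference stays 0
            dy = chosen[pos]
            prob *= Fraction(ddt[dx][dy], 16)
            after_sboxes |= dy << shift
        delta = permute(after_sboxes)
    return delta, prob


# Active S-boxes as listed in the slides: S12 B->2, S23 4->6, S32 2->5, S33 2->5.
CHARACTERISTIC = [{2: 0x2}, {3: 0x6}, {2: 0x5, 3: 0x5}]
DELTA_P = 0x0B00                              # [0000, 1011, 0000, 0000]

if __name__ == "__main__":
    table = difference_distribution_table(SBOX)
    delta_u4, prob = follow(DELTA_P, CHARACTERISTIC, table)
    print(f"delta U(4) = {delta_u4:016b}, probability = {prob}")
```

A `KeyError` from `follow` means the listed S-boxes do not match the positions the permutation actually activates, which is a quick consistency check on a hand-built characteristic.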