differential cryptanalysis
play

Differential Cryptanalysis - quite similar to linear cryptanalysis - PowerPoint PPT Presentation

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z


  1. Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z ′ and Z ′′ is the bitwise XOR of the strings, i.e, M Z = Z ′ ⊕ Z ′′ - why look at the difference? because in an SPN, the key does not influence the value of the difference!

  2. Differential Cryptanalysis In a perfectly randomized cipher, the probability of a given output difference M Y, given an input difference M X, is (½) m , where m is the number of bits. The pair ( M X, M Y) is a differential. We will look for cases where this probability is much larger than (½) m . We will look at pairs of plaintexts that have a certain input difference. This is why differential cryptanalysis is a chosen-plaintext attack. As in the case of linear cryptanalyis, we will first look at the S-boxes.

  3. Differential Characteristics of S-boxes The S-box from the linear cryptanalysis slides ( π S ): 0 1 2 3 4 5 6 7 8 9 A B C D E F E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7 For M X an input difference and M Y an output difference, we will compute N D ( M X, M Y): the number of pairs with input difference equal to M X and output difference equal to M Y. For example, N D (1011, 0010) = 8 (see Table 6). You can find all values in Table 7. In an ideal S-box, N D ( M X, M Y) = 1. Such an S-box is not mathematically possible.

  4. Propagation Ratio From N D ( M X, M Y) we can compute the propagation ratio: R p ( M X, M Y) = N D ( M X, M Y) / 2 m Notice: R p ( M X, M Y) = Pr[ output-difference = M Y | input-difference = M X ] For example, in our S-box, R P (1011,0010) = 1/2.

  5. Differential Characteristics We will combine the differential characteristics of the S-boxes to obtain a differential characteristic of the whole cipher. We will look at the same example SPN as for linear cryptanalysis (Figure 1). We will look at the following S-boxes and difference pairs (Figure 5). S 1,2 : R p (1011, 0010) = 1/2 S 2,3 : R p (0100, 0110) = S 3,2 : R p (0010, 0101) = S 3,3 : R p (0010, 0101) = We assume that these propagation ratios are independent. This assumption works well in practice.

  6. Differential Characteristics All other S-boxes will have all 0s as input difference, and thus all 0s as output difference. Combining the S-boxes, we obtain the following propagation ratio for the first three rounds of the SPN: R p (0000 1011 0000 0000, 0000 0101 0101 0000) = 1/2(3/8) 3 = 27/1024. This implies that the propagation ratio “from the plaintext to U4” is given by R p (0000 1011 0000 0000, 0000 0110 0000 0110) = 27/1024.

  7. Extracting Key Bits We will use the above propagation ratio to determine part of subkey K 5 . Suppose we have a large number of plaintext pairs (X ′ ,X ′′ ) such that M X = X ′ ⊕ X ′′ = 0000 1011 0000 0000. Let (Y ′ ,Y ′′ ) be the corresponding ciphertexts. We will partially decrypt each pair of ciphertexts and see if the resulting decryptions have difference equal to 0000 0110 0000 0110. As in the linear case, we have to go through all (2 8 ) possibilities for the subkey bits K 5,5 , K 5,6 , K 5,7 , K 5,8 , K 5,13 , K 5,14 , K 5,15 , K 5,16 .

  8. Extracting Key Bits For each candidate subkey, partially decrypt each pair of ciphertexts (by XOR-ing with the candidate subkey and running the data backwards through the S-boxes), and compute the probability that the difference of the decryptions = 0000 0110 0000 0110. The idea is that this fraction is largest for the correct 8 key bits. See Table 8. Note: Often, it is not necessary to partially decrypt Y ′ and Y ′′ to see that they don’t fulfill the required differential. Why not? This observation is useful in speeding up the algorithm.

  9. Extracting Key Bits How many plaintext pairs do we need ? As a rule-of-thumb, if the propagation ratio is equal to ² , the number of pairs of plaintexts with the chosen difference value and corresponding ciphertexts needed is c ² − 1 for some “small” constant c.

  10. Advanced Issues To strengthen the attacks you could • Combine different linear approximations for the cipher. • Combine different differential characteristics for the cipher. • Combine linear and differential cryptanalysis. • Look at something other than XOR in differential cryptanalysis. • … We have not discussed how to determine the best linear and differential attack.

Recommend


More recommend