linear cryptanalysis of des m. matsui. 1.linear cryptanalysis method for des cipher. eurocrypt 93,...
DESCRIPTION
Using Linear Approximations of DESTRANSCRIPT
![Page 1: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/1.jpg)
Linear Cryptanalysis of DES
M. Matsui.1. Linear Cryptanalysis Method for DES Cipher.
EUROCRYPT 93, 1994. 2. The first experimental cryptanalysis of the Data Encryp
tion Standard. CRYPT0 94, 1994.
![Page 2: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/2.jpg)
Linear Approximations• A function with one bit output is a linear function
over if output is XOR of input bits and constants.– Examples:
• If the function f in DES is linear then we can break DES.
• g has a p-linear approximation if with probability p the output is equal to a linear function.– Example: has a 3/4-linear approximation.
• Every function has a ½-approximation.
2Z
![Page 3: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/3.jpg)
Using Linear Approximations of DES• Assume that 1 bit of the output has a linear approx.• Example: Assume that if we pick M at random and
C=DES(M,K), then with probability 0.51
Attack: – Get a random message and its encryption:
• (M, C= DES(M,K)).– Compute and conclude that with probability 0.51.
• Increasing the probability: repeat many times and take majority.
• Can use exhaustive search with complexity
[56] [17] [17] [23]C M K K
[17] [23]K K b
[56] [17]b C M
![Page 4: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/4.jpg)
Using Linear Approximations of DES
How do we find linear approximations in DES?
• consider 3-round DES, without IP and IP-1.
• start with an S-BOX – S5.
![Page 5: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/5.jpg)
The S-Box S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
2 1 2 3 452 with probability 0.864
x y y y y
S5
3x2x 4x
6x1x
5x
4y3y2y1y
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
Does not look random:• 1,2 ,7,11 appears only in left side• 4,12,13 appear 3 times in left side• 8,10,14 appear 2 times in each side• 0,3,5,9,15 appears only in right
side• 6 appears 3 times in right side• The XOR of the numbers in left-side
is 1
![Page 6: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/6.jpg)
The f function of DES
17—20
![Page 7: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/7.jpg)
The permutation P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
We need to trace the bits 17-20 that come from to S5
After P they are bits 3,8,14,25
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
![Page 8: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/8.jpg)
The f function of DES
Bits 3,8,14,25
17-20
26
Bit 26 in k
26
![Page 9: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/9.jpg)
The Expansion function E
We need bit 26 – the second bit that goes to S5
![Page 10: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/10.jpg)
The f function of DES
Bits 3,8,14,25
17-20
26
Bit 26 in k
26
Bit 17 in R
![Page 11: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/11.jpg)
3 Round DES
Bit 26
Bit 17
Bits 3,8,14,25
Bits 3,8,14,25
Bit 26
Bits 3,8,14,25
Bit 17
Bit 17
0 1 0 1 0 1 0 1 0 1( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]L R L R L R L R R K
Bits 3,8,14,25
![Page 12: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/12.jpg)
The Attack on 3 Round DES
0 1 0 1 0 1 0 1 0 1( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]L R L R L R L R R K
3 1 3 1 3 1 3 1 3 3( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]R R R R R R R R L K
• From third round with probability 52/64
• From first round with probability 52/64
• Thus, with probability (52/64) 2+(12/64)2 0.7
• Finds one bit of the key
0 0 0 0 3 3 3 3 0 3
1 3
( [3] [8] [14] [25]) ( [3] [8] [14] [25]) [17] [17] [26] [26]L L L L R R R R R L
K K
![Page 13: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/13.jpg)
Linear cryptanalysis: Learning One Bit
• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then – Get O(1/p2) message, encryption pairs
• For each pair compute “the bit” of the key• Take the value that appears more times
• Get correct value with high probability• Learn one bit of key• Can do better…
![Page 14: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/14.jpg)
4 Round DES
Bits 3,8,14,25
KK
?
Bit 26
Bit 26
Bits 3,8,14,25 Bit 17
K4
Bit 17 Bits 3,8,14,25
• Only 6 bits in K4 affect bit 17 of
• With the correct 6 bits the 3-round approximation holds with prob. 0.7• With incorrect 6 bits is random• Check 26 options of these bits and find the correct bits• Found 7 bits of key!
3 4( , )f L K
4 4
0 0 0 0 3 3 3 3 0 3
1 3
( [3] [8] [14] [25]) ( [3] [8] [14] [25]) [17] [17] [26] [26]L L L L R R R R R L
K K
𝐿4𝐿4
𝐿4
𝐿4
𝐿3 [17 ]⊕ 𝑓 (𝐿4 ,𝐾 4 ) [ 17 ]=𝑅4[17]
?
![Page 15: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/15.jpg)
Linear cryptanalysis
• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then we choose O(1/p2) messages in (i+1)-round DES and compute 7 bits of the key.
• Can do the same trick with first round and last i-rounds, get another 7 bits
• Use exhaustive search to find the other 42 bits.
![Page 16: Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The](https://reader036.vdocument.in/reader036/viewer/2022062413/5a4d1b667f8b9ab0599b03e7/html5/thumbnails/16.jpg)
Known Attacks
• 8 rounds: 221 plaintexts (40 seconds)• 12 rounds: 233 plaintexts (50 hours)• 16 rounds: 243 plaintexts (50 days, 12
computers)– Uses two 14-rounds approximation– Using each approximation it finds 13 bits– Finds 30 bits by exhaustive search