page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Similar documents
Introduction to Cryptography. Lecture 3

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Introduction to Cryptography. Lecture 3

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Computer Security CS 526

Symmetric Encryption. Thierry Sans

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

7. Symmetric encryption. symmetric cryptography 1

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Cryptography 2017 Lecture 3

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Information Security CS526

Lecture 4: Symmetric Key Encryption

Double-DES, Triple-DES & Modes of Operation

3 Symmetric Cryptography

Chapter 3 Block Ciphers and the Data Encryption Standard

CSC 474/574 Information Systems Security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Network Security Essentials Chapter 2

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Private-Key Encryption

Data Encryption Standard (DES)

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Content of this part

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Lecture 3: Symmetric Key Encryption

Block Cipher Operation. CS 6313 Fall ASU

Lecture 2: Secret Key Cryptography

1 Achieving IND-CPA security

Winter 2011 Josh Benaloh Brian LaMacchia

CENG 520 Lecture Note III

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Computer and Data Security. Lecture 3 Block cipher and DES

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Secret Key Algorithms (DES)

Symmetric Cryptography. Chapter 6

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

Stream Ciphers and Block Ciphers

Secret Key Cryptography

Goals of Modern Cryptography

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Symmetric key cryptography

Symmetric Encryption Algorithms

Cryptography [Symmetric Encryption]

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

CSC574: Computer & Network Security

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Stream Ciphers and Block Ciphers

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

P2_L6 Symmetric Encryption Page 1

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Computer Security 3/23/18

Network Security Essentials

Lecture 1 Applied Cryptography (Part 1)

Crypto: Symmetric-Key Cryptography

Some Aspects of Block Ciphers

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Modern Symmetric Block cipher

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Chapter 6 Contemporary Symmetric Ciphers

Symmetric Cryptography

The Rectangle Attack

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block ciphers, stream ciphers

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Secret Key Cryptography (Spring 2004)

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

CSE 127: Computer Security Cryptography. Kirill Levchenko

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Information Security CS526

Solutions to exam in Cryptography December 17, 2013

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Chapter 6: Contemporary Symmetric Ciphers

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

EEC-484/584 Computer Networks

Practical Aspects of Modern Cryptography

Cryptography (cont.)

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Lecture 2: Shared-Key Cryptography

Fundamentals of Cryptography

Data Encryption Standard

symmetric cryptography s642 computer security adam everspaugh

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

AIT 682: Network and Systems Security

SECRET KEY: STREAM CIPHERS & BLOCK CIPHERS

CPSC 467: Cryptography and Computer Security

Symmetric Cryptography CS461/ECE422

Transcription:

Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1

Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher random u D D???? u =2n page 2 2

Pseudo-random generators Pseudo-random generator (PRG) G: {0,1} n {0,1} m A deterministic function, computable in polynomial time. It must hold that m > n. Let us assume m=2n. The function has only 2 n possible outputs. Pseudo-random property: polynomial time adversary D, (whose output is 0/1) if we choose inputs s R {0,1} n, u R {0,1} m, (in other words, choose s and u uniformly at random), then it holds that D(G(s)) is similar to D(u) namely, Pr[D(G(s))=1] - Pr[D(u)=1] is negligible page 3 3

P vs. NP If P=NP then PRGs do not exist (why?) So their existence can only be conjectured until the P=NP question is resolved. page 4 4

Using a PRG for Encryption Replace the one-time-pad with the output of the PRG Key: a (short) random key k {0,1} k. Message m= m 1,,m m. Use a PRG G : {0,1} k {0,1} m Key generation: choose k {0,1} k uniformly at random. Encryption: Use the output of the PRG as a one-time pad. Namely, Generate G(k) = g 1,,g m Ciphertext C = g 1 m 1,, g m m m This is an example of a stream cipher. page 5 5

Security of encryption against polynomial adversaries Perfect security (previous equivalent defs): (indistinguishability) m 0,m 1 M, c, the probability that c is an encryption of m 0 is equal to the probability that c is an encryption of m 1. (semantic security) The distribution of m given the encryption of m is the same as the a-priori distribution of m. Security of pseudo-random encryption (equivalent defs): (indistinguishability) m 0,m 1 M, no polynomial time adversary D can distinguish between the encryptions of m 0 and of m 1. Namely, Pr[D(E(m 0 ))=1] Pr[D(E(m 1 ))=1) (semantic security) m 0,m 1 M, a polynomial time adversary which is given E(m b ), where b r {0,1}, succeeds in finding b with probability ½. page 6 6

Proofs by reduction We don t know how to prove unconditional proofs of computational security; we must rely on assumptions. We can simply assume that the encryption scheme is secure. This is bad. Instead, we will assume that some low-level problem is hard to solve, and then prove that the cryptosystem is secure under this assumption. (For example, the assumption might be that a certain function G is a pseudo-random generator.) Advantages of this approach: It is easier to design a low-level function. There are (very few) established assumptions in cryptography, and people prove the security of cryptosystem based on these assumptions. page 7 7

Using a PRG for Encryption: Security The output of a pseudo-random generator is used instead of a one-time pad. Proof of security by reduction: The assumption is that the PRG is strong (its output is indistinguishable from random). We want to prove that in this case the encryption is strong (it satisfies the indistinguishability definition above). In other words, prove that if one can break the security of the encryption (distinguish between encryptions of m 0 and of m 1 ), then it is also possible to break the security of the PRG (distinguish its output from random). page 8 8

Proof of Security Polynomially indistinguishable? Same distribution (1) (2) (3) (4) Enc(m 0 ) with Enc(m 1 ) with Enc(m 0 ) with Enc(m 1 ) with PRG PRG one-time pad Suppose that there is a D() which distinguishes between (1) and (2) We know that no D() can distinguish between (3) and (4) one-time pad We are given a string S and need to decide whether it is drawn from a pseudorandom distribution or from a uniformly random distribution We will use S as a pad to encrypt a message. page 9 9

Proof of Security Polynomially indistinguishable? Same distribution (1) (2) (3) (4) Enc(m 0 ) with Enc(m 1 ) with Enc(m 0 ) with Enc(m 1 ) with PRG PRG one-time pad one-time pad Recall: we assume that there is a D() which always distinguishes between (1) and (2), and which distinguishes between (3) and (4) with probability ½. Choose a random b {0,1} and compute m b S. Give the result to D(). if S was chosen uniformly, D() must distinguish (3) from (4). (prob=½) if S is pseudorandom, D() must distinguish (1) from (2). (prob=1) If D() outputs b then declare pseudorandom, otherwise declare random. if S was chosen uniformly we output pseudorandom with prob ½. if is pseudorandom we output pseudorandom with prob 1. page 10 10

Proof of Security Polynomially indistinguishable? Same distribution (1) (2) (3) (4) Enc(m 0 ) with Enc(m 1 ) with Enc(m 0 ) with Enc(m 1 ) with PRG PRG one-time pad one-time pad Recall: we assume that there is a D() which always distinguishes between (1) and (2), and which distinguishes between (3) and (4) with probability ½. Choose a random b {0,1} and compute m b S. Give the result to D(). if S was chosen uniformly, D() must distinguish (3) from (4). (prob=½) if S is pseudorandom, D() must distinguish (1) from (2). (prob=½+δ) If D() outputs b then declare pseudorandom, otherwise declare random. if S was chosen uniformly we output pseudorandom with prob ½. if is pseudorandom we output pseudorandom with prob ½+δ. page 11 11

Stream ciphers Stream ciphers are based on pseudo-random generators. Usually used for encryption in the same way as OTP Examples: A5, SEAL, RC4. Very fast implementations. RC4 is popular and secure when used correctly, but it was shown that its first output bytes are biased. This resulted in breaking WEP encryption in 802.11. Some technical issues: Stream ciphers require synchronization (for example, if some packets are lost in transit). page 12 12

RC4 Designed by Ron Rivest. Intellectual property belongs to RSA Inc. Designed in 1987. Kept secret until the design was leaked in 1994. Used in many protocols (SSL, etc.) Byte oriented operations. 8-16 machine operations per output byte. First output bytes are biased page 13 13

RC4 initialization Word size is a single byte. 1. j = 0 2. S 0 = 0; S 1 = 1; ; S 255 = 255 3. Let the key be k 0 ; ;k 255 (repeating bits if key has fewer bits) 4. For i = 0 to 255 j = (j + S i + k i ) mod 256 Swap S i and S j page 14 14

RC4 keying stream generation An output byte B is generated as follows: i = i + 1 mod 256 j = j + S i mod 256 Swap S i and S j r = S i + S j mod 256 B = S r B is xored to the next byte of the plaintext. Bias: The probability that the first two output bytes are 0 is 2-16 +2-23 page 15 15

Block Ciphers Plaintexts, ciphertexts of fixed length, m. Usually, m =64 or m =128 bits. The encryption algorithm E k is a permutation over {0,1} m, and the decryption D k is its inverse. (They are not permutations of the bit order, but rather of the entire string.) Ideally, use a random permutation. Can only be implemented using a table with 2 m entries Instead, use a pseudo-random permutation *, keyed by a key k. Implemented by a computer program whose input is m,k. (*) will be explained shortly m 1,,m m Block cipher c 1,,c m page 16 16

Block Ciphers Modeled as a pseudo-random permutation. Encrypt/decrypt whole blocks of bits Might provide better encryption by simultaneously working on a block of bits One error in ciphertext affects whole block Delay in encryption/decryption There was more research on the security of block ciphers than on the security of stream ciphers. Different modes of operation (for encrypting longer inputs) m 1,,m m Block cipher c 1,,c m page 17 17

Pseudo-random functions F : {0,1} * {0,1} * {0,1} * The first input is the key, and once chosen it is kept fixed. For simplicity, assume F : {0,1} n {0,1} n {0,1} n F(k,x) is written as F k (x) F is pseudo-random if F k () (where k is chosen uniformly at random) is indistinguishable (to a polynomial distinguisher D) from a function f chosen at random from all functions mapping {0,1} n to {0,1} n There are 2 n choices of F k, whereas there are (2 n ) 2n choices for f. The distinguisher D s task: We choose a function G. With probability ½ G is F k (where k R {0,1} n ), and with probability ½ it is a random function f. D can compute G(x 1 ),G(x 2 ), for any x 1,x 2, it chooses. D must say if G=F k or G=f. F k is pseudo-random if D succeeds with prob ½+negligible.. page 18 18

Pseudo-random permutations F k (x) is a keyed permutation if for every choice of k, F k () is one-to-one. Note that in this case F k (x) has an inverse, namely for every y there is exactly one x for which F k (x)=y. F k (x) is a pseudo-random permutation if It is a keyed permutation It is indistinguishable (to a polynomial distinguisher D) from a permutation f chosen at random from all permutations mapping {0,1} n to {0,1} n. 2 n possible values for F k (2 n )! possible values for a random permutation page 19 19

Block ciphers A block cipher is a function F k (x) of a key k and an m bit input x, which has an m bit output. F k (x) is a keyed permutation How can we encrypt plaintexts longer than m? Different modes of operation were designed for this task. page 20 20

ECB Encryption Mode (Electronic Code Book) P 1 P 2 P 3 E k E k E k C 1 C 2 C 3 Namely, encrypt each plaintext block separately. page 21 21

Properties of ECB Simple and efficient Parallel implementation is possible Does not conceal plaintext patterns Enc(P 1, P 2, P 1, P 3 ) Active attacks are easy (plaintext can be easily manipulated by removing, repeating, or interchanging blocks). page 22 22

Encrypting bitmap images in ECB mode original encrypted using ECB mode encrypted using a secure mode page 23 23

CBC Encryption Mode (Cipher Block Chaining) IV P 1 P 2 P 3 E k E k E k C 1 C 2 C 3 Previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector IV is used as a seed for the process. IV can be transmitted in the clear (unencrypted). page 24 24

CBC Mode Encryption: IV P 1 E k C 1 Decryption: IV P 1 D k C 1 P 2 E k C 2 P 2 D k C 2 P 3 E k C 3 P 3 D k C 3 page 25 25

Properties of CBC Asynchronous: the receiver can start decrypting from any block in the ciphertext. Errors in one ciphertext block propagate to the decryption of the next block (but that s it). Conceals plaintext patterns (same block different ciphertext blocks) If IV is chosen at random, and E K is a pseudo-random permutation, CBC provides chosen-plaintext security. But if IV is fixed, CBC does not even hide not common prefixes. No parallel implementation is known Plaintext cannot be easily manipulated Standard in most systems: SSL, IPSec, etc. page 26 26

OFB Mode (Output FeedBack) IV E k E k E k P 1 P 2 P 3 C 1 C 2 C 3 An initialization vector IV is used as a seed for generating a sequence of pad blocks E k (IV), E k (E k (IV)), E k (E k (E k (IV))), Essentially a stream cipher. IV can be sent in the clear. Must never be repeated. page 27 27

Properties of OFB Essentially implements a synchronous stream cipher. I.e., the two parties must know s 0 and the current bit position. A block cipher can be used instead of a PRG. The parties must synchronize the location they are encrypting/decrypting. Conceals plaintext patterns. If IV is chosen at random, and E K is a pseudo-random permutation, CBC provides chosen-plaintext security. Errors in ciphertext do not propagate Implementation: Pre-processing is possible No parallel implementation is known Active attacks (by manipulating the plaintext) are possible page 28 28

CTR (counter) Encryption Mode P 1 P 2 P 3 IV is selected as a random value IV E k IV+1 E k IV+2 E k easy parallel implementation random access C 1 C 2 C 3 preprocessing page 29 29

Design of Block Ciphers More an art/engineering challenge than science. Based on experience and public scrutiny. Diffusion : each intermediate/output bit affected by many input bits Confusion : avoid structural relationships between bits Cascaded (round) design: the encryption algorithm is composed of iterative applications of a simple round page 30 30

Confusion-Diffusion and Substitution-Permutation Networks Construct a PRP for a large block using PRPs for small blocks Divide the input to small parts, and apply rounds: Feed the parts through PRPs ( confusion ) Mix the parts ( diffusion ) Repeat Why both confusion and diffusion are necessary? Design musts: Avalanche effect. Using reversible s-boxes. page 31 31

AES (Advanced Encryption Standard) Design initiated in 1997 by NIST Goals: improve security and software efficiency of DES 15 submissions, several rounds of public analysis The winning algorithm: Rijndael Input block length: 128 bits Key length: 128, 192 or 256 bits Multiple rounds (10, 12 or 14), but does not use a Feistel network page 32 32

Rijndael animation page 33 33

Reversible s-boxes Substitution-Permutation networks must use reversible s-boxes Allow for easy decryption However, we want the block cipher to be as random as possible s-boxes need to have some structure to be reversible Better use non-invertible s-boxes Enter Feistel networks A round-based block-cipher which uses s-boxes which are not necessarily reversible Namely, building an invertible function (permutation) from a non-invertible function. page 34 34

Feistel Networks Encryption: Input: P = L i-1 R i-1. L i-1 = R i-1 L i = R i-1 R i = L i-1 F(K i, R i-1 ) Decryption? No matter which function is used as F, we obtain a permutation (i.e., F is reversible even if f is not). The same code/circuit, with keys in reverse order, can be used for decryption. Theoretical result [LubRac]: If f is a pseudo-random function then a 4 rounds Feistel network gives a pseudo-random permutation page 35 35

DES (Data Encryption Standard) A Feistel network encryption algorithm: How many rounds? How are the round keys generated? What is F? DES (Data Encryption Standard) Designed by IBM and the NSA, 1977. 64 bit input and output 56 bit key 16 round Feistel network Each round key is a 48 bit subset of the key Throughput software: 10Mb/sec, hardware: 1Gb/sec (in 1991!). page 36 36

Security of DES Criticized for unpublished design decisions (designers did not want to disclose differential cryptanalysis). Very secure the best attack in practice is brute force 2006: $1 million search machine: 30 seconds cost per key: less than $1 2006: 1000 PCs at night: 1 month Cost per key: essentially 0 (+ some patience) Some theoretical attacks were discovered in the 90s: Differential cryptanalysis Linear cryptanalysis: requires about 2 40 known plaintexts The use of DES is not recommend since 2004, but 3- DES is still recommended for use. page 37 37

Double DES DES is out of date due to brute force attacks on its short key (56 bits) Why not apply DES twice with two keys? Double DES: DES k1,k2 = E k2 (E k1 (m)) Key length: 112 bits But, double DES is susceptible to a meet-in-the-middle attack, requiring 2 56 operations and storage. Compared to brute a force attack, requiring 2 112 operations and O(1) storage. page 38 38

Meet-in-the-middle attack Meet-in-the-middle attack c = E k2 (E k1 (m)) D k2 (c) = E k1 (m) The attack: Input: (m,c) for which c = E k2 (E k1 (m)) For every possible value of k 1, generate and store E k1 (m). For every possible value of k 2, generate and store D k2 (c). Match k 1 and k 2 for which E k1 (m) = D k2 (c). Might obtain several options for (k 1,k 2 ). Check them or repeat the process again with a new (m,c) pair (see next slide) The attack is applicable to any iterated cipher. Running time and memory are O(2 k ), where k is the key size. page 39 39

Meet-in-the-middle attack: how many pairs to check? The plaintext and the ciphertext are 64 bits long The key is 56 bits long Suppose that we are given one plaintext-ciphertext pair (m,c) The attack looks for k1,k2, such that D k2 (c) = E k1 (m) The correct values of k1,k2 satisfies this equality There are 2 112 (actually 2 112-1) other values for k 1,k 2. Each one of these satisfies the equalities with probability 2-64 We therefore expect to have 2 112-64 =2 48 candidates for k 1,k2. Suppose that we are given one pairs (m,c), (m,c ) The correct values of k1,k2 satisfies both equalities There are 2 112 (actually 2 112-1) other values for k 1,k 2. Each one of these satisfies the equalities with probability 2-128 We therefore expect to have 2 112-128 <1 false candidates for k 1,k 2. page 40 40

Triple DES 3DES k1,k2 = E k1 (D k2 (E k1 (m)) Why use Enc(Dec(Enc( )))? Backward compatibility: setting k 1 =k 2 is compatible with single key DES Only two keys Effective key length is 112 bits Why not use three keys? There is a meet-in-the-middle attack with 2 112 operations 3DES provides good security. Widely used. Less efficient. page 41 41

Attacking DES Initial permutation of bit locations: - not secret - makes implementations in software less efficient page 42 42

DES F functions Expansion to 48 bits page 43 43

The S-boxes Very careful design (it is now known that random choices for the S-boxes result in weak encryption). Each s-box maps 6 bits to 4 bits: A 4 16 table of 4-bit entries. Bits 1 and 6 choose the row, and bits 2-5 choose column. Each row is a permutation of the values 0,1,,15. Therefore, given an output there are exactly 4 options for the input Changing one input bit changes at least two output bits avalanche effect. page 44 44

Differential Cryptanalysis of DES DES diagram: S-boxes page 45 45

Differential Cryptanalysis [Biham-Shamir 1990] The first attack to reduce the overhead of breaking DES to below exhaustive search Very powerful when applied to other encryption algorithms Depends on the structure of the encryption algorithm Observation: all operations except for the s-boxes are linear Linear operations: a = b c a = the bits of b in (known) permuted order Linear relations can be exposed by solving a system of linear equations page 46 46

A Linear F in a Feistel Network? Suppose F(R i-1,k i ) = R i-1 K i Namely, that F is linear Then R i = L i-1 R i-1 K i L i = R i-1 Write L 16, R 16 as linear functions of L 0, R 0 and K. Given L 0 R 0 and L 16 R 16 Solve and find K. F must therefore be non-linear. F is the only source of nonlinearity in DES. page 47 47

DES F functions Source of non-linearity page 48 48

Differential Cryptanalysis The S-boxes are non-linear We study the differences between two encryptions of two different plaintexts Notation: The plaintexts are P and P* Their difference is dp = P P* Let X and X* be two intermediate values, for P and P*, respectively, in the encryption process. Their difference is dx = X X* Namely, dx is always the result of two inputs page 49 49

Differences and S-boxes S-box: a function (table) from 6 bit inputs to 4 bit output X and X* are inputs to the same S-box. We can compute their difference dx = X X*. Y = S(X) When dx=0, X=X*, and therefore Y=S(X)=S(X * )=Y*, and dy=0. When dx 0, X X* and we don t know dy for sure, but we can investigate its distribution. For example, page 50 50

Distribution of Y for S1 dx=110100 There are 2 6 =64 input pairs with this difference, { (000000,110100), (000001,110101), } For each pair we can compute the xor of outputs of S1 E.g., S1(000000)=1110, S1(110100)=1001. dy=0111. Table of frequencies of each dy: 0000 0001 0010 0011 0100 0101 0110 0 8 16 6 2 0 0 1000 1001 1010 1011 1100 1101 1110 6 0 0 0 0 8 0 0111 12 1111 6 page 51 51

Differential Probabilities The probability of dx dy is the probability that a pair of inputs whose xor is dx, results in a pair of outputs whose xor is dy (for a given S-box). Namely, for dx=110100 these are the entries in the table divided by 64. Differential cryptanalysis uses entries with large values dx=0 dy=0 Entries with value 16/64 (Recall that the outputs of the S-box are uniformly distributed, so the attacker gains a lot by looking at differentials rather than the original values.) page 52 52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback