Linear Cryptanalysis. Objectives

Similar documents
Few Other Cryptanalytic Techniques

Lecture 4: Symmetric Key Encryption

Lecture 3: Symmetric Key Encryption

7. Symmetric encryption. symmetric cryptography 1

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Symmetric Key Cryptosystems. Definition

Cryptographic Hash Functions. Debdeep Mukhopadhyay

Block Cipher Involving Key Based Random Interlacing and Key Based Random Decomposition

Encryption Details COMP620

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

The Rectangle Attack

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Dr. V.U.K.Sastry Professor (CSE Dept), Dean (R&D) SreeNidhi Institute of Science & Technology, SNIST Hyderabad, India

Improved Truncated Differential Attacks on SAFER

Integral Cryptanalysis of the BSPN Block Cipher

Symmetric Cryptography. Chapter 6

Name of chapter & details.

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Computational Security, Stream and Block Cipher Functions

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

Block Encryption and DES

A Weight Based Attack on the CIKS-1 Block Cipher

A New Improved Key-Scheduling for Khudra

Linear Cryptanalysis of Reduced Round Serpent

Secret Key Algorithms (DES)

On the Design of Secure Block Ciphers

Differential Cryptanalysis

BLIND FAULT ATTACK AGAINST SPN CIPHERS FDTC 2014

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

A Modified Playfair Cipher for a Large Block of Plaintext

Introduction to Modern Symmetric-Key Ciphers

A Chosen-Plaintext Linear Attack on DES

Secret Key Cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

Sankalchand Patel College of Engineering, Visnagar B.E. Semester V (CE/IT) INFORMATION SECURITY Practical List

Fundamentals of Cryptography

CPS2323. Block Ciphers: The Data Encryption Standard (DES)

A Brief Outlook at Block Ciphers

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Attacks on Advanced Encryption Standard: Results and Perspectives

New Cryptanalytic Results on IDEA

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Software Performance Characterization of Block Cipher Structures Using S-boxes and Linear Mappings

Network Security Technology Project

2 What does it mean that a crypto system is secure?

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

Symmetric Encryption Algorithms

S. Erfani, ECE Dept., University of Windsor Network Security. 2.3-Cipher Block Modes of operation

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Gurevich Lev. 31st March 2005

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Chapter 3 Block Ciphers and the Data Encryption Standard

Jordan University of Science and Technology

Content of this part

RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT

New Cryptanalytic Results on IDEA

Piret and Quisquater s DFA on AES Revisited

Private-Key Encryption

Classical Cryptography

Computer Security CS 526

CSC 474/574 Information Systems Security

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

GENETIC ALGORITHMS, TABU SEARCH AND SIMULATED ANNEALING: A COMPARISON BETWEEN THREE APPROACHES FOR THE CRYPTANALYSIS OF TRANSPOSITION CIPHER

Cryptography Functions

Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

A Methodology for Differential-Linear Cryptanalysis and Its Applications

Attack on DES. Jing Li

K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 32-39

Secret Key Cryptography (Spring 2004)

Cryptography. Submitted to:- Ms Poonam Sharma Faculty, ABS,Manesar. Submitted by:- Hardeep Gaurav Jain

Some Aspects of Block Ciphers

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

A Differential Fault Attack against Early Rounds of (Triple-)DES

Goals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010

Differential-Linear Cryptanalysis of Serpent

NON LINEAR FEEDBACK STREAM CIPHER

Module 13 Network Security. Version 1 ECE, IIT Kharagpur

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

An overview and Cryptographic Challenges of RSA Bhawana

Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)

Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)

Analysis of Involutional Ciphers: Khazad and Anubis

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Cryptography and Network Security. Sixth Edition by William Stallings

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Syrvey on block ciphers

CSCE 813 Internet Security Symmetric Cryptography

An Improved Truncated Differential Cryptanalysis of KLEIN

EE 595 (PMP) Introduction to Security and Privacy Homework 1 Solutions

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

Transcription:

Linear Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Linear Approximations and bias value Piling Up Lemma Linear Approximation Tables Performing the Attack Security IIT Kharagpur 1

Product Ciphers Most modern day ciphers are product ciphers. Sequence of Substitutions and Permutations Also called iterated ciphers Description includes: round description key schedule Cipher Transformations Round function, say g takes two inputs round key, K r current state, w r-1 next state, w r =g(w r-1,k r ) Plain-text: w 0 Cipher-text: w Nr, where Nr is the number of rounds of the cipher Decryption is thus achieved by the transformation, g -1. Security IIT Kharagpur 2

Definition of SPN Ciphers Block length: lm, l and m are integers Substitution, S: {0,1} l {0,1} l Known as S-Box Permutation, P: {0,1} lm {0,1} lm Known as P-Box Except the last round all rounds will perform m substitutions, using S, followed by a Permutation. Algorithm Input, x: {0,1} lm, K 0 : {0,1} lm Output, y: {0,1} lm Key-schedule: generates (K 0, K 1,, K Nr ) w 0 =x for r=1 to Nr-1 u r =w r-1 ^ K r-1 for i = 1 to m do v r i = S(ur i ) w r =v r P(1), vr P(2),, vr P(lm) u Nr =v Nr-1 ^ K Nr-1 for i = 1 to m do v Nr i = S(uNr i ) y=v Nr ^ K Nr Nr-1 rounds last round Key Whitening Security IIT Kharagpur 3

Example: GPig Cipher l=m=nr=4 Thus plain text size is 16 bits It is divided into 4 groups of 4 bits each. S-Box works on each of the 4 bits Consider a S-Box (substitution table) GPig (contd.) The Permutation Table is as follows: Permutation is the transposition of bits There are lm=16 bits, which are transposed using the above table Security IIT Kharagpur 4

The Cipher Diagram Modifications or Variations of the SPN Structure Examples: DES, AES Different S-Boxes instead of a single one As done in DES, there are 8 different S-Boxes Have an additional invertible linear transformation As done in AES Is the GPig Cipher secure? Security IIT Kharagpur 5

Key Scheduling Consider the key to be 32 bits (too small) A simple key schedule: Kr is made by taking 16 successive bits from the key starting at (4r + 1) bit position. Example: Input Key, K: 0011 1010 1001 0100 1101 0110 0011 1111 K 0 = 0011 1010 1001 0100 K 1 = 1010 1001 0100 1101 K 2 = 1001 0100 1101 0110 K 3 = 0100 1101 0110 0011 K 4 = 1101 0110 0011 1111 What is Linear Crypatanalysis (LC)? Aims at obtaining linear approximations relating the plaintext and the states of the ciphers prior to last round The probability of the approximation should be bounded away from ½, to be called a good approximation The attacker has a large number of plaintext and ciphertext pairs. What kind of attack model is this? Now we start guessing the last round keys and decrypting the ciphertext to obtain the state previous to the last round. Security IIT Kharagpur 6

LC (Basics) We check if the approximation is satisfied. We update a frequency table for all the candidate keys The correct candidate key will have the largest tally, if the experiment is performed for a large number of times. Note that the attack would not have worked if the cipher was a random function, with all approximations having a probability ½ LC is nothing but a distinguisher Piling Up Lemma Consider independent random variables: X 1, X 2, let Pr[X 1 =0]=p 1 => Pr[X 1 =1]=1-p 1 let Pr[X 2 =0]=p 2 => Pr[X 2 =1]=1-p 2 Thus, Pr[X 1^ X 2 ]=0 is p 1 p 2 + (1-p 1 )(1-p 2 ) Not let Є 1 =p 1-1/2 and Є 2 =p 2-1/2 (these are called bias values of the rv.s) Thus, Pr[X 1^ X 2 ]=0 = 2Є 1 Є 2 Security IIT Kharagpur 7

Generalized lemma Note that if there is one bias on the RHS which is 0, then LHS is also 0 Reminder Piling Up lemma works only when the random variables are independent. Next we see how to obtain linear approximations of the S-Box Security IIT Kharagpur 8

Linear Approximations of mxn S-Box Input tuple: (x 1,x 2,,x m ), x i s are values which r.v X i takes Output tuple: (y 1,y 2,,y n ), y j s are values which r.v Y j takes. The values are {0,1} Note that the outputs are not independent among themselves or from the inputs. Computing the probability of linear approximation Pr[ X1 = x1,..., Xm = xm, Y1 = y1,..., Yn = yn) = 0 if ( y,..., y ) S( x,..., x ) 1 n 1 Pr[ X1 = x1,..., Xm = xm, Y1 = y1,..., Yn = yn) = 2 if ( y,..., y ) = S( x,..., x ) 1 n 1 m m m Security IIT Kharagpur 9

S-Box in terms of the random variables What is the bias of X 1 ^ X 4 ^ Y 2? There are 8 cases when X1 ^ X4 ^ Y2=0 Thus the probability is 8/16=1/2 So, the bias is zero. Consider, X 3^ X 4 ^ Y 1 ^ Y 4 The bias turns out to be -3/8 Representing the Approximations Any expression can be written in the form: Here a i Є{0,1} and b i Є{0,1} Thus each of a and b can be denoted by hexadecimal numbers from 0 to F They can be stored in a table Security IIT Kharagpur 10

Linear Approximation Table (LAT) for X3^ X4 ^ Y1 ^ Y4 a=(0011)=3 b=(1001)=9 Thus T[3,9]=2 Bias = 2/16-1/2=-3/8 Thus Bias =(T[a,b]/16)-1/2 Linear Attack We need to form a linear approximation, involving the plaintext, key and the state before the last rounds, which has a good bias. The non-linear components in the cipher are only the S-Boxes. So, we use the LAT to obtain the good linear approximations. Security IIT Kharagpur 11

Linear Approximations of the 3(=4-1) round Cipher Approximations of the S-Boxes with high values: If we assume that the 4 random variables are independent we can combine them by the Piling Up Lemma. Linear Approx (contd.) So, the bias of: is 2 3 (1/4)(-1/4) 3 =-1/32 This is by Piling Up lemma T 1, T 2, T 3 and T 4 have the property that their input and output are expressible in terms of Plaintext, the key bits and u 4 (the input to the last round of S-Boxes) Security IIT Kharagpur 12

Linear Approx (contd.) Security IIT Kharagpur 13

Linear Approx (contd.) = has a bias of -1/32. The following equations are substituted in the above equation: Linear Approx (contd.) Note that the final expression involves the plaintext, key bits and u 4 : Note that the bias of the expression is 1/32. Also note that the term, can either be 1 or 0. Hence the bias of is ±1/32 Security IIT Kharagpur 14

The Attack Note that the expression has bits in U 4, which are there in the second and fourth S-Box of the last round. The attacker obtain large number of ciphertexts from the plaintexts he knows. Then he guesses 8 key bits, K 5 [5-8], K 5 [13-16] He makes a frequency table, where for each key a count is stored to denote the number of cases the above expression is satisfied. If we inspect T plaintext, ciphertext pairs then for a wrong guess in T/2 cases the expression will be satisfied. For a correct guess, in case of about T/2±T/32, the expresssion is satisfied. Roughly, T=8000. Security IIT Kharagpur 15

Further Reading Douglas Stinson, Cryptography Theory and Practice, 2 nd Edition, Chapman & Hall/CRC B. A. Forouzan, Cryptography and Network Security, TMH Howard Heys, A Tutorial on Linear and Differential Cryptanalysis, 2001 Exercise Security IIT Kharagpur 16

Next Days Topic Differential Cryptanalysis Security IIT Kharagpur 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback