Session 6: Introduction to cryptanalysis part 2

Symmetric systems

The sources of vulnerabilities regarding linearity in block ciphers are S-boxes.

Example – a 4×4 S-box:

Symmetric systems

The contents of the S-box:

Addr. 0 1 2 3 4 5 6 7 8 9 A B C D E F
Cont. E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

We consider the following equations:
• X2 ⊕ X3 = Y1 ⊕ Y3 ⊕ Y4
• X1 ⊕ X4 = Y2
• X3 ⊕ X4 = Y1 ⊕ Y4

Symmetric systems

The probability bias:
• First equation: 12/16 - 1/2 = 1/4
• Second equation: 8/16 - 1/2 = 0
• Third equation: 2/16 - 1/2 = -3/8

The success of the attack depends on the magnitude of the probability bias – the best approximation of this S-box is the third equation.

Symmetric systems

For the attack, we must enumerate all linear approximations of the S-box – linear approximation table:
• Each element in the table represents the number of matches between the linear equation in the ”Input sum” column and the sum of the output bits represented in the ”Output sum” row.
• Dividing an element by 16 gives the probability bias for the particular linear combination.

Symmetric systems

Linear approximation table (cont.):
• The ”Input sum” and the ”Output sum” are given in hexadecimal:
• a1X1 ⊕ a2X2 ⊕ a3X3 ⊕ a4X4
• b1Y1 ⊕ b2Y2 ⊕ b3Y3 ⊕ b4Y4
• ai, bi ∈ {0,1}
• The hexadecimal value represents the binary value a1a2a3a4, resp. b1b2b3b4.

Symmetric systems

Example:
• The probability bias of the linear equation X3 ⊕ X4 = Y1 ⊕ Y4 (hex input 3 and hex output 9) is -6/16 = -3/8.
• The probability that this linear equation holds true is 1/2 - 3/8 = 1/8.
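As an added example (not part of the slides), the following Python builds the linear approximation table of the 4×4 S-box above and returns the bias of any ”Input sum”/”Output sum” pair; the masks a and b are the hex values of the slides, with bit 3 (MSB) of a being a1 and bit 0 being a4, and likewise for b and Y.

```python
# Added example (not from the slides): linear approximation table (LAT) of the
# 4x4 S-box above, and the probability bias of any input-sum/output-sum pair.
from fractions import Fraction

# Contents of the S-box from the slides, indexed by the input value 0..F.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of all bits of v (1 if v has an odd number of set bits)."""
    return bin(v).count("1") & 1


def lat_entry(sbox, a, b):
    """LAT element for input sum a and output sum b (hex masks of the slides).

    Bit 3 of a is a1 (coefficient of X1) and bit 0 is a4; b plays the same
    role for Y.  The element is (number of inputs X with a.X = b.S(X)) - 8,
    so dividing it by 16 gives the probability bias.
    """
    matches = sum(1 for x in range(len(sbox))
                  if parity(x & a) == parity(sbox[x] & b))
    return matches - len(sbox) // 2


def linear_approximation_table(sbox):
    """Full 16x16 LAT: rows are input sums, columns are output sums."""
    n = len(sbox)
    return [[lat_entry(sbox, a, b) for b in range(n)] for a in range(n)]


def bias(sbox, a, b):
    """Probability bias of a.X = b.Y as an exact fraction."""
    return Fraction(lat_entry(sbox, a, b), len(sbox))


def probability(sbox, a, b):
    """Probability that a.X = b.Y holds: 1/2 + bias."""
    return Fraction(1, 2) + bias(sbox, a, b)


def max_abs_bias(sbox):
    """Largest |bias| over non-trivial sums: the quantity a designer minimises."""
    n = len(sbox)
    return max(abs(bias(sbox, a, b)) for a in range(1, n) for b in range(1, n))


if __name__ == "__main__":
    # The three equations of the slides: X2+X3=Y1+Y3+Y4, X1+X4=Y2, X3+X4=Y1+Y4.
    for a, b in ((0x6, 0xB), (0x9, 0x4), (0x3, 0x9)):
        print(f"in {a:X} out {b:X}: bias {bias(SBOX, a, b)}, "
              f"P(holds) = {probability(SBOX, a, b)}")
```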

Symmetric systems

Once the linear approximation information has been compiled for the S-boxes, we proceed by determining linear approximations for the overall cipher (if possible) or for a certain number of rounds.

Symmetric systems

Once an R-1 round linear approximation is discovered for a cipher of R rounds with a suitably large overall probability bias, it is possible to recover bits of the last subkey.

Symmetric systems

Complexity of the attack
• In the context of linear (and differential) cryptanalysis, this means the number of plaintext-ciphertext pairs necessary to carry out the attack.
• Matsui showed that the number of such pairs N_L could be given by
• N_L ≈ 1/ε², where ε is the overall probability bias for the whole cipher (or the rounds to be cryptanalyzed).

Symmetric systems

Providing security against linear cryptanalysis:
• Minimize the largest S-box bias
• Find structures to maximize the number of S-boxes involved in the overall cipher approximation.

This approach was used in the design of Rijndael.

Symmetric systems

Differential cryptanalysis
• Exploits the high probability of certain occurrences of plaintext differences and differences into the last round of a block cipher.
• Example:
• Input: X = [X1, X2, …, Xn]
• Output: Y = [Y1, Y2, …, Yn]
• Consider two inputs X’ and X’’ with corresponding outputs Y’ and Y’’.

Symmetric systems

The input difference: ΔX = X’ ⊕ X’’ = [ΔX1, ΔX2, …, ΔXn]

The output difference: ΔY = Y’ ⊕ Y’’ = [ΔY1, ΔY2, …, ΔYn]

In an ideally randomized cipher, the probability that a particular output difference ΔY occurs given a particular input difference ΔX is 1/2^n.

Symmetric systems

Differential cryptanalysis seeks to exploit a situation in which a particular ΔY occurs given a particular ΔX with a very high probability p_D (≫ 1/2^n).

The pair (ΔX, ΔY) is called a differential. The attacker selects pairs of inputs X’ and X’’ to satisfy a particular ΔX for which a particular ΔY occurs with high probability.

Symmetric systems

We construct a differential (ΔX, ΔY) involving:
• plaintext bits (as represented by ΔX)
• input to the last round (as represented by ΔY)

This is carried out by examining highly likely differential characteristics.

Symmetric ciphers

Differential characteristic
• A sequence of input and output differences to the rounds
• The output difference from one round corresponds to the input difference for the next round.

Using the highly likely differential characteristic enables exploiting information coming into the last round.

Symmetric ciphers

To construct highly likely differential characteristics, we examine the properties of individual S-boxes.

We then use these properties to determine the complete differential characteristic.

Symmetric ciphers

We consider the input and output differences of the S-boxes in order to determine a high probability difference pair.

Then we combine S-box difference pairs from round to round so that the non-zero output difference bits from one round correspond to the non-zero input difference bits of the next round.

Symmetric ciphers

This enables finding a high probability differential consisting of the plaintext difference and the difference of the input to the last round.

The subkey bits disappear from the difference expression because they are involved in both data sets.

Symmetric ciphers

Consider the S-box

Symmetric ciphers

The contents of the S-box

Input: X = [X1, X2, X3, X4]

Output: Y = [Y1, Y2, Y3, Y4]

Addr. 0 1 2 3 4 5 6 7 8 9 A B C D E F
Cont. E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

Symmetric systems

All difference pairs (ΔX, ΔY) of an S-box can be examined and the probability of ΔY given ΔX can be derived by considering input pairs (X’, X’’) such that X’ ⊕ X’’ = ΔX.

The ordering of the pair is not relevant – for a 4×4 S-box we need only consider all 16 values for X’ and derive X’’ = X’ ⊕ ΔX.

Symmetric ciphers

Example
ΔX = 1011 (hex B)
ΔX = 1000 (hex 8)
ΔX = 0100 (hex 4)

Given X and ΔX and having the S-box truth table, for the pair (X, X ⊕ ΔX) we get the pair (Y, Y ⊕ ΔY).

Then we easily get ΔY.

Symmetric systems

Example:
• The number of occurrences of ΔY = 0010 for ΔX = 1011 is 8 out of 16 possible values (i.e. a probability 1/2).
• The number of occurrences of ΔY = 1011 for ΔX = 1000 is 4 out of 16 possible values (i.e. a probability 1/4).
• The number of occurrences of ΔY = 1010 for ΔX = 0100 is 0 out of 16 possible values (i.e. a probability 0).

Symmetric systems

An ”ideal” S-box would have the number of occurrences of all difference pair values equal to 1, to give a probability of 1/16 of the occurrence of a particular ΔY given ΔX.

It turns out that such an ”ideal” S-box does not exist.

Symmetric systems

Difference distribution table
• The rows represent ΔX values (in hex)
• The columns represent ΔY values (in hex).
• Each element of the table represents the number of occurrences of the corresponding output difference ΔY given the input difference ΔX.
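As an added example (not part of the slides), the following Python builds the difference distribution table of the 4×4 S-box above by enumerating all 16 values of X’ for each ΔX, as the slides describe, and checks the three difference pairs of the example; it also shows why an ”ideal” all-ones table cannot exist for this kind of S-box.

```python
# Added example (not from the slides): difference distribution table (DDT) of
# the 4x4 S-box above, built by enumerating all 16 inputs X' for each dX.
from fractions import Fraction

# Contents of the S-box from the slides, indexed by the input value 0..F.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def output_difference(sbox, x, dx):
    """dY of the input pair (X, X ^ dX): S(X) ^ S(X ^ dX)."""
    return sbox[x] ^ sbox[x ^ dx]


def ddt_entry(sbox, dx, dy):
    """Number of inputs X (0..15) whose pair (X, X ^ dX) yields dY."""
    return sum(1 for x in range(len(sbox))
               if output_difference(sbox, x, dx) == dy)


def difference_distribution_table(sbox):
    """Full 16x16 DDT: rows are dX, columns are dY (both in hex order)."""
    n = len(sbox)
    return [[ddt_entry(sbox, dx, dy) for dy in range(n)] for dx in range(n)]


def differential_probability(sbox, dx, dy):
    """p(dY | dX) as an exact fraction: DDT element divided by 16."""
    return Fraction(ddt_entry(sbox, dx, dy), len(sbox))


def max_differential_probability(sbox):
    """Largest p(dY | dX) over non-zero dX: what a designer tries to minimise."""
    n = len(sbox)
    return max(differential_probability(sbox, dx, dy)
               for dx in range(1, n) for dy in range(n))


def all_entries_even(sbox):
    """True iff every DDT element is even.  X and X ^ dX give the same dY, so
    each unordered pair is counted twice; an all-ones table is impossible."""
    return all(v % 2 == 0
               for row in difference_distribution_table(sbox) for v in row)


if __name__ == "__main__":
    # The three difference pairs of the slides.
    for dx, dy in ((0xB, 0x2), (0x8, 0xB), (0x4, 0xA)):
        print(f"dX={dx:04b} dY={dy:04b}: {ddt_entry(SBOX, dx, dy)} of 16, "
              f"p = {differential_probability(SBOX, dx, dy)}")
```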

Symmetric systems

Once the differential information has been compiled for the S-boxes, we proceed by determining a differential characteristic for the overall cipher (if possible) or for a certain number of rounds.

Symmetric systems

Once an R-1 round differential characteristic is discovered for a cipher of R rounds with a suitably large overall probability, it is possible to recover bits of the last subkey.

Symmetric systems

Complexity of the attack
• This means the number of plaintext-ciphertext pairs necessary to carry out the attack.
• The number of such pairs N_D could be given by
• N_D ≈ c/p_D, where p_D is the overall differential characteristic probability for the whole cipher (or the rounds to be cryptanalyzed) and c is a small constant.

Symmetric systems

Providing security against differential cryptanalysis:
• Minimize the differential pair probability of an S-box
• Find structures to maximize the number of S-boxes with a non-zero differential.

This approach was used in the design of Rijndael.

Asymmetric systems

To attack an asymmetric cryptosystem, we have to attack the underlying mathematical problem:
• RSA – factorization of a large number
• ElGamal – solving the discrete logarithm problem
• ...

Asymmetric systems

In general, it is very difficult to find a solution to these problems, provided the corresponding cryptosystems have been implemented well.

Errors of implementation (for example a ”small” number to be factorised, a low exponent or a short plaintext in RSA) can be exploited by a cryptanalyst.

Asymmetric systems

Some theorems that illustrate this:

Theorem 1
• Let n = pq have m digits. If we know the first m/4, or the last m/4, digits of p, we can efficiently factor n.

Theorem 2
• Suppose (n, e) is an RSA public key and n has m digits. Let d be the decryption exponent. If we have at least the last m/4 digits of d, we can efficiently find d in time that is linear in e·log2 e.