cryptanalysis on substitution- permutation networks jen-chang liu, 2005 ref: cryptography: theory...

Cryptanalysis on Substitution-Permutation Networks

Jen-Chang Liu, 2005

Ref: Cryptography: Theory and Practice, D. R. Stinson

Outline Substitution-permutation networks

(SPN) Linear cryptanalysis

Linear approximation of S-boxes Bias and pilling-up lemma A linear attack on an SPN

Differential cryptanalysis Differential distribution table of S-boxes

Substitution-permutation networks (1)

Substitution function (S-box)

1,01,0: S

z 0 1 2 3 4 5 6 7 8 9 A B C D E F

S(z)

E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

Ex. =4, 4-bit input


Permutation function

mmP ,,2,1,,2,1:

z 1 2 3 4 5 6 7 8 9 10

11

12

13

14

15

16

P(z)

1 5 9 13

2 6 10

14

3 7 11

15

4 8 12

16

Ex. =m=4, 16-bit input

0 1 0 0 0 1 0 1 1 1 0 1 0 0 0 1

00 1 0 1 1 1 0 0 0 0 0 0 1 1 1

SPN exampleRound 1

Round 2

Round 3

Round 4(no permutation)

Ki : subkeysXOR with input

whitening:Prevent attack


Implementation issues: S-Box: using look-up tables

4-bit input: 244=26 bits memory space 16-bit input: 21616=220 bits memory space DES: 6-bits to 4-bits, AES: 8-bits to 8-bits

Variations of SPN: Different S-Boxes in each round, ex. DES Include invertible linear transformation in

addition to permutation, ex. AES

Question about S-box: Are these S-boxes secure?

We will try to find some probabilistic relationship between (differential) input and (differential) output to S-boxes

Linear approximation table (1)

S-box z 0 1 2 3 4 5 6 7 8 9 A B C D E F

S(z)

E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

Input 4-bits Output 4-bits


considerT=X1 X4 Y2


Pr[T=0]=1/2

Pr[T=1]=1/2


considerT=X3X4Y1Y4


Pr[T=0]=1/8

Pr[T=1]=7/8


XOR of input and output bits can be taken as linear combination

ii

iii

i

baT YX4

1

4

1

T=X1 X4 Y2 a :(1 0 0 1) b :(0 1 0 0)

T=X3X4Y1Y4 a :(0 0 1 1) b :(1 0 0 1)

For all a and b, we computeNL (a,b): number of occurrences such that T=0


Idea: away from 8 means some probabilistic relationshipbetween input and output

Bias of a random variable X is a random variable taking on values

from {0, 1}

Pr[X=0]=p

Pr[X=1]=1-p

Bias of X is defined to be

=p-1/2

* Bias with high absolute value implies non-randomness

Ex. Pr[X=0]=1/2 bias = 0

Ex. Pr[X=0]=1 bias = 1/2

Pilling-up lemma Let T denotes the bias of the random

variable T=X1X2... Xk

Then

Ex. T=X1X2, bias T = 212

k

ii

kT

1

12

A Linear Attack onan SPN (1)

T1 has bias 1/4

T2 has bias -1/4

T3 has bias -1/4

T4 has bias -1/4

T1T2T3T4

has bias

32

1

4

1

4

12

33


T1T2T3T4

X1 X2 X3

X1X2X3

(subkey bits)

U1 U2 U3 U4

=U1U2U3 U4

=T1T2T3T4

X1X2X3

(subkey bits)

U1U2U3 U4

A Linear Attack on an SPN (3)

Previous result:

Fix the subkey bits (assume the same key)

Thus,

=T1T2T3T4

X1X2X3 (subkey bits)U1U2U3 U4

=T1T2T3T4

X1X2X3 (0 or 1)U1U2U3 U4

X1X2X3U1U2U3 U4has the same bias asT1T2T3T4(may have different sign, depending on subkey bits)


T1T2T3T4

has bias32

1

X1 X2 X3

U1 U2 U3 U4

X1X2X3

U1U2U3 U4

has bias32

1

Known-plaintext attack

Assume 8000 (x, y) pairs are known

x

y

Goal: solve the 8-bit subkey

Initialize: Counter[256]

For each (x,y) pairFor subkey value s=0 to 255

determine

U1 U2 U3 U4

U1,U2,U3,U4

If X1X2X3

U1U2U3 U4 =0

X1 X2 X3

Counter[s] ++

Final: Find s, such that Counter[s]/8000

32

1

2

1

Linear cryptanalysis on DES

1994, Matsui (inventor of linear cryptanalysis) Using 243 plaintext-ciphertext pairs

(generated using the same key) : it takes 40 days

Use linear cryptanalysis to find the key: 10 days

However, it is unlikely to accumulate such a large number of plaintext-ciphertext pairs

Differential cryptanalysis Two binary streams

Differential cryptanalysis Find the probabilistic relationship between

XOR of two inputs and XOR of two output

0101100….01110

1001010….01100

1100110….00010

Different bits will be labeled as 1 after XOR

44 S-box ： input X =[X1 X2 X3 X4], output Y =[Y1 Y2 Y3 Y4]

input pair (X’, X’’),

by

Analyzing the Cipher Components

XXXXXX ''"'

XXXX '"' ,Y

Y Y

Y

Given Δx, we want to determine the associatedprobabilities for each ΔY

Difference distribution table

X

Y

= 0010, =1011 (hex B), probability = 8/24 = 8/16Y X

= 1011, =1000 (hex 8), probability = 4/16Y X

= 1010, =0100 (hex 4), probability = 0/16Y X

ΔX=[0000 1011 0000 0000]

ΔU=[xxxx 0110 xxxx 0110]with prob. = 0.0264

5000 chosen plaintext pairs:[0000 1011 0000 0000, 0000 0000 0000 0000][0000 1011 0000 0001, 0000 0000 0000 0001][0000 1011 0000 0010, 0000 0000 0000 0010]

…

5000 ciphertext pairs: [Y1, Y’1], [Y2, Y’2], [Y3, Y’3], …

Differential Cryptanalysis on DES

Biham and Shamir, 1993 Complexity: order of 247 , requiring 247

chosen plaintext Recall: brute-force search: 255

In fact, the DES designers knew differential cryptanalysis early in 1974 They had strengthened S-boxes

Programming project#2 Generate tables for the following DES S-

Box linear approximation table difference distribution table

Output your results in well-formatted ASCII text file

Due date: 11/1

Notes for Programming Project#1

You must submit PowerPoint slides, which includes

Description of your DES source code, how to use it (write a small sample program to demo how to use it)

How do you evaluate the avalanche effects of DES? The results of your experiments

All programs

cryptanalysis on substitution- permutation networks jen-chang liu, 2005 ref: cryptography: theory...

Documents