Block Ciphers: SPNs and Cryptanalysis
CSCI 284 Spring 2004 GWU
- SPNs
- Linear Cryptanalysis
- Differential Cryptanalysis

This slide set almost entirely from: H. M. Heys, "A Tutorial on Linear and Differential Cryptanalysis", Technical Report CORR 2001-17, Centre for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Mar. 2001. (Also appears in Cryptologia, vol. XXVI, no. 3, pp. 189-221, 2002.)

CS 284/Spring 04/GWU/Vora/Block Ciphers: SPNs and Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Substitution-Permutation Networks (SPNs)
• Basic building block of all symmetric-key block ciphers (including DES, AES)
• A substitution
• A permutation
• A pad with key
• Repeated over many “rounds”

Single SP block
[Figure: one part of key, “S” block, permutations. From: Heys' paper]

Example S-box (hex)
Input:  0 1 2 3 4 5 6 7 8 9 A B C D E F
Output: A F 3 9 B 8 2 4 E 0 C 1 5 6 D 7

Example Permutation (hex)
Input:  0 1 2 3 4 5 6 7 8 9 A B C D E F
Output: 0 4 8 C 1 5 9 D 2 6 A E 3 7 B F

Invert single box?

4 Rounds
Inversion: No permutation before mixing

An attack: linear cryptanalysis
First concentrate on breaking a single S-box:
Model the S-box in terms of probabilities of linear relationships between input and output bits
E.g.: $x_1 \oplus x_4 = y_2 \oplus y_4$ is true with what probability? If the S-box were truly random, what would be the probability of that equation being true?
Difference is the bias – the higher it is, the easier an attack

Generate some of these
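
Added example (not from the slides or from Heys' tutorial): counting how often a linear relation holds for the S-box on the "Example S-box" slide, and building the full table of such counts. It assumes Heys' bit numbering, with x1/y1 as the most significant bit, so the slide's example relation on x1, x4, y2, y4 uses input mask 1001 and output mask 0101.

```python
# S-box as read from the "Example S-box" slide: index = input, value = output.
SBOX = [0xA, 0xF, 0x3, 0x9, 0xB, 0x8, 0x2, 0x4,
        0xE, 0x0, 0xC, 0x1, 0x5, 0x6, 0xD, 0x7]

# Assumed bit numbering: bit 1 is the most significant bit of the nibble.
X1_X4 = 0b1001   # selects x1 and x4
Y2_Y4 = 0b0101   # selects y2 and y4


def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def matches(in_mask, out_mask, sbox=SBOX):
    """Number of inputs for which XOR(masked input bits) == XOR(masked output bits)."""
    return sum(parity(x & in_mask) == parity(sbox[x] & out_mask)
               for x in range(len(sbox)))


def bias(in_mask, out_mask, sbox=SBOX):
    """Probability that the relation holds, minus the 1/2 expected of a random box."""
    return matches(in_mask, out_mask, sbox) / len(sbox) - 0.5


def linear_approximation_table(sbox=SBOX):
    """lat[a][b] = matches(a, b) - 8; zero means the relation is useless."""
    n = len(sbox)
    return [[matches(a, b, sbox) - n // 2 for b in range(n)] for a in range(n)]


def strongest_approximations(sbox=SBOX):
    """Largest |lat| entry over non-zero masks, and the mask pairs reaching it."""
    lat = linear_approximation_table(sbox)
    n = len(sbox)
    top = max(abs(lat[a][b]) for a in range(1, n) for b in range(1, n))
    pairs = [(a, b) for a in range(1, n) for b in range(1, n)
             if abs(lat[a][b]) == top]
    return top, pairs


if __name__ == "__main__":
    # For this S-box the slide's example relation holds for 8 of 16 inputs.
    print("matches:", matches(X1_X4, Y2_Y4), "bias:", bias(X1_X4, Y2_Y4))
    top, pairs = strongest_approximations()
    print("largest |count - 8|:", top)
    for a, b in pairs:
        print(f"  input mask {a:04b}  output mask {b:04b}")
```
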

Try using particular approximations for S-boxes

Errors
• There are some errors in each approximation. What happens to them as the approximations are concatenated?

Combined errors

Further

Complexity of linear cryptanalysis
Need known plaintext-ciphertext pairs O(1 / 2)

Differential Cryptanalysis
• Like linear cryptanalysis, concentrate on breaking a single S-box:
  – Model S-box in terms of probabilities of output differences given input differences
• E.g.: $\Delta x = 1011 \rightarrow \Delta y = 0010$ is true with what probability? If S-box were truly random, what would be the probability?
• Difference is the bias – the higher the bias, the easier an attack
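
Added example (not from the slides or from Heys' tutorial): the difference distribution table for the S-box on the "Example S-box" slide, used to answer the slide's question for the input difference 1011 and output difference 0010 and to list the strongest differentials of this particular box. The function names are this example's own.

```python
from fractions import Fraction

# S-box as read from the "Example S-box" slide: index = input, value = output.
SBOX = [0xA, 0xF, 0x3, 0x9, 0xB, 0x8, 0x2, 0x4,
        0xE, 0x0, 0xC, 0x1, 0x5, 0x6, 0xD, 0x7]


def difference_distribution_table(sbox=SBOX):
    """ddt[dx][dy] = number of inputs x with sbox[x] ^ sbox[x ^ dx] == dy."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def differential_probability(dx, dy, sbox=SBOX):
    """Probability that input difference dx produces output difference dy."""
    return Fraction(difference_distribution_table(sbox)[dx][dy], len(sbox))


def right_inputs(dx, dy, sbox=SBOX):
    """The inputs x for which the differential dx -> dy actually holds."""
    return [x for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ dx] == dy]


def strongest_differentials(sbox=SBOX):
    """Largest ddt count over non-zero dx, and the (dx, dy) pairs reaching it."""
    ddt = difference_distribution_table(sbox)
    n = len(sbox)
    top = max(ddt[dx][dy] for dx in range(1, n) for dy in range(n))
    pairs = [(dx, dy) for dx in range(1, n) for dy in range(n)
             if ddt[dx][dy] == top]
    return top, pairs


if __name__ == "__main__":
    # An ideal random box would give every output difference probability 1/16.
    # For this S-box, 1011 -> 0010 never occurs, while 1011 -> 0011 has 4/16.
    print("P(1011 -> 0010) =", differential_probability(0b1011, 0b0010))
    print("P(1011 -> 0011) =", differential_probability(0b1011, 0b0011))
    top, pairs = strongest_differentials()
    print("largest count:", top, "of 16")
    for dx, dy in pairs:
        print(f"  dx={dx:04b} -> dy={dy:04b}")
```
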

Then choose S-boxes
Total probability = 27/1024

Try all target sub-keys
• Try all sub-keys and see which one gives the correct input to the last round most often.
• That’s the most likely sub-key.