Professional Documents
Culture Documents
1
Differential cryptanalysis is a method for
breaking certain classes of cryptosystems
2
Differential cryptanalysis is efficient when the
cryptanalyst can choose plaintexts and obtain
ciphertexts (chosen plaintext cryptanalysis)
3
Differential cryptanalysis is applicable to the
iterated ciphers with a weak round function
(so-called Feistel ciphers)
4
Notation
5
DES (DEA):
Data Encryption Standard (Algorithm)
28 28
IP
32 32 RL1 RL1
32 32
+ F 28
48 PC-2
48 K1 28
RL1 RL1
+ F PC-2
K2
RL2 RL2
+ F PC-2
K3
RL1 RL1
+ F PC-2
K16
FP
7
The round function of DES
R (32 BITS)
S1 S2 S3 S4 S5 S6 S7 S8
32 BITS
8
The Expansion E
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
9
Differential Cryptanalysis of DES
10
Biham and Shamir observed that with a fixed
key, the differential behavior of DES does
not exhibit pseudorandomness
11
S-box Non-Differential Uniformity
S1
E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
F C 8 2 4 9 1 7 5 B 3 E A 0 6 D
13
S1 Differential Distribution Table
Input Output y
x 01 23 456 78 9 AB CD EF
00 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
01 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4
02 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2
03 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0
...
0C 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2
...
34 0 8 16 6 2 0 0 12 6 0 0 0 0 8 0 6
...
3E 4 8 2 2 2 4 4 14 4 2 0 2 0 8 4 4
3F 44 42 402 44 2 4 8 8 6 2 2
14
The 6-bit differential input x takes 64 values:
00 (hex) to 3F (hex)
15
The later rows are more interesting:
16
Consider the input XOR 34. The possible out-
put XORs are
Output: 1 2 3 4 7 8 D F
Occurs: 8 16 6 2 12 6 8 6
13 = 01 0011
27 = 10 0111
13 ⊕ 27 = 11 0100
= 34
S1(13) = 0110
S1(27) = 0010
S1(13) ⊕ S1(27) = 0100
= 4
17
List of possible input values for S1 box with
input XOR 34
34 → 4: 13, 27
18
Determination of the key:
34: 01, 35
S1E S1K
+
S1I 34: 06, 10, 16, 1C
22, 24, 28, 32
S1
S1O D:
19
Also since
06 ⊕ 01 = 07 06 ⊕ 35 = 33
10 ⊕ 01 = 11 10 ⊕ 35 = 25
16 ⊕ 01 = 17 16 ⊕ 35 = 23
1C ⊕ 01 = 1D 1C ⊕ 35 = 29
22 ⊕ 01 = 23 22 ⊕ 35 = 17
24 ⊕ 01 = 25 24 ⊕ 35 = 11
28 ⊕ 01 = 29 28 ⊕ 35 = 1D
32 ⊕ 01 = 33 32 ⊕ 35 = 07
20
Furthermore, suppose we know two inputs to
S1 as 21 and 15 which XORs to 34, and the
output XOR as 3
34: 21, 15
S1E S1K
+
S1I 34: 01, 02, 15, 21
S1 35, 36
S1O 3:
21
The correct key value must appear in both of
these sets:
{17, 23}
Thus, the key value is either 17 or 23
22
Characteristic
Two observations:
S I = SE ⊕ S K
SI∗ = SE
∗ ⊕S
K
SI ⊕ SI∗ = SE ⊕ SK ⊕ SE
∗ ⊕S
K
SI = SE ⊕ SE
∗
SI = SE
23
A 2-Round Characteristic
(00 80 82 00 , 60 00 00 00)
B’=00 00 00 00 b’=00 00 00 00
+ f(R,K) p=1
(00 00 00 00 , 60 00 00 00)
24
6 = 0110 goes to S1 and 0 = 0000 goes to
S2, . . . , S8
25
The S-box outputs go through the permuta-
tion P before becoming the output f (R, K)
A = P (E0 00 00 00) = 00 80 82 00
26
Differential Cryptanalysis
of 2-Round DES
P = P ⊕ P ∗ = 00 80 82 00 60 00 00 00
00 80 82 00 60 00 00 00
to generate P ∗
27
Step 2: Give the plaintext pair (P, P ∗) to your
opponent who enciphers it and gives you the
ciphertext pair (T, T ∗)
(chosen plaintext cryptanalysis)
00 00 00 00 60 00 00 00
If it does not, the characteristic has not oc-
curred and this pair is not used. Go to Step 1
and generate a new plaintext pair.
If T is equal to
00 00 00 00 60 00 00 00
then the characteristic has occurred, and we
know the values of A and B . Go to Step 4.
28
Step 4: Since S2, . . . , S8 have their differential
inputs equal to zero, no information can be
gained about S2K , . . . , S8K
a = 60 00 00 00
to produce
A = 00 80 82 00
These 14 allowable values can be determined
by XORing each possible S1K with the corre-
sponding six bits of S1E and S1∗E , computing
S1’s differential output S1O and checking if it
is equal to E
29
Step 5: Compute the intersection of these
tables
30
Step 6: At this point we have recovered the
6 bits of the key comprising S1K
31
Probabilistic Cryptanalysis
32
4-Round Differential Attack
(20 00 00 00 , 00 00 00 00)
(00 00 00 00 , 20 00 00 00)
33
Differential Cryptanalysis
of 4-Round DES
(20 00 00 00 , 00 00 00 00)
B’ b’=20 00 00 00 p2
+ f(R,K)
C’ c’=B’
f(R,K) p3
+
D’ f(R,K)
d’ p4
+
(d’ , D’ + B’)
34
Observations:
35
Note that b = 20 00 00 00 causes the differ-
ential inputs to S2 through S8 in the second
round to be all zeros in their middle four bits
A’=04 00 00 00 b’=00 54 00 00
+ f(R,K) p=10x16/642
=P(00 10 00 00)
C’=0 c’=0
f(R,K) p=1
+
D’=04 00 00 00 d’=00 54 00 00
+ f(R,K) p=10x16/642
=P(00 10 00 00)
F’ f’=40 5C 00 00
+ f(R,K)
=P(x0 xx 00 00)
G’ g’=F’ + e’
+ f(R,K)
H’ h’
+ f(R,K)
38
We are right only one time in 10,000; we need
several times this number of differential pairs
P −1(R8
⊕ 04 00 00 00) ⊕ (x0 xx 00 00)
39
Step 4: Test each of the 64 possible 6-bit sub-
keys K8,2 associated with S2 in the 8th round
to see which case the observed (x, x∗) to pro-
duce the y computed for S2 in Step 3
40
Step 6: If each of the 5 tables is nonempty,
the characteristic may have occurred
41
Step 7: For each of the K’s generated in Step
6, increment a counter corresponding to that
value
42
Known-Plaintext Attack
These form
√
(232 2m)2
= 264m
2
possible pairs of plaintexts.
43
Each pair has an XOR. Since the block size is
64, there are 264 possible plaintext XOR val-
ues, and thus there are about
264m
64
= m
2
pairs creating each plaintext XOR value.
44
Results
4 42 1 1 24 233
6 30 3 2−4 28 236
8 30 5 2−13.5 216 240
10 18 9 2−31.5 235 249
16 18 15 2−55.1 258 261
8 214 238 29
10 224 243 215
12 231 247 221
14 239 251 229
16 247 255 237
45
Summary of the Results
47
Modified Versions of DES
Modified Chosen
Operation Plaintexts
48