CS641 Modern Cryptology
Lecture 4

Building Blocks

- A linear transformation on the entire block helps mix the information well.
- A non-linear transformation is needed to make it secure.
- Therefore, a combination of the two is desirable.
- A large number of encryption algorithms use both.

Manindra Agrawal, CS641: Lecture 4, slides 1/19 and 3/19

Mixing Property of Linear Transformations

Theorem. Let $u \in \mathbb{Z}_2^b$, $u \neq 0$, and $K \in \mathbb{Z}_2^{b \times b}$. Then, over random choices of $K$, $K \cdot u$ is a random vector in $\mathbb{Z}_2^b$.

Proof.
- Given $u$ and $c$ with $u \neq 0$, let the $i$th entry of $u$, $u_i$, be non-zero.
- Let $K_i$ be the $i$th column of $K$.
- The probability that $c = K \cdot u$ equals the probability that
  $$K_i = u_i^{-1}\Big(c - \sum_{1 \le j \le b,\ j \neq i} u_j K_j\Big).$$
- Fixing all other columns of $K$ except $K_i$, this is the probability that a random vector $K_i$ equals a fixed vector.

Invertibility of Non-linear Transformations

- Since encrypted text is required to be decrypted, all transformations done during encryption need to be invertible.
- This is easy for linear transformations, but non-linear transformations are typically not invertible.
- So we have to find non-linear transformations that are invertible.
- There is a generic way of doing it, given by Feistel.

[Figure: one Feistel round. The plaintext is split into halves L and R; F is applied to R and the result is XORed (+) with L, giving the output halves L' and R'.]


Feistel Structure

- Let $f$ be any non-linear transformation with $f : \{0,1\}^n \to \{0,1\}^n$.
- Define the transformation $g$, $g : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n \times \{0,1\}^n$, as
  $$g(a, b) = (b,\ a \oplus f(b)),$$
  where $\oplus$ is bitwise XOR.
- $g$ is clearly a non-linear transformation, and it is also invertible:
  $$g^{-1}(b, a') = (a' \oplus f(b),\ b).$$
- Therefore, we can use the Feistel structure to ensure invertibility given any transformation $f$.

Encryption Using Feistel Structure

- Function $g$ transforms only half of the input text ($b$ is present in the output).
- We use two rounds of application of $g$ to transform the input completely:
  $$g(g(a, b)) = g(b,\ a \oplus f(b)) = (a \oplus f(b),\ b \oplus f(a \oplus f(b))).$$
- We can use any number of rounds; generally, a greater number of rounds provides more security.
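The construction above as an added worked example (this is not code from the lecture notes): $g$ and $g^{-1}$ implemented for an arbitrary round function $f$, with multi-round encryption and decryption. The round function used here (a keyed hash truncated to $n$ bits) and the half-block size $n = 32$ are choices made for this demo; $f$ is deliberately not invertible on its own, which is exactly what the Feistel structure tolerates.

```python
"""Feistel round g(a, b) = (b, a XOR f(b)) and its inverse, for any f.

Added example, not code from the lecture notes. The round function f
(a keyed hash truncated to n bits) and n = 32 are choices made here for
illustration; f is deliberately not invertible on its own.
"""
import hashlib

N = 4  # half-block size in bytes (n = 32 bits); assumption for the demo


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def f(b: bytes, round_key: bytes) -> bytes:
    """Non-linear, non-invertible map {0,1}^n -> {0,1}^n (illustrative choice)."""
    return hashlib.sha256(round_key + b).digest()[:N]


def g(a: bytes, b: bytes, round_key: bytes):
    """One Feistel round: g(a, b) = (b, a XOR f(b)). Only half is transformed."""
    return b, xor(a, f(b, round_key))


def g_inv(b: bytes, a_prime: bytes, round_key: bytes):
    """Inverse round: g^{-1}(b, a') = (a' XOR f(b), b). Needs f forwards only."""
    return xor(a_prime, f(b, round_key)), b


def encrypt(block: bytes, round_keys) -> bytes:
    """Apply g once per round key; the number of rounds is len(round_keys)."""
    a, b = block[:N], block[N:]
    for k in round_keys:
        a, b = g(a, b, k)
    return a + b


def decrypt(block: bytes, round_keys) -> bytes:
    """Undo the rounds in reverse order with g^{-1}."""
    a, b = block[:N], block[N:]
    for k in reversed(round_keys):
        a, b = g_inv(a, b, k)
    return a + b


def half_visible_after_one_round(block: bytes, round_key: bytes) -> bool:
    """After a single round the left output half is the plaintext's right half."""
    return encrypt(block, [round_key])[:N] == block[N:]


if __name__ == "__main__":
    # Constructed sample input: an 8-byte block and two 8-byte round keys.
    pt = b"PLAINTXT"
    keys = [b"round-k1", b"round-k2"]
    ct = encrypt(pt, keys)
    print(ct.hex(), decrypt(ct, keys) == pt)
```

`half_visible_after_one_round` shows the weakness of a single round that the slide points out ($b$ appears unchanged in the output); with two or more rounds both halves depend on $f$, and decryption still only ever evaluates $f$ forwards.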

History

- Designed in 1974 by a group of IBM engineers led by Walter Tuchman.
- Adopted by the National Bureau of Standards (US) in 1976 as a standard and named the Data Encryption Standard (DES).
- One of the most widely used encryption algorithms until 2001.

DES Parameters

- A block cipher with block size = 64 bits, or 8 bytes.
- Key size = 56 bits.
  - This size was sufficient in the 1970s to be resistant against brute-force attacks.
- Uses the Feistel structure with 16 rounds.


DES Structure

- The plaintext block is $L_0 R_0$ with $|L_0| = |R_0| = 32$ bits.
- The input to round $i+1$ is $L_i R_i$ and its output is $L_{i+1} R_{i+1}$, with $|L_{i+1}| = |R_{i+1}| = 32$ bits.
- As per the Feistel structure, $L_{i+1} = R_i$ for $0 \le i < 16$.
- Function $f$ also depends on the round key $k_i$.

Round Operations

- Key $k_i$ is called the round key for round $i$, $1 \le i \le 16$.
- Each round key is 48 bits long.
- Each is a fixed subset of the 56 bits of the key.
  - The subsets are different for different rounds, but fixed.
- Round $i+1$ computes, for $0 \le i < 16$:
  $$R_{i+1} = L_i \oplus f(R_i, k_i), \qquad L_{i+1} = R_i.$$

Function f

- Function $f$ is a non-linear function.
- It takes as input the right half of the round input (32 bits) and the round key (48 bits), and produces a 32-bit output.
- It can be further divided into a series of four operations, three of which are linear and one is non-linear.

Function f

[Figure: one DES round, with $f$ applied to $R_i$ and $k_i$ and XORed into $L_i$.]
  $$R_{i+1} = L_i \oplus f(R_i, k_i), \qquad L_{i+1} = R_i \qquad (0 \le i < 16).$$
- Function $f$ also depends on the round key $k_i$.
Expansion E

- Takes a 32-bit input and produces a 48-bit output.
- Replicates 16 bits of the input in the following way:
  - Input: $b_0 b_1 \cdots b_{31}$
  - Output: $b_{31} b_0 b_1 b_2 b_3 b_4\ \ b_3 b_4 b_5 b_6 b_7 b_8\ \ b_7 b_8 \cdots b_{29} b_{30} b_{31} b_0$

Permutation P

- Shuffles the input bits as:
  - Input: $b_0 b_1 b_2 \cdots b_{31}$
  - Output: $b_{15} b_7 b_{19} b_{20} b_{28} b_{11} b_{27} b_{16} \cdots b_{21} b_{10} b_3 b_{24}$
- The primary aim is to shuffle bits so that, for each of the eight 4-bit blocks, all four bits of the block move to different blocks.

S-boxes

- The only nonlinear operation in the entire algorithm.
- There are eight S-boxes, each mapping six bits to four bits.
- Each of the eight boxes is a distinct transformation.
- Columns are indexed by the middle four bits of the input, and rows by the first and last bits of the input.
- Numbers are between 0 and 15, representing four-bit outputs.
- Every row has all 16 numbers occurring once.

S-1

S-1 | 0000 0001 0010 0011 0100 0101 0110 0111
----+----------------------------------------
 00 |   14    4   13    1    2   15   11    8
 01 |    0   15    7    4   14    2   13    1
 10 |    4    1   14    8   13    6    2   11
 11 |   15   12    8    2    4    9    1    7

S-1 | 1000 1001 1010 1011 1100 1101 1110 1111
----+----------------------------------------
 00 |    3   10    6   12    5    9    0    7
 01 |   10    6   12   11    9    5    3    8
 10 |   15   12    9    7    3   10    5    0
 11 |    5   11    3   14   10    0    6   13
Design Choices

- Why a 56-bit key size? Why not 64 bits?
  - The key is stored in 64 bits. In each byte, the msb is used as a parity check of the other seven key bits.
  - This catches any error occurring in the other seven bits.
- Why such small S-boxes?
  - So that the S-box tables can be stored in hardware and the algorithm executed fast.
  - The same reason underlies the other choices of operations.

CS641 Modern Cryptology
Lecture 5

Approach

- A brute-force attack to find the key requires $2^{56} \approx 10^{17}$ operations.
- Frequency-analysis-based methods do not work at all, since variations in frequencies are flattened out by the 64-bit block size and a sequence of linear transformations.
- We can assume stronger forms of attacks: known-plaintext, chosen-plaintext, etc.
- We start with easier versions of DES by restricting the number of rounds.

DES: One Round

- $L_0 R_0$ is the plaintext and $L_1 R_1$ is the ciphertext.
- Since $L_1 = R_0$, half of the plaintext is visible in the ciphertext, so security is already compromised.
- Under a known-plaintext attack, it can be completely broken.


DES: One Round

- The plaintext goes through multiple transformations during encryption.
- Let us analyze which of these transformed texts can be computed when both plaintext and ciphertext are known.

DES: One Round

[Figure: one DES round with the intermediate values $\alpha_i$, $\beta_i$, $\gamma_i$ marked.]
- Texts in all lines marked orange are known.
- In particular, we know the output of the S-boxes as well as the output of Expansion.

DES: One Round

- The output of $E$ (expansion) is $E(R_0)$, a 48-bit string.
- Let $E(R_0) = \alpha_1 \alpha_2 \cdots \alpha_8$ with $|\alpha_i| = 6$.
- This gets XORed with the key $k_1 = k_{1,1} k_{1,2} \cdots k_{1,8}$ with $|k_{1,i}| = 6$, and $\beta_i = \alpha_i \oplus k_{1,i}$.
- The six-bit string $\beta_i$ is the input to the $i$th S-box.
- Let $\gamma_i = S_i(\beta_i)$ with $|\gamma_i| = 4$ ($\gamma_i$ is the output of the $i$th S-box: 6-bit input $\beta_i$, 4-bit output).
- Each $\gamma_i$ and $\alpha_i$ is known.

DES: One Round

- Since $\gamma_i$ is known, we can look up the table for $S_i$ to find out which inputs can produce $\gamma_i$ as output.
- As already observed, the table for each $S_i$ has exactly four occurrences of $\gamma_i$.
- Let $X_i$ be the set of inputs to $S_i$ that produce $\gamma_i$ as output. We have $|X_i| = 4$.
- The string $\beta_i \in X_i$.
- Let $K_i = \{\alpha_i \oplus \beta \mid \beta \in X_i\}$.
- Since $k_{1,i} = \alpha_i \oplus \beta_i$, we have $k_{1,i} \in K_i$, and $|K_i| = 4$.


DES: One Round

- Therefore, for every $i$, $1 \le i \le 8$, six bits of $k_1$ are in the set $K_i$ with $|K_i| = 4$.
- Concatenating strings of the $K_i$, we get $4^8 = 2^{16}$ strings, one of which is $k_1$.
- This improves on the brute-force attack significantly.
- We can do even better!

DES: One Round

- Take another pair of plaintext and corresponding ciphertext block.
  - This is possible under a known-plaintext attack.
- Repeat the same analysis as above to get sets $K_i'$, for $1 \le i \le 8$, with $|K_i'| = 4$, each containing six bits of the key $k_1$.
- Therefore, $K_i \cap K_i'$ also contains six bits of $k_1$.
- It is likely that the size of $K_i \cap K_i'$ is already one, uniquely identifying part of $k_1$.
- If it is not unique, do the same exercise with another plaintext-ciphertext block pair to further reduce the size.
- Once all sets have size 1, the entire key $k_1$ is uniquely identified.
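The candidate sets $K_i$ and their intersection from the last few slides, as an added example (not code from the lecture notes), restricted to one S-box. It uses the standard DES S1 as printed on the S-1 slide. For S-box 1 the attacker knows $\alpha_1$ (a chunk of $E(R_0)$) and $\gamma_1$ (the S-box output, which follows from $L_0$ and $R_1$ by undoing $P$); the hidden key chunk and the random $\alpha$ values are constructed for the demo.

```python
"""One-round DES, known-plaintext recovery of the key chunk feeding one S-box.

Added example, not code from the lecture notes. S1 is the standard DES S1
(as on the S-1 slide). Per observation the attacker knows alpha (six bits
of E(R0)) and gamma = S1(alpha XOR k) (the S-box output). The key chunk and
the alphas used in simulate() are constructed for the demo.
"""
import random

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x: int) -> int:
    """Row = first and last input bits, column = middle four bits."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]


def rows_are_permutations(table) -> bool:
    """Every row contains each of 0..15 exactly once (slide claim)."""
    return all(sorted(row) == list(range(16)) for row in table)


def preimages(table, gamma: int):
    """X_i: the 6-bit inputs that produce output gamma. Always 4 of them."""
    return {b for b in range(64) if sbox(table, b) == gamma}


def key_candidates(table, alpha: int, gamma: int):
    """K_i = { alpha XOR beta : beta in X_i }; it contains the true k_{1,i}."""
    return {alpha ^ beta for beta in preimages(table, gamma)}


def recover_key_chunk(table, observations):
    """Intersect K_i over several known-plaintext observations (alpha, gamma).
    Returns the set of 6-bit key chunks consistent with all of them."""
    survivors = set(range(64))
    for alpha, gamma in observations:
        survivors &= key_candidates(table, alpha, gamma)
    return survivors


def simulate(true_key: int, n_pairs: int, seed: int = 1):
    """Constructed demo: random alphas, gammas computed with the hidden key."""
    rng = random.Random(seed)
    alphas = [rng.randrange(64) for _ in range(n_pairs)]
    obs = [(a, sbox(S1, a ^ true_key)) for a in alphas]
    return recover_key_chunk(S1, obs)


if __name__ == "__main__":
    for n in (1, 2, 3, 6):
        print(n, "pair(s):", sorted(simulate(0x2B, n)))
```

One observation leaves exactly four candidates, as the slide says; each further pair keeps a wrong candidate only when it happens to land in the same preimage set, so a handful of pairs pins the chunk down. Doing this for all eight S-boxes recovers all 48 bits of $k_1$.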

DES: Two Rounds

- $L_0 R_0$ is the plaintext and $L_2 R_2$ is the ciphertext.
- Under a known-plaintext attack, the intermediate block $L_1 R_1$ is known since $L_1 = R_0$ and $R_1 = L_2$.
- Parts of the plaintext are no longer visible in the output.
- This can be easily broken as well.

DES: Two Rounds

[Figure: two DES rounds with the known values marked.]
- Texts in all lines marked orange are known.
- In particular, we know the output of the S-boxes as well as the output of Expansion for both rounds.
- Using the same strategy as for one round, we can extract the key $k_1$ as well as $k_2$ easily.


DES: Three Rounds

- $L_0 R_0$ is the plaintext and $L_3 R_3$ is the ciphertext.

DES: Three Rounds

[Figure: three DES rounds with the known values marked.]
- Texts in all lines marked orange are known.
- The text $L_2 = R_1$ is not known.
- There is no round for which the outputs of both Expansion and the S-boxes are known.
- We cannot use the earlier strategy for this.

CS641 Modern Cryptology
Lecture 6

DES: Three Rounds

- Let $L_0 R_0$ be a plaintext block and $L_0' R_0'$ be another.
- How does their XOR travel through the encryption stages?
- Let us identify the locations where we know the XOR values.


DES: Three Rounds

[Figure: three rounds, with the lines whose XOR is known marked green.]
- XOR values in all lines marked green are known.
- Only two additional values become known.
- Choose $R_0 = R_0'$.

DES: Three Rounds

[Figure: three rounds with $R_0 = R_0'$; the XOR is now known on every line.]
- XOR values in all remaining lines are known now.
- In particular, in the third round, the actual values of the output from $E$ and the XOR of the outputs from the S-boxes are known.
- This gives a way to break the encryption.

DES: Three Rounds

- Let $E(R_2) = \alpha_1 \alpha_2 \cdots \alpha_8$ and $E(R_2') = \alpha_1' \alpha_2' \cdots \alpha_8'$ with $|\alpha_i| = 6 = |\alpha_i'|$.
  - $R_2$ and $R_2'$ are the right halves of the output of the second round on the plaintexts $L_0 R_0$ and $L_0' R_0' = L_0' R_0$.
- Let $\beta_i = \alpha_i \oplus k_{3,i}$ and $\beta_i' = \alpha_i' \oplus k_{3,i}$, $|\beta_i| = 6 = |\beta_i'|$.
  - $k_3 = k_{3,1} k_{3,2} \cdots k_{3,8}$.
- Let $\gamma_i = S_i(\beta_i)$ and $\gamma_i' = S_i(\beta_i')$, $|\gamma_i| = 4 = |\gamma_i'|$.
- We know $\alpha_i$, $\alpha_i'$, $\beta_i \oplus \beta_i' = \alpha_i \oplus \alpha_i'$, and $\gamma_i \oplus \gamma_i'$.

DES: Three Rounds

- Define
  $$X_i = \{(\beta, \beta') \mid \beta \oplus \beta' = \beta_i \oplus \beta_i' \text{ and } S_i(\beta) \oplus S_i(\beta') = \gamma_i \oplus \gamma_i'\}.$$
- The pair $(\beta_i, \beta_i') \in X_i$.
- Define
  $$K_i = \{k \mid \alpha_i \oplus k = \beta \text{ and } (\beta, \beta') \in X_i \text{ for some } \beta'\}.$$
- Since $(\beta_i, \beta_i') \in X_i$, we have $k_{3,i} \in K_i$.


DES: Three Rounds

- We have $|K_i| = |X_i|$, since $\alpha_i$ is fixed and $\beta'$ is determined by $\beta$ for $(\beta, \beta') \in X_i$.
- If $|X_i| < 64$ then we have eliminated some possibilities for $k_{3,i}$.
- What if $|X_i| = 64$?
  - Then for every $\beta$, $S_i(\beta) \oplus S_i(\beta \oplus \beta_i \oplus \beta_i') = S_i(\beta_i \oplus \beta_i') \oplus S_i(0)$, or equivalently
    $$S_i(\beta \oplus \beta_i \oplus \beta_i') = S_i(\beta) \oplus S_i(\beta_i \oplus \beta_i') \oplus S_i(0).$$
  - This makes a significant part of $S_i$ linear.

DES: Three Rounds

- Such linearity in $S_i$ would render it weak against linearity-based attacks.
- Indeed, $|X_i| \le 16$ for any choice of $\beta_i \oplus \beta_i'$ and $\gamma_i \oplus \gamma_i'$ and any $i$.
- Therefore, $|K_i| \le 16$ as per the above analysis.
- As done earlier, we can then repeat for multiple pairs of plaintexts to reduce the possibilities further until $k_{3,i}$ is uniquely identified.
- Doing the same for all S-boxes, we get at most $16^8 = 2^{32}$ possibilities for $k_3$.
- As before, by repeating the entire process for a few pairs of plaintexts that share the right half, we can uniquely identify $k_3$.
- This is a chosen-plaintext attack, since plaintext pairs with the same right half are required.

DES: Four Rounds

- $L_0 R_0$ is the plaintext and $L_4 R_4$ is the ciphertext.
[Figure: four DES rounds with the known values marked.]
- Texts in all lines marked orange are known.

DES: Four Rounds

[Figure: four rounds on a pair of inputs, with the lines whose XOR is known marked green.]
- Assuming pairs of input text blocks, for the lines marked green the XOR is known.
DES: Four Rounds

[Figure: four rounds on a pair of inputs with equal right halves.]
- Assuming the right halves of the input pair to be the same, the XOR is known for some more lines.

DES: Four Rounds

- There is still no round with a known output of $E$ and a known XOR of the output of the S-boxes.
- We know the input XOR of the second-round S-boxes.
- If the output XOR can be predicted, then the XOR of $R_2$ can be predicted, which is the same as the XOR of $L_3$.
- This, in turn, gives the XOR of the S-box outputs of the last round.
- We can then use the same method as for three rounds.

DES: Four Rounds

- Since S-boxes are non-linear, fixing the input XOR does not fix the output XOR.
- So we look for a likely XOR value.
- Examining S1 carefully, we find that if the XOR of two inputs is 001100, then of the 64 possible pairs, 14 result in the XOR of the output pair being 1110.
- If we consider random input pairs that have input XOR 001100 to the second-round S1, then we expect that with probability 14/64 the XOR of the outputs will be 1110.

DES: Four Rounds

- Ensuring that the input XOR to the remaining S-boxes in the second round is all zeroes, we can predict the XOR of the second-round S-box outputs with probability 14/64.
- We will use hexadecimal notation to represent 32-bit values.
- We can now repeat the analysis of three-round DES.
- It does not work directly, though.
CS641 Modern Cryptology
Lecture 7

DES: Four Rounds

- Let $E(R_3) = \alpha_1 \alpha_2 \cdots \alpha_8$ and $E(R_3') = \alpha_1' \alpha_2' \cdots \alpha_8'$ with $|\alpha_i| = 6 = |\alpha_i'|$.
  - $R_3$ and $R_3'$ are the right halves of the output of the third round on the plaintexts $L_0 R_0$ and $L_0' R_0' = L_0' R_0$.
- Let $\beta_i = \alpha_i \oplus k_{4,i}$ and $\beta_i' = \alpha_i' \oplus k_{4,i}$, $|\beta_i| = 6 = |\beta_i'|$.
  - $k_4 = k_{4,1} k_{4,2} \cdots k_{4,8}$.
- Let $\gamma_i = S_i(\beta_i)$ and $\gamma_i' = S_i(\beta_i')$, $|\gamma_i| = 4 = |\gamma_i'|$.
- We know $\alpha_i$, $\alpha_i'$ and $\beta_i \oplus \beta_i' = \alpha_i \oplus \alpha_i'$.
- We also know a value $\delta$ such that $\gamma_i \oplus \gamma_i' = \delta$ with probability $\frac{14}{64}$.

DES: Four Rounds

- Define
  $$X_i = \{(\beta, \beta') \mid \beta \oplus \beta' = \beta_i \oplus \beta_i' \text{ and } S_i(\beta) \oplus S_i(\beta') = \delta\}.$$
- The pair $(\beta_i, \beta_i') \in X_i$ whenever our guess $\gamma_i \oplus \gamma_i' = \delta$ is correct, which happens with probability $\frac{14}{64}$.
- Define
  $$K_i = \{k \mid \alpha_i \oplus k = \beta \text{ and } (\beta, \beta') \in X_i \text{ for some } \beta'\}.$$
- Since $(\beta_i, \beta_i') \in X_i$ with probability $\frac{14}{64}$, we have $k_{4,i} \in K_i$ with probability $\frac{14}{64}$.

DES: Four Rounds

- We have $|K_i| = |X_i|$, since $\alpha_i$ is fixed and $\beta'$ is determined by $\beta$ for $(\beta, \beta') \in X_i$.
- Therefore, $|K_i| \le 16$ as per the properties of the S-boxes.
- We cannot use the method for three rounds here:
  - If we compute another $K_i'$ and take its intersection with $K_i$, $k_{4,i}$ may get dropped, since it is not guaranteed to be present in both.


DES: Four Rounds

- Instead, we do as follows.
- Let $K_{i,1}, K_{i,2}, \ldots, K_{i,\ell}$ be sets of possible subkeys, each containing $k_{4,i}$ with probability $\frac{14}{64}$.
  - The probability is over random choices of plaintext pairs satisfying the given XOR condition.
- Then the expected number of sets containing $k_{4,i}$ would be $\frac{14}{64}\ell$.
- On the other hand, consider a value $a \neq k_{4,i}$.
  - We assume that $\Pr[a \in K_{i,s}] = \frac{|K_{i,s}|}{64}$.
  - Then the expected number of sets containing $a$ would be
    $$\frac{1}{64} \sum_{s=1}^{\ell} |K_{i,s}| \le \frac{16}{64}\ell.$$
- If the sets $K_{i,s}$ have sizes close to 16, then an incorrect value $a$ seems to occur as frequently as $k_{4,i}$!

DES: Four Rounds

- On careful analysis, we get:
  - If $\delta \neq \gamma_i \oplus \gamma_i'$ then $k_{4,i}$ behaves like a wrong value.
  - Hence, $\Pr[k_{4,i} \in K_{i,s} \mid \delta \neq \gamma_i \oplus \gamma_i'] = \frac{|K_{i,s}|}{64}$.
  - Therefore, the expected number of sets containing $k_{4,i}$ would be
    $$\frac{14}{64}\ell + \sum_{\substack{1 \le s \le \ell \\ \delta \neq \gamma_i \oplus \gamma_i' \text{ for } s}} \frac{|K_{i,s}|}{64}.$$
- In comparison, the expected number of sets containing $a \neq k_{4,i}$ would be
  $$\sum_{\substack{1 \le s \le \ell \\ \delta = \gamma_i \oplus \gamma_i' \text{ for } s}} \frac{|K_{i,s}|}{64} + \sum_{\substack{1 \le s \le \ell \\ \delta \neq \gamma_i \oplus \gamma_i' \text{ for } s}} \frac{|K_{i,s}|}{64}.$$

DES: Four Rounds

- The gap between the two numbers is smallest when all $K_{i,s}$ have the maximum possible size, i.e., 16.
- Then the number for $k_{4,i}$ is
  $$\frac{14}{64}\ell + \frac{12.5}{64}\ell = \frac{26.5}{64}\ell.$$
- And the number for $a \neq k_{4,i}$ is
  $$\frac{16}{64}\ell.$$
- Choosing $\ell \ge 20$ would give a sufficient gap between the two expected values.
- Then $k_{4,i}$ can be identified as the most frequently occurring value in the sets $K_{i,1}, K_{i,2}, \ldots, K_{i,\ell}$.

DES: r Rounds

- For $r$-round DES, we extend the approach used for four rounds:
  - Predict the XOR of the output of round $r-2$ with as high a probability as possible.
  - This allows prediction of the output XOR for the S-boxes of the last round.
  - Coupled with knowledge of both outputs of the last round's $E$, we can extract the last round key as in four-round DES.
- In order to find the XOR of the output of round $r-2$, we define the notion of a characteristic.
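The last-round key recovery of Lecture 6 (three rounds: output XOR known exactly, so candidate sets can be intersected) and of the slides above (four rounds: output XOR predicted correctly only with probability 14/64, so candidates are counted and the most frequent one wins), as one added example for a single S-box. This is not code from the lecture notes; S1 is the standard DES S1 as printed on the S-1 slide. The hidden key chunk, the random $(\alpha_i, \alpha_i')$ pairs, and the way a failed prediction is modelled (the guessed XOR is then some other value) are constructed for the demo.

```python
"""Differential key recovery for one DES S-box: the exact three-round case
(output XOR known, intersect candidate sets) and the four-round case
(output XOR guessed right with probability 14/64, so vote and take the
most frequent key).

Added example, not code from the lecture notes. S1 is the standard DES S1
as printed on the S-1 slide. The hidden key chunk, the random pairs and the
model of a wrong prediction are constructed for the demo.
"""
import random
from collections import Counter

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """Row = first and last input bits, column = middle four bits."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]


def ddt(table):
    """ddt[din][dout] = number of inputs b with S(b) XOR S(b XOR din) = dout.
    This is |X_i| for input XOR din and output XOR dout."""
    t = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for b in range(64):
            t[din][sbox(table, b) ^ sbox(table, b ^ din)] += 1
    return t


def key_candidates(table, alpha, alpha_p, dout):
    """K_i = {alpha XOR beta : beta XOR beta' = alpha XOR alpha' and
    S(beta) XOR S(beta') = dout}. beta' is fixed by beta, so |K_i| is the
    DDT entry for (alpha XOR alpha', dout)."""
    din = alpha ^ alpha_p
    return {alpha ^ b for b in range(64)
            if sbox(table, b) ^ sbox(table, b ^ din) == dout}


def three_round_recovery(table, true_key, n_pairs, seed=7):
    """Three rounds: the output XOR of the last-round S-box is known exactly,
    so every K_i contains the key and intersecting the sets is safe."""
    rng = random.Random(seed)
    survivors = set(range(64))
    for _ in range(n_pairs):
        a, ap = rng.randrange(64), rng.randrange(64)        # alpha, alpha'
        dout = sbox(table, a ^ true_key) ^ sbox(table, ap ^ true_key)
        survivors &= key_candidates(table, a, ap, dout)
    return survivors


def four_round_recovery(table, true_key, n_pairs, p_correct=14 / 64, seed=7):
    """Four rounds: the predicted output XOR is right only with probability
    p_correct, so a set may miss the key. Vote instead of intersecting.
    Returns (most frequent key, vote counter)."""
    rng = random.Random(seed)
    votes = Counter()
    for _ in range(n_pairs):
        a, ap = rng.randrange(64), rng.randrange(64)
        true_dout = sbox(table, a ^ true_key) ^ sbox(table, ap ^ true_key)
        if rng.random() < p_correct:
            guess = true_dout                          # characteristic held
        else:
            guess = true_dout ^ rng.randrange(1, 16)   # model: some wrong XOR
        votes.update(key_candidates(table, a, ap, guess))
    best = max(range(64), key=lambda k: votes[k])
    return best, votes


if __name__ == "__main__":
    t = ddt(S1)
    print("pairs with input XOR 001100 and output XOR 1110:", t[0x0C][0xE])
    print("largest |X_i| for a non-zero input XOR:", max(max(r) for r in t[1:]))
    print("three rounds, 16 pairs:", three_round_recovery(S1, 0x2B, 16))
    best, votes = four_round_recovery(S1, 0x2B, 300)
    print("four rounds, 300 pairs: most frequent =", hex(best), "votes:", votes.most_common(3))
```

The difference distribution table makes the two slide claims checkable: the entry for input XOR 001100 and output XOR 1110 is 14, and no entry with a non-zero input XOR exceeds 16, which is the $|X_i| \le 16$ bound. The four-round simulation uses more pairs than the $\ell \ge 20$ of the slide because the simulated sets are typically much smaller than 16, so a larger $\ell$ gives a margin that is visible at a glance; the correct chunk still collects roughly $\frac{14}{64}\ell$ votes while every wrong one collects far fewer.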
Characteristic

- An $s$-round characteristic is a sequence
  $$(x_0, y_0, p_1, x_1, y_1, p_2, x_2, y_2, \ldots, p_s, x_s, y_s)$$
  where $|x_i| = 32 = |y_i|$.
- When the XOR of the output of round $i$ equals $x_i y_i$, then the XOR of the output of round $i+1$ equals $x_{i+1} y_{i+1}$ with probability $p_{i+1}$.
- $(6000\bar{0},\ \bar{0}\bar{0},\ 1,\ \bar{0}\bar{0},\ 6000\bar{0},\ \frac{14}{64},\ 6000\bar{0},\ 00828000)$ is a 2-round characteristic, as seen above.
  - $\bar{0}$ stands for the 16-bit string 0000.

Probability of a Characteristic

- The probability of an $s$-round characteristic $(x_0, y_0, p_1, x_1, y_1, p_2, x_2, y_2, \ldots, p_s, x_s, y_s)$ equals $\prod_{i=1}^{s} p_i$.
- The probability of a characteristic denotes the probability, over the choice of plaintext block pairs with XOR equal to $x_0 y_0$, that the XOR of the outputs of the $i$th round, $1 \le i \le s$, equals $x_i y_i$.
- The probability of the 2-round characteristic $(6000\bar{0}, \bar{0}\bar{0}, 1, \bar{0}\bar{0}, 6000\bar{0}, \frac{14}{64}, 6000\bar{0}, 00828000)$ equals $\frac{14}{64}$.

Breaking r-round DES

- To break $r$-round DES, we need an $(r-2)$-round characteristic:
  - We recover $k_r$ using this characteristic.
  - If the probability of the characteristic is $p$, and we use $\ell$ plaintext block pairs, $k_{r,i}$ will be present in about $p\ell + (1-p)\frac{\ell}{4}$ of the $X_i$'s.
  - Any other $a \neq k_{r,i}$ will be present in about $\frac{\ell}{4}$ pairs.
  - So $k_{r,i}$ is present in roughly $\frac{3}{4}p\ell$ additional pairs.
  - We need $\ell \approx \frac{20}{p}$ in order to ensure that $k_{r,i}$ is the most frequently occurring value.
- This technique is called differential cryptanalysis.
  - Proposed by Biham and Shamir in 1990.

Example Characteristics

- 3-round characteristic:
  $$(00828000,\ 6000\bar{0},\ \tfrac{14}{64},\ 6000\bar{0},\ \bar{0}\bar{0},\ 1,\ \bar{0}\bar{0},\ 6000\bar{0},\ \tfrac{14}{64},\ 6000\bar{0},\ 00828000).$$
- Another 3-round characteristic:
  $$(4008\bar{0},\ 0400\bar{0},\ \tfrac{1}{4},\ 0400\bar{0},\ \bar{0}\bar{0},\ 1,\ \bar{0}\bar{0},\ 0400\bar{0},\ \tfrac{1}{4},\ 0400\bar{0},\ 4008\bar{0}).$$
- A 5-round characteristic:
  $$(405C\bar{0},\ 0400\bar{0},\ \tfrac{1}{4},\ 0400\bar{0},\ 0054\bar{0},\ \tfrac{5}{128},\ 0054\bar{0},\ \bar{0}\bar{0},\ 1,\ \bar{0}\bar{0},\ 0054\bar{0},\ \tfrac{5}{128},\ 0054\bar{0},\ 0400\bar{0},\ \tfrac{1}{4},\ 0400\bar{0},\ 405C\bar{0}).$$


Iterative Characteristics

- 2-round characteristic:
  $$(\bar{0}\bar{0},\ 1960\bar{0},\ \tfrac{1}{234},\ 1960\bar{0},\ \bar{0}\bar{0},\ 1,\ \bar{0}\bar{0},\ 1960\bar{0}).$$
- This can be concatenated $r$ times to create a $2r$-round characteristic.
- The probability of the $2r$-round characteristic will be $\frac{1}{(234)^r}$.
- Can be used against 16-round DES:
  - The probability of the characteristic will be $\frac{1}{(234)^7} \approx \frac{1}{2^{55}}$.
  - The number of plaintext pairs required would be $\approx 2^{59}$, worse than brute-force.

15-round DES

- Invert the 2-round characteristic to
  $$(1960\bar{0},\ \bar{0}\bar{0},\ 1,\ \bar{0}\bar{0},\ 1960\bar{0},\ \tfrac{1}{234},\ 1960\bar{0},\ \bar{0}\bar{0}).$$
- Concatenating for 13 rounds gives a characteristic with probability $\frac{1}{(234)^6} \approx \frac{1}{2^{47}}$.
- The number of plaintext pairs required to break it is $\approx 2^{52}$, which is less than brute-force.
- Therefore, 16 is the minimum number of rounds that makes DES fully resistant against differential cryptanalysis.

Linear Cryptanalysis

- Proposed by Matsui in 1994.
- Exploits partial linearity present in the S-boxes.
- Breaks 16-round DES with a known-plaintext attack using around $2^{47}$ plaintext blocks.
- The only known method of breaking 16-round DES faster than brute-force.

Linearity in S5

- Let $b_0 b_1 \cdots b_5$ be the input bits to S-box S5, and $c_0 c_1 c_2 c_3$ the output bits. Then
  $$b_1 \oplus c_0 \oplus c_1 \oplus c_2 \oplus c_3 = 0$$
  with probability $\frac{12}{64}$.
- For round $i$, $L_{i-1} R_{i-1}$ is the input and $L_i R_i$ is the output.
- Let $R_i[j]$ denote the $j$th bit of $R_i$, $0 \le j \le 15$, and $R_i[j_1, j_2, \ldots, j_s] = \bigoplus_{t=1}^{s} R_i[j_t]$.
- The above equation can be written for round $i$ as
  $$R_{i-1}[15] \oplus K_i[22] \oplus L_{i-1}[7, 18, 24, 29] \oplus R_i[7, 18, 24, 29] = 0$$
  with probability $\frac{12}{64}$.


DES: Three Rounds

- Using the previous equation for round 1, we get that with probability $\frac{12}{64}$:
  $$R_0[15] \oplus K_1[22] \oplus L_0[7,18,24,29] = R_1[7,18,24,29] = L_2[7,18,24,29] = R_3[7,18,24,29] \oplus f(R_2, K_3)[7,18,24,29],$$
  where $f(R, K)$ is the non-linear function of DES.
- Therefore,
  $$R_0[15] \oplus L_0[7,18,24,29] \oplus R_3[7,18,24,29] \oplus f(R_2, K_3)[7,18,24,29] = K_1[22]$$
  with probability $\frac{12}{64}$.

DES: Three Rounds

- Since we know $R_0$, $L_0$, $R_3$, and $R_2 = L_3$, we can do the following:
  - Guess the six bits of $K_3$ that go into S5.
  - For $\ell$ choices of plaintext block, and using the guess of $K_3$, compute how many times the LHS is zero.
- If the guess for $K_3$ is wrong, the equation will be satisfied roughly half the time.
- If the guess is correct, either the LHS would be zero about $\frac{12}{64}\ell$ times or the LHS would be 1 about $\frac{12}{64}\ell$ times.
- This gives us six bits of $K_3$ and one bit of $K_1$.
- Doing the same for the third round gives one bit of $K_3$ and six bits of $K_1$, resulting in a total of 14 bits of key overall.
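The two ingredients of the last slides as an added example (not code from the lecture notes): counting for how many of the 64 inputs the S5 approximation $b_1 \oplus c_0 \oplus c_1 \oplus c_2 \oplus c_3 = 0$ holds, and the key-guessing count that picks the six $K_3$ bits feeding S5 and the $K_1$ bit. The S5 table is the standard DES S5, transcribed here because it is not printed on the slides. The attack is run on a constructed model in which all the known terms of the three-round equation are collapsed into one observed bit per plaintext; the hidden key chunk and the random inputs are likewise constructed.

```python
"""Linear cryptanalysis pieces from the slides: the S5 approximation
b1 XOR c0 XOR c1 XOR c2 XOR c3 = 0 (true for 12 of the 64 inputs) and the
counting attack recovering the six K3 bits entering S5 plus one K1 bit.

Added example, not code from the lecture notes. S5 is the standard DES S5,
transcribed here (it is not printed on the slides). The attack runs on a
constructed model, see simulate_observations.
"""
import random

S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def sbox(table, x):
    """Row = input bits b0 and b5, column = b1..b4 (b0 is the most significant)."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 0xF]


def input_bit(x, j):
    """b_j of the six-bit input b0 b1 ... b5."""
    return (x >> (5 - j)) & 1


def output_parity(y):
    """c0 XOR c1 XOR c2 XOR c3 of a four-bit output."""
    return bin(y).count("1") & 1


def approximation_count(table):
    """Number of inputs x with b1 XOR c0 XOR c1 XOR c2 XOR c3 = 0.
    32 of 64 would mean no linearity at all; 12 of 64 is a strong bias."""
    return sum(1 for x in range(64)
               if (input_bit(x, 1) ^ output_parity(sbox(table, x))) == 0)


def simulate_observations(k3_chunk, k1_bit, n, seed=3):
    """Constructed model of the three-round equation. For each plaintext the
    attacker knows x (the six bits of E(R2) entering S5 in round 3) and a bit
    t made of the other known terms. With the correct key guess,
    t XOR parity(S5(x XOR k3_chunk)) equals e XOR k1_bit, where e is the S5
    approximation evaluated on a uniformly random round-1 input u, so e is 0
    with probability 12/64 exactly as on the slide."""
    rng = random.Random(seed)
    obs = []
    for _ in range(n):
        u = rng.randrange(64)                               # hidden round-1 input
        e = input_bit(u, 1) ^ output_parity(sbox(S5, u))    # 0 w.p. 12/64
        x = rng.randrange(64)                               # known round-3 input
        t = e ^ k1_bit ^ output_parity(sbox(S5, x ^ k3_chunk))
        obs.append((x, t))
    return obs


def recover(obs):
    """Try all 64 guesses of the K3 chunk; for each, count how often the LHS
    is zero. A wrong guess gives about n/2; the correct one is far from n/2,
    and the side it lands on reveals K1[22]. Returns (k3_chunk, k1_bit)."""
    n = len(obs)
    best, best_dev, best_bit = None, -1.0, None
    for guess in range(64):
        zeros = sum(1 for x, t in obs
                    if (t ^ output_parity(sbox(S5, x ^ guess))) == 0)
        dev = abs(zeros - n / 2)
        if dev > best_dev:
            best, best_dev = guess, dev
            best_bit = 1 if zeros > n / 2 else 0   # LHS equals K1 bit w.p. 12/64
    return best, best_bit


if __name__ == "__main__":
    print("S5 approximation holds for", approximation_count(S5), "of 64 inputs")
    print("recovered (K3 chunk, K1 bit):", recover(simulate_observations(0x2D, 1, 2000)))
```

With the correct guess the LHS is zero for about $\frac{12}{64}$ of the plaintexts when $K_1[22] = 0$ and for about $\frac{52}{64}$ of them when $K_1[22] = 1$; every wrong guess XORs in an extra, roughly balanced S5 term and lands near $n/2$, which is why the most biased count identifies both the chunk and the bit.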

DES: Sixteen Rounds

- This can be extended to an equation for 16-round DES:
  $$L_0[7,18,24] \oplus R_0[12,16] \oplus L_{16}[15] \oplus R_{16}[7,18,24,29] \oplus f(R_{15}, K_{16})[15]$$
  $$= K_1[19,23] \oplus K_3[22] \oplus K_4[44] \oplus K_5[22] \oplus K_7[22] \oplus K_8[44] \oplus K_9[22] \oplus K_{11}[22] \oplus K_{12}[44] \oplus K_{13}[22] \oplus K_{15}[22].$$
- The equation holds with probability $\approx \frac{1.2}{2^{22}}$.
- Using $\approx 2^{47}$ plaintext blocks, 14 bits of the key can be recovered.
- The remaining 42 bits can be found by brute-force, resulting in an overall complexity of $\approx 2^{47}$.

CS641 Modern Cryptology
Lecture 8


Fields

Informal definition: a set of numbers on which full arithmetic can be done.

- The sets of rational numbers ($\mathbb{Q}$), real numbers ($\mathbb{R}$), and complex numbers ($\mathbb{C}$) are fields as they admit all four arithmetic operations: $+$, $-$, $*$, and $/$.
- The set of integers ($\mathbb{Z}$) is not a field as division is not always possible.

Non-standard Fields

- Consider $F_2 = \{0, 1\}$ with addition and multiplication modulo 2.
- Subtraction is the same as addition, and division is trivial.
- Is it a field?
- We need to formally define the notion of numbers and arithmetic operations to properly identify fields.

Groups

Definition. A set of elements $G$ with a binary operation $\cdot$ defined on elements such that:
1. $a \cdot b \in G$ for any $a, b \in G$ [closure]
2. $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for any $a, b, c \in G$ [associativity]
3. There exists $e \in G$ such that $a \cdot e = e \cdot a = a$ for any $a \in G$ [identity]
4. For any $a \in G$ there exists $b \in G$ such that $a \cdot b = e$ [inverse]

- Groups capture the properties of the $+$ and $*$ operations in a field.
  - $(\mathbb{Q}, +)$, $(\mathbb{R}, +)$, $(\mathbb{C}, +)$, $(\mathbb{Z}, +)$ are groups.
  - $(\mathbb{Q}\setminus\{0\}, *)$, $(\mathbb{R}\setminus\{0\}, *)$, and $(\mathbb{C}\setminus\{0\}, *)$ are groups but $(\mathbb{Z}\setminus\{0\}, *)$ is not.

Commutative Groups

Definition. A group $(G, \cdot)$ with the following additional property: $a \cdot b = b \cdot a$ for any $a, b \in G$ [commutativity].

- The example groups of the last slide are all commutative.
- Not all groups are commutative though:
  - $(GL_n(\mathbb{Q}), \cdot)$ is a non-commutative group: all $n \times n$ invertible matrices with rational entries under multiplication.
  - $(S_n, \circ)$ is a non-commutative group: all permutations of $[1, n]$ under composition.


Rings

Definition. A set of elements $R$ with two binary operations $+$ and $*$ defined on elements such that:
1. $(R, +)$ is a commutative group.
2. $(R\setminus\{0\}, *)$ satisfies the closure, associativity, and identity properties.
3. $a * (b + c) = a * b + a * c$ for any $a, b, c \in R$ [distributivity]

- Rings capture arithmetic without division:
  - $(\mathbb{Q}, +, *)$, $(\mathbb{R}, +, *)$, $(\mathbb{C}, +, *)$, $(\mathbb{Z}, +, *)$ are rings.
- $(R, +, *)$ is a commutative ring if the multiplication operation is also commutative:
  - $(M_n(\mathbb{Q}), +, \cdot)$ is a non-commutative ring, where $M_n(\mathbb{Q})$ is the set of $n \times n$ matrices with rational entries.

Fields

Definition. A set of elements $F$ with two binary operations $+$ and $*$ defined on elements such that:
1. $(F, +)$ is a commutative group.
2. $(F\setminus\{0\}, *)$ is a commutative group.
3. $a * (b + c) = a * b + a * c$ for any $a, b, c \in F$ [distributivity]

- Fields are commutative rings that admit division:
  - $(\mathbb{Q}, +, *)$, $(\mathbb{R}, +, *)$, and $(\mathbb{C}, +, *)$ are fields but $(\mathbb{Z}, +, *)$ is not.
- The set of non-zero elements of $F$ is represented as $F^*$.

Prime Fields

- Let $F_p = \{0, 1, \ldots, p-1\}$ for a prime $p$.
- Then $(F_p, +, *)$ is a field where arithmetic is modulo $p$:
  - $(F_p, +)$ is a commutative group, with the (additive) inverse of $a \in F_p$ being $p - a$ for $a \neq 0$.
  - $(F_p^*, *)$ is a commutative group, with the (multiplicative) inverse of $a \in F_p^*$ being $b \in F_p$ where $ab + rp = 1$.

Function Fields

- Let $F[x]$ be the set of all polynomials in $x$ with coefficients from a field $F$.
- Then $(F[x], +, *)$ is a commutative ring where arithmetic is over polynomials.
- Let $F(x)$ be the set of rational functions in $x$, that is:
  $$F(x) = \left\{ \frac{f(x)}{g(x)} \;\middle|\; f(x), g(x) \in F[x],\ g(x) \neq 0 \right\}.$$
- Then $(F(x), +, *)$ is a field:
  - The multiplicative inverse of $f/g$, $f \neq 0$, is $g/f$.
  - All other properties can be readily verified.


Prime Extension Fields

- Let $f(x) \in F_p[x]$ be an irreducible polynomial over $F_p$.
  - $f(x)$ cannot be factored as $f_1(x) f_2(x)$ with $f_1, f_2 \in F_p[x]$, both of degree $> 0$.
- Let the degree of $f$ be $d$.
- Define $F_{p^d}$ to be the set of all polynomials of degree $< d$ in $F_p[x]$.
- Then $(F_{p^d}, +, *)$ is a field with arithmetic modulo $p$ and $f(x)$:
  - All coefficients are reduced modulo $p$, and all powers of $x$ of degree $\ge d$ are reduced modulo $f(x)$.
  - The multiplicative inverse of $g \in F_{p^d}^*$ is $h \in F_{p^d}$ such that $gh + rf = 1$ modulo $p$.
  - The remaining properties are straightforward.

Finite Fields

- $(F, +, *)$ is a finite field if $|F|$ is finite.
- The fields $F_{p^d}$ for $d \ge 1$ and prime $p$ are examples of finite fields.

Theorem.
1. A finite field has size $p^d$ where $p$ is a prime and $d \ge 1$.
2. There is only one field of size $p^d$, namely $F_{p^d}$.

Finite Fields: Usefulness

- In cryptography, we often do arithmetic over the input plaintext to produce the ciphertext.
- Arithmetic operations over the natural fields ($\mathbb{Q}$, $\mathbb{R}$, $\mathbb{C}$) change the size: addition may add one bit and multiplication may double the bit size.
- This is undesirable, as we would prefer to have ciphertext of similar size as the plaintext.
- Therefore, we work over $F_{p^d}$ for a suitably chosen prime $p$ and $d \ge 1$.
- All numbers in $F_{p^d}$ have the same size; in particular, numbers in $F_{2^d}$ require $d$ bits.

Key Properties of Finite Groups

Order. Let $(G, \cdot)$ be a finite commutative group, and $a \in G$. The order of $a$ is the smallest non-zero number $k$ such that $a^k = e$.

Lemma. Order is well-defined for every element of a finite commutative group.

Proof.
- Let $a \in G$.
- Consider the set $A = \{a^i \mid i > 0\} \subseteq G$.
- Since $G$ is finite, $A$ is finite too.
- Let $a^k$ be the largest power of $a$ in $A$.
- Then $a^{k+1} = a^i$ for some $i \le k$.
- This gives $a^{k+1-i} = e$, showing that the order of $a$ is well-defined.


Key Properties of Finite Groups

Lemma. If the order of $a$ equals $k$, then for every $\ell$ such that $a^\ell = e$: $k \mid \ell$.

Proof.
- Let $m = \gcd(k, \ell) = uk + v\ell$ for some $u, v \in \mathbb{Z}$.
- Then $a^m = a^{uk + v\ell} = (a^k)^u \cdot (a^\ell)^v = e$.
- By definition of order, $k \le m$.
- Since $m \mid k$, $m = k$, showing $k \mid \ell$.

Key Properties of Finite Groups

Theorem. Let $(G, \cdot)$ be a finite commutative group. Then for every $a \in G$: $a^{|G|} = e$.

Proof.
- Let $m = |G|$ and $b_1, \ldots, b_m$ be all the elements of $G$.
- Consider the sequence of elements $ab_1, ab_2, \ldots, ab_m$.
- Each is in $G$ and they are distinct:
  - If $ab_i = ab_j$ then $b_i = b_j$.
- Therefore, $\prod_{i=1}^{m} b_i = \prod_{i=1}^{m} ab_i = a^m \prod_{i=1}^{m} b_i$.
- This shows $a^m = e$.

Corollary. For a finite group of size $m$, the order of every element divides $m$.

Key Properties of Finite Groups

Cyclic Groups. Let $(G, \cdot)$ be a commutative group. $G$ is cyclic if there exists $a \in G$ such that $G = \{a^i \mid i \in \mathbb{Z}\}$. The element $a$ is called a generator of the group. If $G$ is finite, then the order of $a$ equals $|G|$.

- $(\mathbb{Z}, +)$ is a cyclic group with generator 1.
- $(F_p, +)$ is a cyclic group with generator 1, and the order of 1 is $p$.
- $(\mathbb{Q}, +)$ is not a cyclic group.
- $(F_{p^d}, +)$ is not a cyclic group for $d > 1$.

Key Properties of Finite Fields

Theorem. For a finite field $F$, $(F^*, *)$ is a cyclic group.

Proof.
- Let $m = |F^*|$ and $m = \prod_{i=1}^{t} p_i^{r_i}$, where the $p_i$ are prime numbers and $r_i \ge 1$.
- Let $S_i = \{a \mid a \in F^* \text{ and the order of } a \text{ divides } p_i^{r_i}\}$.
- $S_i$ is also a group.
- $S_i$ is a cyclic group:
  - Let $a_i \in S_i$ be an element with maximum order $p_i^{s_i}$, for some $s_i \le r_i$.
  - The order of every element of $S_i$ will divide $p_i^{s_i}$.
  - Therefore, every element of $S_i$ satisfies the equation $y^{p_i^{s_i}} = 1$.
  - By the field property, $|S_i| \le p_i^{s_i}$.
  - Since $a_i$ has $p_i^{s_i}$ distinct powers, all in $S_i$, $a_i$ is a generator of $S_i$.


Key Properties of Finite Fields

- By the Structure Theorem of Finite Commutative Groups, any element of $F^*$ can be uniquely written as a product of one element of $S_i$ for each $i$.
- Therefore, $m = \prod_{i=1}^{t} p_i^{s_i}$.
- This forces $s_i = r_i$ for every $i$.
- Let $a = \prod_{i=1}^{t} a_i$.
- $a$ is a generator of $F^*$:
  - Let $a^{m'} = 1$.
  - Then $1 = a^{m'} = \prod_{i=1}^{t} a_i^{m'}$.
  - The above Structure Theorem forces $a_i^{m'} = 1$ for every $i$.
  - Therefore, $p_i^{r_i} \mid m'$, implying $m \mid m'$.

Key Properties of Finite Fields

Theorem. Let $F$ be any finite field. Then a polynomial $q(y) \in F[y]$ of degree $d$ has at most $d$ roots in $F$.

Proof is by induction on $d$.
- For $d = 1$, $q(y) = ay + b$ and so has at most one root ($= -b/a$) if $a \neq 0$.
- Assume the claim for $d - 1$, and consider $q(y)$ of degree $d$.
- Let $a \in F$ be a root of $q(y)$, that is, $q(a) = 0$.
- Then $q(y) = q(y) - q(a) = (y - a) \cdot q'(y)$, where $q'(y)$ has degree $d - 1$.
- Let $b \in F$ be another root of $q(y)$, $b \neq a$.
- Then $0 = q(b) = (b - a) \cdot q'(b)$.
- This implies $q'(b) = 0$.
- By the induction hypothesis, there are at most $d - 1$ roots of $q'(y)$ in $F$.
- So there are at most $d$ roots of $q(y)$ in $F$.
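An added example covering both the construction of $F_p$ and $F_{p^d} = F_p[x]/(f(x))$ from the Prime Fields and Prime Extension Fields slides (inverses found from $ab + rp = 1$ and $gh + rf = 1$ by the extended Euclidean algorithm) and the group facts just proved (the order of every element of $F^*$ divides $|F^*| = p^d - 1$, and $F^*$ has a generator). This is not code from the lecture notes. Polynomials are lists of coefficients in $F_p$, lowest degree first; the moduli used in the demo, $x^3 + x + 1$ over $F_2$ and $x^2 + 1$ over $F_3$, are standard irreducible choices assumed here.

```python
"""Arithmetic in F_p and in F_{p^d} = F_p[x]/(f(x)) as constructed on the
slides, plus the order of an element of F^* and a generator check.

Added example, not code from the lecture notes. Polynomials are lists of
coefficients in F_p, lowest degree first. The moduli used in the demo,
x^3 + x + 1 over F_2 and x^2 + 1 over F_3, are standard irreducible choices
assumed here.
"""


def inv_mod_p(a, p):
    """Inverse in F_p: b with a*b + r*p = 1, by the extended Euclidean algorithm."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F_p")
    old_r, r, old_s, s = a, p, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % p            # old_r == 1 because p is prime


def poly_trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_add(a, b, p, sign=1):
    """a + b (sign=1) or a - b (sign=-1) in F_p[x]."""
    n = max(len(a), len(b))
    pad = lambda v: v + [0] * (n - len(v))
    return poly_trim([(x + sign * y) % p for x, y in zip(pad(a), pad(b))])


def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return poly_trim(out)


def poly_divmod(a, b, p):
    """Quotient and remainder in F_p[x]; b must be non-zero."""
    a, b = poly_trim(a), poly_trim(b)
    inv_lead = inv_mod_p(b[-1], p)
    q, r = [0] * max(0, len(a) - len(b) + 1), list(a)
    while len(r) >= len(b):
        coef, shift = (r[-1] * inv_lead) % p, len(r) - len(b)
        q[shift] = coef
        for i, bc in enumerate(b):
            r[shift + i] = (r[shift + i] - coef * bc) % p
        r = poly_trim(r)
    return poly_trim(q), r


def poly_inv(g, f, p):
    """h with g*h + r*f = 1 (extended Euclid in F_p[x]); g non-zero, f irreducible."""
    old_r, r = poly_trim(g), poly_trim(f)
    if not old_r:
        raise ZeroDivisionError("0 has no inverse")
    old_s, s = [1], []
    while r:
        q, rem = poly_divmod(old_r, r, p)
        old_r, r = r, rem
        old_s, s = s, poly_add(old_s, poly_mul(q, s, p), p, sign=-1)
    scale = inv_mod_p(old_r[0], p)   # old_r is a non-zero constant: the gcd
    return poly_trim([(c * scale) % p for c in old_s])


class ExtField:
    """F_{p^d}: polynomials of degree < d over F_p, reduced modulo f."""

    def __init__(self, p, f):
        self.p, self.f = p, poly_trim([c % p for c in f])
        self.d = len(self.f) - 1

    def size(self):
        return self.p ** self.d

    def reduce(self, g):
        return poly_divmod(g, self.f, self.p)[1]

    def add(self, g, h):
        return poly_add(g, h, self.p)

    def mul(self, g, h):
        return self.reduce(poly_mul(g, h, self.p))

    def inv(self, g):
        return poly_inv(g, self.f, self.p)

    def order(self, g):
        """Smallest k > 0 with g^k = 1; by Lagrange it divides p^d - 1."""
        g = self.reduce(g)
        if not g:
            raise ValueError("0 is not in F^*")
        k, acc = 1, g
        while acc != [1]:
            acc, k = self.mul(acc, g), k + 1
        return k

    def is_generator(self, g):
        """g generates F^* iff its order is |F^*| = p^d - 1."""
        return self.order(g) == self.size() - 1
```

In $F_8$ with $f = x^3 + x + 1$ the element $x$ has order 7 and therefore generates $F_8^*$; in $F_9$ with $f = x^2 + 1$ the element $x$ has order 4 only (it is a square root of $-1$), while $x + 1$ has order 8 and is a generator. Checking `order` over every non-zero element against `size() - 1` is a direct test of the corollary that every order divides $|F^*|$.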

CS641 Modern Cryptology
Lecture 9

History

- By the end of the 1990s, the key size of DES had become amenable to brute-force attack:
  - In 1999, a distributed brute-force search recovered a DES key within one day.
- In 1997, the National Institute of Standards and Technology (US) announced a worldwide call for a new standard algorithm.
- Fifteen proposals were submitted, and eventually Rijndael, developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, was adopted as the Advanced Encryption Standard (AES) in 2001.


AES: Details

- Block size: 128 bits
- Key size: 128, 192, or 256 bits
- Number of rounds: 10, 12, or 14
- Each round has four operations in sequence: ByteSub, ShiftRow, MixColumn, AddRoundKey.
- Round keys are generated from the key using a fixed schedule.

Viewing a Block

- A block is 128 bits, or 16 bytes, long.
- It is viewed as an element of $F_{256}^{4 \times 4}$.
- In other words, a block is treated as a $4 \times 4$ matrix with elements from $F_{256}$:
  $$B = \begin{bmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{bmatrix}.$$

AES Operations: ByteSub

ByteSub:
  $$b_{ij} = \begin{cases} a_{ij}^{-1} & \text{if } a_{ij} \neq 0 \\ 0 & \text{otherwise} \end{cases} \qquad c_{ij} = T \cdot b_{ij} + c$$
$T$ is a fixed $8 \times 8$ invertible matrix over $F_2$ and $c$ is a fixed column vector over $F_2$.

- In $F_{256}^*$, $1/a_{ij} = a_{ij}^{254}$ since $a_{ij}^{255} = 1$.
- The only non-linear operation.
- Easily seen to be invertible.

AES Operations: ShiftRow

ShiftRow:
  $$\begin{bmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{bmatrix} \Rightarrow \begin{bmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{11} & a_{12} & a_{13} & a_{10} \\ a_{22} & a_{23} & a_{20} & a_{21} \\ a_{33} & a_{30} & a_{31} & a_{32} \end{bmatrix}.$$

- A left rotation by $i$ columns is applied to the $i$th row.
- Each column of the new matrix consists of one element from every column of the old matrix.


AES Operations: MixColumn

MixColumn:
$$
\begin{bmatrix}
a_{00} & a_{01} & a_{02} & a_{03} \\
a_{10} & a_{11} & a_{12} & a_{13} \\
a_{20} & a_{21} & a_{22} & a_{23} \\
a_{30} & a_{31} & a_{32} & a_{33}
\end{bmatrix}
\Rightarrow
\begin{bmatrix}
2 & 3 & 1 & 1 \\
1 & 2 & 3 & 1 \\
1 & 1 & 2 & 3 \\
3 & 1 & 1 & 2
\end{bmatrix}
\cdot
\begin{bmatrix}
a_{00} & a_{01} & a_{02} & a_{03} \\
a_{10} & a_{11} & a_{12} & a_{13} \\
a_{20} & a_{21} & a_{22} & a_{23} \\
a_{30} & a_{31} & a_{32} & a_{33}
\end{bmatrix}.
$$
- A fixed matrix is multiplied with the block matrix.
- Viewing each column as a degree three polynomial in $F_{256}[x]$, the operation is the same as multiplying the column polynomial by the fixed polynomial $3x^3 + x^2 + x + 2$ modulo $x^4 + 1$.

AES Operations: AddRoundKey

AddRoundKey:
$$
\begin{bmatrix}
a_{00} & a_{01} & a_{02} & a_{03} \\
a_{10} & a_{11} & a_{12} & a_{13} \\
a_{20} & a_{21} & a_{22} & a_{23} \\
a_{30} & a_{31} & a_{32} & a_{33}
\end{bmatrix}
\Rightarrow
\begin{bmatrix}
a_{00} & a_{01} & a_{02} & a_{03} \\
a_{10} & a_{11} & a_{12} & a_{13} \\
a_{20} & a_{21} & a_{22} & a_{23} \\
a_{30} & a_{31} & a_{32} & a_{33}
\end{bmatrix}
+
\begin{bmatrix}
k_{00} & k_{01} & k_{02} & k_{03} \\
k_{10} & k_{11} & k_{12} & k_{13} \\
k_{20} & k_{21} & k_{22} & k_{23} \\
k_{30} & k_{31} & k_{32} & k_{33}
\end{bmatrix}.
$$
- The round key matrix is added to the block matrix.
- Addition is bitwise XOR in $F_{256}$.
- Each round key matrix is derived from the key using a fixed algorithm.
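The ByteSub, ShiftRow, MixColumn and AddRoundKey operations described above, as an added worked example in Python (not code from the lecture notes). The function names are chosen here; the field modulus $x^8 + x^4 + x^3 + x + 1$ (0x11B) and the affine constant 0x63 are the standard AES values from FIPS-197, which the slides leave unstated. mix_column_poly checks the polynomial view of MixColumn against the matrix form.

```python
from functools import reduce
from operator import xor

# Field F_256 = F_2[x]/(x^8+x^4+x^3+x+1): the AES modulus 0x11B (FIPS-197),
# which the slides do not state explicitly.
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """1/a = a^254 in F_256^* since a^255 = 1; 0 maps to 0 as on the slides."""
    return reduce(lambda r, _: gf_mul(r, a), range(254), 1)

def byte_sub(a):
    """S-box: inversion, then c = T*b + c over F_2. T is applied as the XOR
    of b with its left rotations by 1..4 bits; c is the constant 0x63."""
    b = gf_inv(a)
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

def shift_row(s):
    """Row i of the 4x4 state is left-rotated by i positions."""
    return [row[i:] + row[:i] for i, row in enumerate(s)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(s):
    """Left-multiply the 4x4 state by the fixed matrix MIX over F_256."""
    return [[reduce(xor, (gf_mul(MIX[r][k], s[k][c]) for k in range(4)))
             for c in range(4)] for r in range(4)]

def mix_column_poly(col):
    """One column a0 + a1 x + a2 x^2 + a3 x^3 multiplied by 3x^3 + x^2 + x + 2
    modulo x^4 + 1: coefficient j collects c[(j-k) mod 4] * a_k."""
    c = [2, 1, 1, 3]
    return [reduce(xor, (gf_mul(c[(j - k) % 4], col[k]) for k in range(4)))
            for j in range(4)]

def add_round_key(s, k):
    """Bitwise XOR of the state with the round-key matrix."""
    return [[s[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]
```

The column [0xDB, 0x13, 0x53, 0x45] is the FIPS-197 MixColumn test vector, and 0x53 is the byte whose S-box value (0xED) FIPS-197 works out in full.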

AES: Rounds
- The number of rounds is 10, 12, or 14 depending on the key size chosen.
- There is one additional AddRoundKey operation performed before the first round.
- The last round does not have a MixColumn operation.
- In our analysis, we will focus on 10-round AES with a 128-bit key, the most commonly used variant.

Observations on AES
- MixColumn is the only operation that "mixes" elements of a block.
- Together with ShiftRow, in two rounds all elements get mixed up.
- Each operation is easily seen to be invertible, making decryption possible.
- ByteSub is the only non-linear operation; its linear part is chosen so that at least one operation is not within $F_{256}$.


AES Decryption
- The rounds and the ordering of round operations get reversed.
- AddRoundKey remains the same, except that the use of round keys is reversed.
- ShiftRow and ByteSub can be exchanged.
- AddRoundKey and MixColumn can be exchanged:
$$
M \cdot (B + K) = M \cdot B + M \cdot K.
$$
- Since MixColumn is not used in the last round, MixColumn and AddRoundKey of the second last encryption round can be exchanged and viewed as operations in the first decryption round.
- This allows the sequence of operations in encryption and decryption to be identical.

AES: One Round
- The sequence of operations is: AddRoundKey → ByteSub → ShiftRow → AddRoundKey.
- There is no MixColumn, as this is also the last round.
- There is no mixing, so encryption is byte-by-byte.
- Thus it can be broken with a 256 byte chosen-plaintext attack.

AES: Two Rounds
- The sequence of operations is: AddRoundKey → ByteSub → ShiftRow → MixColumn → AddRoundKey → ByteSub → ShiftRow → AddRoundKey.
- There is some mixing now, but still it is only on four-byte groups.
- Therefore, it can be broken with a $2^{32} \approx 4$GB chosen-plaintext attack.

AES: Three Rounds
- With MixColumn in two rounds, the entire block is mixed up, so a simple brute-force attack is not feasible.
- With keys being XORed, we can use differential cryptanalysis to try to remove their effect, as in DES.
- Let $x$ and $x + d_0$ be two values of a plaintext byte with fixed difference $d_0$.
- The difference remains the same after the AddRoundKey operation.
- It becomes
$$
\frac{1}{x} + \frac{1}{x + d_0} = \frac{d_0}{x(x + d_0)}
$$
after the non-linear part of ByteSub.
- The probability, over choices of $x$, that the difference now equals a specific value is at most $\frac{1}{128}$ provided $d_0 \neq 0$.


AES: Three Rounds
- Fixing the difference of all other bytes in a block to zero will maximize the probability of the difference being a fixed value after the ByteSub.
- After MixColumn, this difference will propagate to four bytes.
- Hence, after the first round, we get four bytes with a non-zero difference.

AES: Three Rounds
- The difference after ByteSub of the second round will be a fixed value with probability less than $2^{-128}$ since four bytes have a non-zero difference.
- MixColumn of the second round will spread the non-zero difference to all sixteen bytes.
- This will make the probability of knowing the difference after the third round ByteSub extremely small.
- Other simple variations of differential cryptanalysis also fail on three round AES.
- Attempting a linear cryptanalysis approach results in similar failure.

AES: Three Rounds
- AES was designed to be resistant against differential and linear cryptanalysis.
- A modified form of differential cryptanalysis, called the square attack, does break three round AES.
- In this attack, we consider a set of 256 plaintext blocks being encrypted simultaneously and trace patterns of byte values.

CS641 Modern Cryptology, Lecture 10


Square Attack: Setup
- Classify a given set of 256 byte values into four categories:
  - P: all 256 values are distinct
  - C: all 256 values are identical
  - Z: XOR of all 256 values equals zero
  - X: all patterns
- Clearly, P and C are also Z, and all three are also X.
- We aim for classification into the most restrictive pattern.

Square Attack: Setup
- Given a set of 256 plaintext blocks, we can write the pattern category for each of the 16 bytes in it.
- We represent this also as a matrix.
- For example, 256 plaintext blocks that differ only in the first byte represent the pattern:
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}.
$$
- And 256 plaintext blocks that are all 0's, all 1's, ..., all 255's represent the pattern:
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}.
$$

Square Attack: Analysis
- Let us analyze the effect of each of the AES operations on the different patterns.
- All operations except MixColumn operate on bytes, and MixColumn operates on columns.
- Therefore, except for MixColumn, the operations affect the byte pattern.
- MixColumn affects the column pattern.

Square Attack: Analysis of ByteSub
- The ByteSub operation has the following effect on the various patterns:
  - P goes to P.
  - C goes to C.
  - Z goes to X.
  - X goes to X.

Square Attack: Analysis of ShiftRow
- The ShiftRow operation has the following effect on the various patterns:
  - P goes to P.
  - C goes to C.
  - Z goes to Z.
  - X goes to X.

Square Attack: Analysis of AddRoundKey
- The AddRoundKey operation has the following effect on the various patterns:
  - P goes to P.
  - C goes to C.
  - Z goes to Z.
  - X goes to X.

Square Attack: Analysis of MixColumn
- The MixColumn operation has the following effect on the various column patterns:
$$
\begin{bmatrix} C \\ C \\ C \\ C \end{bmatrix} \Rightarrow \begin{bmatrix} C \\ C \\ C \\ C \end{bmatrix},
\qquad
\begin{bmatrix} P \\ C \\ C \\ C \end{bmatrix} \Rightarrow \begin{bmatrix} P \\ P \\ P \\ P \end{bmatrix},
\qquad
\begin{bmatrix} P \\ P \\ C \\ C \end{bmatrix} \Rightarrow \begin{bmatrix} Z \\ Z \\ Z \\ Z \end{bmatrix}.
$$

Square Attack: Analysis of MixColumn
$$
\begin{bmatrix} P \\ P \\ P \\ P \end{bmatrix} \Rightarrow \begin{bmatrix} Z \\ Z \\ Z \\ Z \end{bmatrix}:
$$
  - Let $v_1, \ldots, v_{256}$ be the input vectors with $v_i = \begin{bmatrix} \alpha_{i1} \\ \alpha_{i2} \\ \alpha_{i3} \\ \alpha_{i4} \end{bmatrix}$.
  - Let $u_i = M \cdot v_i$, with entries $u_{i,1}, \ldots, u_{i,4}$.
  - We have $u_{i,j} = \sum_{k=1}^{4} M[j,k]\,\alpha_{i,k}$.
  - Therefore,
$$
\sum_{i=1}^{256} u_{i,j} = \sum_{k=1}^{4} M[j,k] \sum_{i=1}^{256} \alpha_{i,k} = 0.
$$


Square Attack: Three Rounds of AES
- Input pattern:
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}.
$$
- Pattern movement (before first round):
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
$$

Square Attack: Three Rounds of AES
- Pattern movement (first round):
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
\xrightarrow{\text{ByteSub}}
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
\xrightarrow{\text{ShiftRow}}
\begin{bmatrix}
P & C & C & C \\
C & C & C & P \\
C & C & P & C \\
C & P & C & C
\end{bmatrix}
$$

Square Attack: Three Rounds of AES
- Pattern movement (first round):
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & P \\
C & C & P & C \\
C & P & C & C
\end{bmatrix}
\xrightarrow{\text{MixColumn}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$

Square Attack: Three Rounds of AES
- Pattern movement (second round):
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{ByteSub}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{ShiftRow}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$


Square Attack: Three Rounds of AES
- Pattern movement (second round):
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{MixColumn}}
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
$$
$$
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
$$

Square Attack: Three Rounds of AES
- Pattern movement (third round):
$$
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
\xrightarrow{\text{ByteSub} + \text{AddRoundKey}}
\begin{bmatrix}
X & X & X & X \\
X & X & X & X \\
X & X & X & X \\
X & X & X & X
\end{bmatrix}
$$
- ShiftRow of the last round can be undone.

Square Attack: Three Rounds of AES
- Consider the output ciphertext block corresponding to the $i$th plaintext block, for $i = 1, \ldots, 256$.
- Let $[k_{3,j,k}]$ be the key matrix used in the third round.
- For every $0 \le j, k \le 3$, do the following:
  - Guess the value of $k_{3,j,k}$.
  - Decrypt byte $(j,k)$ of each of the 256 ciphertext blocks for one round to compute 256 values.
  - Check if they sum to zero.
  - If not, the guess for $k_{3,j,k}$ was wrong and can be discarded.

Square Attack: Three Rounds of AES
- In this way, wrong values of $k_{3,j,k}$ can be eliminated.
- It will require a few sets of 256 plaintext blocks with the specified pattern.
- This allows the last round key to be recovered very efficiently.
- From this, the keys of all rounds can be computed.


Square Attack: Four Rounds of AES
- Input pattern:
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}.
$$
- Pattern movement (before first round):
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
$$

Square Attack: Four Rounds of AES
- Pattern movement (first round):
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
\xrightarrow{\text{ByteSub}}
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
\xrightarrow{\text{ShiftRow}}
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
$$

Square Attack: Four Rounds of AES
- Pattern movement (first round):
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & C \\
C & C & C & C \\
C & C & C & C
\end{bmatrix}
\xrightarrow{\text{MixColumn}}
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
$$

Square Attack: Four Rounds of AES
- Pattern movement (second round):
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
\xrightarrow{\text{ByteSub}}
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & C & C & C \\
P & C & C & C \\
P & C & C & C \\
P & C & C & C
\end{bmatrix}
\xrightarrow{\text{ShiftRow}}
\begin{bmatrix}
P & C & C & C \\
C & C & C & P \\
C & C & P & C \\
C & P & C & C
\end{bmatrix}
$$


Square Attack: Four Rounds of AES
- Pattern movement (second round):
$$
\begin{bmatrix}
P & C & C & C \\
C & C & C & P \\
C & C & P & C \\
C & P & C & C
\end{bmatrix}
\xrightarrow{\text{MixColumn}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$

Square Attack: Four Rounds of AES
- Pattern movement (third round):
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{ByteSub}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{ShiftRow}}
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
$$

Square Attack: Four Rounds of AES
- Pattern movement (third round):
$$
\begin{bmatrix}
P & P & P & P \\
P & P & P & P \\
P & P & P & P \\
P & P & P & P
\end{bmatrix}
\xrightarrow{\text{MixColumn}}
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
$$
$$
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
\xrightarrow{\text{AddRoundKey}}
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
$$

Square Attack: Four Rounds of AES
- Pattern movement (fourth round):
$$
\begin{bmatrix}
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z \\
Z & Z & Z & Z
\end{bmatrix}
\xrightarrow{\text{ByteSub} + \text{AddRoundKey}}
\begin{bmatrix}
X & X & X & X \\
X & X & X & X \\
X & X & X & X \\
X & X & X & X
\end{bmatrix}
$$
- ShiftRow of the last round can be undone.
- This can be broken in exactly the same way as three round AES.
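The per-operation pattern rules (Analysis of ByteSub, ShiftRow, AddRoundKey and MixColumn) carried through the three- and four-round pattern movements above, as an added symbolic tracer in Python (not code from the lecture notes). Function and constant names are chosen here; how MixColumn treats an X input column is an assumption not stated on the slides.

```python
# Added example, not from the lecture notes: a symbolic tracer applying the
# slides' per-operation rules to a 4x4 matrix of P/C/Z/X byte patterns.
# ByteSub is a bijection, so P and C survive; a Z set may become anything.
# ShiftRow only moves bytes and AddRoundKey XORs a constant: patterns unchanged.
BYTESUB = {"P": "P", "C": "C", "Z": "X", "X": "X"}

def byte_sub(m):
    return [[BYTESUB[p] for p in row] for row in m]

def shift_row(m):
    """Left-rotate row i by i positions (row 0 stays in place)."""
    return [row[i:] + row[:i] for i, row in enumerate(m)]

def mix_column_pattern(col):
    """The slides' column cases. The Z case is the linearity argument: the XOR
    over i of M*v_i equals M times the XOR of the v_i, which is zero when every
    input byte is P, C or Z. The X case is an assumption added here."""
    if "X" in col:
        return ["X"] * 4
    if all(p == "C" for p in col):
        return ["C"] * 4
    if col.count("P") == 1 and col.count("C") == 3:
        return ["P"] * 4   # M[j,k]*a_i + constant with M[j,k] != 0: a permutation
    return ["Z"] * 4

def mix_column(m):
    cols = [mix_column_pattern([m[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def trace(m, rounds):
    """(operation, round, pattern matrix) after each operation of `rounds`
    rounds; the last round has no MixColumn, the initial AddRoundKey is a no-op."""
    states = []
    for r in range(1, rounds + 1):
        ops = [("ByteSub", byte_sub), ("ShiftRow", shift_row)]
        if r < rounds:
            ops.append(("MixColumn", mix_column))
        ops.append(("AddRoundKey", lambda x: x))
        for name, f in ops:
            m = f(m)
            states.append((name, r, m))
    return states

def pattern_after(m, rounds, op, r):
    """Pattern matrix right after operation `op` of round `r`."""
    return next(s for o, k, s in trace(m, rounds) if (o, k) == (op, r))

# Constructed inputs from the slides: first column all P; a single P byte.
THREE_ROUND_INPUT = [["P", "C", "C", "C"] for _ in range(4)]
FOUR_ROUND_INPUT = [["P", "C", "C", "C"]] + [["C"] * 4 for _ in range(3)]
```

The state after the last MixColumn is all Z in both cases, which is the sum-to-zero check the key recovery relies on; the final ByteSub turns it into X.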


Current Status of AES Attacks
- AES can be efficiently broken only up to four rounds.
- There exists a chosen-ciphertext attack on full 10-round AES that takes time slightly less than brute-force: $\approx 2^{126}$ steps.