Linear Cyptanalysis Method of the DES cipher Matsui

1
Linear Cyptanalysis Method of the DES
cipherMatsui
2
Todays punchline
Using Linear Cryptanalysis, 8-round DES can
be broken with 221 plaintexts and lt 30 seconds
computing time
3
IP and IP-1 are ignored
X1
X2
X16
I n p u t
O u t p u t
PL
CL
F1
F8
IP
K1
K8
IP -1
PH
CH
?
?
4
The functions Fi(Xi,Ki)
48 bit key not-so-complex function of K
32 bits -- half the output of the previous round
-- simply expanded to 48 bits
5
Ki Xi (expanded)
S0
4
6
S1
S2
?
S3
Fi(Xi,Ki)
S4
S5
S6
S7
6
8 Sboxes
For 0ltalt7, Sa 0,16 ? 0,14 The Sboxes are
supposedly random-like
7
Definition For variable (vector) X, let Xi1,
i2 ... ia Xi1 ? Xi2 ? ... Xia
8
Idea Determine equations of the form
Pi1, i2 ... ia ? Cj1, j2 ... jb Kk1, k2
... kc which are satisfied with probability
bounded away from 1/2, Each such equation
reduces the effective key size by 1
9
Non-randomness in the Sboxesdefinition
NSa(a,b) x0ltxlt63, ?0ltslt5(xs?as)
?0lttlt3(Sa(x)t?bt) The expectation of this
value is 32
10
The strange S-box, NS value
NS5(16,15) 12
This implies that, with probability 0.19, (for
fixed K, random X) that X15 ?
F(X,K)7,18,24,29 K22