ETRI CIS OHP Form - PowerPoint PPT Presentation
Provided by: caislabK
Slides: 39

Transcript and Presenter's Notes
1
Differential Cryptanalysis
2
DC (Differential Cryptanalysis)
  • Introduction
  • Biham and Shamir, CR90, CR92
  • More efficient than exhaustive key search
  • Chosen plaintext attack
  • O(Breaking DES16) = 2^47
  • Utilizes the probabilistic distribution between
    input XOR and output XOR values, iteratively
  • Stimulated the announcement of the hidden design
    criteria of DES [Cop92]
  • Applies to other DES-like ciphers
  • E. Biham, A. Shamir, Differential Cryptanalysis
    of the Data Encryption Standard,
    Springer-Verlag, 1993

3
Eli Biham
  • Eli Biham (http://www.cs.technion.ac.il/biham/)
    is an Israeli cryptographer and cryptanalyst,
    currently a professor at the Technion - Israel
    Institute of Technology, Computer Science
    department. Biham received his Ph.D. for
    inventing (publicly) differential cryptanalysis,
    while working under Adi Shamir. It had, it turned
    out, been invented at least twice before. A team
    at IBM discovered it during their work on DES,
    and was requested/required to keep their
    discovery secret by the NSA, who evidently knew
    about it as well.
  • In addition to his many contributions to
    cryptanalysis, Biham has taken part in the design
    of several new cryptographic primitives:
  • Serpent (with Ross Anderson and Lars Knudsen), a
    block cipher which was one of the final five
    contenders to become the Advanced Encryption
    Standard
  • Tiger (with Ross Anderson), a hash function fast
    on 64-bit machines, and
  • Py (with Jennifer Seberry), a fast stream cipher
    which has some cryptanalytic claims against it.

4
DC of DES
  • Discard linear components (IP, FP)
  • Properties of XOR: X' = X ⊕ X*
  • E, P, IP: P(X) ⊕ P(X*) = P(X ⊕ X*) = P(X')
  • XOR: (X ⊕ Y) ⊕ (X* ⊕ Y*) = (X ⊕ X*) ⊕ (Y ⊕ Y*) = X' ⊕ Y'
  • Mixing key: (X ⊕ K) ⊕ (X* ⊕ K) = X ⊕ X* = X'
  • Differences (XOR) are linear in linear operations,
    and in particular the result is key independent.

5
XOR Distribution Table (I)

[Diagram: the input pair X, X* with X' = X ⊕ X* enters the S-box;
the output pair Y, Y* gives Y' = Y ⊕ Y*; the XDT tabulates the
(X', Y') counts.]

  • X' ∈ {0, 1, …, 63}, Y' ∈ {0, 1, …, 15}
  • For a given S-box, pre-compute in a table the number
    of pairs having input XOR X' and output XOR Y'
  • # of entries in DES S-boxes: 75-80

6
XOR Distribution Table(II)
  • XDT of the S-boxes in DES
  • In the first row (X' = 0), Y' = 0 for all 64 pairs
  • The remaining rows: average 4, sum 64, range
    0-16 (only even entries. Why?)
  • If the value is 0, there is no pair with that
    X' and Y'
  • If the value is 16, it occurs with probability
    16/64
  • Denoted as X' → Y' with probability p = count/64
  • Use 0 → 0 with p = 1, or entries of 16 (the highest
    value), for DC
  • How to design an S-box with a good XDT?

7
XOR Distribution Table of S4 box
8
Differential Characteristic
  • 2-round characteristic in the S1 box (0Cx → Ex
    with 14/64)

  Ω_P = (00 80 82 00 60 00 00 00x)
    a' = 60 00 00 00x  → F →  A' = 00 80 82 00x = P(E0 00 00 00x),  p = 14/64
    b' = 0x            → F →  B' = 0x,                               p = 1
  Ω_T = (60 00 00 00 00 00 00 00x)

  • 0110 (leading bits of a') → S1 input XOR 0Cx = 001100
    → S1 output XOR Ex = 1110

9
3-round characteristic
10
Searching Way for round keys
  • (1) Choose a suitable plaintext (Pt) XOR.
  • (2) Get 2 Pts with the chosen Pt XOR and obtain the
    corresponding Cts by encryption.
  • (3) From the Pt XOR and the pair of Cts, get the expected
    output XOR of the S-boxes in the final round.
  • (4) For each candidate final-round subkey, count the
    pairs consistent with the expected output XOR.
  • (5) The right key is the subkey suggested by the largest
    number of pairs with the expected output XOR.
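The following is an added example, not code from the slides: it builds the XOR distribution table of DES S1 described on slides 5-6 and then runs the subkey-counting procedure of steps (3)-(5) above on a toy cipher consisting of a single keyed S-box (c = S1(p ⊕ k)). The S1 table is the standard FIPS 46 one; the key 0x2B and the input XOR 0x0C are constructed sample values.

```python
# Added example (not from the slides): the XOR distribution table of DES S1
# from slides 5-6 and the subkey-counting step of slide 10, run on a single
# keyed S-box so that everything is checkable by hand.
from collections import Counter

# DES S-box S1, as specified in FIPS 46 (rows x columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """6-bit input -> 4-bit output; the outer two bits select the row,
    the middle four bits select the column (DES convention)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def xor_distribution_table(table):
    """xdt[X'][Y'] = number of inputs X with S(X) ^ S(X ^ X') == Y'.
    Every X is counted once, so each row sums to 64."""
    xdt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            xdt[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return xdt


def best_nontrivial_entries(xdt):
    """Entries with the largest count among rows X' != 0 (the ones DC uses)."""
    best = max(xdt[dx][dy] for dx in range(1, 64) for dy in range(16))
    hits = [(dx, dy) for dx in range(1, 64) for dy in range(16) if xdt[dx][dy] == best]
    return hits, best


def count_subkeys(pairs, table):
    """Steps (4)-(5) of the search on one S-box: each 6-bit subkey guess is
    scored by the number of pairs whose observed output XOR it reproduces.
    pairs: list of (p, p_star, c, c_star) with c = S(p ^ k), c_star = S(p_star ^ k)."""
    count = [0] * 64
    for p, p_star, c, c_star in pairs:
        for k in range(64):
            if sbox(table, p ^ k) ^ sbox(table, p_star ^ k) == c ^ c_star:
                count[k] += 1
    return count


def toy_attack(true_key, input_xor=0x0C, plaintexts=range(64)):
    """Chosen-plaintext toy cipher: one keyed S-box, c = S1(p ^ k).
    Returns the subkeys with the highest count, that count, and how often
    each output XOR was observed. Note that k and k ^ input_xor always tie,
    because the pair (p, p*) is the same pair under both keys."""
    pairs = [(p, p ^ input_xor, sbox(S1, p ^ true_key), sbox(S1, p ^ input_xor ^ true_key))
             for p in plaintexts]
    count = count_subkeys(pairs, S1)
    best = max(count)
    candidates = [k for k in range(64) if count[k] == best]
    output_xors = Counter(c ^ c_star for _, _, c, c_star in pairs)
    return candidates, best, output_xors


if __name__ == "__main__":
    xdt = xor_distribution_table(S1)
    print("S1: X' = 0C -> Y' = E occurs", xdt[0x0C][0xE], "times out of 64")
    entries, best = best_nontrivial_entries(xdt)
    print("largest non-trivial entries:", [(hex(a), hex(b)) for a, b in entries], "count", best)
    cands, score, seen = toy_attack(0x2B)   # 0x2B is a constructed sample key
    print("subkey candidates:", [hex(k) for k in cands], "score", score, "of 64 pairs")
    print("output XOR E observed", seen[0xE], "times")
```

Running all 64 plaintexts through the toy cipher makes the observed count of output XOR Ex exactly the XDT entry (14), because p ⊕ k ranges over every S-box input; with fewer chosen pairs the count only approximates 14/64, which is the probabilistic part of the attack.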

11
Iterative Characteristic
  • Self-concatenating probability
  • Best iterative characteristic of DES

  Ω_P = (19 60 00 00 00 00 00 00x)
    a' = 0x            → F →  A' = 0x,  p = 1
    b' = 19 60 00 00x  → F →  B' = 0x,  p = 14 × 8 × 10 / 64^3 = 1/234
      E(b') = 03 32 2C 00 00 00 00 00x
  Ω_T = (00 00 00 00 19 60 00 00x)

  • Compare with the previous 3-round characteristic

12
(No Transcript)
13
DC of DES16 (I)
  • 1st round: ? → ?
  • Up to round 13, using the best 2-round iterative
    characteristic 6.5 times, yields prob. (1/234)^6
    ≈ 2^-47.2
  • Final 2 rounds (2R attack): compute the round-13
    values from the ciphertext in the reverse direction
    → no effect on the overall prob.
  • Total complexity ≈ p^-1 ≈ 2^47

14
DC of DES16 (II)
  Rounds   # of chosen plaintexts
           CR90 [1]        CR92 [2]
  4        2^4
  6        2^8
  8        2^18            2^14
  10       2^35            2^24
  12       2^43            2^31
  14       2^51            2^39
  15       2^52            2^47
  16       2^58 (2^61)     2^47

  • Assume independent round keys
  • 1. Differential Cryptanalysis of DES-like
    Cryptosystems, Proc. of Crypto90, LNCS 537,
    pp. 2-21
  • 2. Differential Cryptanalysis of the full
    16-round DES, Proc. of Crypto92,
    LNCS 740, pp. 487-496
15
Additional results on DES by DC
  • The P permutation can't strengthen DES
  • Changing the order of the S-boxes can weaken it much,
    or strengthen it only up to 2^48
  • Replacing XORs by addition can weaken it much in
    some cases
  • Modifying S-boxes:
  • random: 2^18 - 2^20
  • modifying one entry (e.g., S(0) → S(4)): 2^33
  • uniform distribution table: 2^26

16
Linear Cryptanalysis
17
LC (Linear Cryptanalysis)
  • Introduction
  • Matsui, EC93 [1], CR94 [2]
  • Known plaintext attack
  • O(Breaking DES16) = 2^43
  • 12 HP workstations, 50-day operation
  • Utilizes the probabilistic distribution between
    input linear sum and output linear sum values,
    iteratively
  • Duality to DC: XOR branch vs. three-forked branch
  • Applies to other DES-like cryptosystems
  • 1. M. Matsui, Linear Cryptanalysis Method for DES
    Cipher, Proc. of Eurocrypt93, LNCS 765,
    pp. 386-397
  • 2. M. Matsui, The First Experimental Cryptanalysis
    of the Data Encryption Standard, Proc. of
    Crypto94, LNCS 839, pp. 1-11.

18
M. Matsui
  • Mitsuru Matsui is a Japanese cryptographer and
    senior researcher for Mitsubishi Electric
    Company. While researching error-correcting codes
    in 1990, Matsui was inspired by Biham and
    Shamir's differential cryptanalysis, and
    discovered the technique of linear cryptanalysis,
    published in 1993. Differential and linear
    cryptanalysis are the two major general
    techniques known for the cryptanalysis of block
    ciphers. The following year, Matsui was the first
    to publicly report an experimental cryptanalysis
    of DES, using the computing power of twelve
    workstations over a period of fifty days. He is
    also the author of the MISTY-1 and MISTY-2 block
    ciphers, and contributed to the design of
    Camellia and KASUMI.

19
Eurocrypt 1992, Hungary
20
XOR branch vs. 3-forked branch

[Diagram: one Feistel round i for DC (left) and LC (right). DC: the
differences ΔX_{i-1}, ΔX_i enter, the f-function F_i with key K_i
produces ΔY_i, and ΔX_i ⊕ ΔY_i leaves on the branch. LC: the masks
ΓX_i, ΓY_i sit on the input and output of F_i, with ΓY_{i-1} ⊕ ΓX_i
on the branch.]

XOR branch after the f-function, i.e., DC goes downstream
through the f-function: ΔX_i = ΔX_{i-2} ⊕ ΔY_{i-1} (3 ≤ i ≤ n)
with probability ∏_{i=1}^{n} p_i; ΔX_i is X_i's differential
value.

3-forked branch before the f-function, i.e., LC goes
upstream through the f-function: ΓY_i = ΓY_{i-2} ⊕ ΓX_{i-1}
(3 ≤ i ≤ n) with bias 2^{n-1} ∏_{i=1}^{n} (p_i − 1/2); ΓX_{i-1} is
X_{i-1}'s masking value.
21
Basic principle of LC
  • (Goal) Find a linear approximation
  • P[i1, i2, …, ia] ⊕ C[j1, j2, …, jb] = K[k1, k2, …, kc]
  • with significant prob. p (≠ 1/2)
  • where A[i, j, …, k] = A[i] ⊕ A[j] ⊕ … ⊕ A[k]
  • (Algorithm) MLE (Maximum Likelihood Estimation)
  • (Step 1) For the given P and C, compute
    X = P[i1, i2, …, ia] ⊕ C[j1, j2, …, jb]; let N = # of Pts
    given.
  • (Step 2) If #(X = 0) > N/2, then K[k1, k2, …, kc] = 0, else 1.
  • If #(X = 0) < N/2, then K[k1, k2, …, kc] = 1, else
    0. (For p > 1/2; the two guesses are swapped when p < 1/2.)

22
Linear Distribution Table(I)
  • For an S-box S_a (a = 1, 2, …, 8) of DES:
  • N_Sa(α, β) = #{x | 0 ≤ x < 64, parity(x · α) =
    parity(S(x) · β)}
  • 1 ≤ α ≤ 63, 1 ≤ β ≤ 15, · = dot product
    (bitwise AND)
  • Ex) N_S5(16, 15) = 12
  • The 5th input bit of the S5-box is equal to the
    linear sum of the 4 output bits with probability
    12/64.
  • X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] with prob. 0.19
  • X[15] ⊕ F(X, K)[7, 18, 24, 29] = K[22] ⊕ 1 with prob.
    1 − 0.19 = 0.81
  • (Note) least significant bit at the right,
    and index 0 at the least significant bit (little
    endian)

23
Linear Distribution Table (II)

[Diagram: the S_i-box with input mask α applied to X and output mask β
applied to S(X); N_Sa(α, β) counts the inputs on which the two
parities agree.]

  • N_Sa(α, β) has even values.
  • If α = 1, 32 (20x), 33 (21x), then N_Sa(α, β) = 32
  • N_Sa(α, β) varies from 0 to 64
24
3-round DES by LC

[Diagram: 3-round DES with P = (PH, PL) and C = (CH, CL). Round 1:
X1 enters F1 with K1, input mask bit 15, output mask bits 7, 18, 24, 29,
key bit K1[22], p1 = 12/64. Round 2: X2 enters F2 with K2 (no
approximation). Round 3: X3 enters F3 with K3, same masks, key bit
K3[22], p3 = 12/64.]

  X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15] = K1[22]   ---------- (1)
  X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15] = K3[22]   ---------- (2)

  (1) ⊕ (2) ⇒ X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15]
               ⊕ X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15]
               = K1[22] ⊕ K3[22],
  holding with prob. p1 p3 + (1 − p1)(1 − p3).
  Discard IP and FP as in DC.
25
Piling-up lemma in LC
  • If the independent random variables X_i (1 ≤ i ≤ n)
    have prob. p_i of the value 0 and (1 − p_i) of the value 1,
    then p = Prob(X1 ⊕ X2 ⊕ … ⊕ Xn = 0) is
  • p = 2^{n−1} ∏_{i=1}^{n} (p_i − 1/2) + 1/2.
  • The number of known pts required for LC with success
    prob. 97.7% is |p − 1/2|^{−2}

26
LC of DES16 (I)
  • (Preparation) Use the best iterative linear
    approximation
  • (Search stage)
  • Data counting: count the effective number of pts
    and cts, and derive the effective key bits (13-bit +
    13-bit)
  • Exhaustive search: the remaining 30 bits of the key

27
LC of DES16 (II)
  Rounds   # of known plaintexts
           EC93            CR94
  8        2^21
  12       2^33
  16       2^47            2^43
28
Strengthening DES
  • Key size expansion
  • Double encryption
  • e_K = E2(K2, E1(K1, P)), d_K = D1(K1, D2(K2, C))
  • Meet-in-the-middle attack
  • No effectiveness
  • Triple encryption
  • e_K = E(K1, D(K2, E(K1, P))), d_K = D(K1, E(K2, D(K1, C)))
  • e_K = E(K1, D(K2, E(K3, P))), d_K = D(K3, E(K2, D(K1, C)))
  • 112 or 168 bits

29
Variations
30
Variation of DC/LC
  • Multiple LC: Kaliski & Robshaw, CR94
  • Differential-Linear Cryptanalysis: Langford &
    Hellman, CR94
  • Truncated and Higher-order DC: Knudsen, FSE95
  • Nonlinear Approximation in LC: Knudsen, EC96
  • Partitioning Cryptanalysis: Harpes & Massey,
    FSE97
  • Interpolation Attack: Jakobsen & Knudsen, FSE97
  • Differential Attack with Impossible
    Characteristics: Biham, EC99, etc.
  • Related-key Attack: Kelsey, Schneier & Wagner,
    CR96

31
Asiacrypt 1996 / 2004, Korea
32
Side Channel Attack
33
Side Channel
  • Traditional Cryptographic Model vs. Side Channel

[Diagram: the traditional model, P → C = E(P, Ke) → insecure channel
(where the attacker sits) → P = D(C, Kd), with the keys Ke and Kd
distributed over a secure channel. The side channels leak from E()
and D() themselves: power consumption / timing / EM emissions /
acoustic, and radiation / temperature / power supply / clock rate,
etc.]
34
Timing Analysis
  • Paul C. Kocher, Timing Attacks on
    Implementations of Diffie-Hellman, RSA, DSS, and
    Other Systems, Advances in Cryptology - CRYPTO
    '96, Springer-Verlag, 1996, LNCS, Vol. 1109,
    pp. 104-113.
  • Cryptosystems can take different amounts of time
    to process different inputs:
  • Performance optimizations in software
  • Branching/conditional statements
  • Caching in RAM
  • Variable-length instructions (multiply, divide)
  • Countermeasures:
  • Make all operations run in the same amount of time
  • Set all operations to the time of the slowest one
  • Add random delays
  • Blind signature technique

35
Fault Analysis
  • D. Boneh, R. DeMillo, and R. Lipton, On the
    importance of checking cryptographic protocols
    for faults, Journal of Cryptology,
    Springer-Verlag, Vol. 14, No. 2, pp. 101-119,
    2001
  • Aim: cause errors during the processing of a
    cryptographic device
  • Simple Fault Analysis
  • Differential Fault Analysis
  • Countermeasures:
  • Verify the correctness of the output before transmitting
    it externally
  • Make devices tamper resistant (strong shielding,
    monitor supply voltages and clock speeds)
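The following is an added example, not code from the slides: it shows the "verify the output before transmitting it" countermeasure applied to an RSA-CRT signature, the setting the Boneh-DeMillo-Lipton paper is best known for. The key is a constructed toy key (two 7-digit primes, far too small for real use), the message 123456789 is a constructed sample, and the fault is simulated in software as a single flipped bit in the mod-q half of the computation.

```python
# Added example (not from the slides): the "verify the output before releasing
# it" countermeasure of slide 35, applied to an RSA-CRT signature. The key is a
# constructed toy key; a single-bit glitch in one CRT half is simulated in code.

# Constructed toy key: two small primes (far too small for real use).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents
Q_INV = pow(Q, -1, P)                   # q^-1 mod p for Garner recombination


def sign_crt(m, fault_in_q=False):
    """RSA-CRT signature s = m^D mod N.
    fault_in_q=True simulates a transient fault that flips one bit of the
    mod-Q half while the mod-P half stays correct."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q:
        sq ^= 1
    h = (Q_INV * (sp - sq)) % P          # Garner: s = sq + Q * h
    return (sq + Q * h) % N


def verify(m, s):
    """Public-key check s^E == m (mod N)."""
    return pow(s, E, N) == m % N


def checked_sign(m, fault_in_q=False):
    """Release the signature only if it verifies under the public key;
    a faulted result is withheld instead of being sent out."""
    s = sign_crt(m, fault_in_q)
    if not verify(m, s):
        raise RuntimeError("signature failed self-check; output withheld")
    return s


if __name__ == "__main__":
    msg = 123456789                                   # constructed sample message
    print("good signature verifies:", verify(msg, checked_sign(msg)))
    print("faulted signature verifies:", verify(msg, sign_crt(msg, fault_in_q=True)))
    try:
        checked_sign(msg, fault_in_q=True)
    except RuntimeError as err:
        print("checked_sign refused:", err)
```

The check costs one public-exponent exponentiation per signature, which is cheap next to the CRT halves; the point of the slide is that a faulted signature must never leave the device, and comparing against the public key is the simplest way to enforce that.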

36
Power Analysis
  • Paul C. Kocher, Joshua Jaffe and Benjamin Jun,
    Differential Power Analysis, Advances in
    Cryptology - CRYPTO '99, Springer-Verlag, 1999,
    LNCS, Vol. 1666, pp. 388-397
  • The power consumed by a cryptographic device is
    analyzed during the processing of the
    cryptographic operation
  • Simple Power Analysis
  • Differential Power Analysis
  • Countermeasures:
  • Don't use secret values in conditionals/loops
  • Ensure little variation in power consumption
    between instructions
  • Reduce power variations (shielding, balancing)
  • Randomness (power, execution, timing) counters
    on the card
  • Algorithm redesign (non-linear key update,
    blinding)
  • Hardware redesign (decoupled power supply, gate-
    level design)
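The following is an added example, not code from the slides: it makes the "don't use secret values in conditionals/loops" point of slide 36 (and the "branching" point of slide 34) concrete. A modular exponentiation is instrumented to record its sequence of squarings and multiplications, standing in for the shape of an SPA power trace; the textbook square-and-multiply exposes the exponent through that sequence, while a Montgomery ladder with an arithmetic (branch-free) register swap performs the same operations for every exponent of the same length. The exponent 0xB7C9, the base and the modulus are constructed sample values.

```python
# Added example (not from the slides): secret-dependent control flow versus a
# uniform operation sequence in modular exponentiation. The S/M trace stands
# in for what an SPA power trace would show.


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. The multiply runs only for 1 bits,
    so the S/M sequence is a function of the secret exponent."""
    trace, result = [], 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":               # secret-dependent branch
            result = result * base % mod
            trace.append("M")
    return result, trace


def recover_exponent(trace):
    """What an SPA trace of square_and_multiply gives away: 'S' followed by 'M'
    is a 1 bit, a lone 'S' is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def montgomery_ladder(base, exp, mod, nbits):
    """Always one multiply and one square per bit; the bit only decides which
    register is which, via an arithmetic swap instead of a branch.
    nbits is the public exponent length (e.g. the key size)."""
    r0, r1 = 1, base % mod
    trace = []
    for i in range(nbits - 1, -1, -1):
        mask = -((exp >> i) & 1)     # 0 or all-ones; no 'if' on the bit
        t = (r0 ^ r1) & mask
        r0, r1 = r0 ^ t, r1 ^ t      # swap when the bit is 1
        r1 = r0 * r1 % mod
        r0 = r0 * r0 % mod
        trace += ["M", "S"]
        t = (r0 ^ r1) & mask
        r0, r1 = r0 ^ t, r1 ^ t      # swap back
    return r0, trace


if __name__ == "__main__":
    base, mod, nbits = 123456789, 1000000007, 16    # constructed sample values
    secret = 0xB7C9                                  # constructed sample exponent
    result, trace = square_and_multiply(base, secret, mod)
    print("square-and-multiply trace:", "".join(trace))
    print("exponent read back from trace:", hex(recover_exponent(trace)))
    result2, trace2 = montgomery_ladder(base, secret, mod, nbits)
    _, trace3 = montgomery_ladder(base, 0x8001, mod, nbits)
    print("ladder traces identical for different exponents:", trace2 == trace3)
    print("both agree with pow():", result == result2 == pow(base, secret, mod))
```

The ladder still has to be paired with the other countermeasures on the slide: its operation sequence is uniform, but the operand values still differ per bit, which is what DPA-style statistics and the "blinding" item address.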

37
EM Emissions
  • D. Agrawal, B. Archambeault, J. R. Rao and
    P. Rohatgi, The EM Side-Channel(s),
    Cryptographic Hardware and Embedded Systems -
    CHES 2002, Springer-Verlag, 2003, LNCS, Vol.
    2523, pp. 29-45
  • 1950s: TEMPEST
  • EM side channels carry a higher variety of
    information and can additionally be exploited from
    a certain distance.
  • Countermeasures:
  • Redesign circuits
  • Shielding
  • EM noise

38
Acoustic Analysis
  • Acoustic Analysis
  • Keyboard Acoustic Emanations, Dmitri Asonov and
    Rakesh Agrawal, IBM Almaden Research Center,
    2004.
  • Acoustic cryptanalysis: On noisy people and
    noisy machines, Adi Shamir and Eran Tromer