
Algebraic-Differential Cryptanalysis of DES

Jean-Charles Faugère, Ludovic Perret, Pierre-Jean Spaenlehauer

UPMC - LIP6

CNRS

INRIA Paris - Rocquencourt

SALSA team

Journées C2

1/33 PJ Spaenlehauer


Plan

1 Introduction

2 Algebraic cryptanalysis of DES using Minisat
    Data Encryption Standard
    Modeling
    Experimental results

3 Algebraic-differential cryptanalysis of DES
    Algebraic-differential cryptanalysis
    Results on six, seven and eight rounds


Algebraic Cryptanalysis

Algebraic representation of a cryptographic primitive.

Tools for efficient polynomial system solving:

1 Gröbner Bases algorithms (Buchberger, Faugère F4 and F5).

2 SAT Solvers.

Remark

There is a very strong link between the modeling and the tools used for the resolution.

Challenge

Can algebraic cryptanalysis be efficient against block ciphers ?


Our work

SAT-solver attacks against DES using different modelings of the DES S-boxes.

Incorporation of elements from differential cryptanalysis:

new attacks against 6, 7 and 8 rounds of DES using dedicated characteristics.

Tradeoff between time and data complexity.


Polynomial System Solving

SAT Solvers ?

Very efficient and flexible dedicated software.

SAT-competition. Active research field.

Easy to use. Low memory consumption.


Courtois N.T., Bard G.V. and Jefferson C. Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers. http://eprint.iacr.org/2007/024.pdf

Replace each monomial by a new variable.

Cut linear equations into smaller equations (by adding new variables).

+ optimizations.

MiniSat2

Een, N. and Sorensson, N. MiniSat: A SAT solver with conflict-clause minimization
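The two conversion steps listed on this slide, as an added Python example (not code from the slides or from the cited paper): each monomial gets a fresh variable, long XORs are cut with auxiliary variables, and a brute-force check confirms that the CNF and the polynomial system have the same solutions. The three-equation system, the cutting length of 4 and all function names are constructed for illustration; the paper's further optimizations are not reproduced.

```python
from itertools import product

def xor_clauses(lits, rhs):
    """CNF for lits[0] ^ ... ^ lits[-1] == rhs: one clause per wrong-parity assignment."""
    return [[-v if b else v for v, b in zip(lits, bits)]
            for bits in product((0, 1), repeat=len(lits))
            if sum(bits) % 2 != rhs]

def anf_to_cnf(system, nvars, cut=4):
    """system: list of (monomials, const), each meaning sum(monomials) + const = 0 over GF(2).
    A monomial is a sorted tuple of distinct 1-based variable indices.
    Returns (clauses, total number of variables)."""
    clauses, mono_var, total = [], {}, nvars
    for monomials, const in system:
        lits = []
        for mono in monomials:
            if len(mono) > 1 and mono not in mono_var:
                total += 1                                # step 1: fresh variable t = product
                mono_var[mono] = t = total
                clauses += [[-t, v] for v in mono]        # t implies every factor
                clauses.append([t] + [-v for v in mono])  # all factors imply t
            lits.append(mono[0] if len(mono) == 1 else mono_var[mono])
        while len(lits) > cut:                            # step 2: cut a long XOR
            total += 1                                    # new variable = XOR of first cut-1 terms
            clauses += xor_clauses(lits[:cut - 1] + [total], 0)
            lits = [total] + lits[cut - 1:]
        clauses += xor_clauses(lits, const)
    return clauses, total

def cnf_solutions(clauses, total, nvars):
    """Brute-force the CNF and project its models onto the original variables."""
    sols = set()
    for bits in product((0, 1), repeat=total):
        if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses):
            sols.add(bits[:nvars])
    return sols

def anf_solutions(system, nvars):
    """Brute-force the polynomial system directly."""
    return {bits for bits in product((0, 1), repeat=nvars)
            if all((sum(all(bits[v - 1] for v in m) for m in monos) + c) % 2 == 0
                   for monos, c in system)}

# Constructed sparse quadratic system in x1..x4:
#   x1x2 + x3 + x4 + 1 = 0
#   x1x2 + x2x3 + x1 + x2 + x3 + x4 = 0
#   x3x4 + x1 + 1 = 0
SYSTEM = [
    ([(1, 2), (3,), (4,)], 1),
    ([(1, 2), (2, 3), (1,), (2,), (3,), (4,)], 0),
    ([(3, 4), (1,)], 1),
]

if __name__ == "__main__":
    cnf, total = anf_to_cnf(SYSTEM, 4)
    print(len(cnf), "clauses over", total, "variables")
    print(sorted(cnf_solutions(cnf, total, 4)))
```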


Sparse quadratic systems


Data Encryption Standard

Iterative Block Cipher

Block size : 64 bits

Effective size of the key : 56 bits

Encryption standard between 1976 and 2002

Why did we choose to study the DES ?


Main attacks against DES

Wiener, M.J. Efficient DES key search. Technical Report

Biham, E. and Shamir, A. Differential cryptanalysis of the full 16-round DES. Crypto'1992

Knudsen, L.R. Partial and higher order differentials and applications to the DES. BRICS report

Matsui, M. Linear cryptanalysis method for DES cipher. EUROCRYPT'1993


DES Structure

Feistel network

S-boxes : non-linear part of the system


Algebraic cryptanalysis of DES using Minisat

Starting point

N.T. Courtois, G.V. Bard. Algebraic Cryptanalysis of the Data Encryption Standard. IMA Int. Conf. 2007

General principle

1 known plaintext.

Model the cryptosystem by a set of clauses.

Use Minisat to extract the key.

Remark

We can combine this approach with an exhaustive search over some bits of the key.


S-boxes modeling (I)

We have considered several modelings of the DES S-boxes.

The choice of the modeling is very important.

Our modeling

We search (exhaustively) for the set of polynomials which verify:

$$P(x_1, \dots, x_6, y_1, \dots, y_4) = \prod (x_i + \alpha_i) \prod (y_i + \beta_i), \quad \alpha_i, \beta_i \in \{0, 1\}$$

such that

$$S(x_1, \dots, x_6) = (y_1, \dots, y_4) \Rightarrow P(x_1, \dots, x_6, y_1, \dots, y_4) = 0$$

Complexity : $3^{10}$
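An added Python sketch of this exhaustive search on the DES S-box S1 (not the authors' code): every product of factors (v + α) that vanishes on the graph of S is one CNF clause, and the search space is the 3^10 ways of leaving each of the ten variables out or including it with α = 0 or 1. The function names and the pruning to minimal products are choices made here; the slides do not say how their clause sets were selected, so the resulting count is not claimed to match theirs.

```python
# DES S-box S1 (from the DES standard).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """6-bit input -> 4-bit output; bits 1 and 6 select the row, bits 2-5 the column."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

NBITS = 10                       # x1..x6 in the high bits, y1..y4 in the low bits
FULL = (1 << NBITS) - 1
GRAPH = [(x << 4) | s1(x) for x in range(64)]   # the 64 points (x, S(x))

def submasks(m):
    """All bit patterns contained in mask m, including 0."""
    s = m
    while True:
        yield s
        if s == 0:
            return
        s = (s - 1) & m

def vanishing_products(graph=GRAPH):
    """Return {mask: set of patterns f}. The pair (mask, f) stands for the product of
    (v_i + alpha_i) over the variables in mask, with alpha_i = NOT f_i. That product
    equals 1 only where the masked bits equal f, so it vanishes on the graph exactly
    when no graph point projects to f."""
    seen = {m: {p & m for p in graph} for m in range(1, FULL + 1)}
    return {m: {f for f in submasks(m) if f not in seen[m]} for m in seen}

def minimal(products):
    """Keep only products from which no single factor can be dropped."""
    out = []
    for m, pats in products.items():
        bits = [1 << i for i in range(NBITS) if (m >> i) & 1]
        for f in pats:
            if all((f & ~b) not in products.get(m & ~b, ()) for b in bits):
                out.append((m, f))
    return out

def holds(clause, point):
    """A clause (mask, f) is satisfied unless the point matches the forbidden pattern."""
    m, f = clause
    return (point & m) != f

if __name__ == "__main__":
    prods = vanishing_products()
    print("vanishing products:", sum(len(v) for v in prods.values()))
    print("minimal clauses   :", len(minimal(prods)))
```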


S-box modeling (II)

S-box   Nb of clauses
S1      1624
S2      1844
S3      1767
S4      1881
S5      1812
S6      1705
S7      1673
S8      2047

For 6 rounds : 792 variables and 90086 clauses.

+ partial exhaustive search on 28 bits of the key.


Experimental results


Our approach

Limit

Algebraic cryptanalysis usually considers only one known plaintext.

We combine algebraic cryptanalysis and statistical techniques to exploit efficiently the knowledge of several plaintexts.

Tradeoff time/plaintexts.

In particular, we consider differential cryptanalysis.


Differential cryptanalysis (I)

The principle was known by the DES designers.

Based on a statistical bias of the S-boxes.

Key recovery attack.

We try to predict how the difference of a pair of plaintexts will diffuse through the cipher.


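Differential cryptanalysis of the 3 round-reduced DES

Input difference: (A0L, 00 00 00 00x)

F1: 00 00 00 00x → 00 00 00 00x; difference after round 1: (00 00 00 00x, A0L)

F2: A0L → B; difference after round 2: (A0L, B)

F3: difference after round 3: (A3L, A3R)

∆in = B = A3L

∆out = A0L ⊕ A3R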


Differential cryptanalysis (II)

More than 3 rounds

Statistical method.

Differential characteristics.

A lot of plaintexts needed.


Motivations

Compromise between algebraic cryptanalysis and differential cryptanalysis.

We can use the strong correlation between the subkeys.

The notion of difference is easy to represent with clauses.

We only need one pair following the characteristic to retrieve the key.


General algorithm

Repeat until the key is found :

Choose a differential characteristic.

Choose two plaintexts with difference fixed by the characteristic.

Construct the system of clauses for DES, and add the clauses corresponding to the characteristic.

Solve with MiniSat. If the result is UNSATISFIABLE, restart (it means that the pair didn't follow the characteristic). If the result is SATISFIABLE, then MiniSat returns the key.


Six rounds

Approach

Classical differential characteristics.

Combination of different characteristics to reduce the data complexity.

How to combine

We can run MiniSat 6 times with 7 plaintexts.

Six 3-round characteristics $\Delta_1, \dots, \Delta_6$.

7 plaintexts $m_0, \dots, m_6$ such that $m_i = m_0 \oplus \delta_i$.


Experimental results

Cryptanalysis                                              Plaintexts   Time
Differential (Biham, Shamir)                               240          0,3 seconds
Differential (Knudsen)                                     46           a few seconds
Algebraic with SAT Solver (Courtois, Bard)                 1            225 seconds
Algebraic-differential                                     32           3000 seconds
Algebraic-differential (combination of characteristics)    22           <10 hours


Seven rounds

For seven rounds and more, the classical differential characteristics don't seem to be adapted.

We have used a dedicated differential characteristic.

Truncated characteristic with probability 1/1000.


S-Box   δin    δout   Probability
S1      4x     6x     10/64
S1      8x     3x     12/64
S2      4x     10x    10/64
S2      4x     12x    10/64
S2      8x     9x     10/64
S2      8x     10x    16/64
S2      12x    5x     14/64
S3      4x     9x     12/64
S3      8x     3x     10/64
S3      12x    5x     12/64
S3      12x    6x     12/64
S4      4x     6x     12/64
S4      4x     9x     12/64
S5      4x     6x     10/64
S5      8x     6x     10/64
S5      8x     10x    10/64
S5      12x    3x     10/64
S5      12x    6x     10/64
S5      12x    10x    10/64
S6      8x     6x     16/64
S6      12x    3x     12/64
S6      12x    5x     10/64
S7      8x     10x    12/64
S7      12x    12x    14/64
S8      4x     12x    10/64
S8      12x    5x     10/64
S8      12x    6x     10/64


∆0L = 00 20 20 00, ∆0R = 00 00 06 00

Fk1: 00 00 06 00 → 00 20 20 00 with probability 12/64

∆1L = 00 00 06 00, ∆1R = 00 00 00 00

Fk2: 00 00 00 00 → 00 00 00 00 with probability 1

∆2L = 00 00 00 00, ∆2R = 00 00 06 00

Fk3: 00 00 06 00 → 00 20 20 00 with probability 12/64

∆3L = 00 00 06 00, ∆3R = 00 20 20 00

Fk4: 00 20 20 00 → 04 04 01 80 with probability 100/64^2

∆4L = 00 20 20 00, ∆4R = 04 04 07 80

Fk5: 04 04 07 80 with probability 1

∆5L = 04 04 07 80, ∆5R = %%0%00%00%%%%0000%%%0%000%0%%00%
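An added Python example (not from the slides) that computes the difference distribution table of S1, confirms the two S1 rows of the S-box table above, and multiplies the per-round probabilities of this five-round characteristic to recover the order of magnitude quoted for it. It reads the round-4 probability as 100/64^2 and takes the S1 table from the DES standard; the function names are illustrative.

```python
from fractions import Fraction

# DES S-box S1 (from the DES standard).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """6-bit input -> 4-bit output; bits 1 and 6 select the row, bits 2-5 the column."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def ddt(sbox):
    """table[din][dout] = number of the 64 inputs x with sbox(x) ^ sbox(x ^ din) == dout."""
    table = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            table[din][sbox(x) ^ sbox(x ^ din)] += 1
    return table

def strong_transitions(table, dins=(0x04, 0x08, 0x0C), min_count=10):
    """Transitions (din, dout, count) for input differences confined to the two middle
    input bits, which the expansion E does not copy into a neighbouring S-box."""
    return [(din, dout, n) for din in dins
            for dout, n in enumerate(table[din]) if n >= min_count]

def characteristic_probability(round_probs):
    """Probability of a characteristic as the product of its per-round probabilities."""
    p = Fraction(1)
    for q in round_probs:
        p *= q
    return p

# Per-round probabilities of the five-round characteristic as printed on the slide
# (round 4 read as 100/64^2, an assumption about the flattened superscript).
ROUND_PROBS = [Fraction(12, 64), Fraction(1), Fraction(12, 64),
               Fraction(100, 64 ** 2), Fraction(1)]

if __name__ == "__main__":
    for din, dout, n in strong_transitions(ddt(s1)):
        print(f"S1: {din:#x} -> {dout:#x}  {n}/64")
    p = characteristic_probability(ROUND_PROBS)
    print("characteristic probability:", p, "~ 1/%d" % round(1 / p))
```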


Experimental results

7 rounds cryptanalysis

2000 chosen plaintexts

3 hours

Not many results on 7 rounds in the literature.


Eight rounds

We have found a 5-round truncated differential characteristic with probability 1/5800.

+ partial exhaustive search over 8 bits of the key.

8 rounds cryptanalysis

11600 chosen plaintexts and 225 seconds.


Summary

Rounds   Cryptanalysis                   Nb of plaintexts   Time
6        diff (Biham, Shamir)            240 (chosen)       0,3 s
6        diff (Knudsen)                  46 (chosen)        <10 s
6        alg (Courtois, Bard)            1 (known)          225 s
6        diff + alg                      32 (chosen)        3000 s
6        diff + alg                      22 (chosen)        <10 h
7        diff + alg                      2000 (chosen)      10000 s
8        diff (Biham, Shamir)            50000 (chosen)     100 s
8        lin (Matsui)                    2^20 (known)       40 s
8        diff + alg                      11500 (chosen)     225 s
8        diff+lin (Hellman, Langford)    512 (chosen)       few seconds


Conclusion

Use of statistical methods in algebraic cryptanalysis.

→ New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics.

Tradeoff plaintexts/time.

Related work (Cryptanalysis of Present)

M. Albrecht and C. Cid. Algebraic Techniques in Differential Cryptanalysis. FSE 2009

Future work

Extension of this attack for more rounds ?

Algebraic-differential cryptanalysis of DES with Gröbner Bases ?

Other cryptosystems ?

Other statistical tools (differential-linear cryptanalysis, ...) ?
