CS349 Cryptography
Department of Computer Science, Wellesley College
Substitution-permutation ciphers
Linear cryptanalysis
Linear cryptanalysis 12-2
Block ciphers
o Modern product ciphers incorporate a sequence of permutation and substitution operations.
Linear cryptanalysis 12-3
Substitution-permutation networks
o The game is to do this over and over again: substitution for confusion and permutation for diffusion.
o A typical iterated cipher requires a round function and a key schedule.
Linear cryptanalysis 12-4
Key schedules and round functions
o Round keys, $K^1, \ldots, K^{N_r}$, are constructed from a random binary key, $K$, using some fixed, public algorithm.
o A round function, $g$, takes as inputs $K^r$ and the current state $w^{r-1}$ and produces the next state, $w^r$.*
*The plaintext is the initial state, $w^0$.
$w^0 \leftarrow x$
$w^1 \leftarrow g(w^0, K^1)$
$w^2 \leftarrow g(w^1, K^2)$
$\ldots$
$w^{N_r-1} \leftarrow g(w^{N_r-2}, K^{N_r-1})$
$w^{N_r} \leftarrow g(w^{N_r-1}, K^{N_r})$
$y \leftarrow w^{N_r}$
Linear cryptanalysis 12-5
Substitution and permutation
o Plaintext and ciphertext are broken into binary sequences of length $\ell m$, the block length.
o A permutation $\pi_S: \{0,1\}^\ell \to \{0,1\}^\ell$, called an S-box, substitutes each set of $\ell$ bits for another.
o A permutation $\pi_P: \{1, \ldots, \ell m\} \to \{1, \ldots, \ell m\}$ mixes everything up.
Linear cryptanalysis 12-6
In the example shown, . . .
o . . . the S-boxes are given by the substitutions:
o . . . while the permutation is:
Linear cryptanalysis 12-7
We still need a key schedule
o Given a 32-bit key $K = (k_1, \ldots, k_{32})$, define $K^r$, for $1 \le r \le 5$, to consist of 16 consecutive bits of $K$, beginning with $k_{4r-3}$.
o For $K$ given by
0011 1010 1001 0100 1101 0110 0011 1111
the round keys are:
$K^1$ = 0011 1010 1001 0100
$K^2$ = 1010 1001 0100 1101
$K^3$ = 1001 0100 1101 0110
$K^4$ = 0100 1101 0110 0011
$K^5$ = 1101 0110 0011 1111
Linear cryptanalysis 12-8
For x = 0010 0110 1011 0111
Linear cryptanalysis 12-9
Linear cryptanalysis
o The object of linear cryptanalysis is to find a probabilistic linear relationship between subsets of plaintext and ciphertext bits.*
o The attacker computes the XOR of the relevant bits in the relationship using various keys in order to find a key that yields a nonrandom distribution.
*Thus, this is a known-plaintext attack.
Linear cryptanalysis 12-10
Before the details, we need . . .
o Suppose $X_1, X_2, \ldots$ are independent random variables taking values from the set $\{0, 1\}$ such that $\Pr[X_i = 0] = p_i$ and $\Pr[X_i = 1] = 1 - p_i$.
o The independence of $X_i$ and $X_j$ implies that
$\Pr[X_i = 0, X_j = 0] = p_i p_j$
$\Pr[X_i = 0, X_j = 1] = p_i (1 - p_j)$
$\Pr[X_i = 1, X_j = 0] = (1 - p_i) p_j$
$\Pr[X_i = 1, X_j = 1] = (1 - p_i)(1 - p_j)$
o We compute $\Pr[X_i \oplus X_j = 0]$ and $\Pr[X_i \oplus X_j = 1]$.
Linear cryptanalysis 12-11
A random variable's bias
o The bias of a random variable $X_i$ is $\varepsilon_i = p_i - \tfrac{1}{2}$.
o Observe that $-\tfrac{1}{2} \le \varepsilon_i \le \tfrac{1}{2}$, $\Pr[X_i = 0] = \tfrac{1}{2} + \varepsilon_i$, and $\Pr[X_i = 1] = \tfrac{1}{2} - \varepsilon_i$.
Linear cryptanalysis 12-12
The piling-up lemma*
Lemma. Let $\varepsilon_{i_1, i_2, \ldots, i_k}$ denote the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$. Then
$$\varepsilon_{i_1, i_2, \ldots, i_k} = 2^{k-1} \prod_{j=1}^{k} \varepsilon_{i_j}.$$
Corollary. Let $\varepsilon_{i_1, i_2, \ldots, i_k}$ denote the bias of the random variable $X_{i_1} \oplus X_{i_2} \oplus \cdots \oplus X_{i_k}$. Suppose that $\varepsilon_{i_j} = 0$ for some $j$; then $\varepsilon_{i_1, i_2, \ldots, i_k} = 0$.
*Proof by induction on $k$.
Linear cryptanalysis 12-13
Linear approximations of S-boxes
o Consider an S-box $\pi_S: \{0,1\}^m \to \{0,1\}^n$.
o Assume the input is chosen uniformly at random from $\{0,1\}^m$.*
o Similarly, each output coordinate $y_j$ defines a random variable $Y_j$ taking values 0 and 1.
*Thus, each input coordinate $x_i$ defines a random variable $X_i$ taking on values 0 and 1, and these $X_i$ are independent with zero biases.
Linear cryptanalysis 12-14
In our example, . . .
o . . . the permutation $\pi_S: \{0,1\}^4 \to \{0,1\}^4$ is given by:
o The random variable $X_1 \oplus X_4 \oplus Y_2$ is unbiased.
Linear cryptanalysis 12-15
Linear approximation table $N_L(a, b)$
*Bias of the binary 8-tuple: $\varepsilon(a, b) = \Pr(a, b) - \tfrac{1}{2} = N_L(a, b)/16 - \tfrac{1}{2}$.
Linear cryptanalysis 12-16
A linear attack on an SPN
o We find a linear approximation of S-boxes incorporating four active S-boxes:
$S^1_2$: $T_1 = U^1_5 \oplus U^1_7 \oplus U^1_8 \oplus V^1_6$ has bias $1/4$
$S^2_2$: $T_2 = U^2_6 \oplus V^2_6 \oplus V^2_8$ has bias $-1/4$
$S^3_2$: $T_3 = U^3_6 \oplus V^3_6 \oplus V^3_8$ has bias $-1/4$
$S^3_4$: $T_4 = U^3_{14} \oplus V^3_{14} \oplus V^3_{16}$ has bias $-1/4$
o Assuming independence of the $T_i$, the piling-up lemma implies that $T_1 \oplus T_2 \oplus T_3 \oplus T_4$ has bias $-1/32$.
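The computations behind slides 12-11 through 12-16, as an added example that is not part of the original slides: the linear approximation table $N_L(a, b)$, the bias $\varepsilon(a, b) = N_L(a, b)/16 - 1/2$ from the footnote, the piling-up lemma checked against a direct enumeration, and the four-S-box trail whose biases $1/4, -1/4, -1/4, -1/4$ pile up to $-1/32$. The S-box is an assumption: the slide's own table was an image that did not survive extraction, so the 4-bit S-box of the textbook example these slides follow is used; every function name is mine. Masks follow the slides' bit numbering, bit 1 of a nibble being the most significant.

```python
from fractions import Fraction
from itertools import product

# Assumed S-box (the slide's table is missing from this text): the textbook example's S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def dot(a, x):
    """a . x: XOR of the bits of x selected by mask a (bit 1 of the slides = MSB here)."""
    return parity(a & x)


def linear_approximation_table(sbox=SBOX):
    """N_L(a, b) = number of inputs x in {0,1}^4 with a.x XOR b.S(x) = 0."""
    return [[sum(1 for x in range(16) if dot(a, x) ^ dot(b, sbox[x]) == 0)
             for b in range(16)] for a in range(16)]


NL = linear_approximation_table()


def bias(a, b):
    """epsilon(a, b) = N_L(a, b)/16 - 1/2, the bias of a.X xor b.Y."""
    return Fraction(NL[a][b], 16) - Fraction(1, 2)


def piling_up(biases):
    """Piling-up lemma: k independent variables with biases e_1..e_k XOR to bias 2^(k-1) prod e_j."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


def xor_bias_exact(ps):
    """Bias of X_1 xor ... xor X_k from Pr[X_i = 0] = p_i, by enumerating all 2^k outcomes
    of the independent variables (this is what the lemma's induction proves in closed form)."""
    total = Fraction(0)
    for outcome in product((0, 1), repeat=len(ps)):
        if sum(outcome) % 2 == 0:  # the XOR of the outcome is 0
            prob = Fraction(1)
            for p, b in zip(ps, outcome):
                prob *= p if b == 0 else 1 - p
            total += prob
    return total - Fraction(1, 2)


# The four active S-boxes of slide 12-16 as (input mask, output mask):
#   S^1_2: U5, U7, U8 -> nibble bits 1,3,4 = 0b1011;  V6 -> bit 2 = 0b0100
#   S^2_2, S^3_2, S^3_4: input bit 2 = 0b0100;       output bits 2,4 = 0b0101
TRAIL = [(0b1011, 0b0100), (0b0100, 0b0101), (0b0100, 0b0101), (0b0100, 0b0101)]


def trail_bias(trail=TRAIL):
    """Bias of T1 xor T2 xor T3 xor T4 under the slide's independence assumption."""
    return piling_up([bias(a, b) for a, b in trail])


if __name__ == "__main__":
    print("N_L(1011, 0100) =", NL[0b1011][0b0100], "-> bias", bias(0b1011, 0b0100))
    print("bias of X1 + X4 + Y2 =", bias(0b1001, 0b0100))
    print("trail biases:", [str(bias(a, b)) for a, b in TRAIL], "-> piled up:", trail_bias())
```

`xor_bias_exact` and `piling_up` agree for any list of biases, which is the content of the lemma; the corollary is visible too, since a zero factor zeroes the product. With the assumed S-box, `bias(0b1001, 0b0100)` is 0, matching the slide's claim that $X_1 \oplus X_4 \oplus Y_2$ is unbiased.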
Linear cryptanalysis 12-17
Canceling “intermediate” variables
o The XOR of the $T_i$ can be expressed in terms of plaintext bits, bits of $u^4$, and key bits.
$T_1 = U^1_5 \oplus U^1_7 \oplus U^1_8 \oplus V^1_6 = X_5 \oplus K^1_5 \oplus X_7 \oplus K^1_7 \oplus X_8 \oplus K^1_8 \oplus V^1_6$
$T_2 = U^2_6 \oplus V^2_6 \oplus V^2_8 = V^1_6 \oplus K^2_6 \oplus V^2_6 \oplus V^2_8$
$T_3 = U^3_6 \oplus V^3_6 \oplus V^3_8 = V^2_6 \oplus K^3_6 \oplus V^3_6 \oplus V^3_8$
$T_4 = U^3_{14} \oplus V^3_{14} \oplus V^3_{16} = V^2_8 \oplus K^3_{14} \oplus V^3_{14} \oplus V^3_{16}$
Linear cryptanalysis 12-18
Plaintext, bits of $u^4$ and key bits
o $T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_5 \oplus X_7 \oplus X_8 \oplus V^3_6 \oplus V^3_8 \oplus V^3_{14} \oplus V^3_{16} \oplus K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14}$
o Next, replace the $V^3_i$ by expressions involving $U^4_i$:
$V^3_6 = U^4_6 \oplus K^4_6$
$V^3_8 = U^4_{14} \oplus K^4_{14}$
$V^3_{14} = U^4_8 \oplus K^4_8$
$V^3_{16} = U^4_{16} \oplus K^4_{16}$
Linear cryptanalysis 12-19
Selecting the biased random variable
o The result: $T_1 \oplus T_2 \oplus T_3 \oplus T_4 = X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16} \oplus K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14} \oplus K^4_6 \oplus K^4_8 \oplus K^4_{14} \oplus K^4_{16}$
o If the key bits are fixed, then the random variable $K^1_5 \oplus K^1_7 \oplus K^1_8 \oplus K^2_6 \oplus K^3_6 \oplus K^3_{14} \oplus K^4_6 \oplus K^4_8 \oplus K^4_{14} \oplus K^4_{16}$ has fixed value 0 or 1, and $X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16}$ has bias equal to $\pm 1/32$, where the sign depends on the values of the unknown key bits.
Linear cryptanalysis 12-20
Candidate subkeys
o Recall our random variable $X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16}$.
o There are $2^8 = 256$ possibilities for the key bits that are XORed with the 2nd and 4th S-boxes in the final row.
o For each plaintext-ciphertext pair a partial decryption is possible, and the value of the random variable is computed.
Linear cryptanalysis 12-21
Success
o It is suggested that a linear attack based on a linear approximation having bias equal to $\varepsilon$ will be successful if the number of plaintext-ciphertext pairs is approximately $c\varepsilon^{-2}$, for a small constant $c$.
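An added example, not code from the slides, that serves two passages: the key schedule and encryption of slides 12-7 and 12-8 (the 32-bit key and plaintext below are the slides' own values), and the partial-decryption attack of slides 12-19 to 12-21 (256 guesses for the $K^5$ bits entering the 2nd and 4th S-boxes of the last round, counting how often $X_5 \oplus X_7 \oplus X_8 \oplus U^4_6 \oplus U^4_8 \oplus U^4_{14} \oplus U^4_{16}$ is 0). The S-box and the bit permutation are assumptions: the slides' tables were images missing from this text, so the tables of the textbook SPN the lecture follows are used; all function names are mine. Bits are numbered 1 to 16 from the left as on the slides.

```python
import random

# Assumed S-box and bit permutation (the slides' tables are images missing from this
# text): those of the textbook SPN example this lecture follows.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]  # PERM[i-1] = pi_P(i)
NR = 4  # rounds; the last round has no permutation and K^5 is XORed onto the output

# Values from the slides: the key of slide 12-7 and the plaintext of slide 12-8.
KEY = 0x3A94D63F    # 0011 1010 1001 0100 1101 0110 0011 1111
PLAINTEXT = 0x26B7  # 0010 0110 1011 0111


def bit(v, i):
    """Bit i (1 = leftmost) of a 16-bit value."""
    return (v >> (16 - i)) & 1


def key_schedule(k):
    """K^r for 1 <= r <= 5: the 16 consecutive bits of the 32-bit K beginning with k_{4r-3}."""
    return [(k >> (16 - 4 * (r - 1))) & 0xFFFF for r in range(1, NR + 2)]


def substitute(u):
    """Apply the S-box to each of the four nibbles of u."""
    return sum(SBOX[(u >> s) & 0xF] << s for s in (12, 8, 4, 0))


def permute(v):
    """Move bit i of v to position pi_P(i)."""
    w = 0
    for i, p in enumerate(PERM, start=1):
        w |= bit(v, i) << (16 - p)
    return w


def encrypt(x, round_keys):
    """w^0 = x; u^r = w^{r-1} xor K^r; v^r = S(u^r); w^r = P(v^r); y = v^4 xor K^5."""
    w = x
    for r in range(1, NR):
        w = permute(substitute(w ^ round_keys[r - 1]))
    return substitute(w ^ round_keys[NR - 1]) ^ round_keys[NR]


def approximation_bit(x578, y_nib2, y_nib4, l1, l2):
    """X5+X7+X8+U4_6+U4_8+U4_14+U4_16 when nibbles 2 and 4 of K^5 are guessed as l1, l2:
    the partial decryption undoes the guessed key nibble and the last-round S-box."""
    u2 = SBOX_INV[y_nib2 ^ l1]  # u^4 bits 5..8 under the guess
    u4 = SBOX_INV[y_nib4 ^ l2]  # u^4 bits 13..16 under the guess
    return x578 ^ ((u2 >> 2) & 1) ^ (u2 & 1) ^ ((u4 >> 2) & 1) ^ (u4 & 1)


def linear_attack(k, n_pairs=None, seed=1):
    """Try all 2^8 guesses for the two K^5 nibbles and return (l1, l2, bias) for the guess
    whose counted bias has the largest magnitude. Uses every plaintext when n_pairs is None,
    otherwise n_pairs random known plaintexts."""
    round_keys = key_schedule(k)
    rng = random.Random(seed)
    xs = range(1 << 16) if n_pairs is None else [rng.getrandbits(16) for _ in range(n_pairs)]
    # Only x5+x7+x8 and ciphertext nibbles 2 and 4 enter the statistic, so bucket pairs by them.
    buckets = {}
    for x in xs:
        y = encrypt(x, round_keys)
        key = (bit(x, 5) ^ bit(x, 7) ^ bit(x, 8), (y >> 8) & 0xF, y & 0xF)
        buckets[key] = buckets.get(key, 0) + 1
    total = len(xs)
    best = (None, None, 0.0)
    for l1 in range(16):
        for l2 in range(16):
            zeros = sum(c for (a, y2, y4), c in buckets.items()
                        if approximation_bit(a, y2, y4, l1, l2) == 0)
            b = zeros / total - 0.5
            if abs(b) > abs(best[2]):
                best = (l1, l2, b)
    return best


if __name__ == "__main__":
    rk = key_schedule(KEY)
    print("round keys:", [f"{r:04x}" for r in rk])
    print("y =", f"{encrypt(PLAINTEXT, rk):04x}")
    l1, l2, b = linear_attack(KEY)
    print(f"recovered K^5 nibbles 2,4 = {l1:x},{l2:x}  bias {b:+.4f}"
          f"  (true: {(rk[4] >> 8) & 0xF:x},{rk[4] & 0xF:x})")
```

With the slides' key the true nibbles are 0110 and 1111, and the guess with the largest |bias| should be that pair; the sign of the bias is the $\pm$ of slide 12-19, fixed by the unknown key bits. Passing `n_pairs` of a few thousand puts the attack in the $c\varepsilon^{-2} = 1024c$ regime of the last slide, at the cost of sampling noise; the default of all $2^{16}$ plaintexts removes that noise so the result is deterministic.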