dc1`

© All Rights Reserved

Просмотров: 2

dc1`

© All Rights Reserved

- LetsEncrypt Project Instructions
- The Code Book How to Make It, Break It, Hack It, Crack It
- PROBLEMS
- final nsm
- A Comparative Analysis of.pdf
- Cryptography
- Block Ciher
- A High-speed Asic Implementation of the Rsa Cryptosystem Thesis
- 216010101015
- IJET-V3I3P16
- orifinal
- ch05
- An Effective Privacy Protection Scheme for Cloud Computing
- c 04171420
- final year project idea
- DATA ENCRYPTION USING BIO MOLECULAR INFORMATION.pdf
- Accurate Information Retrieval Using Semantic Searching From Encrypted Database
- Unit 4 and 5 Notes INS
- An Improved Scheme for E-Signature Techniques
- 12. Attribute Based Data Sharing

Вы находитесь на странице: 1из 48

C

etin Kaya Ko

c

1

Dierential cryptanalysis is a method for

breaking certain classes of cryptosystems

Eli Biham and Adi Shamir

designed DES knew about dierential crypt-

analysis, as was indicated by Don Copper-

smith of TJ Watson Research Center

2

Dierential cryptanalysis is ecient when the

cryptanalyst can choose plaintexts and obtain

ciphertexts (chosen plaintext cryptanalysis)

is also possible, however, often the size of the

known text pairs is very large

pairs whose dierence is constant, and inves-

tigates the dierential behavior of the cryp-

tosystem

dened as P1 P2 (bit-wise XOR operation)

for DES

method is applied to some other cryptosystem

3

Dierential cryptanalysis is applicable to the

iterated ciphers with a weak round function

(so-called Feistel ciphers)

phertexts as a function of the dierence

between the corresponding plaintexts

put (called characteristic) which can be

traced through several rounds

the most probable key

4

Notation

to a specic value P , i.e., P = P P

to a specic value T , i.e., T = T T

T , a, A, etc. For example, a = a a

5

DES (DEA):

Data Encryption Standard (Algorithm)

son Research Center at the request of the US

NIST for the protection of sensitive unclassi-

ed data

to be reviewed every 5 years. It was rearmed

in 1987. In 1992, after some controversy, it

was recertied for another 5 years.

plaintext to produce a 64-bit ciphertext with a

key size of 56 bits

tion followed by a permutation on the text,

based on the key. This is called a round func-

tion. DES has 16 rounds.

6

Outline of DES

Key (K) 56 BITS

PC-1

28 28

IP

32 32 RL1 RL1

32 32

+ F 28

48 PC-2

48 K1 28

RL1 RL1

+ F PC-2

K2

RL2 RL2

+ F PC-2

K3

RL1 RL1

+ F PC-2

K16

FP

7

The round function of DES

R (32 BITS)

S1E S2E S3E S4E S5 S6 S7E S8E S1K S2K S3K S4K S5 S6 S7K S8K

E E K K

S1 S2 S3 S4 S5 S6 S7 S8

32 BITS

8

The Expansion E

32 1 2 3 4 5

4 5 6 7 8 9

8 9 10 11 12 13

12 13 14 15 16 17

16 17 18 19 20 21

20 21 22 23 24 25

24 25 26 27 28 29

28 29 30 31 32 1

9

Dierential Cryptanalysis of DES

dom generator in order to foil key clustering

attacks

as uniform as possible

or the key causes the ciphertext to change in

approximately 32 of its 64 bits in a seemingly

unpredictable and random manner

10

Biham and Shamir observed that with a xed

key, the dierential behavior of DES does

not exhibit pseudorandomness

at P then T (which is equal to T T ) is not

uniformly distributed

tributed random numbers would itself be uni-

formly distributed

11

S-box Non-Dierential Uniformity

tributed random number, its output will be a

uniformly distributed random number

S1

E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8

4 1 E 8 D 6 2 B F C 9 7 3 A 5 0

F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

to a uniform probability distribution, the input

to any S-box in any round will be uniformly

distributed over all 64 possible values

also uniformly distributed over its 16 possible

values (0 to F) since each occurs 4 times in

the S-box, once in each row

12

S-box Dierential Non-Uniformity

in which there are 642 = 4, 096 possible input

pairs (x, x)

each vary over their 64 possible values, the 4-

bit quantities y = S(x), y = S(x), and y =

y y = S(x) S(x) each vary over their 16

possible values

can be computed for each of the eight S-boxes

by counting the number of times each value y

occurs as (x, x) varies over its 4,096 possible

values

13

S1 Dierential Distribution Table

Input Output y

x 01 23 456 78 9 AB CD EF

00 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

01 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4

02 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2

03 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0

...

0C 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2

...

34 0 8 16 6 2 0 0 12 6 0 0 0 0 8 0 6

...

3E 4 8 2 2 2 4 4 14 4 2 0 2 0 8 4 4

3F 44 42 402 44 2 4 8 8 6 2 2

14

The 6-bit dierential input x takes 64 values:

00 (hex) to 3F (hex)

0 (hex) to F (hex)

input x occurs for 64 of the 4,096 (x, x) pairs

column, because when x = x x = 0, the

same input occurs twice. Therefore, the same

output must also occur both times and y =

y y = 0

15

The later rows are more interesting:

possible y values 0, 1, 2, 4, 8 occur with zero

probability (i.e., never occurs)

all of the S-boxes S1, S2, . . . , S8

16

Consider the input XOR 34. The possible out-

put XORs are

Output: 1 2 3 4 7 8 D F

Occurs: 8 16 6 2 12 6 8 6

are duals: (, ) and (, )

table for S1, we discover these inputs as 13 and

27

13 = 01 0011

27 = 10 0111

13 27 = 11 0100

= 34

S1(13) = 0110

S1(27) = 0010

S1(13) S1(27) = 0100

= 4

17

List of possible input values for S1 box with

input XOR 34

25, 26, 2E, 2F, 30, 31, 3A

34 4: 13, 27

34, 39, 3C

18

Determination of the key:

35 which XORs to 34, and the output XOR as

D

34: 01, 35

S1E S1K

+

S1I 34: 06, 10, 16, 1C

22, 24, 28, 32

S1

S1O D:

of the key because

= (S1E S1K ) (S1E S1K )

= S1E S1E

= S1E

19

Also since

we have

S1K = S1I S1E

which gives

06 01 = 07 06 35 = 33

10 01 = 11 10 35 = 25

16 01 = 17 16 35 = 23

1C 01 = 1D 1C 35 = 29

22 01 = 23 22 35 = 17

24 01 = 25 24 35 = 11

28 01 = 29 28 35 = 1D

32 01 = 33 32 35 = 07

20

Furthermore, suppose we know two inputs to

S1 as 21 and 15 which XORs to 34, and the

output XOR as 3

34: 21, 15

S1E S1K

+

S1I 34: 01, 02, 15, 21

S1 35, 36

S1O 3:

01 21 = 20 01 15 = 14

02 21 = 23 02 15 = 17

15 21 = 34 15 15 = 00

21 21 = 00 21 15 = 34

35 21 = 14 35 15 = 29

36 21 = 17 36 15 = 23

as

{00, 14, 17, 20, 23, 34}

21

The correct key value must appear in both of

these sets:

Intersecting these two sets, we obtain

{17, 23}

Thus, the key value is either 17 or 23

the correct value, we need more input/output

XORs

22

Characteristic

ability, which can be traced through several

rounds

Two observations:

S I = SE S K

SI = SE

S

K

SI SI = SE SK SE

S

K

SI = SE SE

SI = SE

23

A 2-Round Characteristic

(00 80 82 00 , 60 00 00 00)

+ p=14/64

B=00 00 00 00 b=00 00 00 00

+ f(R,K) p=1

(00 00 00 00 , 60 00 00 00)

a = 60 00 00 00

into the middle four bits of each S-box in order

24

6 = 0110 goes to S1 and 0 = 0000 goes to

S2, . . . , S8

S-box receiving non-zero dierential input

the dierential inputs of S2, . . . , S8 are all zero

we nd that when x = 0C, the highest proba-

bility dierential output y is E = 1110, which

occurs with probability 14/64

with probability 1

25

The S-box outputs go through the permuta-

tion P before becoming the output f (R, K)

A = P (E0 00 00 00) = 00 80 82 00

00 80 82 00 to give 00 00 00 00

their dierential inputs as zero, producing the

dierential outputs as zero

zero, giving the dierential output as depicted:

(00 00 00 00 , 60 00 00 00)

26

Dierential Cryptanalysis

of 2-Round DES

(FP) permutations are removed from the DES

algorithm

that

P = P P = 00 80 82 00 60 00 00 00

XORing it with

00 80 82 00 60 00 00 00

to generate P

27

Step 2: Give the plaintext pair (P, P ) to your

opponent who enciphers it and gives you the

ciphertext pair (T, T )

(chosen plaintext cryptanalysis)

it is equal to

00 00 00 00 60 00 00 00

If it does not, the characteristic has not oc-

curred and this pair is not used. Go to Step 1

and generate a new plaintext pair.

If T is equal to

00 00 00 00 60 00 00 00

then the characteristic has occurred, and we

know the values of A and B . Go to Step 4.

28

Step 4: Since S2, . . . , S8 have their dierential

inputs equal to zero, no information can be

gained about S2K , . . . , S8K

S1, we have 0C E with probability 14/64,

only 14 of 64 possible S1K values allow

a = 60 00 00 00

to produce

A = 00 80 82 00

These 14 allowable values can be determined

by XORing each possible S1K with the corre-

sponding six bits of S1E and S1E , computing

S1s dierential output S1O and checking if it

is equal to E

29

Step 5: Compute the intersection of these

tables

table, it will be in the intersection

have enough plaintext, ciphertext dierential

pairs to uniquely determine S1K . Go to Step

1 and generate additional data

tial pairs needed is approximately equal to the

inverse of the probability of the characteristic

used; in this case 64/14 5 pairs are needed

to Step 6

30

Step 6: At this point we have recovered the

6 bits of the key comprising S1K

of key which are XORed with S2 through S8s

inputs in the rst round

key which comprise SK , or equivalently S1K

through S8K

search over the 64 possible values

31

Probabilistic Cryptanalysis

teristic occurs for every pair of encipherments

is 14/64 1 = 14/64

every table and we should look for the most

frequent S1K value

bles and the remaining 63 values occurs with

approximately equal (and smaller) probability

32

4-Round Dierential Attack

cryptanalyze the 4-round DES

(20 00 00 00 , 00 00 00 00)

+ p=1

(00 00 00 00 , 20 00 00 00)

one uses an n-round characteristic to break an

(n + 3)-round DES

33

Dierential Cryptanalysis

of 4-Round DES

(20 00 00 00 , 00 00 00 00)

+

B b=20 00 00 00 p2

+ f(R,K)

C c=B

f(R,K) p3

+

D f(R,K)

d p4

+

(d , D + B)

34

Observations:

the last round since d and d are the left halves

of the ciphertext T and T

round, we need to learn the dierential outputs

y from some S-boxes

know the ciphertext pair causing this charac-

teristic

35

Note that b = 20 00 00 00 causes the dier-

ential inputs to S2 through S8 in the second

round to be all zeros in their middle four bits

the seven zeros are inputs to S2, S3, . . . , S8

and S2 are both zero; they do not disturb the

zero inputs to S2, S3, . . . , S8

tation; the places of the zeros can be found

by tracing back the permutation used at the

output of f (R, K)

using our analysis technique; the remaining 14

bits can be obtained using exhaustive search

36

Dierential Cryptanalysis

of 8-Round DES

round characteristic

16 10 16 16 10 16 5

9.5 10

64 642 64 642

pairs to be needed per occurrence of the char-

acteristic

put XORs, we cannot guarantee that the char-

acteristic has occurred

every dierential pair of plaintexts (P, P )

37

(40 5C 00 00 , 04 00 00 00)

+

=P(0A 08 00 00)

A=04 00 00 00 b=00 54 00 00

+ f(R,K) p=10x16/642

=P(00 10 00 00)

C=0 c=0

f(R,K) p=1

+

D=04 00 00 00 d=00 54 00 00

+ f(R,K) p=10x16/642

=P(00 10 00 00)

+ f(R,K)

=P(0A 00 00 00)

F f=40 5C 00 00

+ f(R,K)

=P(x0 xx 00 00)

G g=F + e

+ f(R,K)

H h

+ f(R,K)

L8 = h R8 = H + P(x0 xx 00 00) + 04 00 00 00

38

We are right only one time in 10,000; we need

several times this number of dierential pairs

are needed

ferential P = P P is equal to

40 5C 00 00 04 00 00 00

curred and compute the dierential outputs of

S2, S5, S6, S7, and S8 in the 8th round using

P 1(H ) which is equal to

P 1(R8

04 00 00 00) (x0 xx 00 00)

39

Step 4: Test each of the 64 possible 6-bit sub-

keys K8,2 associated with S2 in the 8th round

to see which case the observed (x, x) to pro-

duce the y computed for S2 in Step 3

{K8,2}

subkeys {K8,5}, {K8,6}, {K8,7}, and {K8,8} for

S5, S6, S7, S8, respectively

Step 4 is empty, the characteristic could not

have occurred

1 and try a new dierential plaintext pair

40

Step 6: If each of the 5 tables is nonempty,

the characteristic may have occurred

tions of K8 associated with S2, S5, S6, S7,

and S8 by choosing one 6-bit from each table

of 6-bit subkeys in the tables {K8,5}, {K8,6},

{K8,7}, and {K8,8}, then the number of 30-bit

values is N = n2n5n6n7n8

41

Step 7: For each of the Ks generated in Step

6, increment a counter corresponding to that

value

sociated K value is probably correct

arguments and test results suggest that it is a

suitable constant)

generate additional dierential plaintext pairs

42

Known-Plaintext Attack

which the cryptanalyst can obtain ciphertext

of any selected plaintext

tack by allowing the cryptanalyst to pick from

a larger set of plaintext, ciphertext pairs

pairs, and that we are given

32

2 2m

random plaintext, ciphertext pairs.

These form

(232 2m)2

= 264m

2

possible pairs of plaintexts.

43

Each pair has an XOR. Since the block size is

64, there are 264 possible plaintext XOR val-

ues, and thus there are about

264m

64

= m

2

pairs creating each plaintext XOR value.

about m pairs with each one of the several

plaintext XOR values needed for dierential

cryptanalysis.

44

Results

Round Bits Ln Pr Plains Plains

4 42 1 1 24 233

6 30 3 24 28 236

8 30 5 213.5 216 240

10 18 9 231.5 235 249

16 18 15 255.1 258 261

Round Plaintexts Plaintexts

8 214 238 29

10 224 243 215

12 231 247 221

14 239 251 229

16 247 255 237

45

Summary of the Results

chosen plaintext attack in less 0.3 seconds on a

PC using 240 ciphertexts; the known plaintext

version requires 236 ciphertexts

chosen plaintext attack in less than 2 minutes

on a PC by analyzing about 214 ciphertexts;

the known plaintext attack needs about 238

ciphertexts

ciphertexts from a larger pool of 247 chosen

plaintexts using 237 time

quently changed and the collected data are de-

rived from dierent keys

46

The eort is almost independent of the key

size; breaking DES with a 56-bit key requires

almost the same amount of eort as breaking

DES with 16 dierent 48-bit keys

portance of the number of rounds and the

method by which the S-boxes are constructed

cryptanalyze than the original DES; for ex-

ample, GDES (Generalized DES) scheme of

Schaumuller-Bich is much more easily crypt-

analyzed (using only 6 ciphertexts in less than

0.2 seconds)

have catastrophic results:

47

Modied Versions of DES

Modied Chosen

Operation Plaintexts

P permutation:

Random 247

Identity 219

Order of S-boxes 238

Change XOR by Addition 231

S-boxes:

Random 221

Random Permutation 244 248

One Entry 233

Uniform 226

Eliminate Expansion E 226

Order of E and subkey XOR 244

48

- LetsEncrypt Project InstructionsЗагружено:Mawonsosungue
- The Code Book How to Make It, Break It, Hack It, Crack ItЗагружено:Fabio Capasso
- PROBLEMSЗагружено:El- Tally
- final nsmЗагружено:ErSweety Mittal
- A Comparative Analysis of.pdfЗагружено:Majid Khan
- CryptographyЗагружено:timothyosaigbovo3466
- Block CiherЗагружено:kiranpani
- A High-speed Asic Implementation of the Rsa Cryptosystem ThesisЗагружено:amollandge04
- 216010101015Загружено:Editor InsideJournals
- IJET-V3I3P16Загружено:International Journal of Engineering and Techniques
- orifinalЗагружено:Manjunath Manja
- ch05Загружено:b meherbaba
- An Effective Privacy Protection Scheme for Cloud ComputingЗагружено:Vanessa Thomas
- c 04171420Загружено:IOSRJEN : hard copy, certificates, Call for Papers 2013, publishing of journal
- final year project ideaЗагружено:shubham
- DATA ENCRYPTION USING BIO MOLECULAR INFORMATION.pdfЗагружено:ijcisjournal
- Accurate Information Retrieval Using Semantic Searching From Encrypted DatabaseЗагружено:International Journal of Innovative Science and Research Technology
- Unit 4 and 5 Notes INSЗагружено:Sounok Kashyap
- An Improved Scheme for E-Signature TechniquesЗагружено:Walid Al-Abbadi
- 12. Attribute Based Data SharingЗагружено:SaranKumar
- 05598198Загружено:khssalah
- 06 AdditionalGates&Design 2Загружено:Jbanful
- Informaton Tecnology Act 2000Загружено:akkig1
- SynopsisЗагружено:minal chaudhary
- Aeris-UsersGuideЗагружено:Shashank Sn
- Security IssuesЗагружено:Yogesh Yadav
- Securing Clouds - Quantum WayЗагружено:Marmik Pandya
- cryptoЗагружено:Anamika K Anu
- 08344568(1)Загружено:kavya
- j Me Stn 42351198Загружено:alok_choudhury_2

- Queu-1Загружено:Ravi Tej
- Decision-MakingUsingtheAnalyticHierarchyProcessAHPandPJM Melvin AlexanderЗагружено:Ravi Tej
- Exam 1 SolutionsЗагружено:Ravi Tej
- Mutual ExclusionЗагружено:Ravi Tej
- Guidelines for writing a research paper for publicationЗагружено:Carolina
- ReadMeЗагружено:Милош Марковић
- parallel computingЗагружено:Siva Kumar Gani
- 07955294Загружено:Ravi Tej
- How to Install.txtЗагружено:Anonymous v1ecWzUD
- iss codes.txtЗагружено:Ravi Tej
- Mess Menu 26.10.16Загружено:Ravi Tej
- ActivateЗагружено:Rishi Srivastava
- Cloud Report FinalЗагружено:Nagendra Venkat
- Trusted CloudЗагружено:api-26116672
- 07043480Загружено:Ravi Tej
- bolly movies.txtЗагружено:Ravi Tej
- cs188_sp04_mt1_solЗагружено:Ravi Tej
- InfoЗагружено:Ravi Tej
- InputЗагружено:Ravi Tej
- How to Open Nfo FilesЗагружено:ali
- SQL InjectionsЗагружено:Pratik Raj Singh
- 03.Solutions-To-hc Verma_concepts.pdf_rest and MotionЗагружено:Shubham Jasoriya
- wk03Загружено:Ravi Tej
- arms_raceЗагружено:addise44
- u24Загружено:Ravi Tej
- KNN algoЗагружено:Dishti Aggarwal
- PropLogicA271-f09Загружено:Ravi Tej
- 37-PSЗагружено:Ravi Tej
- irctcЗагружено:Ravi Tej

- Image Encryption- A Communication PerspectiveЗагружено:Josemar Pedroso
- A Secure Erasure Code-Based Cloud Storage System With Secure Data ForwardingЗагружено:ieeexploreprojects
- nkp gray code for image sms.pdfЗагружено:Binoj V Janardhanan
- 10.1.1.90.1365Загружено:Mohini Mohit Batra
- crptograpyЗагружено:middlesex5
- Encryption and CryptographyЗагружено:Paksmiler
- Key-schedule Attacks-concepts All Over the PlaceЗагружено:Benedict Auw
- 2 Classical EncryptionЗагружено:Galal Nadim
- BSC ThesisЗагружено:Aalaa Hussein Hamid
- Ch2 Classical EncryptionЗагружено:YazanAlomari
- IntroModernCryptography-Chapter1Загружено:Muhammad Yasin
- Structural Basis for CAMP-mediated Allosteric ControlЗагружено:Akshay Sanjeev Prabhakant
- Crypt Analysis of the Cellular Message Encryption AlgorithmЗагружено:Indra Lingga Pratama Zen
- EFF: CryptoЗагружено:EFF
- HandycipherЗагружено:Casandra Edwards
- 2 Classical EncryptionЗагружено:rahul88anand
- Cryptographic AttackЗагружено:BARNALI GUPTA
- What is CryptographyЗагружено:fxtrend
- Lecture 1Загружено:sottathala
- dc1Загружено:Ravi Tej
- sensors-18-01306-v2.pdfЗагружено:Ram Bhagat Soni
- Intro ScryptographyЗагружено:Thien Khiem Nguyen
- conventional encryptionЗагружено:Shashank Mohan
- Thesis ImageЗагружено:kolipriyanka
- Sm473 Crypto Lecture NotesЗагружено:Nephron
- Infosec-3-CryptoЗагружено:Muhammad Nuqi Anggara