In this chapter, we will go through two important types of cryptanalysis, linear and differential cryptanalysis, introducing basic and advanced concepts and techniques regarding how these two types of cryptanalysis can be conducted and implemented.
The research literature about linear and differential cryptanalysis is wide and rich in theoretical approaches and mechanisms, but only a few of the approaches can be applied in practice in a real-life environment. The difference between theoretical and applied cryptanalysis is huge, and many of the ideas published (algorithms, methods, game theory aspects, etc.) have led researches and professionals down wrong paths over the last 12 years. Doing research into cryptanalysis and increasing its potential value for being applied in practice and for different scenarios requires time, experience, and a continuous cross-collaboration between theoreticians and practitioners, without any isolation between these two types of categories.
Their importance is crucial in the field of cryptanalysis, providing the necessary tools and mechanisms to construct cryptanalysis attack schemes for block and stream ciphers.
Differential Cryptanalysis
Differential cryptanalysis was introduced by E. Biham and A. Shamir in the early 1990s. The goal of differential cryptanalysis is to test if certain positions from the key are traced with a probability bigger than others from the cryptogram. The test can be done at any risk of order 1. Actually, the test is an approximation of order 2 of a testing process much more complex.
With differential cryptanalysis we can expose the weak points of the cryptography algorithm. The following example of differential cryptanalysis is illustrated for stream cryptography algorithms .
- 1.
α←read the rejection rate
- 2.Build n sets of perturbed keys starting from the key K.
- 3.
Building cryptograms. We will build n + 1 cryptograms starting from the basic key, perturbed keys, and a clear text M. We will note this cryptogram with C(i), i = 1, …, n + 1. As plaintext M we can choose for text 0 – everywhere.
- 4.Building the correlation matrix. In this step we will build the matrix (n + 1) × (n + 1) for the corellation values C:
- 5.The computation of significant value. It will count the values of significant correlation which are situated above the main diagonal. A value is called significant if
- 6.Decision and result interpretation. If
Once computed, we can decide the non-resistance to differential cryptanalysis ( and representing the quantiles of the normal distribution of order and and fixes the (i, j) elements with n ≥ i > j ≥ 1, for which cij is significant). These elements represent weak points for the algorithms. Otherwise, we will not be able to mention anything about the resistance to this type of attack .
Implementation of Differential Cryptanalysis Example
Linear Cryptanalysis
Linear cryptanalysis was designed and introduced in 1993 as a theoretical framework for DES (Data Encryption System). Currently, linear cryptanalysis is used within block ciphers and represents a very good starting point for designing and conducting an implementation of the complex attacks.
where ⨁ represents the XOR operation (which is a binary operation), Ai represents the bit from ith position of input the structure A = [A1, A2, …], Bj represents the bit from jth position of the output structure B = [B1, B2, …], and Keyk represents the kth bit of the key Key = [Key1, Key2, …].
Conducting Linear Cryptanalysis
Identifying a linear approximation for non-linear components that characterize the encryption algorithm (as an example, S-Boxes).
Performing a combination between linear approximations of substitution boxes, which includes operations that are executed within the encryption algorithm. It is very important for professionals to focus on the linear approximation because it represents a special function that contains and deals with the clear text and cipher text bits together with the ones from the private key.
Designing the linear approximation as a guideline for the keys that are used for the first time. This will be very helpful because it saves important computational resources for all the possible values of the keys. Using multiple linear approximations is very useful for eliminating the key numbers which are necessary for trying.
In the following section, we will provide a few details in order to help figure out which components should be taken into consideration when conducting a linear cryptanalysis attack. Without understanding at the theory level the following concepts, it will be very difficult to perform any implementation of the attack.
S-Boxes
Through S-Boxes the non-linearity is introduced together with its operation, exclusive-or and bit-shift, which are found in a linear representation as well.
S-Box Example
11 | 10 | 01 | 00 | |
---|---|---|---|---|
00 | "0000" | "0001" | "0010" | "0011" |
01 | "1000" | "1001" | "1111" | "1011" |
10 | "1100" | "1101" | "1110" | "1010" |
11 | "0100" | "0101" | "0010" | "0111" |
The Mapping Between Input and Output
The Input (J) | The Output (Q) |
---|---|
"0000" | "0011" |
"0001" | "0010" |
"0010" | "1011" |
"0011" | "1111" |
"0100" | "1010" |
"0101" | "1110" |
"0110" | "0111" |
"0111" | "0010" |
"1000" | "0001" |
"1001" | "0000" |
"1010" | "1001" |
"1011" | "1000" |
"1100" | "1101" |
"1101" | "1100" |
"1110" | "0101" |
"1111" | "0100" |
S-Box Linear Approximation
where J1 and Qi represent the ith bit characterized to input (J) and ouput (Q) with respect for di and g1 which are 0 or 1. As an example, let’s use the following linear approximation J2 = Q1 ⨁ Q4 and being given by d = 01002 and g = 10012.
Concatenation of Linear Approximations
First, we need to have already computed the linear approximation for each component that is forming the system.
Second, to do the combination, we simply sum by using exclusive-or the entire set of equations in different combinations. In this way we get a single equation which will eliminate the intermediate variables.
Assembling the Two Variables
The next step is represented by computing the bias for B1 ⨁ B2 = 0. It is given as ζ1 · ζ2.
Linear Cryptanalysis Simulation
Conclusion
In this chapter, we discussed differential and linear cryptanalysis attacks and how such attacks can be designed and implemented. We presented the theoretical background and main foundation necessary to know before designing such cryptanalysis attacks.
Identify theoretically the main components on which a cryptanalyst should focus
Understand how vulnerable those components are and how they can be exploited
Implement a linear and differential cryptanalysis attacks
Bibliography
- [1]
Joan Daemen, Lars Knudsen, and Vincent Rijmen, “The Block Cipher Square. Fast Software Encryption (FSE),” In Volume 1267 of Lecture Notes in Computer Science (pp. 149–165), Haifa, Israel: Springer-Verlag. CiteSeerX 10.1.1.55.6109. 1997.
- [2]
H. Heys, “A Tutorial on Linear and Differential Cryptanalysis,” In Cryptologia, vol. XXVI, no. 3 (pp. 189-221), 2002.
- [3]
M. Matsui, “Linear Cryptanalysis Method for DES Cipher,” In Advances in Cryptology - EUROCRYPT ’93 (pp. 386-397), Springer-Verlag, 1994.
- [4]
E. Biham, “On Matsui's linear cryptanalysis.” In A. De Santis (ed), Lecture Notes in Computer Science, vol. 950, (pp. 341–355). Springer-Verlag, Berlin, 1995.
- [5]
A. Biryukov, C. De Cannière, M. Quisquater, “On Multiple Linear Approximations," In M. Franklin (ed), Advances in Cryptology, proceedings of CRYPTO 2004, Lecture Notes in Computer Science 3152 (pp. 1-22). Springer-Verlag, 2004.
- [6]
L. Keliher, H. Meijer, and S.E. Tavares, “New method for upper bounding the maximum average linear hull probability for SPNs.” In B. Pfitzmann (ed), LNCS, vol. 2045 (pp. 420-436). Springer-Verlag, Berlin, 2001.
- [7]
L. R. Knudsen and J.E. Mathiassen,“ A chosen-plaintext linear attack on DES,” In B. Schneier (ed.), Lecture Notes in Computer Science, vol. 1978 (pp. 262–272). Springer-Verlag, Berlin, 2001.
- [8]
M. Matsui and A. Yamagishi, “A new method for known plaintext attack of FEAL cipher.” In R.A. Rueppel (ed), Lecture Notes in Computer Science, vol. 658 (pp. 81-91). Springer-Verlag, Berlin, 1993.
- [9]
M. Matsui, “The first experimental cryptanalysis of the data encryption standard.” In Y.G. Desmedt (ed), Lecture Notes in Computer Science, vol. 839 (pp. 1-11). Springer-Verlag, Berlin, 1994.