© Marius Iulian Mihailescu and Stefania Loredana Nita 2021
M. I. Mihailescu, S. L. NitaPro Cryptography and Cryptanalysis https://doi.org/10.1007/978-1-4842-6367-9_20

20. Linear and Differential Cryptanalysis

Marius Iulian Mihailescu1   and Stefania Loredana Nita1
(1)
Bucharest, Romania
 

In this chapter, we will go through two important types of cryptanalysis, linear and differential cryptanalysis, introducing basic and advanced concepts and techniques regarding how these two types of cryptanalysis can be conducted and implemented.

The research literature about linear and differential cryptanalysis is wide and rich in theoretical approaches and mechanisms, but only a few of the approaches can be applied in practice in a real-life environment. The difference between theoretical and applied cryptanalysis is huge, and many of the ideas published (algorithms, methods, game theory aspects, etc.) have led researches and professionals down wrong paths over the last 12 years. Doing research into cryptanalysis and increasing its potential value for being applied in practice and for different scenarios requires time, experience, and a continuous cross-collaboration between theoreticians and practitioners, without any isolation between these two types of categories.

Their importance is crucial in the field of cryptanalysis, providing the necessary tools and mechanisms to construct cryptanalysis attack schemes for block and stream ciphers.

Differential Cryptanalysis

Differential cryptanalysis was introduced by E. Biham and A. Shamir in the early 1990s. The goal of differential cryptanalysis is to test if certain positions from the key are traced with a probability bigger than others from the cryptogram. The test can be done at any risk of order 1. Actually, the test is an approximation of order 2 of a testing process much more complex.

With differential cryptanalysis we can expose the weak points of the cryptography algorithm. The following example of differential cryptanalysis is illustrated for stream cryptography algorithms .

The pseudocode of the algorithm is as follows:
INPUT:    A base key is chosen as K = (k1, …, kn) with ki ∈ {0, 1}
OUTPUT:   The sensitive and weak points of the cryptography
          algorithm and the resistance decision for
          differential cryptanalysis
  1. 1.

    α←read the rejection rate

     
  2. 2.
    Build n sets of perturbed keys starting from the key K.
    $$ for i=1 to n do {K}^{(i)}=left({delta}_{1i}oplus {k}_1,dots, {delta}_{ni}oplus {k}_n ight): $$
     
$$ {delta}_{1i}=left{egin{array}{c}1,kern0.5em if j e i,\ {}0,kern0.5em if j=i.end{array} ight., $$
for i,j=1,…,n. In this way, the ith key is obtained from the base key by changing the bit from the ith position.
  1. 3.

    Building cryptograms. We will build n + 1 cryptograms starting from the basic key, perturbed keys, and a clear text M. We will note this cryptogram with C(i), i = 1, …, n + 1. As plaintext M we can choose for text 0 – everywhere.

     
  2. 4.
    Building the correlation matrix. In this step we will build the matrix (n + 1) × (n + 1) for the corellation values C:
    $$ {c}_{ij}= corelationleft( cryptogram i, cryptogram j ight), $$
     
where correlation cij represents the value of the statistical test applied to the sequence (cryptogram i ⊕ cryptogram j). The matrix C is represented as a symmetrical matrix having 1 on the main diagonal.
  1. 5.
    The computation of significant value. It will count the values of significant correlation which are situated above the main diagonal. A value is called significant if
    $$ {c}_{i,j} otin left[{u}_{frac{alpha }{2}};{u}_{1-frac{alpha }{2}} ight]. $$
     
Consider T the number of significant values that represent the number of rejects of the corellation test.
  1. 6.
    Decision and result interpretation. If
    $$ frac{T-alpha cdotp frac{nleft(n+1 ight)}{2} }{sqrt{alpha left(1-alpha ight)cdotp frac{nleft(n+1 ight)}{2}}} otin left[{u}_{frac{alpha }{2}};{u}_{1-frac{alpha }{2}} ight], $$
     

Once computed, we can decide the non-resistance to differential cryptanalysis ($$ {u}_{frac{alpha }{2}} $$ and $$ {u}_{1-frac{alpha }{2}} $$ representing the quantiles of the normal distribution of order $$ frac{alpha }{2} $$ and $$ 1-frac{alpha }{2} $$ and fixes the (i, j) elements with n ≥ i > j ≥ 1, for which cij is significant). These elements represent weak points for the algorithms. Otherwise, we will not be able to mention anything about the resistance to this type of attack .

The C# source code in Listing 20-1 is an implementation of the above pseudocode (see Figure 20-1 for the output).
using System;
namespace DifferentialCryptanalysis
{
    class ExampleOfDifferentialCryptanalysis
    {
        //** variables
        public static int[] Known_P0 = new int[10000];
        public static int[] Known_P1 = new int[10000];
        public static int[] Known_C0 = new int[10000];
        public static int[] Known_C1 = new int[10000];
        public static int Good_P0, Good_P1, Good_C0, Good_C1;
        public static int numbers_pairs;
        public static int[] characters_data0 = new int[16];
        public static int characters_data_max = 0;
        public static int[,] characters = new int[32, 32];
        public static int[] theSBOX = new int[16] { 3, 14, 1,
                10, 4, 9, 5, 6, 8, 11, 15, 2, 13, 12, 0, 7 };
        public static int[] sbox_reviwed = { 14, 2, 11, 0, 4,
                6, 7, 15, 8, 5, 3, 9, 13, 12, 1, 10 };
        public static int round_function(int theInputData, int theKey)
        {
            return theSBOX[theKey ^ theInputData];
        }
        public static int encryption(int theInputData, int k_0, int k_1)
        {
            int x_0 = round_function(theInputData, k_0);
            return x_0 ^ k_1;
        }
        public static void find_differences()
        {
            Console.WriteLine(" Generating a differential
                                table structure for XOR: ");
            Random rnd = new Random();
            int x, y;
            for (x = 0; x < 16; x++)
            {
                for (y = 0; y < 16; y++)
                {
                    characters[x ^ y, theSBOX[x] ^ theSBOX[y]]
                                                    = rnd.Next(-1, 1);
                }
            }
            for (x = 0; x < 16; x++)
            {
                for (y = 0; y < 16; y++)
                {
                    characters[x^y, theSBOX[x] ^
                                                theSBOX[y]]++;
                }
            }
            for (x = 0; x < 16; x++)
            {
                for (y = 0; y < 16; y++)
                    Console.Write("{0}",
                                            characters[x, y] + " ");
                Console.WriteLine(" ");
            }
            Console.WriteLine(" Show the possible differentials: ”);
            for (x = 0; x < 16; x++)
                for (y = 0; y < 16; y++)
                    if (characters[x, y] == 6)
                        Console.WriteLine(" 6/16: {0} to
                                                    {1} ", x, y);
        }
        public static void genCharData(int input_differences,
                                       int output_differences)
        {
            Console.WriteLine(" Values represented as
                        possible intermediate based on
                        differntial has been generated: ({0} to
                        {1}): ", input_differences,
                        output_differences);
            characters_data_max = 0;
            int p;
            for (p = 0; p < 16; p++)
            {
                int theComputation = p ^ input_differences;
                if ((theSBOX[p] ^ theSBOX[theComputation]) ==
                                                    output_differences)
                {
                    Console.WriteLine(" The certain values
                    choosen are:   {0} + {1} to  {2} +
                    {3} ", p, theComputation, theSBOX[p],
                    theSBOX[theComputation]);
                    characters_data0[characters_data_max] = p;
                    characters_data_max++;
                }
            }
        }
        public static void genPairs(int input_differences)
        {
            Random randomNumber = new Random();
            Console.WriteLine(" Generating {0} known pairs
                          with input differential of {1}. ",
                          numbers_pairs, input_differences);
            //** generate randomly subkey
            int Real_K0 = randomNumber.Next() % 16;
            //** generate randomly subkey
            int Real_K1 = randomNumber.Next() % 16;
            Console.WriteLine(" The K0 Real Value is =
                                                    {0} ", Real_K0);
            Console.WriteLine(" The K1 Real Value is =
                                                    {0} ", Real_K1);
            int b;
            //** Generate plaintexts pairs using different
            //** XORs based on the differences
            //** that are provided as input
            for (b = 0; b < numbers_pairs; b++)
            {
                Known_P0[b] = randomNumber.Next() % 16;
                Known_P1[b] = Known_P0[b] ^ input_differences;
                Known_C0[b] = encryption(Known_P0[b], Real_K0,
                                                      Real_K1);
                Known_C1[b] = encryption(Known_P1[b], Real_K0,
                                                      Real_K1);
            }
        }
        public static void findGoodPair(int
                                             output_differences)
        {
            Console.WriteLine(" Searching for good pair: ");
            int c;
            for (c = 0; c < numbers_pairs; c++)
                if ((Known_C0[c] ^ Known_C1[c]) ==
                                                    output_differences)
                {
                    Good_C0 = Known_C0[c];
                    Good_C1 = Known_C1[c];
                    Good_P0 = Known_P0[c];
                    Good_P1 = Known_P1[c];
                    Console.WriteLine(" A good pair has
                                been found: (P0 = {0}, P1 = {1}) to
                                (C0 = {2}, C1 = {3}) ", Good_P0,
                                Good_P1, Good_C0, Good_C1);
                    return;
                }
            Console.WriteLine("There is no pair proper
                                                        found! ");
        }
        public static int testKey(int Test_Key_0,
                                                  int Test_Key_1)
        {
            int c;
            int someCrappyValue = 0;
            for (c = 0; c < numbers_pairs; c++)
            {
                if ((encryption(Known_P0[c], Test_Key_0,
                          Test_Key_1) != Known_C0[c]) ||
                          (encryption(Known_P1[c], Test_Key_0,
                          Test_Key_1) != Known_C1[c]))
                {
                    someCrappyValue = 1;
                    break;
                }
            }
            if (someCrappyValue == 0)
                return 1;
            else
                return 0;
        }
        public static void crack()
        {
            Console.WriteLine(" Using brute force to reduce
                                                    the keyspace: ");
            for (int g = 0; g < characters_data_max; g++)
            {
                int Test_K0 = characters_data0[g] ^ Good_P0;
                int Test_K1 =
                          theSBOX[characters_data0[g]] ^ Good_C0;
                if (testKey(Test_K0, Test_K1) == 1)
                    Console.WriteLine(" The Key is! ({0},
                                      {1}) ", Test_K0, Test_K1);
                else
                    Console.WriteLine(" ({0}, {1}) ",
                                             Test_K0, Test_K1);
            }
        }
        static void Main(String[] args)
        {
            Console.WriteLine("DIFFERENTIAL CRYPTANALYSIS ");
            Random randomPerRunning = new Random();
            //** generating random values per each running
            randomPerRunning.Next();
            //** identify proper differentials
            //** within the SBoxes
            find_differences();
            //** defining a numerical
            //** value for known pairs
            numbers_pairs = 8;
            //** identify data inputs that will help
            //** to lead us to specific characteristic
            genCharData(4, 7);
            //** randomly, generate pairs of
            //** chosen-plaintext
            genPairs(4);
            //** based and using the characteristic,
            //** we will choose a known pair
            findGoodPair(7);
            //** use characteristic_data0 and within
            //** the proper pair we will find it
            crack();
            while (true) { }
            Console.ReadKey();
        }
    }
}
Listing 20-1

Implementation of Differential Cryptanalysis Example

../images/493660_1_En_20_Chapter/493660_1_En_20_Fig1_HTML.jpg
Figure 20-1

Differential cyptanalysis example

Linear Cryptanalysis

Linear cryptanalysis was designed and introduced in 1993 as a theoretical framework for DES (Data Encryption System). Currently, linear cryptanalysis is used within block ciphers and represents a very good starting point for designing and conducting an implementation of the complex attacks.

We can look at linear cryptanalysis as being defined as a linear relationship that is established between the key, the plaintext structure, and the ciphertext structure. The structure of the plaintext is represented as characters or bits. It is necessary to represent it as a chain of operations characterized by exclusive-or, shown as
$$ {A}_{i_1}oplus {A}_{i_2}dots igoplus {A}_{i_u}igoplus {B}_{j_1}igoplus {B}_{j_2}igoplus dots igoplus {B}_{j_v}={Key}_{k_1}igoplus {Key}_{k_2}igoplus dots {Key}_{k_w} $$

where ⨁ represents the XOR operation (which is a binary operation), Ai represents the bit from ith position of input the structure A = [A1, A2, …], Bj represents the bit from jth position of the output structure B = [B1, B2, …], and Keyk represents the kth bit of the key Key = [Key1, Key2, …].

Conducting Linear Cryptanalysis

In most cases, we start from the idea that we know the encryption algorithm except for the private key. Launching a linear cryptanalysis over a block cipher is represented as a model/framework, described as

  • Identifying a linear approximation for non-linear components that characterize the encryption algorithm (as an example, S-Boxes).

  • Performing a combination between linear approximations of substitution boxes, which includes operations that are executed within the encryption algorithm. It is very important for professionals to focus on the linear approximation because it represents a special function that contains and deals with the clear text and cipher text bits together with the ones from the private key.

  • Designing the linear approximation as a guideline for the keys that are used for the first time. This will be very helpful because it saves important computational resources for all the possible values of the keys. Using multiple linear approximations is very useful for eliminating the key numbers which are necessary for trying.

In the following section, we will provide a few details in order to help figure out which components should be taken into consideration when conducting a linear cryptanalysis attack. Without understanding at the theory level the following concepts, it will be very difficult to perform any implementation of the attack.

S-Boxes

Through S-Boxes the non-linearity is introduced together with its operation, exclusive-or and bit-shift, which are found in a linear representation as well.

The goal of an S-Box is to create a map between the incoming binary sequences with a certain output. This being said, we will have the non-linearity provided that will build and render the affine approximation that was obtained when the linear cryptanalysis was applied. Table 20-1 shows an example of an S-Box and how the mapping works. It uses the 1st and 4th bit to find the column and the middle bits, 3rd and 4th. Based on this, the row is determined in such way that the input 1110 will be 0101.
Table 20-1

S-Box Example

 

11

10

01

00

00

"0000"

"0001"

"0010"

"0011"

01

"1000"

"1001"

"1111"

"1011"

10

"1100"

"1101"

"1110"

"1010"

11

"0100"

"0101"

"0010"

"0111"

Table 20-2 shows the mapping operation between the examples of bits as input and bits as output.
Table 20-2

The Mapping Between Input and Output

The Input (J)

The Output (Q)

"0000"

"0011"

"0001"

"0010"

"0010"

"1011"

"0011"

"1111"

"0100"

"1010"

"0101"

"1110"

"0110"

"0111"

"0111"

"0010"

"1000"

"0001"

"1001"

"0000"

"1010"

"1001"

"1011"

"1000"

"1100"

"1101"

"1101"

"1100"

"1110"

"0101"

"1111"

"0100"

S-Box Linear Approximation

We will start from the idea that we want to approximate the structure of the substitution box presented above. Based on that information, we have the precision, which is quite high, of the various linear approximations. We include 256 such linear approximations having the following form:
$$ {d}_1{J}_1igoplus {d}_2{I}_2igoplus {d}_3{J}_3igoplus {a}_4{I}_4={g}_1{Q}_1igoplus {g}_2{Q}_2igoplus {g}_3{Q}_3igoplus {g}_4{Q}_4 $$

where J1 and Qi represent the ith bit characterized to input (J) and ouput (Q) with respect for di and g1 which are 0 or 1. As an example, let’s use the following linear approximation J2 = Q1 ⨁ Q4 and being given by d = 01002 and g = 10012.

Concatenation of Linear Approximations

It’s time to move to the next step and form, design, and project the linear approximation for the whole system. To achieve this, we need two things:

  • First, we need to have already computed the linear approximation for each component that is forming the system.

  • Second, to do the combination, we simply sum by using exclusive-or the entire set of equations in different combinations. In this way we get a single equation which will eliminate the intermediate variables.

Assembling the Two Variables

Let’s consider B1 and B2, two random binary variables. The linear relationship between them is B1 ⨁ B2 = 0. Next, let’s denote the probability B1 = 0 by being noted with l and the probability B2 = 0 by being noted with m. Based on the two random independent variables, we have
$$ Pleft({B}_1=a,{B}_2=b ight)=left{egin{array}{c}egin{array}{c}lcdotp mkern7em for a=0,b=0\ {}lcdotp left(1-m ight)kern4.25em for a=0,b=1end{array}\ {}left(1-l ight)cdotp qkern4.75em for a=1,b=0\ {}left(1-l ight)cdotp left(1-m ight)kern1.5em for a=1,b=1end{array} ight. $$
Moving forward, we can show the following:
$$ Pleft({B}_1igoplus {B}_2=0 ight)= $$
$$ =Pleft({B}_1={B}_2 ight) $$
$$ =Pleft({B}_1=0,{B}_2=0 ight)+Pleft({B}_1=1,{B}_2=1 ight) $$
$$ =lcdotp m+left(1-l ight)left(1-m ight) $$

The next step is represented by computing the bias for B1 ⨁ B2 = 0. It is given as ζ1 · ζ2.

Now it is time to do the implementation in C# (see Listing 20-2) for the linear cryptanalysis (see Figure 20-2) and to show how the above concepts can be used in practice.
../images/493660_1_En_20_Chapter/493660_1_En_20_Fig2_HTML.jpg
Figure 20-2

Linear cryptanalysis output simulation program

using System;
namespace LinearCryptanalysis
{
    class ExampleOfLinearCryptanalysis
    {
        #region Variables
        public static int[,] approximation_table =
        new int[16,16];
        public static int[] known_plaintext = new int[500];
        public static int[] known_ciphertext = new int[500];
        public static int number_known = 0;
        public static int[] theSBox =
               new int [16] {9, 11, 12, 4, 10, 1, 2, 6, 13,
                                 7, 3, 8, 15, 14, 0, 5};
        public static int[] revtheSBox = {14, 5, 6, 10, 3, 15,
                                 7, 9, 11, 0, 4, 1, 2, 8, 13, 12};
        #endregion
        //** the function will round
        //** the sbox values accordingly
        //** based on the value inputed and the sub key
        public static int RoundingFunction(int theInputValue,
                                                int theSubKey)
        {
            int index_position = theInputValue ^ theSubKey;
            return theSBox[index_position];
        }
        //** generatiing the keys
        //** and generating the known pairs
        public static void FillingTheKnowledgedOnces()
        {
            Random randomNumber = new Random();
            int theSubKey_1 = randomNumber.Next() % 16;
            int theSubKey_2 = randomNumber.Next() % 16;
            Console.WriteLine("Generating the data: Key1 =
                  {0}, Key2 = {1} ", theSubKey_1, theSubKey_2);
            for (int h = 0; h < number_known; h++)
            {
                known_plaintext[h] = randomNumber.Next() % 16;
                known_ciphertext[h] =
                          RoundingFunction(RoundingFunction(
                          known_plaintext[h], theSubKey_1),
                                theSubKey_2);
            }
            Console.WriteLine("Generating the data: Generating
                              {0} Known Pairs ", number_known);
        }
        //** show the the linear approximation
        //** note that the parameters
        //** a and b starts from 1
        public static void DisplayTheApproximation()
        {
            Console.WriteLine("Generate the linear
                                            approximation: ");
            for (int a = 1; a < 16; a++)
            {
                for (int b = 1; b < 16; b++)
                {
                    if (approximation_table[a, b] == 14)
                        Console.WriteLine("{0} : {1} to
                                {2} ", approximation_table[a, b],
                                a, b);
                }
            }
            Console.WriteLine(" ");
        }
        public static int ApplyingTheMask(int v, int m)
        {
            //** v - is the value
            //** m - is the mask
            int internal_value = v & m;
            int total_amount = 0;
            while (internal_value > 0)
            {
                int temporary = internal_value % 2;
                internal_value /= 2;
                if (temporary == 1)
                    total_amount = total_amount ^ 1;
            }
            return total_amount;
        }
        //** the function will validate and
        //** test the keys accordingly
        public static void ValidationAndTestingKeys(int key_1,
        int key_2)
        {
            for (int h = 0; h < number_known; h++)
            {
                if (RoundingFunction(RoundingFunction
                          (known_plaintext[h], key_1), key_2) !=
                          known_ciphertext[h])
                break;
            }
            Console.WriteLine("* ");
        }
        public static void FindingTheApproximation()
        {
            Random randomNumber = new Random();
            //** The output the mask
            for (int a = 1; a < 16; a++)
            {
                //** The input mask
                for (int b = 1; b < 16; b++)
                {
                    //** the input
                    for (int c = 0; c < 16; c++)
                    {
                        if (ApplyingTheMask(c, b) ==
                            ApplyingTheMask(theSBox[c], a))
                        {
                            approximation_table[b, a]++;
                        }
                    }
                }
            }
        }
        public static void Main(String[] args)
        {
            int[] key_score = new int[16];
            int[] theProperKeys = new int[16];
            int stateProgress = 0;
            int maximum_score = 0;
            int guessing_key_1, guessing_key_2;
            int x, y;
            Random randomNumber = new Random();
            Console.WriteLine("Linear Cryptanalysis
                                        Simulation Program ");
            randomNumber.Next();
            FindingTheApproximation();
            DisplayTheApproximation();
            int approximationAsInput = 11;
            int approximationAsOutput = 11;
            number_known = 16;
            FillingTheKnowledgedOnces();
            Console.WriteLine("Cryptanalysis Linear Attack –
                          PHASE1. Based on linear
                          approximation = {0} -> {1} ",
                          approximationAsInput,
                          approximationAsOutput);
            for (x = 0; x < 16; x++)
            {
                key_score[x] = 0;
                for (y = 0; y < number_known; y++)
                {
                    stateProgress++;
                    //** Find Bi by guessing at K1
                    int middle_round =
                          RoundingFunction(known_plaintext[y], x);
                    if ((ApplyingTheMask(middle_round,
                              approximationAsInput) ==
                              ApplyingTheMask(known_ciphertext[y],
                              approximationAsOutput)))
                          key_score[x]++;
                    else
                        key_score[x]--;
                }
            }
            for (x = 0; x < 16; x++)
            {
                int theScore = key_score[x] * key_score[x];
                if (theScore > maximum_score)
                    maximum_score = theScore;
            }
            for (y = 0; y < 16; y++)
                theProperKeys[y] = -1;
            y = 0;
            for (x = 0; x < 16; x++)
                if ((key_score[x] * key_score[x]) ==
                                                    maximum_score)
                {
                    theProperKeys[y] = x;
                    Console.WriteLine("Cryptanalysis Linear
                                Attack - PHASE 2. The
                                possible for Key 1 = {0} ",
                                theProperKeys[x]);
                    y++;
                }
            for (y = 0; y < 16; y++)
            {
                if (theProperKeys[y] != -1)
                {
                    int testing_key_1 =
                                RoundingFunction(known_plaintext[0],
                                theProperKeys[y]) ^
                                revtheSBox[known_ciphertext[0]];
                    int g;
                    int wrong = 0;
                    for (g = 0; g < number_known; g++)
                    {
                        stateProgress += 2;
                        int testOut =
                                RoundingFunction(RoundingFunction(
                                known_plaintext[g], theProperKeys[y]), testing_key_1);
                        if (testOut != known_ciphertext[g])
                            wrong = 1;
                    }
                    if (wrong == 0)
                    {
                        Console.WriteLine("Cryptanalayis
                                      Linear Attack - PHASE 3. ");
                        Console.WriteLine(" I have found
                                      the keys! Key1 = {0}, Key2 =
                                      {1} ", theProperKeys[y],
                                      testing_key_1);
                        guessing_key_1 = theProperKeys[y];
                        guessing_key_2 = testing_key_1;
                        Console.WriteLine("Cryptanalysis
                                      Linear Attack - PHASE 4. ");
                        Console.WriteLine(" The number of
                                      computation until the key has
                                      been found = 0 ",
                                      stateProgress);
                        }
                }
            }
            Console.WriteLine("Cryptanalyis Linear Attack –
                                                   PHASE 5. ");
            Console.WriteLine("The number of computation =
                                      {0} ", stateProgress);
            stateProgress = 0;
            for (y = 0; y < 16; y++)
            {
                for (x = 0; x < 16; x++)
                {
                    int t;
                    int wrong = 0;
                    for (t = 0; t < number_known; t++)
                    {
                        stateProgress += 2;
                        int testOut =
                               RoundingFunction(RoundingFunction(
                                      known_plaintext[t], y), x);
                        if (testOut != known_ciphertext[t])
                            wrong = 1;
                    }
                    if (wrong == 0)
                    {
                        Console.WriteLine("Brute Force –
                                                         PHASE 1. ");
                        Console.WriteLine(" I managed to
                                      find the keys!
                                            Key1 = {0} Key2 =
                                            {1} ", y, x);
                        Console.WriteLine("Brute Force –
                                                         PHASE 2 ");
                        Console.WriteLine(" The number of
                                      computations until the key
                                      was dound = {0} ",
                                      stateProgress);
                    }
                }
            }
            Console.WriteLine("Brute Force - PHASE 3. ");
            Console.WriteLine("Computations total_amount =
                                              {0} ", stateProgress);
            while (true) { }
        }
    }
}
Listing 20-2

Linear Cryptanalysis Simulation

Conclusion

In this chapter, we discussed differential and linear cryptanalysis attacks and how such attacks can be designed and implemented. We presented the theoretical background and main foundation necessary to know before designing such cryptanalysis attacks.

At the end of this chapter, you can now

  • Identify theoretically the main components on which a cryptanalyst should focus

  • Understand how vulnerable those components are and how they can be exploited

  • Implement a linear and differential cryptanalysis attacks

Bibliography

  1. [1]

    Joan Daemen, Lars Knudsen, and Vincent Rijmen, “The Block Cipher Square. Fast Software Encryption (FSE),” In Volume 1267 of Lecture Notes in Computer Science (pp. 149–165), Haifa, Israel: Springer-Verlag. CiteSeerX 10.1.1.55.6109. 1997.

     
  2. [2]

    H. Heys, “A Tutorial on Linear and Differential Cryptanalysis,” In Cryptologia, vol. XXVI, no. 3 (pp. 189-221), 2002.

     
  3. [3]

    M. Matsui, “Linear Cryptanalysis Method for DES Cipher,” In Advances in Cryptology - EUROCRYPT ’93 (pp. 386-397), Springer-Verlag, 1994.

     
  4. [4]

    E. Biham, “On Matsui's linear cryptanalysis.” In A. De Santis (ed), Lecture Notes in Computer Science, vol. 950, (pp. 341–355). Springer-Verlag, Berlin, 1995.

     
  5. [5]

    A. Biryukov, C. De Cannière, M. Quisquater, “On Multiple Linear Approximations," In M. Franklin (ed), Advances in Cryptology, proceedings of CRYPTO 2004, Lecture Notes in Computer Science 3152 (pp. 1-22). Springer-Verlag, 2004.

     
  6. [6]

    L. Keliher, H. Meijer, and S.E. Tavares, “New method for upper bounding the maximum average linear hull probability for SPNs.” In B. Pfitzmann (ed), LNCS, vol. 2045 (pp. 420-436). Springer-Verlag, Berlin, 2001.

     
  7. [7]

    L. R. Knudsen and J.E. Mathiassen,“ A chosen-plaintext linear attack on DES,” In B. Schneier (ed.), Lecture Notes in Computer Science, vol. 1978 (pp. 262–272). Springer-Verlag, Berlin, 2001.

     
  8. [8]

    M. Matsui and A. Yamagishi, “A new method for known plaintext attack of FEAL cipher.” In R.A. Rueppel (ed), Lecture Notes in Computer Science, vol. 658 (pp. 81-91). Springer-Verlag, Berlin, 1993.

     
  9. [9]

    M. Matsui, “The first experimental cryptanalysis of the data encryption standard.” In Y.G. Desmedt (ed), Lecture Notes in Computer Science, vol. 839 (pp. 1-11). Springer-Verlag, Berlin, 1994.

     
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.240.249