Linear Cryptanalysis of DES M. Matsui. 1. Linear Cryptanalysis Method for DES Ciph er . EUROCRYPT 93, 1994. 2. The first experimental cryptanalysis of the Data Encryption Standard . CRYPT0 94, 1994.
Linear Cryptanalysis of DES
M. Matsui.1. Linear Cryptanalysis Method for DES Cipher.
EUROCRYPT 93, 1994. 2. The first experimental cryptanalysis of the Data Encryp
tion Standard. CRYPT0 94, 1994.
Linear Approximations• A function with one bit output is a linear function
over if output is XOR of input bits and constants.– Examples:
• If the function f in DES is linear then we can break DES.
• g has a p-linear approximation if with probability p the output is equal to a linear function.– Example: has a 3/4-linear approximation.
• Every function has a ½-approximation.
2Z
Using Linear Approximations of DES• Assume that 1 bit of the output has a linear approx.• Example: Assume that if we pick M at random and
C=DES(M,K), then with probability 0.51
Attack: – Get a random message and its encryption:
• (M, C= DES(M,K)).– Compute and conclude that with probability 0.51.
• Increasing the probability: repeat many times and take majority.
• Can use exhaustive search with complexity
[56] [17] [17] [23]C M K K
[17] [23]K K b
[56] [17]b C M
Using Linear Approximations of DES
How do we find linear approximations in DES?
• consider 3-round DES, without IP and IP-1.
• start with an S-BOX – S5.
The S-Box S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
2 1 2 3 452 with probability 0.864
x y y y y
S5
3x2x 4x
6x1x
5x
4y3y2y1y
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
Does not look random:• 1,2 ,7,11 appears only in left side• 4,12,13 appear 3 times in left side• 8,10,14 appear 2 times in each side• 0,3,5,9,15 appears only in right
side• 6 appears 3 times in right side• The XOR of the numbers in left-side
is 1
The f function of DES
17—20
The permutation P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
We need to trace the bits 17-20 that come from to S5
After P they are bits 3,8,14,25
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
The f function of DES
Bits 3,8,14,25
17-20
26
Bit 26 in k
26
The Expansion function E
We need bit 26 – the second bit that goes to S5
The f function of DES
Bits 3,8,14,25
17-20
26
Bit 26 in k
26
Bit 17 in R
3 Round DES
Bit 26
Bit 17
Bits 3,8,14,25
Bits 3,8,14,25
Bit 26
Bits 3,8,14,25
Bit 17
Bit 17
0 1 0 1 0 1 0 1 0 1( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]L R L R L R L R R K
Bits 3,8,14,25
The Attack on 3 Round DES
0 1 0 1 0 1 0 1 0 1( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]L R L R L R L R R K
3 1 3 1 3 1 3 1 3 3( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]R R R R R R R R L K
• From third round with probability 52/64
• From first round with probability 52/64
• Thus, with probability (52/64) 2+(12/64)2 0.7
• Finds one bit of the key
0 0 0 0 3 3 3 3 0 3
1 3
( [3] [8] [14] [25]) ( [3] [8] [14] [25]) [17] [17] [26] [26]L L L L R R R R R L
K K
Linear cryptanalysis: Learning One Bit
• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then – Get O(1/p2) message, encryption pairs
• For each pair compute “the bit” of the key• Take the value that appears more times
• Get correct value with high probability• Learn one bit of key• Can do better…
4 Round DES
Bits 3,8,14,25
KK
?
Bit 26
Bit 26
Bits 3,8,14,25 Bit 17
K4
Bit 17 Bits 3,8,14,25
• Only 6 bits in K4 affect bit 17 of
• With the correct 6 bits the 3-round approximation holds with prob. 0.7• With incorrect 6 bits is random• Check 26 options of these bits and find the correct bits• Found 7 bits of key!
3 4( , )f L K
4 4
0 0 0 0 3 3 3 3 0 3
1 3
( [3] [8] [14] [25]) ( [3] [8] [14] [25]) [17] [17] [26] [26]L L L L R R R R R L
K K
𝐿4𝐿4
𝐿4
𝐿4
𝐿3 [17 ]⊕ 𝑓 (𝐿4 ,𝐾 4 ) [ 17 ]=𝑅4[17]
?
Linear cryptanalysis
• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then we choose O(1/p2) messages in (i+1)-round DES and compute 7 bits of the key.
• Can do the same trick with first round and last i-rounds, get another 7 bits
• Use exhaustive search to find the other 42 bits.
Known Attacks
• 8 rounds: 221 plaintexts (40 seconds)• 12 rounds: 233 plaintexts (50 hours)• 16 rounds: 243 plaintexts (50 days, 12
computers)– Uses two 14-rounds approximation– Using each approximation it finds 13 bits– Finds 30 bits by exhaustive search