Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.

Linear Cryptanalysis of DES

M. Matsui.1. Linear Cryptanalysis Method for DES Cipher.

EUROCRYPT 93, 1994. 2. The first experimental cryptanalysis of the Data Encryp

tion Standard. CRYPT0 94, 1994.

Linear Approximations• A function with one bit output is a linear function

over if output is XOR of input bits and constants.– Examples:

• If the function f in DES is linear then we can break DES.

• g has a p-linear approximation if with probability p the output is equal to a linear function.– Example: has a 3/4-linear approximation.

• Every function has a ½-approximation.

2Z

Using Linear Approximations of DES• Assume that 1 bit of the output has a linear approx.• Example: Assume that if we pick M at random and

C=DES(M,K), then with probability 0.51

Attack: – Get a random message and its encryption:

• (M, C= DES(M,K)).– Compute and conclude that with probability 0.51.

• Increasing the probability: repeat many times and take majority.

• Can use exhaustive search with complexity

[56] [17] [17] [23]C M K K

[17] [23]K K b

[56] [17]b C M

Using Linear Approximations of DES

How do we find linear approximations in DES?

• consider 3-round DES, without IP and IP-1.

• start with an S-BOX – S5.

The S-Box S5

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

2 1 2 3 452 with probability 0.864

x y y y y

S5

3x2x 4x

6x1x

5x

4y3y2y1y

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

Does not look random:• 1,2 ,7,11 appears only in left side• 4,12,13 appear 3 times in left side• 8,10,14 appear 2 times in each side• 0,3,5,9,15 appears only in right

side• 6 appears 3 times in right side• The XOR of the numbers in left-side

is 1

The f function of DES

17—20

The permutation P

16 7 20 21

29 12 28 17

1 15 23 26

5 18 31 10

2 8 24 14

32 27 3 9

19 13 30 6

22 11 4 25

We need to trace the bits 17-20 that come from to S5

After P they are bits 3,8,14,25

16 7 20 21

29 12 28 17

1 15 23 26

5 18 31 10

2 8 24 14

32 27 3 9

19 13 30 6

22 11 4 25

The f function of DES

Bits 3,8,14,25

17-20

26

Bit 26 in k

26

The Expansion function E

We need bit 26 – the second bit that goes to S5

The f function of DES

Bits 3,8,14,25

17-20

26

Bit 26 in k

26

Bit 17 in R

3 Round DES

Bit 26

Bit 17

Bits 3,8,14,25

Bits 3,8,14,25

Bit 26

Bits 3,8,14,25

Bit 17

Bit 17

0 1 0 1 0 1 0 1 0 1( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]L R L R L R L R R K

Bits 3,8,14,25

The Attack on 3 Round DES

0 1 0 1 0 1 0 1 0 1( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]L R L R L R L R R K

3 1 3 1 3 1 3 1 3 3( [3] [3]) ( [8] [8]) ( [14] [14]) ( [25] [25]) [17] [26]R R R R R R R R L K

• From third round with probability 52/64

• From first round with probability 52/64

• Thus, with probability (52/64) 2+(12/64)2 0.7

• Finds one bit of the key

0 0 0 0 3 3 3 3 0 3

1 3

( [3] [8] [14] [25]) ( [3] [8] [14] [25]) [17] [17] [26] [26]L L L L R R R R R L

K K

Linear cryptanalysis: Learning One Bit

• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then – Get O(1/p2) message, encryption pairs

• For each pair compute “the bit” of the key• Take the value that appears more times

• Get correct value with high probability• Learn one bit of key• Can do better…

4 Round DES

Bits 3,8,14,25

KK

?

Bit 26

Bit 26

Bits 3,8,14,25 Bit 17

K4

Bit 17 Bits 3,8,14,25

• Only 6 bits in K4 affect bit 17 of

• With the correct 6 bits the 3-round approximation holds with prob. 0.7• With incorrect 6 bits is random• Check 26 options of these bits and find the correct bits• Found 7 bits of key!

3 4( , )f L K

4 4

0 0 0 0 3 3 3 3 0 3

1 3

( [3] [8] [14] [25]) ( [3] [8] [14] [25]) [17] [17] [26] [26]L L L L R R R R R L

K K

𝐿4𝐿4

𝐿4

𝐿4

𝐿3 [17 ]⊕ 𝑓 (𝐿4 ,𝐾 4 ) [ 17 ]=𝑅4[17]

?

Linear cryptanalysis

• If a bit of the outputs has a 1/2+p linear approximation in i-round DES, then we choose O(1/p2) messages in (i+1)-round DES and compute 7 bits of the key.

• Can do the same trick with first round and last i-rounds, get another 7 bits

• Use exhaustive search to find the other 42 bits.

Known Attacks

• 8 rounds: 221 plaintexts (40 seconds)• 12 rounds: 233 plaintexts (50 hours)• 16 rounds: 243 plaintexts (50 days, 12

computers)– Uses two 14-rounds approximation– Using each approximation it finds 13 bits– Finds 30 bits by exhaustive search