fbpx
Wikipedia

Differential cryptanalysis

April 13, 2024

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key (cryptography key).

History edit

The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES). It was noted by Biham and Shamir that DES was surprisingly resistant to differential cryptanalysis, but small modifications to the algorithm would make it much more susceptible.[1]: 8–9 

In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974, and that defending against differential cryptanalysis had been a design goal.[2] According to author Steven Levy, IBM had discovered differential cryptanalysis on its own, and the NSA was apparently well aware of the technique.[3] IBM kept some secrets, as Coppersmith explains: "After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that could be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography."[2] Within IBM, differential cryptanalysis was known as the "T-attack"[2] or "Tickle attack".[4]

While DES was designed with resistance to differential cryptanalysis in mind, other contemporary ciphers proved to be vulnerable. An early target for the attack was the FEAL block cipher. The original proposed version with four rounds (FEAL-4) can be broken using only eight chosen plaintexts, and even a 31-round version of FEAL is susceptible to the attack. In contrast, the scheme can successfully cryptanalyze DES with an effort on the order of 247 chosen plaintexts.

Attack mechanics edit

Differential cryptanalysis is usually a chosen plaintext attack, meaning that the attacker must be able to obtain ciphertexts for some set of plaintexts of their choosing. There are, however, extensions that would allow a known plaintext or even a ciphertext-only attack. The basic method uses pairs of plaintexts related by a constant difference. Difference can be defined in several ways, but the eXclusive OR (XOR) operation is usual. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution. The resulting pair of differences is called a differential. Their statistical properties depend upon the nature of the S-boxes used for encryption, so the attacker analyses differentials   where

 
(and ⊕ denotes exclusive or) for each such S-box S. In the basic attack, one particular ciphertext difference is expected to be especially frequent. In this way, the cipher can be distinguished from random. More sophisticated variations allow the key to be recovered faster than an exhaustive search.

In the most basic form of key recovery through differential cryptanalysis, an attacker requests the ciphertexts for a large number of plaintext pairs, then assumes that the differential holds for at least r − 1 rounds, where r is the total number of rounds.[5] The attacker then deduces which round keys (for the final round) are possible, assuming the difference between the blocks before the final round is fixed. When round keys are short, this can be achieved by simply exhaustively decrypting the ciphertext pairs one round with each possible round key. When one round key has been deemed a potential round key considerably more often than any other key, it is assumed to be the correct round key.

For any particular cipher, the input difference must be carefully selected for the attack to be successful. An analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a differential characteristic.

Since differential cryptanalysis became public knowledge, it has become a basic concern of cipher designers. New designs are expected to be accompanied by evidence that the algorithm is resistant to this attack and many including the Advanced Encryption Standard, have been proven secure against the attack.[6]

Attack in detail edit

The attack relies primarily on the fact that a given input/output difference pattern only occurs for certain values of inputs. Usually the attack is applied in essence to the non-linear components as if they were a solid component (usually they are in fact look-up tables or S-boxes). Observing the desired output difference (between two chosen or known plaintext inputs) suggests possible key values.

For example, if a differential of 1 => 1 (implying a difference in the least significant bit (LSB) of the input leads to an output difference in the LSB) occurs with probability of 4/256 (possible with the non-linear function in the AES cipher for instance) then for only 4 values (or 2 pairs) of inputs is that differential possible. Suppose we have a non-linear function where the key is XOR'ed before evaluation and the values that allow the differential are {2,3} and {4,5}. If the attacker sends in the values of {6, 7} and observes the correct output difference it means the key is either 6 ⊕ K = 2, or 6 ⊕ K = 4, meaning the key K is either 2 or 4.

In essence, to protect a cipher from the attack, for an n-bit non-linear function one would ideally seek as close to 2−(n − 1) as possible to achieve differential uniformity. When this happens, the differential attack requires as much work to determine the key as simply brute forcing the key.[7]

The AES non-linear function has a maximum differential probability of 4/256 (most entries however are either 0 or 2). Meaning that in theory one could determine the key with half as much work as brute force, however, the high branch of AES prevents any high probability trails from existing over multiple rounds. In fact, the AES cipher would be just as immune to differential and linear attacks with a much weaker non-linear function. The incredibly high branch (active S-box count) of 25 over 4R means that over 8 rounds, no attack involves fewer than 50 non-linear transforms, meaning that the probability of success does not exceed Pr[attack] ≤ Pr[best attack on S-box]50. For example, with the current S-box AES emits no fixed differential with a probability higher than (4/256)50 or 2−300 which is far lower than the required threshold of 2−128 for a 128-bit block cipher. This would have allowed room for a more efficient S-box, even if it is 16-uniform the probability of attack would have still been 2−200.

There exist no bijections for even sized inputs/outputs with 2-uniformity. They exist in odd fields (such as GF(27)) using either cubing or inversion (there are other exponents that can be used as well). For instance, S(x) = x3 in any odd binary field is immune to differential and linear cryptanalysis. This is in part why the MISTY designs use 7- and 9-bit functions in the 16-bit non-linear function. What these functions gain in immunity to differential and linear attacks, they lose to algebraic attacks. [why?] That is, they are possible to describe and solve via a SAT solver. This is in part why AES (for instance) has an affine mapping after the inversion.

Specialized types edit

See also edit

References edit

  1. ^ Biham E, Shamir A (1993). Differential cryptanalysis of the data encryption standard. New York: Springer Verlag. ISBN 978-0-387-97930-4.
  2. ^ a b c Coppersmith D (May 1994). "The Data Encryption Standard (DES) and its strength against attacks" (PDF). IBM Journal of Research and Development. 38 (3): 243–250. doi:10.1147/rd.383.0243. (subscription required)
  3. ^ Levy S (2001). Crypto: How the Code Rebels Beat the Government — Saving Privacy in the Digital Age. Penguin Books. pp. 55–56. ISBN 0-14-024432-8.
  4. ^ Blaze M (15 August 1996). "Re: Reverse engineering and the Clipper chip". sci.crypt.
  5. ^ "Differential Cryptanalysis - an overview | ScienceDirect Topics". www.sciencedirect.com. Retrieved 2023-04-13.
  6. ^ Nechvatal J, Barker E, Bassham L, Burr W, Dworkin M, Foti J, Roback E (May–June 2001). "Report on the Development of the Advanced Encryption Standard (AES)". Journal of Research of the National Institute of Standards and Technology. 106 (3): 511–577. doi:10.6028/jres.106.023. PMC 4863838. PMID 27500035. 3.2.1.3.
  7. ^ Indesteege, Sebastiaan; Preneel, Bart (2009). "Practical Collisions for EnRUPT". In Dunkelman, Orr (ed.). Fast Software Encryption. Lecture Notes in Computer Science. Vol. 5665. Berlin, Heidelberg: Springer. pp. 246–259. doi:10.1007/978-3-642-03317-9_15. ISBN 978-3-642-03317-9.

Further reading edit

  • Biham E, Shamir A (January 1991). "Differential cryptanalysis of DES-like cryptosystems". Journal of Cryptology. 4 (1): 3–72. doi:10.1007/BF00630563. S2CID 33202054.
  • Biham E, Shamir A (August 1992). . Annual International Cryptology Conference. Lecture Notes in Computer Science. Vol. 740. Berlin, Heidelberg: Springer. pp. 487–496. doi:10.1007/3-540-48071-4_34. ISBN 978-3-540-57340-1. S2CID 6188138. Archived from the original on 2005-04-05.
  • Knudsen LR, Robshaw M (2011). "Differential Cryptanalysis: The Idea". The Block Cipher Companion. Information Security and Cryptography. Springer. pp. 109–126. doi:10.1007/978-3-642-17342-4. ISBN 978-3-642-17341-7.

External links edit

  • A tutorial on differential (and linear) cryptanalysis
  • at the Wayback Machine (archived October 19, 2007)

April 13, 2024
differential, cryptanalysis, general, form, cryptanalysis, applicable, primarily, block, ciphers, also, stream, ciphers, cryptographic, hash, functions, broadest, sense, study, differences, information, input, affect, resultant, difference, output, case, block. Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers but also to stream ciphers and cryptographic hash functions In the broadest sense it is the study of how differences in information input can affect the resultant difference at the output In the case of a block cipher it refers to a set of techniques for tracing differences through the network of transformation discovering where the cipher exhibits non random behavior and exploiting such properties to recover the secret key cryptography key Contents 1 History 2 Attack mechanics 3 Attack in detail 4 Specialized types 5 See also 6 References 7 Further reading 8 External linksHistory editThe discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s who published a number of attacks against various block ciphers and hash functions including a theoretical weakness in the Data Encryption Standard DES It was noted by Biham and Shamir that DES was surprisingly resistant to differential cryptanalysis but small modifications to the algorithm would make it much more susceptible 1 8 9 In 1994 a member of the original IBM DES team Don Coppersmith published a paper stating that differential cryptanalysis was known to IBM as early as 1974 and that defending against differential cryptanalysis had been a design goal 2 According to author Steven Levy IBM had discovered differential cryptanalysis on its own and the NSA was apparently well aware of the technique 3 IBM kept some secrets as Coppersmith explains After discussions with NSA it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis a powerful technique that could be used against many ciphers This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography 2 Within IBM differential cryptanalysis was known as the T attack 2 or Tickle attack 4 While DES was designed with resistance to differential cryptanalysis in mind other contemporary ciphers proved to be vulnerable An early target for the attack was the FEAL block cipher The original proposed version with four rounds FEAL 4 can be broken using only eight chosen plaintexts and even a 31 round version of FEAL is susceptible to the attack In contrast the scheme can successfully cryptanalyze DES with an effort on the order of 247 chosen plaintexts Attack mechanics editThis section does not cite any sources Please help improve this section by adding citations to reliable sources Unsourced material may be challenged and removed July 2021 Learn how and when to remove this template message Differential cryptanalysis is usually a chosen plaintext attack meaning that the attacker must be able to obtain ciphertexts for some set of plaintexts of their choosing There are however extensions that would allow a known plaintext or even a ciphertext only attack The basic method uses pairs of plaintexts related by a constant difference Difference can be defined in several ways but the eXclusive OR XOR operation is usual The attacker then computes the differences of the corresponding ciphertexts hoping to detect statistical patterns in their distribution The resulting pair of differences is called a differential Their statistical properties depend upon the nature of the S boxes used for encryption so the attacker analyses differentials Dx Dy displaystyle Delta x Delta y nbsp whereDy S x Dx S x displaystyle Delta y S x oplus Delta x oplus S x nbsp and denotes exclusive or for each such S box S In the basic attack one particular ciphertext difference is expected to be especially frequent In this way the cipher can be distinguished from random More sophisticated variations allow the key to be recovered faster than an exhaustive search In the most basic form of key recovery through differential cryptanalysis an attacker requests the ciphertexts for a large number of plaintext pairs then assumes that the differential holds for at least r 1 rounds where r is the total number of rounds 5 The attacker then deduces which round keys for the final round are possible assuming the difference between the blocks before the final round is fixed When round keys are short this can be achieved by simply exhaustively decrypting the ciphertext pairs one round with each possible round key When one round key has been deemed a potential round key considerably more often than any other key it is assumed to be the correct round key For any particular cipher the input difference must be carefully selected for the attack to be successful An analysis of the algorithm s internals is undertaken the standard method is to trace a path of highly probable differences through the various stages of encryption termed a differential characteristic Since differential cryptanalysis became public knowledge it has become a basic concern of cipher designers New designs are expected to be accompanied by evidence that the algorithm is resistant to this attack and many including the Advanced Encryption Standard have been proven secure against the attack 6 Attack in detail editThis section does not cite any sources Please help improve this section by adding citations to reliable sources Unsourced material may be challenged and removed July 2021 Learn how and when to remove this template message The attack relies primarily on the fact that a given input output difference pattern only occurs for certain values of inputs Usually the attack is applied in essence to the non linear components as if they were a solid component usually they are in fact look up tables or S boxes Observing the desired output difference between two chosen or known plaintext inputs suggests possible key values For example if a differential of 1 gt 1 implying a difference in the least significant bit LSB of the input leads to an output difference in the LSB occurs with probability of 4 256 possible with the non linear function in the AES cipher for instance then for only 4 values or 2 pairs of inputs is that differential possible Suppose we have a non linear function where the key is XOR ed before evaluation and the values that allow the differential are 2 3 and 4 5 If the attacker sends in the values of 6 7 and observes the correct output difference it means the key is either 6 K 2 or 6 K 4 meaning the key K is either 2 or 4 In essence to protect a cipher from the attack for an n bit non linear function one would ideally seek as close to 2 n 1 as possible to achieve differential uniformity When this happens the differential attack requires as much work to determine the key as simply brute forcing the key 7 The AES non linear function has a maximum differential probability of 4 256 most entries however are either 0 or 2 Meaning that in theory one could determine the key with half as much work as brute force however the high branch of AES prevents any high probability trails from existing over multiple rounds In fact the AES cipher would be just as immune to differential and linear attacks with a much weaker non linear function The incredibly high branch active S box count of 25 over 4R means that over 8 rounds no attack involves fewer than 50 non linear transforms meaning that the probability of success does not exceed Pr attack Pr best attack on S box 50 For example with the current S box AES emits no fixed differential with a probability higher than 4 256 50 or 2 300 which is far lower than the required threshold of 2 128 for a 128 bit block cipher This would have allowed room for a more efficient S box even if it is 16 uniform the probability of attack would have still been 2 200 There exist no bijections for even sized inputs outputs with 2 uniformity They exist in odd fields such as GF 27 using either cubing or inversion there are other exponents that can be used as well For instance S x x3 in any odd binary field is immune to differential and linear cryptanalysis This is in part why the MISTY designs use 7 and 9 bit functions in the 16 bit non linear function What these functions gain in immunity to differential and linear attacks they lose to algebraic attacks why That is they are possible to describe and solve via a SAT solver This is in part why AES for instance has an affine mapping after the inversion Specialized types editHigher order differential cryptanalysis Truncated differential cryptanalysis Impossible differential cryptanalysis Boomerang attackSee also editCryptography Integral cryptanalysis Linear cryptanalysis Differential equations of additionReferences edit Biham E Shamir A 1993 Differential cryptanalysis of the data encryption standard New York Springer Verlag ISBN 978 0 387 97930 4 a b c Coppersmith D May 1994 The Data Encryption Standard DES and its strength against attacks PDF IBM Journal of Research and Development 38 3 243 250 doi 10 1147 rd 383 0243 subscription required Levy S 2001 Crypto How the Code Rebels Beat the Government Saving Privacy in the Digital Age Penguin Books pp 55 56 ISBN 0 14 024432 8 Blaze M 15 August 1996 Re Reverse engineering and the Clipper chip sci crypt Differential Cryptanalysis an overview ScienceDirect Topics www sciencedirect com Retrieved 2023 04 13 Nechvatal J Barker E Bassham L Burr W Dworkin M Foti J Roback E May June 2001 Report on the Development of the Advanced Encryption Standard AES Journal of Research of the National Institute of Standards and Technology 106 3 511 577 doi 10 6028 jres 106 023 PMC 4863838 PMID 27500035 3 2 1 3 Indesteege Sebastiaan Preneel Bart 2009 Practical Collisions for EnRUPT In Dunkelman Orr ed Fast Software Encryption Lecture Notes in Computer Science Vol 5665 Berlin Heidelberg Springer pp 246 259 doi 10 1007 978 3 642 03317 9 15 ISBN 978 3 642 03317 9 Further reading editBiham E Shamir A January 1991 Differential cryptanalysis of DES like cryptosystems Journal of Cryptology 4 1 3 72 doi 10 1007 BF00630563 S2CID 33202054 Biham E Shamir A August 1992 Differential cryptanalysis of the full 16 round DES Annual International Cryptology Conference Lecture Notes in Computer Science Vol 740 Berlin Heidelberg Springer pp 487 496 doi 10 1007 3 540 48071 4 34 ISBN 978 3 540 57340 1 S2CID 6188138 Archived from the original on 2005 04 05 Knudsen LR Robshaw M 2011 Differential Cryptanalysis The Idea The Block Cipher Companion Information Security and Cryptography Springer pp 109 126 doi 10 1007 978 3 642 17342 4 ISBN 978 3 642 17341 7 External links editA tutorial on differential and linear cryptanalysis Helger Lipmaa s links on differential cryptanalysis A description of the attack applied to DES at the Wayback Machine archived October 19 2007 Retrieved from https en wikipedia org w index php title Differential cryptanalysis amp oldid 1182536315, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.