9/2/2016

The Amazing King - Linear Cryptanalysis Tutorial
http://www.theamazingking.com/cryptolinear.php

This is going to be a fun tutorial - we're going to learn about a technique called linear cryptanalysis. There have been tons of papers about this category of cryptanalytic attacks since Matsui discovered it. However, I challenge anyone to find one that doesn't require a PhD to understand. I have slowly been learning the language of the mathematicians and academic crypto folks and I hope to present this idea in a way that it is accessible and understandable. I'm going to assume a basic familiarity with how typical ciphers are put together and what some terms mean. Reading through my page on Block Ciphers should get you up to speed. If you're having trouble understanding something here, please write me an email and I'll do my best. I'm still a beginner at this stuff, but I feel I've got a firm grasp of how this attack works.

Source Code - This program, written in C, implements the toy cipher, calculates the approximations, uses linear cryptanalysis to break the key, and finally compares the computational work to brute force.

What's the Problem?

Alrighty, first we're going to discuss why one needs an attack like this. To the right is a diagram of our toy cipher that we'll eventually break. As you can see, it consists of two rounds. In each round, the input is XOR'd with a chunk of the key and then run through a Substitution Box. Keep in mind that we have 16 pairs of known plaintext/ciphertext. By this, I mean that 16 inputs to this cipher are known to us along with their encrypted output. All of these known pairs were encrypted with the same key. We also know how the S-Box operates completely - the only thing unknown is the key. We're going to use this information, some statistical information about the S-Box, and some test encryptions to recover the key with far less work than brute forcing every possible key.

Imagine if only the left half of the key was used and there was only one round in this cipher. We could trivially break it as follows: run the ciphertext backward through the S-Box and then XOR it with the plaintext. This gives us the key with no effort and only one known pair. Now what happens if we try a similar technique on the full two-round version? Let's walk through it: first we run the ciphertext through the 2nd S-Box backwards, then we XOR with the input to round #2... Wait a minute, we don't know what the input to round #2 is! In order to get that information, we must know the output of round #1 and thus the left half of the key.

Ok, maybe we can recover the left half of the key and then go for the right half. So we take our known plaintext and XOR it with a left key half guess. Next we run it through the first S-Box and we have a guess at the output of round #1. But we don't have anything to compare this output to. We have no idea if it's correct and thus can't use it for anything. Try to find a way to recover the key without testing every single key (brute force). Just trying different simple ideas and seeing why they won't work is really the only way to see that another solution is necessary. Play with that diagram until it makes complete sense that the full 2-round cipher is much harder to crack than the 1-round version.

Toy Cipher Details

Next, we'll define some of the parameters that the toy cipher uses. These will be kept low for a variety of reasons. By making this algorithm use small blocks and keys, any software written to test things out will be fast and give us instant results. Also, processing data a few bits at a time makes things easier to understand and follow, in my opinion. This cipher's parameters can be grown later for a more real-world test if desired.

The block size is only 4 bits and the key size is only 8 bits (2 x 4-bit subkeys). This means that each 4-bit block is mixed with the 4-bit left half of the key in round 1 and then mixed with the 4-bit right half in round 2. There are only 256 possible keys and 16 possible inputs/outputs. As you'll find, this means that multiple keys can encrypt a plaintext block into the same ciphertext block. The trick is finding the correct key that will do this for all known pairs.

Also take note that the diagram to the left has been altered slightly. We will no longer refer to the parts of the key as "left half" and "right half". The left part of the key has been renamed K1 and the right K2. These pieces of the original key are known as subkeys and are the target. By recovering K1 and K2, we will also recover the original key. Also, if it is not clear, each subkey is 4 bits long. Also, the data in between rounds 1 and 2 has been labelled "M", which stands for midpoint. We do not know this value yet, but it is a very important place in the cipher. Think of M as being both the output of round #1 and the input to round #2.

Now a quick word on the S-Boxes. They are both identical - this is not required but it makes things simpler to code and think about. The listing to the right shows the contents of the S-Box. It simply takes an input shown to the left side of the arrow and outputs the corresponding value on the right side of the arrow.

Linear Approximations

You know that we can make a random guess at K0 and thus a random guess at M. What if there was a way to test if M is correct? We only have known plaintext (P) and known ciphertext (C) - we don't have known midpoint (M). Well, there is no way to know for sure if our guessed M is correct (without brute forcing, of course), but there is a way to make an educated guess. We don't even have to have any information about K1 to do it! Before we delve into this topic, it's important to understand why being able to validate M is helpful to the attacker. If we know with 90% certainty that M is correct after guessing K0, we can run the ciphertext backwards through S-Box #2 and then XOR it with the guessed M. This would give us a good guess at K1. If we can accomplish this then we would be left with a guess for K0 and a guess for K1 that are both correct with a probability of 90%. This educated guess at the key can then be plugged into the cipher and tested against all of the known pairs. If they all encrypt correctly using K0 and K1, then they are correct and you win.

Linearity is a difficult and ambiguous topic to grasp and I do not possess the mathematical prowess to do it justice. Instead, I will explain my layman's idea of what it is. If you feed a random input with a particular property into a magic box and can guess the corresponding property in the output, the magic box is at least somewhat linear. For example, imagine that your box takes an input and adds 1 to it. Now let's say that the property you are looking for is whether the input/output is even. By feeding it an input, you know that this property will be the opposite in the output every single time. In other words, adding 1 to an even number will always produce an odd number and vice versa. This magic box would be completely linear in regard to divisibility by two. This way of thinking about it may not be completely correct but it helps to understand the concept, especially as it applies to linear cryptanalysis.

S-Boxes are used to add non-linearity to ciphers. Ideally, an S-Box should receive an input with property X and output a number that has property Y exactly 50% of the time. This does not mean there is anything tricky going on in there, it just means that exactly half of those property X inputs should output a property Y output. Let's go ahead and talk about the property we'll be using: parity. Parity is a boolean value (1 or 0) that we get if we XOR together some of the bits of a number. The bits that we XOR together are defined by another number called a mask. If you want to figure out the parity of a number when masked, do a bitwise AND operation on the mask and the value. Then XOR all of the bits in this result together. The mask tells us to ignore certain bits of the number when calculating the parity.

We'll use this strange masked parity concept to find linearity in the S-Boxes. We're going to test every single combination of input mask versus output mask. Also, this will be done for every possible 4-bit input. So basically we're going to take an input value and mask it using an input mask. Let's call this resulting bit "input parity". Next we take that original input, run it through the S-Box, and mask it with an output mask. We then compare this "output parity" with the input parity. If they match, then we know that this combination of input and output masks held true for that input. After doing this dance for every possible input against every pair of input/output masks, we've made a linear approximation table. Each entry in the table is the number of times a linear approximation formed by a specific input/output mask pair held true when tested against all 16 possible inputs. If the S-Box were totally non-linear in this way, every one of these entries would be an 8 and linear cryptanalysis would be impossible.

Best Approximation?

Ok, so now you have this table of numbers and their associated mask pairs. What do you do with it? We haven't touched any plaintext/ciphertext pairs yet - only crunched numbers related to the S-Box. Let's pretend that one of those approximations in the table read 16 - that would mean that it held 100% of the time. In other words, no matter what input you feed that S-Box, its masked input parity will equal the corresponding masked output parity after being run through the S-Box. Something to note here is that an XOR does not impact this fact at all. If every input is XOR'd by some value (like a subkey), the most impact it will have is flipping these odds. If you XOR the input by 1 before masking, it may make the approximation hold true 0% of the time instead of 100%.

One of the good linear approximations in the table for the toy cipher's S-Box is 11 -> 11, which holds true for 14/16 inputs. In other words, if you XOR bits 1, 2, and 4 of almost any input, this value will equal the corresponding output's parity (using the same mask in this case). This fact will hold true for all but 2 inputs. If these inputs are first XOR'd by a subkey, this probability of truth may become 2/16.
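
As an added example (not the tutorial's own C program), this builds the linear approximation table described above and shows how a subkey XOR in front of the S-Box turns a 14/16 approximation into a 2/16 one. The S-Box is constructed for illustration so that the mask pair 11 -> 11 holds for 14 of 16 inputs; it and the function names are assumptions, since the page's S-Box listing does not survive in the text.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed 4-bit S-box (assumption; not taken from the page's listing). */
static const int SBOX[16] = {9, 11, 12, 4, 10, 1, 2, 6, 13, 7, 3, 8, 15, 14, 0, 5};

/* Masked parity: AND with the mask, then XOR the surviving bits together. */
static int parity(int value, int mask) {
    int v = value & mask, p = 0;
    while (v) { p ^= v & 1; v >>= 1; }
    return p;
}

/* How many of the 16 inputs x satisfy parity(x, in) == parity(SBOX[x ^ subkey], out).
   subkey = 0 tests the bare S-box; a non-zero subkey models the XOR in front of it. */
static int hits(int in, int out, int subkey) {
    int n = 0;
    for (int x = 0; x < 16; x++)
        n += parity(x, in) == parity(SBOX[x ^ subkey], out);
    return n;
}

/* Linear approximation table: one count per (input mask, output mask) pair. */
static void build_lat(int lat[16][16]) {
    for (int in = 0; in < 16; in++)
        for (int out = 0; out < 16; out++)
            lat[in][out] = hits(in, out, 0);
}

/* Largest distance from 8 over the non-zero mask pairs. */
static int strongest_deviation(int lat[16][16]) {
    int best = 0;
    for (int in = 1; in < 16; in++)
        for (int out = 1; out < 16; out++)
            if (abs(lat[in][out] - 8) > best) best = abs(lat[in][out] - 8);
    return best;
}

int main(void) {
    int lat[16][16];
    build_lat(lat);
    int top = strongest_deviation(lat);
    for (int in = 1; in < 16; in++)
        for (int out = 1; out < 16; out++)
            if (abs(lat[in][out] - 8) == top)
                printf("%2d -> %2d holds for %2d/16 inputs\n", in, out, lat[in][out]);
    printf("11 -> 11 behind subkey 1: %d/16\n", hits(11, 11, 1));
    return 0;
}
```

Whether the count stays at 14 or flips to 2 depends only on the masked parity of the subkey, which is why the attack scores the distance from 8 rather than the raw count.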

Testing the Midpoint

Remember when I said we can test if M is correct after guessing K0? Do not think of M as the output of round 1 but rather the input of round 2. Remember that round 2 consists of an XOR with K1 that doesn't really affect the probability of a linear approximation holding true. And of course, then comes the S-Box, which we have now approximated. So we'll take our guessed inputs and use the input mask of 11 to get their parity. Next take the corresponding REAL outputs of round 2 (known ciphertexts) and get their parity when masked with 11. If these guessed input parities are equal to the real output parities for around 14/16 or 2/16 of the known pairs, the K0 that was used to generate those M values is likely correct.

Notice that we don't really care how M was generated except that we guessed K0 to get it. The contents of round 1's S-Box don't matter and are not being tested by the linear approximation. It's only the characteristics of round #2's S-Box that are being used to test if the Ms are likely correct. If the guessed K0 and thus Ms are not correct, then the linear approximation will not be true with the same probability as the real deal. In other words, we are taking our known outputs and testing them against guessed inputs. The linear approximation is what allows us to make an educated guess that the input generated this output. Because we guessed at K0 to get this input, if the approximation holds true with the right probability it means that the guessed K0 is likely correct. Now that we know P, K0, M, and C, some basic fiddling will get us K1. Just take C and feed it through the S-Box backwards and XOR it with the now known M. This will give us K1 and, when combined with K0, leaves us with the full key. Finally, we test this full guessed key against every known plaintext and see if it generates the corresponding ciphertext. If it does, then we have found the key!

Implementation and Summary

If we want to test this out with real code (something the internet is seriously lacking regarding this stuff) we need to take it in steps. Step 1: Find a good linear approximation for the S-Box. We mask every possible 4-bit input with every possible input mask and compare the parity against the parity of the output masked by every possible output mask. This concept is much easier to understand when you check out the source code. This step makes us perform 16*16*16 tests (inputs, input masks, output masks). For how small the keyspace is, this is a lot of work. Remember though, we only need to do this once as long as the S-Box doesn't change. Now we have the percentage of inputs that an input/output mask pair holds true for. We start looking for pairs that hold true close to 100%. You'll find some good candidates that hold true for 14 of the 16 possible inputs. I use the input mask of 11 and the output mask of 11.

Now that we have an approximation to test for, guess every value of K0 and encrypt (through round 1) all 16 known plaintexts with it to get 16 guesses at M. Then test each of these Ms against the linear approximation (used in round 2). The series of Ms that either hold true almost none of the time or almost all of the time makes the K0 that generated them possibly correct. By doing a little math on the results (subtract 8 and square the result), you can give each candidate K0 a "score". Then find the highest score and make a list of the K0 candidates that have it. In this implementation, I find that there are usually 2 but sometimes 0 or even 4.

So now you have a list of candidate K0s - use one of the known pairs to calculate a corresponding candidate K1. Next test this educated key guess against all known plaintext/ciphertext pairs. If it matches then you've found the key. My program also keeps track of how many total calculations this whole process takes as well as how many it took before a key was found. It then brute forces the whole thing and does the same type of counting. This lets you compare how much work was saved by not doing brute force.
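
The steps above, as an added example rather than the author's program: score every K0 guess with the 11 -> 11 approximation, derive K1 from one known pair, and verify the full key against all pairs. The S-Box, sample key and known pairs are constructed for illustration and the function names are assumptions; unlike the procedure described above, it walks the K0 guesses in descending score order instead of testing only the top scorers, so it still finishes when a wrong guess out-scores the right one.

```c
#include <stdio.h>

/* Constructed S-box (assumption, not the page's listing): 11 -> 11 holds for 14/16 inputs. */
static const int SBOX[16] = {9, 11, 12, 4, 10, 1, 2, 6, 13, 7, 3, 8, 15, 14, 0, 5};
enum { MASK = 11, NPAIRS = 16 };

static int parity(int v) { v &= MASK; v ^= v >> 2; v ^= v >> 1; return v & 1; }
static int round_fn(int in, int subkey) { return SBOX[(in ^ subkey) & 15]; }
static int encrypt(int p, int k0, int k1) { return round_fn(round_fn(p, k0), k1); }
static int sbox_inverse(int out) { int i = 0; while (SBOX[i] != out) i++; return i; }

/* Score a K0 guess as (matches - 8)^2, so "almost always" and "almost never" both rank high. */
static int score_k0(int k0, const int *pt, const int *ct) {
    int hits = 0;
    for (int i = 0; i < NPAIRS; i++)   /* guessed M parity vs. real ciphertext parity */
        hits += parity(round_fn(pt[i], k0)) == parity(ct[i]);
    return (hits - 8) * (hits - 8);
}

/* Returns the recovered 8-bit key (K0 in the high nibble), or -1 if no guess verifies. */
static int recover_key(const int *pt, const int *ct) {
    int tried[16] = {0};
    for (int n = 0; n < 16; n++) {
        int k0 = -1, best = -1;
        for (int g = 0; g < 16; g++) {          /* pick the best-scoring untried guess */
            int s = score_k0(g, pt, ct);
            if (!tried[g] && s > best) { best = s; k0 = g; }
        }
        tried[k0] = 1;
        int k1 = sbox_inverse(ct[0]) ^ round_fn(pt[0], k0);  /* K1 = S^-1(C) xor M */
        int ok = 1;
        for (int i = 0; i < NPAIRS && ok; i++)
            ok = encrypt(pt[i], k0, k1) == ct[i];
        if (ok) return (k0 << 4) | k1;
    }
    return -1;
}

/* Constructed known pairs: plaintexts 0..15 encrypted under a sample key. */
static void make_pairs(int k0, int k1, int *pt, int *ct) {
    for (int i = 0; i < NPAIRS; i++) { pt[i] = i; ct[i] = encrypt(i, k0, k1); }
}

int main(void) {
    int pt[NPAIRS], ct[NPAIRS];
    make_pairs(0x6, 0xC, pt, ct);
    printf("true K0 score = %d, key = 0x%02X\n", score_k0(0x6, pt, ct), recover_key(pt, ct));
    return 0;
}
```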

Results

So how well does this method work and how does it compare to brute force? I use the metric of how many times the round function is called. So, by doing this, testing every key against 16 known plaintext/ciphertext pairs would take 256*16*2 computations (2 rounds). Usually the linear attack finds 2 candidate K0s - the more it finds, the more it must test to prove/disprove (against all known pairs). The linear attack must test every K0 against all known pairs to get those guesses at M. So to get the scores for K0, it must do 16*16 computations. Then it tests each likely candidate (assume 2) against all known pairs (using K0 guess to calculate K1). This adds 2*2*16 computations (2 rounds, 2 candidates, 16 pairs). So as far as total computations (times the round function is called), brute forcing ends up around (256*16*2) and this linear attack lands at around (16*16 + 16*2*2).

That was total computations for each method and the linear attack is well ahead. Another standard for measuring success is how many computations it takes to actually find the key. Typically, brute force will find the key after testing around 4000 keys (midpoint of the total). The linear method usually finds the key after around 300 computations. The maximum depends on the number of candidate K0s found - for 2 candidates, the max is 320. So compare running the round function an average of 4000 times to running it 300 times and it's obvious that the linear attack works. Now, it doesn't always work though; sometimes it doesn't find the correct key at all. Some basic experimental testing shows that it does find it around 80% of the time, but this is just observing runs and counting successes. Also, in order to pull this off, you must precalculate that 16*16 table of input/output masks for the target S-Box.
