
Cryptanalysis Of The Variant DES

Aurko Roy, Y6128

October 4, 2010

We propose a differential cryptanalysis attack on this variant DES algorithm that breaks it using $2^{14}$ encryptions.

Table
1. All the S boxes in this algorithm are identical and are defined as follows. If $b_1, \ldots, b_6$ represents the six bits of the input to an S box and $c_1, \ldots, c_4$ represents the four bits of output from the S box, then

$$c_1 = b_1 \oplus b_2 b_3 b_4$$
$$c_2 = b_3 b_4 b_5 \oplus b_6$$
$$c_3 = b_1 \oplus b_4 b_5 b_2$$
$$c_4 = b_5 b_2 b_3 \oplus b_6$$

2. From argument 1 it is clear that it is sufficient to analyze a single S box.

3. For every S box there are $2^6$ possible input pairs that give rise to a fixed XOR value. For all such pairs we compute the XOR value of the output of these pairs from the S box. These $2^6$ XOR values are distributed unevenly over the $2^4$ possible output XORs (since the output of the S box is 4 bits long).

4. We create a $2^6 \times 2^4$ table in which the rows indicate all the $2^6$ possible input XOR values and the columns indicate the distribution of the XOR of the output in the $2^4$ possible output XOR values. From argument 3 it is clear that the sum of the entries in every row must be $2^6$ and that the average entry in each row is 4.

5. The table on the following page lists such an analysis of the given S box for this problem.

Table 1: Pairs XOR Distribution Table for an S box
xor: 0 1 2 3 4 5 6 7 8 9 A B C D E F
0: 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1: 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0
2: 32 8 0 0 8 0 0 0 8 0 0 0 0 8 0 0
3: 0 8 0 0 8 32 0 0 8 0 0 0 0 8 0 0
4: 32 8 8 0 0 0 0 0 8 0 0 8 0 0 0 0
5: 0 0 0 0 8 32 0 8 0 0 0 0 0 8 8 0
6: 32 8 0 0 0 0 8 0 8 0 0 0 0 0 0 8
7: 0 0 0 8 8 32 0 0 0 0 8 0 0 8 0 0
8: 32 8 8 0 8 0 0 8 0 0 0 0 0 0 0 0
9: 0 8 8 0 8 32 0 8 0 0 0 0 0 0 0 0
a: 32 8 0 0 8 0 0 0 0 0 8 0 0 0 0 8
b: 0 8 0 0 8 32 0 0 0 0 8 0 0 0 0 8
c: 32 8 8 0 0 0 0 0 0 0 0 0 8 0 0 8
d: 0 0 0 0 8 32 0 8 0 8 8 0 0 0 0 0
e: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
f: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
10: 32 0 8 0 8 0 0 0 8 0 0 0 0 0 8 0
11: 0 8 0 0 0 32 0 8 0 0 0 8 0 8 0 0
12: 32 0 0 8 8 0 0 0 8 0 0 0 0 0 0 8
13: 0 8 0 0 0 32 8 0 0 0 8 0 0 8 0 0
14: 32 0 8 0 0 8 0 0 8 0 0 0 0 0 0 8
15: 8 0 0 0 0 32 0 8 0 0 8 0 0 8 0 0
16: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
17: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
18: 32 0 8 0 8 0 0 0 0 8 0 0 0 0 0 8
19: 0 8 0 0 0 32 0 8 0 0 8 0 8 0 0 0
1a: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
1b: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
1c: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
1d: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
1e: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
1f: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
20: 0 0 0 0 0 0 0 0 0 0 64 0 0 0 0 0
21: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64
22: 0 0 8 0 0 0 0 8 0 0 32 8 0 0 8 0
23: 0 0 8 0 0 0 0 8 0 0 0 8 0 0 8 32
24: 0 8 8 0 0 0 0 0 8 0 32 8 0 0 0 0
25: 0 0 0 0 8 0 0 8 0 0 0 0 0 8 8 32
26: 0 0 8 0 0 8 0 0 0 0 32 8 8 0 0 0
27: 8 0 0 0 0 0 0 8 0 8 0 0 0 0 8 32
28: 0 0 0 0 0 0 0 0 8 0 32 8 0 8 8 0
29: 0 0 0 0 0 0 0 0 8 0 0 8 0 8 8 32
2a: 8 0 0 0 0 8 0 0 0 0 32 8 0 0 8 0
2b: 8 0 0 0 0 8 0 0 0 0 0 8 0 0 8 32
2c: 0 0 0 0 0 8 8 0 8 0 32 8 0 0 0 0
2d: 8 0 0 8 0 0 0 0 0 0 0 0 0 8 8 32
2e: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
2f: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
30: 0 0 8 0 8 0 0 0 8 0 32 0 0 0 8 0
31: 0 8 0 0 0 0 0 8 0 0 0 8 0 8 0 32
32: 0 0 8 0 0 8 0 0 0 8 32 0 0 0 8 0
33: 8 0 0 0 0 0 0 8 0 0 0 8 8 0 0 32
34: 0 0 8 0 0 8 0 0 8 0 32 0 0 0 0 8
35: 8 0 0 0 0 0 0 8 0 0 8 0 0 8 0 32
36: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
37: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
38: 0 0 0 8 0 8 0 0 8 0 32 0 0 0 8 0
39: 8 0 0 0 0 0 8 0 0 0 0 8 0 8 0 32
3a: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
3b: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
3c: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
3d: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
3e: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
3f: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
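
As an added example (not code from the original paper), the following Python rebuilds Table 1 from the S-box equations above and checks the expansion-function claim made in the observations that follow. It assumes that b1 and c1 are the least-significant bits of the row and column indices, which is the ordering that reproduces the printed entries, and that the variant keeps the standard DES expansion E; the function names are illustrative.

```python
# Added example: rebuilds Table 1 from the S-box equations on this page.
# Assumption: b1 and c1 are the least-significant bits of the table's row and
# column indices; this ordering is what reproduces the printed entries.

def sbox(x):
    """Apply the variant S box to a 6-bit input, returning 4 bits."""
    b1, b2, b3, b4, b5, b6 = ((x >> i) & 1 for i in range(6))
    c1 = b1 ^ (b2 & b3 & b4)
    c2 = (b3 & b4 & b5) ^ b6
    c3 = b1 ^ (b4 & b5 & b2)
    c4 = (b5 & b2 & b3) ^ b6
    return c1 | (c2 << 1) | (c3 << 2) | (c4 << 3)

def xor_distribution_table():
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return ddt

def expand_xor(delta):
    """Standard DES expansion E (assumed unchanged in the variant) applied to
    a 32-bit XOR; returns the eight 6-bit S-box input XORs, first bit as MSB."""
    bits = [(delta >> (31 - i)) & 1 for i in range(32)]   # bits[0] = DES bit 1
    out = []
    for j in range(8):
        idx = [(4 * j - 1 + k) % 32 for k in range(6)]    # 32,1,2,3,4,5, ...
        out.append(int("".join(str(bits[i]) for i in idx), 2))
    return out

if __name__ == "__main__":
    ddt = xor_distribution_table()
    for dx in (0x04, 0x08, 0x0C):
        print(f"input XOR {dx:02x}: P(output XOR 0) = {ddt[dx][0]}/64")
    for delta in (0x22222222, 0x44444444, 0x66666666):
        print(f"E({delta:08x}) ->", [f"{v:06b}" for v in expand_xor(delta)])
```

Rows 4, 8 and c map onto one another when the six input bits are read in the opposite order, so the 32-out-of-64 entries used below do not depend on the bit-ordering assumption.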
Some Observations
1. The output XOR is 0 with probability $\frac{1}{2}$ (32 out of 64 possible occurrences) when the input XOR value is $4_x$, $8_x$ and $c_x$.

2. These input XOR values of $4_x$, $8_x$ and $c_x$ refer to the XOR of the input pairs just before they are fed into the S box. That is, they are the XOR values of the input pairs after they have been passed through the Expansion Function E and XORed with the Key.

3. XORing the input bits with the Key does not change the value of the
XOR of the input pairs.

4. The XOR of the input bits after the Expansion Function is equal to
the Expansion Function applied to the XOR of the input bits to the
F function.

5. Our goal is to give such an input XOR to the F function that after the Expansion Function the input XOR to all the eight S boxes becomes $((000100)_b, \ldots, (000100)_b)$, $((001000)_b, \ldots, (001000)_b)$ and $((001100)_b, \ldots, (001100)_b)$.

6. By analyzing the Expansion function it is observed that this happens when the input XOR to the F function is $(22\,22\,22\,22)_x$, $(44\,44\,44\,44)_x$ and $(66\,66\,66\,66)_x$.

7. It is now possible to create a 2 round characteristic for this variant DES of probability $\frac{1}{2}$

Round 1: $\langle (22222222)_x \mid (00000000)_x \rangle$ gives with probability $= 1$
Round 2: $\langle (00000000)_x \mid (22222222)_x \rangle$ gives with probability $= \frac{1}{2}$
$\langle (22222222)_x \mid (00000000)_x \rangle$

8. Similar 2 round characteristics may be constructed for $(44\,44\,44\,44)_x$ and $(66\,66\,66\,66)_x$.

9. This characteristic may easily be extended to an arbitrary number of rounds to form a 14 round characteristic for this 16 round variant DES.

10. It is easy to see that the probability of this 14 round characteristic is $\frac{1}{2^7}$.

Algorithm
1. The 14 round characteristic described in the previous section is augmented to the given 16 round modified DES using the 2R method as described in the original paper on Differential Cryptanalysis by Shamir and Biham.

2. For each of the eight S boxes we recover the corresponding six bits of the last round Sub Key using the counting method. The counting method keeps a counter of the key values for each of the possible pairs, and the key which makes its appearance the maximum number of times is expected to be the correct last round Sub Key with a high probability. It is described in more detail in the original paper.

3. After we have recovered the 48 bits of the last round Sub Key, it is
trivial to recover the remaining 8 bits of the DES Key. This can simply
be done by an exhaustive search of the remaining key space, i.e. 8 bits.

Number of Encryptions Required


1. Let l be the number of blocks we encrypt for the cryptanalysis.

2. If $p$ is the probability for the characteristic used then the expected number of times the correct value of the key occurs in our count is

$$pl + \frac{(1-p)l}{16}$$

3. Whereas the expected number of occurrences for any incorrect value of the key remains unchanged at $\frac{l}{16}$.

4. It is clear that in this case the probability of the characteristic $p = \frac{1}{2^7}$.

5. The number of times the correct value of the key is expected to occur over and above any incorrect value of the key is

$$\frac{15pl}{16} \approx pl = \frac{l}{2^7}$$

6. If we wish to keep the threshold for this difference to about $2^7$, i.e. the correct value of the key appears about 128 times more often than any other incorrect value of the key, then we need to set $l = 2^{14}$.

7. Therefore this variant DES algorithm may be broken using Differential Cryptanalysis by encrypting $2^{14}$ plaintext blocks.
