Beruflich Dokumente
Kultur Dokumente
October 4, 2010
Table
1. All the S boxes in this algorithm are identical and are defined as fol-
lows. If b1 , ...b6 represents the six bits of the input to an S box and
c1 , ...c4 represents the four bits of output from the S box, then
c1 = b1 ⊕ b2 b3 b4
c2 = b3 b4 b5 ⊕ b6
c3 = b1 ⊕ b4 b5 b2
c4 = b5 b2 b3 ⊕ b6
3. For every S box there are 26 possible input pairs that give rise to
a fixed XOR value. For all such pairs we compute the XOR value
of the output of these pairs from the S box. These 26 XOR values
are distributed unevenly over the 24 possible output XORs (since the
output of the S box is 4 bits long).
5. The table in the following page lists such an analysis of the given S
box for this problem.
1
Table 1: Pairs XOR Distribution Table for a S box
xor: 0 1 2 3 4 5 6 7 8 9 A B C D E F
0: 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1: 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0
2: 32 8 0 0 8 0 0 0 8 0 0 0 0 8 0 0
3: 0 8 0 0 8 32 0 0 8 0 0 0 0 8 0 0
4: 32 8 8 0 0 0 0 0 8 0 0 8 0 0 0 0
5: 0 0 0 0 8 32 0 8 0 0 0 0 0 8 8 0
6: 32 8 0 0 0 0 8 0 8 0 0 0 0 0 0 8
7: 0 0 0 8 8 32 0 0 0 0 8 0 0 8 0 0
8: 32 8 8 0 8 0 0 8 0 0 0 0 0 0 0 0
9: 0 8 8 0 8 32 0 8 0 0 0 0 0 0 0 0
a: 32 8 0 0 8 0 0 0 0 0 8 0 0 0 0 8
b: 0 8 0 0 8 32 0 0 0 0 8 0 0 0 0 8
c: 32 8 8 0 0 0 0 0 0 0 0 0 8 0 0 8
d: 0 0 0 0 8 32 0 8 0 8 8 0 0 0 0 0
e: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
f: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
10: 32 0 8 0 8 0 0 0 8 0 0 0 0 0 8 0
11: 0 8 0 0 0 32 0 8 0 0 0 8 0 8 0 0
12: 32 0 0 8 8 0 0 0 8 0 0 0 0 0 0 8
13: 0 8 0 0 0 32 8 0 0 0 8 0 0 8 0 0
14: 32 0 8 0 0 8 0 0 8 0 0 0 0 0 0 8
15: 8 0 0 0 0 32 0 8 0 0 8 0 0 8 0 0
16: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
17: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
18: 32 0 8 0 8 0 0 0 0 8 0 0 0 0 0 8
19: 0 8 0 0 0 32 0 8 0 0 8 0 8 0 0 0
1a: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
1b: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
1c: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
1d: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
1e: 24 8 8 0 8 0 0 0 8 0 0 0 0 0 0 8
1f: 0 8 0 0 8 24 0 8 0 0 8 0 0 8 0 0
20: 0 0 0 0 0 0 0 0 0 0 64 0 0 0 0 0
21: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64
22: 0 0 8 0 0 0 0 8 0 0 32 8 0 0 8 0
23: 0 0 8 0 0 0 0 8 0 0 0 8 0 0 8 32
24: 0 8 8 0 0 0 0 0 8 0 32 8 0 0 0 0
25: 0 0 0 0 8 0 0 8 0 0 0 0 0 8 8 32
26: 0 0 8 0 0 8 0 0 0 0 32 8 8 0 0 0
27: 8 0 0 0 0 0 0 8 0 8 0 0 0 0 8 32
28: 0 0 0 0 0 0 0 0 8 0 32 8 0 8 8 0
29: 0 0 0 0 0 0 0 0 8 0 0 8 0 8 8 32
2a: 8 0 0 0 0 8 0 0 0 0 32 8 0 0 8 0
2b: 8 0 0 0 0 8 0 0 0 0 0 8 0 0 8 32
2c: 0 0 0 0 0 8 8 0 8 0 32 8 0 0 0 0
2d: 8 0 0 8 0 0 0 0 0 0 0 0 0 8 8 32
2e: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
2f: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
30: 0 0 8 0 8 0 0 0 8 0 32 0 0 0 8 0
31: 0 8 0 0 0 0 0 8 0 0 0 8 0 8 0 32
32: 0 0 8 0 0 8 0 0 0 8 32 0 0 0 8 0
33: 8 0 0 0 0 0 0 8 0 0 0 8 8 0 0 32
34: 0 0 8 0 0 8 0 0 8 0 32 0 0 0 0 8
35: 8 0 0 0 0 0 0 8 0 0 8 0 0 8 0 32
36: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
37: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
38: 0 0 0 8 0 8 0 0 8 0 32 0 0 0 8 0
39: 8 0 0 0 0 0 8 0 0 0 0 8 0 8 0 32
3a: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
3b: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
3c: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
3d: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
3e: 0 0 8 0 0 8 0 0 8 0 24 8 0 0 8 0
3f: 8 0 0 0 0 0 0 8 0 0 0 8 0 8 8 24
Some Observations
1. The output XOR is 0 with probability 12 (32 out of 64 possible oc-
curences) when the input XOR value is 4x , 8x and cx .
3. XORing the input bits with the Key does not change the value of the
XOR of the input pairs.
4. The XOR of the input bits after the Expansion Function is equal to
the Expansion Function applied to the XOR of the input bits to the
F function.
5. Our goal is to give such a input XOR to the F function that after the
Expansion Function the input XOR to all the eight S boxes become
((000100)b , ..., (000100)b ), ((001000)b , ..., (001000)b ) and ((001100)b , ..., (001100)b ).
2. For each of the eight S boxes we recover the corresponding six bits
of the last round Sub Key using the counting method. The counting
method keeps a counter of the key values for each of the possible pairs
and the key which makes its appearance the maximum number of
times is expected to be the correct last round Sub Key with a high
probability. It is described in more detail in the origianl paper.
3. After we have recovered the 48 bits of the last round Sub Key, it is
trivial to recover the remaining 8 bits of the DES Key. This can simply
be done by an exhaustive search of the remaining key space, i.e. 8 bits.
(1−p)l
pl + 16
5. The number of times the correct value of the key is expected to occur
over and above any incorrect value of the key is
15pl l
16 ≈ pl = 27
6. If we wish to keep the threshold for this difference to about 27 , i.e. the
correct value of the key appears about 128 times more often than any
other incorrect value of the key, then we need to set l = 214