How to Launch A Birthday Attack Against DES
Zhengjun Cao
Computer Sciences Department,
Universite Libre de Bruxelles, Belgium.
Outline
Introduction
Description of DES
Basic idea
Description of the birthday attack against DES
Complexity
Conclusion
References
Introduction
The DES is a cipher selected as an official FIPS for the US in 1976.
Other theoretical attacks are possible but require an unrealistic amount of known or chosen plaintext to carry out:
Differential cryptanalysis requires $2^{47}$ chosen plaintexts.
Linear cryptanalysis needs $2^{41}$ known plaintexts.
Davies' attack requires $2^{50}$ known plaintexts, has a computational complexity of $2^{50}$, and has a 51% success rate.
Introduction
Birthday attack: given a function $f$, the goal of the attack is to find two inputs $x_1, x_2$ such that $f(x_1) = f(x_2)$.
If the function $f(x)$ yields any of $H$ different outputs with equal probability and $H$ is sufficiently large, then we expect to obtain a pair of different arguments $x_1$ and $x_2$ with $f(x_1) = f(x_2)$ after evaluating the function for about $1.25\sqrt{H}$ different arguments on average.
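The following Python script is an added worked example of the birthday bound stated above; it is not part of the original slides. It models $f$ as SHA-256 truncated to a chosen number of output bits (so $H = 2^{\text{out\_bits}}$, assumed uniform), draws fresh random arguments until two distinct ones collide, and compares the measured average number of evaluations with $1.25\sqrt{H}$. All function names are the example's own.

```python
import hashlib
import math
import random


def truncated_hash(x: bytes, out_bits: int) -> int:
    """f(x): SHA-256 truncated to out_bits, so f has H = 2**out_bits outputs (assumed uniform)."""
    digest = hashlib.sha256(x).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << out_bits) - 1)


def find_collision(out_bits: int, rng: random.Random):
    """Evaluate f on fresh random 64-bit arguments until two *distinct* arguments share
    an output. Returns (evaluations, x1, x2) with x1 != x2 and f(x1) == f(x2)."""
    seen_outputs = {}      # output value -> first argument that produced it
    seen_inputs = set()
    evaluations = 0
    while True:
        x = rng.getrandbits(64).to_bytes(8, "big")
        if x in seen_inputs:
            continue       # the same argument twice is not a collision
        seen_inputs.add(x)
        evaluations += 1
        y = truncated_hash(x, out_bits)
        if y in seen_outputs:
            return evaluations, seen_outputs[y], x
        seen_outputs[y] = x


def collision_example(out_bits: int, seed: int):
    """Deterministic single run (seeded), handy for checking the returned pair."""
    return find_collision(out_bits, random.Random(seed))


def expected_evaluations(out_bits: int) -> float:
    """The birthday bound quoted on the slide: about 1.25 * sqrt(H) evaluations."""
    return 1.25 * math.sqrt(2 ** out_bits)


def average_evaluations(out_bits: int, trials: int, seed: int = 1) -> float:
    """Average number of evaluations until the first collision over several runs."""
    rng = random.Random(seed)
    total = sum(find_collision(out_bits, rng)[0] for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    bits = 16   # H = 2^16: a toy size that runs in well under a second
    print(f"H = 2^{bits}: expected about {expected_evaluations(bits):.0f} evaluations, "
          f"measured {average_evaluations(bits, 400):.0f} on average")
```

With $H = 2^{16}$ the bound predicts about 320 evaluations; the measured average over a few hundred runs lands within a few percent of that. The same arithmetic is what the complexity section relies on when it treats the 32-bit half $L_{15}$ as the collision target: $H = 2^{32}$ gives roughly $2^{16}$ evaluations.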
Description of DES
Important components:
Inner function $f$
Computation path
S-box
Key schedule
The process of calculating $f$ consists of 4 steps:
1. E expansion
2. XOR with a subkey
3. S-box transformation
4. P permutation
Description of DES
DES processes plaintext blocks of $n = 64$ bits, producing 64-bit ciphertext blocks. The effective size of the secret key $K$ is $|K| = 56$ bits. The input key is specified as a 64-bit key, 8 bits of which (bits 8, 16, ..., 64) may be used as parity bits.
Description of DES
Computation path (figure)
Description of DES
Inner function $f$ (figure)
Description of DES
Expansion permutation (E): 32 bits -> 48 bits
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
Description of DES
Key schedule of DES (figure: two 28-bit key halves, updated by left rotation)
Description of DES
S-box for DES (figure)
Description of DES
Initial and final permutations IP and IP^{-1}
IP:
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
IP^{-1}:
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

Basic idea
By the last round in DES, we have
$R_{16} = L_{15} \oplus f(R_{15}, K_{16}), \quad L_{16} = R_{15}.$
Hence
$L_{15} = f(L_{16}, K_{16}) \oplus R_{16}.$
Note that both $L_{15}$ and $K_{16}$ are not accessible.
Collision assumption: suppose that there is a pair of ciphertexts $(c, c')$ generated by the same key and satisfying
$R_{16} = R'_{16}, \quad L_{16} \neq L'_{16}, \quad L_{15} = L'_{15}.$
By the collision assumption, we have
$f(L'_{16}, K_{16}) = f(L_{16}, K_{16}).$  (1)
Basic idea
Denote $E(L_{16})$ by $EL_{16}$, where $E$ is the expansion transformation in function $f$.
Express $EL_{16}$ and $K_{16}$ as
$EL_{16} = EL_{16}[1] \,\|\, EL_{16}[2] \,\|\, EL_{16}[3] \,\|\, EL_{16}[4] \,\|\, EL_{16}[5] \,\|\, EL_{16}[6] \,\|\, EL_{16}[7] \,\|\, EL_{16}[8],$
$K_{16} = K_{16}[1] \,\|\, K_{16}[2] \,\|\, K_{16}[3] \,\|\, K_{16}[4] \,\|\, K_{16}[5] \,\|\, K_{16}[6] \,\|\, K_{16}[7] \,\|\, K_{16}[8].$
Each $EL_{16}[j]$, $K_{16}[j]$, $j = 1, \ldots, 8$, is of length 6 bits.
$\|$ denotes the concatenation of the two strings.
Basic idea
Thus for each S-box $S[j]$, $j = 1, \ldots, 8$, of $f$ the input is $EL_{16}[j] \oplus K_{16}[j]$.
By the structure of $f$ and Eq. (1), we have
$S[j](EL_{16}[j] \oplus K_{16}[j]) = S[j](EL'_{16}[j] \oplus K_{16}[j]).$
Basic idea
Collision for the $S[j]$ box:
Possible $K_{16}[j]$ when $EL_{16}[j] = EL'_{16}[j]$: $2^6$.
Possible $K_{16}[j]$ when $EL_{16}[j] \neq EL'_{16}[j]$: about $2^2$.
Description of the birthday attack against DES
1. Collecting proper ciphertexts
2. Computing the candidates for each $K_{16}[j]$, $j = 1, \ldots, 8$
3. Local checking
4. Determining the candidates for $K_{16}$
5. Determining the candidates for $K$
6. Distinguishing $K$ from the candidates
7. Outputting $K$
Description of the birthday attack against DES
1. Collecting proper ciphertexts
Choose ciphertexts (64-bit) generated by the same key $K$. Collect the ciphertexts with the same $R_{16}$ and denote the set by $C_{R_{16},K}$.
Denote $E(L_{16})$ by $EL_{16}$, where $E$ is the expansion transformation in function $f$. Express $EL_{16}$ as
$EL_{16} = EL_{16}[1] \,\|\, EL_{16}[2] \,\|\, EL_{16}[3] \,\|\, EL_{16}[4] \,\|\, EL_{16}[5] \,\|\, EL_{16}[6] \,\|\, EL_{16}[7] \,\|\, EL_{16}[8].$
Description of the birthday attack against DES
2. Computing the candidates for each $K_{16}[j]$, $j = 1, \ldots, 8$
Randomly pick two ciphertexts $c, c' \in C_{R_{16},K}$.
Integrate each 6-bit string $a$ with $EL_{16}[j]$ and $EL'_{16}[j]$.
Determine the candidates for $K_{16}[j]$ by checking
$S[j](EL_{16}[j] \oplus a) \stackrel{?}{=} S[j](EL'_{16}[j] \oplus a).$
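The per-box check of step 2, together with the candidate counts claimed on the "Collision for the S[j] box" slide ($2^6$ when $EL_{16}[j] = EL'_{16}[j]$, about $2^2$ otherwise), can be verified directly for one S-box. The Python below is an added example, not the author's code: it uses the standard DES S-box 1 (the slides only show the S-box as a figure), enumerates the 64 values of $a$ for which $S[1](EL \oplus a) = S[1](EL' \oplus a)$, and shows how intersecting the candidate sets from several pairs narrows them (the "local checking" idea). Each box is treated independently, as the slides do; the overlap of neighbouring 6-bit groups introduced by E is not modelled. Function names are the example's own.

```python
# DES S-box 1, the standard table. Rows are indexed by the outer two input bits,
# columns by the middle four; every row is a permutation of 0..15, so each 4-bit
# output has exactly four 6-bit preimages.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x: int) -> int:
    """6-bit input -> 4-bit output with the DES row/column convention."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def key_candidates(table, el: int, el_prime: int) -> list:
    """Step 2 for one box: every 6-bit a with S(el ^ a) == S(el' ^ a)."""
    return [a for a in range(64) if sbox(table, el ^ a) == sbox(table, el_prime ^ a)]


def candidate_profile(table, el: int) -> dict:
    """Candidate count for every el' = el ^ delta, delta = 0..63 (delta = 0 is the equal case)."""
    return {delta: len(key_candidates(table, el, el ^ delta)) for delta in range(64)}


def average_nonzero(profile: dict) -> float:
    """Mean candidate count over the 63 unequal cases."""
    counts = [n for delta, n in profile.items() if delta != 0]
    return sum(counts) / len(counts)


def intersect_candidates(table, pairs) -> set:
    """Local checking across several (el, el') pairs: a candidate must survive every pair."""
    survivors = set(range(64))
    for el, el_prime in pairs:
        survivors &= set(key_candidates(table, el, el_prime))
    return survivors


def colliding_partners(table, el: int, key: int) -> list:
    """Constructed test data: the other inputs el' whose output under `key` equals that of el."""
    target = sbox(table, el ^ key)
    return [e for e in range(64) if e != el and sbox(table, e ^ key) == target]


if __name__ == "__main__":
    el = 0b010110                                  # constructed sample block value
    profile = candidate_profile(S1, el)
    print(f"EL = EL'        : {profile[0]} candidates")
    print(f"EL != EL' (mean): {average_nonzero(profile):.2f} candidates "
          f"(min {min(profile[d] for d in range(1, 64))}, "
          f"max {max(profile[d] for d in range(1, 64))})")
    key = 0b101011                                 # constructed sample key block
    partners = colliding_partners(S1, el, key)
    print(f"survivors after {len(partners)} pairs: "
          f"{sorted(intersect_candidates(S1, [(el, e) for e in partners]))}")
```

For a fixed $EL$, summing the candidate counts over all 63 non-zero differences always gives $64 \cdot 3 = 192$, because each input value has exactly three other inputs with the same S-box output; the mean of about 3.05 per unequal pair is the "$2^2$" of the slide. Note that the count for $\delta = 0$ is 64: a pair whose blocks agree tells you nothing about that $K_{16}[j]$, which is why the block-distance matters in the complexity section.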
Description of the birthday attack against DES
3. Local checking
If there does not exist any candidate for some $K_{16}[i]$, $i \in \{1, \ldots, 8\}$, then go to step 2.
Description of the birthday attack against DES
4. Determining the candidates for $K_{16}$
Derive the candidates for $K_{16}$ from the candidates for $K_{16}[1], \ldots, K_{16}[8]$.
Description of the birthday attack against DES
5. Determining the candidates for $K$
Derive the candidates for $K$ from $K_{16}$ by the key schedule of DES.
Description of the birthday attack against DES
6. Distinguishing $K$ from the candidates
Given a plaintext and its corresponding ciphertext, the key (or its equivalent) can be distinguished from its candidates by evaluations.
Description of the birthday attack against DES
7. Outputting
If the key cannot be derived from the pair $(c, c')$, go to step 2. Otherwise, output the key $K$.
Remark: In the above attack, we aim at finding a collision $(L_{15}, L'_{15})$, which is achieved by evaluating possible values for $K_{16}[j]$, $j = 1, \ldots, 8$. This is the reason for calling it a birthday attack.
Complexity
On the complexity of evaluations
To derive the candidates for $K_{16}[j]$, $j = 1, \ldots, 8$, we should evaluate all $8 \cdot 2^6$ 6-bit values, which are integrated with $EL_{16}[j]$ and $EL'_{16}[j]$ separately.
But all evaluations can be run in parallel and be separately restricted to the eight boxes. In this case, the time for one evaluation is less than that for an evaluation of one round of DES.
Complexity
On the amount of rounds
The birthday attack against DES does not relate to the amount of rounds. It is entirely based on the inner function $f$ and the key schedule of DES. This is a peculiar property of the birthday attack.
Complexity
On the amount of ciphertexts
By $L_{15} = R_{16} \oplus f(L_{16}, K_{16})$ and the definition of $C_{R_{16},K}$, we define the map $P_{R_{16},K}: L_{16} \mapsto L_{15}$ on $C_{R_{16},K}$.
To find a collision for it, i.e.,
$P_{R_{16},K}(L_{16}) = L_{15} = L'_{15} = P_{R_{16},K}(L'_{16}),$
about $2^{16}$ arguments should be evaluated, where $D$ is the cardinal number of $C_{R_{16},K}$ and $D > 2^{16}$, because each ciphertext is of only 64 bits.
Complexity
On the amount of candidates for $K$ in each iteration
Define the block-distance between $c, c' \in C_{R_{16},K}$ as
$d = \#\{\, j : EL_{16}[j] \neq EL'_{16}[j] \,\}.$
Best case: the block-distance is the maximum, 8.
Worst case: the block-distance is the minimum, 1.
On average, a $K_{16}$ leads to a small number of candidates for $K$. We conjecture that the amount of candidates for $K$ in each iteration is $2^{18}$.
Complexity
On the amount of iterations
In the worst case $D$ is $2^{30}$, and the average amount of iterations is $D(D-1)/2$.
Hence, the birthday attack should evaluate $2^{48}$ candidates for $K$.
Complexity
On the amount of plaintexts
In the proposed attack, we need a plaintext and the corresponding ciphertext to distinguish the key (or its equivalents) from its candidates.
Note that the resulting amount of the key or its equivalents will decrease sharply as the number of plaintexts increases.
Conclusion
We believe the simple derivation of candidates for $K$ from $K_{16}$ and the relationship $L_{i+1} = R_i$ can be a serious problem in DES. It is due to historical considerations instead of a contrived process.