Against DES
Zhengjun Cao
Computer Sciences Department, Universite Libre de Bruxelles, Belgium.

Outline
Introduction
Description of DES
Basic idea
Description of the birthday attack against DES
Complexity
Conclusion
References

Introduction
DES is a cipher selected as an official FIPS for the US in 1976. Other theoretical attacks are possible but require an unrealistic amount of known or chosen plaintext to carry out:
Differential cryptanalysis requires $2^{47}$ chosen plaintexts.
Linear cryptanalysis needs $2^{41}$ known plaintexts.
Davies' attack requires $2^{50}$ known plaintexts, has a computational complexity of $2^{50}$, and has a 51% success rate.

Birthday attack: given a function $f$, the goal of the attack is to find two inputs $x_1$, $x_2$ such that $f(x_1) = f(x_2)$.
If the function $f(x)$ yields any of $H$ different outputs with equal probability and $H$ is sufficiently large, a pair of different arguments $x_1$ and $x_2$ with $f(x_1) = f(x_2)$ is expected after evaluating the function for about $1.25\sqrt{H}$ different arguments on average.

Description of DES
Important components: inner function $f$, computation path, S-box, key schedule.
The process of calculating $f$ consists of 4 steps:
1. E expansion
2. XOR with a subkey
3. S-box transformation
4. P permutation

DES processes plaintext blocks of $n = 64$ bits, producing 64-bit ciphertext blocks. The effective size of the secret key $K$ is 56 bits. The input key $K$ is specified as a 64-bit key, 8 bits of which (bits 8, 16, ..., 64) may be used as parity bits.

Computation path (figure)

Inner function $f$ (figure)

Expansion permutation (E): 32 bits -> 48 bits

$R_{16} = L_{15} \oplus f(R_{15}, K_{16})$, $L_{16} = R_{15}$
Hence
$L_{15} = R_{16} \oplus f(L_{16}, K_{16})$
Note that both $K_{16}$, $L_{15}$ are not accessible.
Collision assumption: suppose that there is a pair of ciphertexts $(c, c')$ generated by the same key and satisfying
$R_{16} = R'_{16}$, $L_{16} \neq L'_{16}$, $L_{15} = L'_{15}$
By the collision assumption, we have
$f(L_{16}, K_{16}) = f(L'_{16}, K_{16})$    (1)

Basic idea
Denote $E(L_{16})$ by $EL_{16}$, where $E$ is the expansion transformation in function $f$. Express $EL_{16}$, $K_{16}$ as
$EL_{16} = EL_{16}[1] \| EL_{16}[2] \| EL_{16}[3] \| EL_{16}[4] \| EL_{16}[5] \| EL_{16}[6] \| EL_{16}[7] \| EL_{16}[8]$
$K_{16} = K_{16}[1] \| K_{16}[2] \| K_{16}[3] \| K_{16}[4] \| K_{16}[5] \| K_{16}[6] \| K_{16}[7] \| K_{16}[8]$
Each $EL_{16}[j]$, $K_{16}[j]$, $j = 1, \dots, 8$, is of length 6 bits. $\|$ denotes the concatenation of two strings.

Thus for each S-box $S[j]$, $j = 1, \dots, 8$, the input of $S[j]$ is $EL_{16}[j] \oplus K_{16}[j]$. By the structure of $f$ and Eq. (1), we have
$S[j](EL_{16}[j] \oplus K_{16}[j]) = S[j](EL'_{16}[j] \oplus K_{16}[j])$

Collision for $S[j]$-box
$EL_{16}[j] \neq EL'_{16}[j]$: $2^2$ possible
$EL_{16}[j] = EL'_{16}[j]$: $2^6$ possible

Description of the birthday attack against DES
1. Collecting proper ciphertexts
2. Computing the candidates for each $K_{16}[j]$, $j = 1, \dots, 8$
3. Local checking
4. Determining the candidates for $K_{16}$
5. Determining the candidates for $K$
6. Distinguishing $K$ from the candidates
7. Outputting $K$

1. Collecting proper ciphertexts
Choose ciphertexts (64-bit) generated by the same key $K$. Collect the ciphertexts with the same $R_{16}$ and denote the set by $C_{R_{16},K}$. Denote $E(L_{16})$ by $EL_{16}$, where $E$ is the expansion transformation in function $f$. Express $EL_{16}$ as
$EL_{16} = EL_{16}[1] \| EL_{16}[2] \| EL_{16}[3] \| EL_{16}[4] \| EL_{16}[5] \| EL_{16}[6] \| EL_{16}[7] \| EL_{16}[8]$

2. Computing the candidates for each $K_{16}[j]$, $j = 1, \dots, 8$
Randomly pick two ciphertexts $c, c' \in C_{R_{16},K}$. Integrate each string $a$ of 6-bit with $EL_{16}[j]$, $EL'_{16}[j]$.
Determine the candidates for $K_{16}[j]$ by checking
$S[j](EL_{16}[j] \oplus a) \overset{?}{=} S[j](EL'_{16}[j] \oplus a)$

3. Local checking
If there does not exist any candidate for some $K_{16}[i]$, $i \in \{1, \dots, 8\}$, then go to step 2.

4. Determining the candidates for $K_{16}$
Derive the candidates for $K_{16}$ from the candidates for $K_{16}[1], \dots, K_{16}[8]$.

5. Determining the candidates for $K$
Derive the candidates for $K$ from $K_{16}$ by the key schedule of DES.

6. Distinguishing $K$ from the candidates
Given a plaintext and its corresponding ciphertext, the key (or its equivalent) can be distinguished from its candidates by evaluations.

7. Outputting $K$
If the key cannot be derived from the pair $(c, c')$, go to step 2. Otherwise, output the key.
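
Steps 2 and 3 restricted to a single S-box, as an added example that is not part of the original slides: it enumerates the 6-bit strings $a$ that pass the check for DES S-box S1, for equal and for unequal blocks. The table is the standard S1; the function names are hypothetical.

```python
# Added example, not from the slides. S1 is the standard DES S-box 1;
# the function names are hypothetical.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """6-bit input to 4-bit output: outer bits select the row, inner four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0b1111
    return S1[row][col]

def candidates(el, el_prime):
    """Step 2: every 6-bit a with S(el ^ a) == S(el_prime ^ a)."""
    return [a for a in range(64) if sbox(el ^ a) == sbox(el_prime ^ a)]

def candidate_counts():
    """Number of candidates for each nonzero difference el ^ el_prime.
    The count depends only on the difference, so el is fixed to 0."""
    return {delta: len(candidates(0, delta)) for delta in range(1, 64)}

def local_check(blocks):
    """Step 3: the pair is kept only if every block has at least one candidate."""
    return all(candidates(el, el_p) for el, el_p in blocks)

def true_chunk_survives(k, u=0):
    """Constructed case: subkey chunk k, colliding S-box inputs u and v."""
    v = next(w for w in range(64) if w != u and sbox(w) == sbox(u))
    return k in candidates(u ^ k, v ^ k)

if __name__ == "__main__":
    counts = candidate_counts()
    print("equal blocks:", len(candidates(0b101010, 0b101010)))
    print("unequal blocks, average:", sum(counts.values()) / len(counts))
    print("differences with no candidate:", sum(n == 0 for n in counts.values()))
    print("true chunk kept:", true_chunk_survives(0b110011))
```

Because every row of the S-box is a permutation, the counts for unequal blocks sum to 192 over the 63 nonzero differences (about 3 each), and a difference confined to the four inner bits yields no candidate, which is the situation the local check rejects.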

Remark
In the above attack, we aim at finding a collision $(L_{15}, L'_{15})$, which is achieved by evaluating possible values for $K_{16}[j]$, $j = 1, \dots, 8$. This is the reason for calling it a birthday attack.

Complexity

On the complexity of evaluations
To derive the candidates for $K_{16}[j]$, $j = 1, \dots, 8$, we should evaluate all $2^6 \times 8$ 6-bit values, which are integrated with $EL_{16}[j]$, $EL'_{16}[j]$ separately. But all evaluations can be run in parallel and be separately restricted in eight boxes. In this case, the time for one evaluation is less than that for an evaluation using one round in DES.

On the amount of rounds
The birthday attack against DES does not relate to the amount of rounds. It is entirely based on the inner function $f$ and the key schedule in DES. This is a peculiar property of the birthday attack.

On the amount of ciphertexts
By $L_{15} = R_{16} \oplus f(L_{16}, K_{16})$ and the definition of $C_{R_{16},K}$, we define
$P_{R_{16},K}: L_{16} \mapsto L_{15}$
To find a collision for it, i.e.,
$P_{R_{16},K}(L_{16}) = L_{15} = L'_{15} = P_{R_{16},K}(L'_{16})$,
about $2^{16}$ arguments should be evaluated. $D > 2^{16}$, where $D$ is the cardinal number of $C_{R_{16},K}$, because each ciphertext is only 64 bits.

On the amount of candidates for $K$ in each iteration
Define the block-distance between $c, c' \in C_{R_{16},K}$ as
$d = \#\{j : EL_{16}[j] \neq EL'_{16}[j]\}$
Best case: the block-distance is the maximum, 8.
Worst case: the block-distance is the minimum, 1.
On average, a $K_{16}$ leads to candidates for $K$.
We conjecture the amount of candidates for $K$ in each iteration is $2^{18}$.

On the amount of iterations
In the worst case it is $D(D-1)/2$; the average amount of iterations is $2^{30}$. Hence, the birthday attack should evaluate $2^{48}$ candidates for $K$.

On the amount of plaintexts
In the proposed attack, we need a plaintext and the corresponding ciphertext to distinguish the key (or its equivalents) from its candidates. Note that the resulting amount of the key or its equivalents will decrease sharply as the number of plaintexts increases.

Conclusion
We believe the simple derivation of candidates for $K$ from $K_{16}$ and the relationship $L_{i+1} = R_i$ can be a serious problem in DES. It is due to historical considerations instead of a contrived process.