1 university of washington csep 590tu Πpractical aspects ......security of block ciphers 2/7 brian...
TRANSCRIPT
JLM
200
6020
9 12
:16
1
Uni
vers
ity o
f Was
hing
ton
CS
EP
590
TU �
Pra
ctic
al A
spec
ts o
f M
oder
n C
rypt
ogra
phy
Inst
ruct
ors:
Jos
h B
enal
oh, B
rian
LaM
acch
ia, J
ohn
Man
ferd
elli
Tues
days
: 6:3
0-9:
30,
Alle
n C
ente
r 305
Web
page
: http
://w
ww
.cs.
was
hing
ton.
edu/
educ
atio
n/co
urse
s/cs
ep59
0/06
wi/
Rec
omm
ende
d te
xts:
S
tinso
n, C
rypt
ogra
phy,
The
ory
and
Prac
tice.
2nd
Edi
tion,
CR
C P
ress
, 20
02.
Men
ezes
, van
Orts
hot,
Van
ston
e. H
andb
ook
of A
pplie
d C
rypt
ogra
phy.
Ferg
uson
and
Sch
neie
r, Pr
actic
al C
rypt
ogra
phy.
JLM
200
6020
9 12
:16
2
New
Lec
ture
Sch
edul
e
10987654321
All
Thre
e to
pics
: Ele
ctio
ns, I
TAR
/Pol
itics
, Sid
e C
hann
els/
Tim
ing
Atta
cks,
DR
M, B
igN
umIm
plem
enta
tion
3/8
Josh
Ran
dom
Num
bers
/Elli
ptic
Cur
ve C
rypt
o3/
1
Bria
nTr
ust,
PKI,
Key
Man
agem
ent [
Last
HW
A
ssig
nmen
t)2/
21Jo
hnA
ES
and
Cry
ptog
raph
ic H
ashe
s2/
14Jo
hnS
ecur
ity o
f Blo
ck C
iphe
rs2/
7B
rian
Cry
ptog
raph
ic P
roto
cols
II
1/31
Bria
nC
rypt
ogra
phic
Pro
toco
ls I
1/24
Josh
Pub
lic K
ey C
iphe
rs1/
17Jo
hnS
ymm
etric
Key
Cip
hers
and
Has
hes
1/10
Josh
Pra
ctic
al A
spec
ts o
f Cry
ptog
raph
y1/
3Le
ctur
erTo
pic
Dat
e
JLM
200
6020
9 12
:16
3
Ana
lysi
s of
Blo
ck C
iphe
rs John
Man
ferd
elli
jlm@
cs.w
ashi
ngto
n.ed
ujm
anfe
r@m
icro
soft.
com
Por
tions
© 2
004-
2005
, Joh
n M
anfe
rdel
li.
This
mat
eria
l is
prov
ided
with
out w
arra
nty
of a
ny k
ind
incl
udin
g, w
ithou
t lim
itatio
n, w
arra
nty
of n
on-in
fring
emen
t or s
uita
bilit
y fo
r any
pur
pose
. Th
is m
ater
ial i
s no
t gua
rant
eed
to b
e er
ror f
ree
and
is in
tend
ed fo
r ins
truct
iona
l use
onl
y.
JLM
200
6020
9 12
:16
4
Dig
ital B
lock
Cip
hers
Com
plic
ated
key
ed in
verti
ble
func
tions
con
stru
cted
from
ite
rate
d el
emen
tary
roun
ds.
�Con
fusi
on: n
on-li
near
func
tions
(RO
M lo
okup
)�D
iffus
ion:
per
mut
e ro
und
outp
ut b
its�K
ey m
ixin
g: x
or�k
ey s
ched
ule�
at b
egin
ning
of r
ound
Characteristics:
�Fas
t�D
ata
encr
ypte
d in
fixe
d �b
lock
siz
es� (
64,1
28,2
56 b
it bl
ocks
are
co
mm
on).
�Key
and
mes
sage
bits
non
-line
arly
mix
ed in
cip
herte
xt
DE
S (1
974)
des
ign
was
wat
ersh
ed in
pub
lic s
ymm
etric
key
cr
ypto
.
JLM
200
6020
9 12
:16
5
Itera
ted
Feis
tel C
iphe
r
Pla
inte
xt
Cip
herte
xtr Fei
stel
Rou
nds
k 1 k 2
k r
Key
Sch
edul
e
Key
JLM
200
6020
9 12
:16
6
JLM
200
6020
9 12
:16
7
JLM
200
6020
9 12
:16
8
JLM
200
6020
9 12
:16
9
DE
S A
ttack
s: E
xhau
stiv
e S
earc
h
�Sy
mm
etry
DE
S(k
∆1,
x ∆
1)=D
ES
(k, x
) ∆1
�Su
ppos
e w
e kn
ow p
lain
/cip
her t
ext p
air (
p,c)
for(k=0;k<256;k++) {
if(DES(k,p)==c) {
printf(“Keyis %x\n”, k);
break;
}
}
�Ex
pect
ed n
umbe
r of t
rials
(if k
was
cho
sen
at ra
ndom
) be
fore
suc
cess
: 255
JLM
200
6020
9 12
:16
10
DE
S A
ttack
s: E
xhau
stiv
e S
earc
h
�Po
or ra
ndom
num
ber g
ener
ator
: 20
bits
of e
ntro
py�
How
long
doe
s it
take
?�
220
vs25
6
�Se
cond
big
gest
real
pro
blem
�Fi
rst b
igge
st: b
ad k
ey m
anag
emen
t
�Sy
mm
etric
cip
hers
are
sai
d to
be
secu
re in
pra
ctic
e if
no
know
n at
tack
wor
ks m
ore
effic
ient
ly th
an e
xhau
stiv
e se
arch
. N
ote
that
the
barr
ier i
s co
mpu
tatio
nal n
ot
info
rmat
ion
theo
retic
.
JLM
200
6020
9 12
:16
11
DE
S D
escr
ibed
Alg
ebra
ical
ly
si(L
,R)=
(L∆
f(E(R
) ∆k i)
,R),
t(L,
R)=
(R,L
). k i
is 4
8 bi
t sub
-key
for r
ound
i an
df(x
)= P
(S1S
2S3…
S8(
x)).
Her
e, e
ach
S �b
ox o
pera
tes
on 6
bit
quan
titie
s an
d ou
tput
s 4
bit q
uant
ities
. P
per
mut
es th
e re
sulti
ng 3
2 ou
tput
bits
.
Eac
h ro
und
(exc
ept l
ast)
is t
si.
Not
e th
at t
t =
t 2 =
1= s
i si=
si2 .
Full
DE
S is
:D
ESK(
x)=
IP-1
s16
t ..
. s
3 t
s2
t s
1 IP
(x)
So
its in
vers
e is
DES
K-1(x
)= IP
-1s
1 t
... s
14 t
s15
t s
16 IP
(x)
Theo
rem
(Cop
pers
mith
and
Gro
ssm
an):
If s
K(L,
R)=
(L∆
f(E(R
) ∆K
,R),
< t
, sK
>= A
N, N
= 2n
.N
ote:
If a
and
b a
re c
hose
n at
rand
om fr
om S
nth
ere
is a
goo
d ch
ance
that
<a,
b>=
A nor
Sn
JLM
200
6020
9 12
:16
12
DE
S K
ey S
ched
ule
C0D
0= P
C1(
K)C
i+1
= Le
ftShi
ft(S
hift i
, Ci),
Di+
1=
LeftS
hift(
Shi
ft i, D
i),K i
= P
C2(
Ci|
|Di)
Shi
ft i=
<1,2
,2,2
,2,2
,2,1
,2,2
,2,2
,2,2
,1,1
>
Not
e: Ir
regu
lar K
ey s
ched
ule
prot
ects
aga
inst
rela
ted
key
atta
cks.
[Bih
am, N
ew T
ypes
of C
rypt
anal
ytic
Atta
cks
usin
g R
elat
ed K
eys,
TR
-753
, Tec
hnio
n]
JLM
200
6020
9 12
:16
13
Wea
k K
eys
�D
ES
has
:�
Four
wea
k ke
ys k
for w
hich
Ek(
Ek(
m))
= m
.�
Twel
ve s
emi-w
eak
keys
whi
ch c
ome
in p
airs
k1
and
k 2an
d ar
e su
ch th
at E
k1(E
k2(m
)) =
m.
�W
eak
keys
are
due
to �k
ey s
ched
ule�
alg
orith
m
JLM
200
6020
9 12
:16
14
How
Wea
k K
eys
Aris
e
�A
28 b
it qu
antit
y ha
s po
tent
ial s
ymm
etrie
s of
per
iod
1,2,
4,7,
and
14
�Su
ppos
e ea
ch o
f C0
and
D0
has
a sy
mm
etry
of p
erio
d 1;
for e
xam
ple
C0
=0x0
0000
00, D
0= 0
x111
1111
. W
e ca
n ea
sily
figu
re o
ut a
mas
ter k
ey (K
) tha
t pro
duce
s su
ch a
C0
and
D0.
�
Then
DE
SK(D
ES
K(x
))=x
.
JLM
200
6020
9 12
:16
15
Birt
hday
Atta
cks
�Pr
obab
ility
of c
ollis
ion
dete
rmin
ed b
y �B
irthd
ay P
arad
ox�
calc
ulat
ion:
�
(1-1
/n) (
1-2/
n) �
(1-(
k-1)
/n)=
(n!/k
!)/nk
�Pr
obab
ility
of c
ollis
ion
is >
.5 w
hen
k2>
n.�
1+x
cex
, Pi=
1i=k
(1-i/
n) c
e-k(
k-1)
/(2n)
JLM
200
6020
9 12
:16
16
Mee
t in
the
Mid
dle
Doe
s do
uble
enc
rypt
ion
doub
le e
ffect
ive
key
size
? S
uppo
se:
E�(a
,b)(p
)=E b
(Ea(
p))
Atta
ck if
DE
S is
a g
roup
. [E k
(p)=
E b(E
a(p)
)].
But
it is
n�t:
Cam
pbel
l and
Wei
ner,
DE
S is
not
a G
roup
, Cry
pto
�92.
Tim
e M
emor
y tra
deof
f [K
now
n pl
aint
ext (
p 1, c
1), (
p 2,c
2)]
Sto
re E
a(p)
=x, C
alcu
late
E-1
b(c)
=y.
JLM
200
6020
9 12
:16
17
The
Line
ar A
ttack
(Ful
l Mon
ty)
�Su
ppos
e L
is a
cip
her,
the
ciph
erte
xtan
d pl
aint
ext b
oth
com
e fro
m G
F(2)
n , c=
Kp, w
here
K is
an
n x
n in
verti
ble
mat
rix, K
=(k ij
) ove
r GF(
2).
How
can
we
�bre
ak�L
?
�An
swer
: G
et (a
bout
) n c
orre
spon
ding
pla
inte
xt-c
iphe
rtext
pairs
(pi,
c i).
Sol
ve re
sulti
ng li
near
equ
atio
ns to
inve
rt K
.
JLM
200
6020
9 12
:16
18
The
Line
ar A
ttack
(Par
tial M
onty
)
�Su
ppos
e L
is a
cip
her,
the
ciph
erte
xtan
d pl
aint
ext b
oth
com
e fro
m G
F(2)
n , w
ith k
ey b
its k
ii= 1
,2,�
,n. H
ow c
an w
e �b
reak
�L?
�An
swer
: Obt
ain
m (l
inea
rly in
depe
nden
t) lin
ear r
elat
ions
�
F i(c
) + G
i(p)=
ai1
k 1+
�+
a ink
n, i=
1,2
,�,m
�G
uess
n-m
-1bi
ts o
f the
key
, sol
ve fo
r the
oth
er m
bits
�Ti
me:
2n-
m-1
+ O
(m) v
s2n
�M
uch
fast
er th
an e
xhau
stiv
e se
arch
O(2
n )
JLM
200
6020
9 12
:16
19
Alm
ost T
rue
Line
ar C
onst
rain
ts
�U
sual
ly fi
ndin
g lin
ear r
elat
ions
is h
ard
or im
poss
ible
�Lo
ok fo
r lin
ear r
elat
ions
that
hol
d w
ith p
roba
bilit
y p>
1/2
�C
olle
ct a
num
ber o
f sam
ples
�Vo
te fo
r the
max
imal
ly c
onsi
sten
tsub
set o
f equ
atio
ns�
Supp
ose
you
have
n (l
inea
r) e
quat
ions
hol
d w
ith
prob
abili
ty p
, wha
t is
the
prob
abilit
y of
m o
f the
m b
eing
co
rrec
t. �
nCm
pm(1
-p)n-
m
�La
rge
cons
iste
nt s
ubse
ts v
ery
likel
y to
be
corre
ct e
ven
if p
is o
nly
slig
htly
big
ger t
han
.5
JLM
200
6020
9 12
:16
20
Alm
ost L
inea
r Atta
cks
•Sp
arse
Rep
rese
ntat
ion
•D
ecom
posi
tion
•Tr
ansf
orm
atio
n•“A
lmos
t Lin
ear”
cons
train
ts•
Diff
eren
tial C
rypt
anal
ysis
•Li
near
Cry
ptan
alys
is
JLM
200
6020
9 12
:16
21
Alg
ebra
ic R
epre
sent
atio
ns
�A
lgeb
raic
nor
mal
form
(AN
F):
�D
egre
e: d
eg(f)
,the
high
est d
egre
e te
rm in
AN
F.�
Exam
ple
f(X)=
x1+
x 2, d
eg(f)
=1g(
X)=
x 1x 2
, deg
(g)=
2�
Func
tions
of d
egre
e 1
are
calle
d �a
ffine
�. C
ompo
sitio
n of
A
ffine
func
tions
is a
ffine
.
�La
gran
ge In
terp
olat
ion
Theo
rem
. Eve
ry fu
nctio
n in
n
varia
bles
can
be
expr
esse
d as
a p
olyn
omia
l (he
nce
AN
F).
nn
ji
ijn
ji
ii
ni i
xx
xa
xx
a
xa
aX
f
......
)(
)(
)(
21
...12
1
10
⊕⊕
⊕
⊕=
⊕⊕
≤≠
≤
= =
JLM
200
6020
9 12
:16
22
Boo
lean
Fun
ctio
ns
�Fo
r a s
et o
f Boo
lean
func
tions
D, d
(f,g)
=#{X
|f(X
) ∫g(
X)}.
�D
ista
nce:
For
Boo
lean
func
tion
f(X) a
nd g
(X),
d(f,
D)=
m
in[g
(X)e
D]d(
f,g)
�A
ffine
func
tion:
h(x
)= a
1x1∆
a 2x 2
∆�∆
a nx n
+c�
nl(f)
den
otes
the
min
imum
dis
tanc
e be
twee
n f(X
) and
the
set o
f affi
ne fu
nctio
ns D
affin
e. nl
(f)=
d(f,
Daf
fine)
, Daf
fine=
R
M(1
,n).
�B
alan
ce: f
(X) i
s ba
lanc
ed if
f the
re is
an
equa
l num
ber o
f 0�s
an
d 1�
s in
the
outp
ut o
f f(X
).
JLM
200
6020
9 12
:16
23
S B
oxes
as
Pol
ynom
ials
ove
r GF(
2)1,1:
56+4+35+2+26+25+246+245+236+2356+16+15+156+14+146+145+13+135+134+
1346+1345+13456+125+1256+1245+123+12356+1234+12346
1,2:
C+6+5+4+45+456+36+35+34+346+26+25+24+246+2456+23+236+235+234+2346
+1+15+156+134+13456+12+126+1256+124+1246+1245+12456+123+1236+1235
+12356+1234+12346
1,3:
C+6+56+46+45+3+35+356+346+3456+2+26+24+246+245+236+16+15+145+13+1
356+134+13456+12+126+125+12456+123+1236+1235+12356+1234+12346
1,4:
C+6+5+456+3+34+346+345+2+23+234+1+15+14+146+135+134+1346+1345+125
6+124+1246+1245+123+12356+1234+12346
Legend: C+6+56+46 means 1∆
x 6∆
x 5x 6∆
x 4x 6
JLM
200
6020
9 12
:16
24
Dec
ompo
sabl
e S
yste
ms
E k1|
|k2(
x)=
E� k1
(x) |
| E�� k
2(x)
42m
1632t
218264
233264
m2t
2mt
JLM
200
6020
9 12
:16
25
Line
ar A
ttack
s on
spa
rse
coef
ficie
nts
c 1=
f[1,0
](k1,�
,km) p
10 p20 �
p n0
+ f[
1,1]
(k1,�
,km) p
11 p20 �
p n0
+ �
+ f[
1,2m
] (k
1,�,k
m) p
1p2�
p n
�
�
�.
c n=
f[n,1
](k1,�
,km) p
1p2�
p n+
f[1,
1](k
1,�,k
m) p
11 p20 �
p n0 �
+ f[
1,2m
] (k
1,�,k
m) p
1p2�
p n
Sup
pose
mos
t of t
he f[
i,j] a
re 0
. C
an s
olve
for t
hese
with
diff
eren
t p 1
,p2,�
,pn,
even
it th
e F[
i,j] a
re c
ompl
ex a
nd n
on-li
near
in th
e k 1
,�,k
m
JLM
200
6020
9 12
:16
26
Mat
hem
atic
s of
Boo
lean
Fun
ctio
ns
•C
orre
latio
n–
c(f,g
) = P
[f(x)
=g(x
)]-P[
f(x) ∫
g(x)
]. So
P[
f(x)=
g(x)
]= .5
(1+c
(f,g)
)•
Had
amar
d–
S f(w
)= 2
-nS x
(-1)f(x
)+w·x =
c(f(x
), w
x)
•Be
nt fu
nctio
nsFu
rthes
t fro
m li
near
(all
Had
amar
dco
effic
ient
s ar
e eq
ual)
JLM
200
6020
9 12
:16
27
Diff
eren
tial C
rypt
anal
ysis
of B
iham
and
Sham
ir(1
990)
�W
as k
now
n to
IBM
team
who
se d
esig
n ru
les
prov
ided
so
me
resi
stan
ce�
Brea
ks K
hafre
with
150
0 co
rres
pond
ing
plai
n/ci
pher
text
s in
an
hour
�Br
eaks
8 ro
und
Luci
fer i
n 22
1st
eps
with
24
text
s�
Brea
ks F
EA
L.
�Br
eaks
8 ro
und
DE
S.
�U
sefu
l in
brea
king
cry
ptog
raph
ic h
ashe
s�
DE
S R
esul
ts: 2
47C
hose
n pl
aint
ext a
ttack
.
JLM
200
6020
9 12
:16
28
Diff
eren
tial C
rypt
anal
ysis
: Ove
rvie
w
Let (
P L, P
R),
(PL* ,
P R* )
and
(CL* ,
CR
* ), (C
L* , C
R* )
be p
airs
of
inpu
ts a
nd o
utpu
ts w
ith p
resc
ribed
xor
s (P
L� , P R
� ) =
(PL,
P R) ∆
(PL* ,
P R* )
(CL� ,
CR
� ) =
(CL,
CR) ∆
(CL* ,
CR
* ) Fo
llow
the
xor o
f tw
o pl
aint
exts
thro
ugh
roun
ds o
f DE
S.
Out
put x
or d
epen
ds n
on u
nifo
rmly
on
key
bits
. Ta
ke lo
ts o
f cho
sen
plai
ntex
t/cip
herte
xt p
airs
.Le
t non
uni
form
dis
tribu
tion
�vot
e� o
n se
t con
tain
ing
keys
.
JLM
200
6020
9 12
:16
29
Key
Obs
erva
tion
Con
side
r a ro
und
of D
ES
: sK: (
L,R
)!(L
∆F(
E(R
)∆K
),R) w
here
if
X=X 1
||X2||
�||X
8w
ith e
ach
Xia
six
bit
quan
tity.
F(
X)=
P(S
1(X 1
)|| �
||S
8(X 8
))
Let (
L, R
) and
(L*,
R*)
be
inpu
ts to
a ro
und
of D
ES
and
(L
�, R
�)= (L
, R) ∆
(L*,
R*)
.
At e
ach
S-b
ox p
ositi
on, a
n in
put x
oris
inde
pend
ent o
f key
and
the
dist
ribut
ion
of th
e ou
tput
xor
sis
ver
y no
n-lin
ear a
nd n
ot a
ll ou
tput
xor
sar
e po
ssib
le.
Key
s ch
oose
am
ong
outp
ut x
ors.
Asi
de fr
om S
-box
, all
oper
atio
ns a
re li
near
.
JLM
200
6020
9 12
:16
30
Diff
eren
tial P
rofil
e of
sin
gle
S-b
ox
�If
x� Ø
y� a
nd D
j(x�,y
�)= {u
: Sj(u
∆x�
) ∆S j
(u)=
y�},
then
k
ex ∆
Dj(x
�,y�).
�|D
j(x�,
y�)|
has
non
unifo
rm d
istri
butio
n.
�Th
e pr
opag
atio
n ra
tio, R
p(x�
, y�)
= |D
j(x�,
y�)|
/2m, w
here
m
is th
e di
men
sion
of t
he s
pace
of a
�. .�
Sham
ir an
d B
iham
den
ote
this
as
x� Ø
y� ,
p.
( p=
|Dj(x
�, y�
)| /2
m).
JLM
200
6020
9 12
:16
31
S1
Diff
eren
tial D
istri
butio
nS box 1
In 0 1 2 3 4 5 6 7 8 9 a b c d e f
0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4
2 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2
3 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0
4 0 0 0 6 0 10 10 6 0 4 6 4 2 8 6 2
5 4 8 6 2 2 4 4 2 0 4 4 0 12 2 4 6
6 0 4 2 4 8 2 6 2 8 4 4 2 4 2 0 12
7 2 4 10 4 0 4 8 4 2 4 8 2 2 2 4 4
8 0 0 0 12 0 8 8 4 0 6 2 8 8 2 2 4
9 10 2 4 0 2 4 6 0 2 2 8 0 10 0 2 12
a 0 8 6 2 2 8 6 0 6 4 6 0 4 0 2 10
b 2 4 0 10 2 2 4 0 2 6 2 6 6 4 2 12
c 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2
d 6 6 4 8 4 8 2 6 0 6 4 6 0 2 0 2
e 0 4 8 8 6 6 4 0 6 6 4 0 0 4 0 8
f 2 0 2 4 4 6 4 2 4 8 2 2 2 6 8 8
10 0 0 0 0 0 0 2 14 0 6 6 12 4 6 8 6
11 6 8 2 4 6 4 8 6 4 0 6 6 0 4 0 0
12 0 8 4 2 6 6 4 6 6 4 2 6 6 0 4 0
JLM
200
6020
9 12
:16
32
S1
Diff
eren
tial D
istri
butio
n
S box 1
In 0 1 2 3 4 5 6 7 8 9 a b c d e f
13 2 4 4 6 2 0 4 6 2 0 6 8 4 6 4 6
14 0 8 8 0 10 0 4 2 8 2 2 4 4 8 4 0
15 0 4 6 4 2 2 4 10 6 2 0 10 0 4 6 4
16 0 8 10 8 0 2 2 6 10 2 0 2 0 6 2 6
17 4 4 6 0 10 6 0 2 4 4 4 6 6 6 2 0
18 0 6 6 0 8 4 2 2 2 4 6 8 6 6 2 2
19 2 6 2 4 0 8 4 6 10 4 0 4 2 8 4 0
1a 0 6 4 0 4 6 6 6 6 2 2 0 4 4 6 8
1b 4 4 2 4 10 6 6 4 6 2 2 4 2 2 4 2
1c 0 10 10 6 6 0 0 12 6 4 0 0 2 4 4 0
1d 4 2 4 0 8 0 0 2 10 0 2 6 6 6 14 0
1e 0 2 6 0 14 2 0 0 6 4 10 8 2 2 6 2
1f 2 4 10 6 2 2 2 8 6 8 0 0 0 4 6 4
20 0 0 0 10 0 12 8 2 0 6 4 4 4 2 0 12
21 0 4 2 4 4 8 10 0 4 4 10 0 4 0 2 8
22 10 4 6 2 2 8 2 2 2 2 6 0 4 0 4 10
23 0 4 4 8 0 2 6 0 6 6 2 10 2 4 0 10
24 12 0 0 2 2 2 2 0 14 14 2 0 2 6 2 4
JLM
200
6020
9 12
:16
33
S1
Diff
eren
tial D
istri
butio
n
S box 1
In 0 1 2 3 4 5 6 7 8 9 a b c d e f
25 6 4 4 12 4 4 4 10 2 2 2 0 4 2 2 2
26 0 0 4 10 10 10 2 4 0 4 6 4 4 4 2 0
27 10 4 2 0 2 4 2 0 4 8 0 4 8 8 4 4
28 12 2 2 8 2 6 12 0 0 2 6 0 4 0 6 2
29 4 2 2 10 0 2 4 0 0 14 10 2 4 6 0 4
2a 4 2 4 6 0 2 8 2 2 14 2 6 2 6 2 2
2b 12 2 2 2 4 6 6 2 0 2 6 2 6 0 8 4
2c 4 2 2 4 0 2 10 4 2 2 4 8 8 4 2 6
2d 6 2 6 2 8 4 4 4 2 4 6 0 8 2 0 6
2e 6 6 2 2 0 2 4 6 4 0 6 2 12 2 6 4
2f 2 2 2 2 2 6 8 8 2 4 4 6 8 2 4 2
30 0 4 6 0 12 6 2 2 8 2 4 4 6 2 2 4
31 4 8 2 10 2 2 2 2 6 0 0 2 2 4 10 8
32 4 2 6 4 4 2 2 4 6 6 4 8 2 2 8 0
33 4 4 6 2 10 8 4 2 4 0 2 2 4 6 2 4
34 0 8 16 6 2 0 0 12 6 0 0 0 0 8 0 6
35 2 2 4 0 8 0 0 0 14 4 6 8 0 2 14 0
36 2 6 2 2 8 0 2 2 4 2 6 8 6 4 10 0
JLM
200
6020
9 12
:16
34
S1
Diff
eren
tial D
istri
butio
n
S box 1
In 0 1 2 3 4 5 6 7 8 9 a b c d e f
37 2 2 12 4 2 4 4 10 4 4 2 6 0 2 2 4
38 0 6 2 2 2 0 2 2 4 6 4 4 4 6 10 10
39 6 2 2 4 12 6 4 8 4 0 2 4 2 4 4 0
3a 6 4 6 4 6 8 0 6 2 2 6 2 2 6 4 0
3b 2 6 4 0 0 2 4 6 4 6 8 6 4 4 6 2
3c 0 10 4 0 12 0 4 2 6 0 4 12 4 4 2 0
3d 0 8 6 2 2 6 0 8 4 4 0 4 0 12 4 4
3e 4 8 2 2 2 4 4 14 4 2 0 2 0 8 4 4
3f 4 8 4 2 4 0 2 4 4 2 4 8 8 6 2 2
JLM
200
6020
9 12
:16
35
Exa
mpl
e: D
iffer
entia
l Cry
ptan
alys
is o
f S1
thro
ugh
a si
ngle
roun
d
S1E
*=
0x01
, S1 E
= 0x
35 !
0x0d
=SO�.
S1E
*=
0x21
, S1 E
= 0x
15 !
0x03
=SO�.
0x34
!0x
0d m
eans
inpu
t diff
eren
ce 0
x34
prod
uced
out
put d
iffer
ence
0x0
d(1
) For
0x3
4!0x
d, S
1 I�=
{0x0
6, 0
x10,
0x1
6, 0
x1c,
0x2
2, 0
x24,
0x2
8, 0
x32}
.(2
) For
0x3
4!0x
3, S
1 I�=
{0x0
1, 0
x02,
0x1
5, 0
x21,
0x3
5, 0
x36}
.
Sin
ce S
1 E+
S1I=
S1K,
(1)
Red
uces
the
poss
ible
key
set
to {0
x07,
0x3
3, 0
x11,
0x2
5, 0
x17,
0x
23, 0
x1d,
0x2
9}
(2)
Red
uces
the
poss
ible
key
set
to {0
x20,
0x1
4, 0
x23,
0x1
7, 0
x34,
0x
00}.
Th
e in
ters
ectio
n (a
nd a
ctua
l pos
sibi
litie
s) a
re {
0x17
, 0x2
3}
JLM
200
6020
9 12
:16
36
One
Rou
nd D
iffer
entia
l use
d to
ana
lyze
4
roun
d D
ES
Met
hod
Use
1 ro
und
char
acte
ristic
to ri
ght.
Und
o ef
fect
of p
erm
utat
ion
mat
rix
and
solv
e ea
ch S
box
sep
arat
ely.
Th
is a
llow
s us
to s
olve
for 4
8 ke
y bi
ts.
This
1 ro
und
char
acte
ristic
will
be
used
to e
stim
ate
inpu
t xor
in
subs
eque
nt ro
unds
.
∆
20 0
0 00
00
00 0
0 00
00
20 0
0 00
00
00 0
0 00
00
FA�
= 0
a�=
0p
= 1
JLM
200
6020
9 12
:16
37
Diff
eren
tial C
rypt
anal
ysis
of 4
roun
ds
�D
�=a�
∆ B
� ∆L 4
��
d� =
R4�
�Be
caus
e b�
=L0�,
the
outp
ut x
or
of S
2, S 3
, � ,
S 8in
roun
d 2
is
0. T
his
give
s 28
bits
of B
� and
he
nce
28 b
its o
f D� i
s kn
own.
�Si
nce
B� i
s kn
own,
we
can
calc
ulat
e D
�= B
� ∆L 4
� usi
ng 4
en
cryp
ted
pairs
for e
ach
of th
e 7
rele
vant
S b
oxes
. All
key
cand
idat
es a
re in
this
set
w
hich
giv
es 7
x6=4
2 bi
ts o
f key
w
ith h
igh
prob
abilit
y.
∆
L 0=
20 0
0 00
00
R0=
00
00 0
0 00
L 4R
4FA
�a�
FB
�b�
∆
FD
�
c�
∆
FC
�∆
d�
JLM
200
6020
9 12
:16
38
Ext
ensi
on to
Ful
l Rou
nd: O
ne R
ound
C
hara
cter
istic
A on
e ro
und
char
acte
ristic
is a
trip
le
[(Lin�,R
in�),
(Lou
t�,R
out�)
, p] s
uch
that
fo
r all
pairs
(Lin,R
in),
(Lin*,R
in*)
with
(L
in,R
in) ∆
(Lin*,R
in*)
= (L
in�,R
in�)
subj
ecte
d to
a s
ingl
e ci
pher
roun
d (d
epic
ted
on th
e rig
ht) p
rodu
cing
co
rres
pond
ing
pairs
(Lou
t,Rou
t),
(Lou
t*,R
out*)
, the
ratio
of o
utpu
t pa
irs w
ith (L
out,R
out) ∆
(Lou
t*,R
out*)
=
(Lou
t�,R
out�)
is p
.
Cha
ract
eris
tics
can
be e
xten
ded
thro
ugh
mul
tiple
roun
ds.
∆
L in�
Rin�
L out
� Rou
t�
Fp
JLM
200
6020
9 12
:16
39
Com
putin
g a
sing
le c
hara
cter
istic
�Th
e fir
st a
nd m
ost i
mpo
rtant
di
ffere
ntia
l is
(L�,0
) !(L
�,0),
p=1.
�An
othe
r is
(L�,0
x600
0000
0) !
(L� ∆
0x00
8082
00,0
x600
0000
0),
p=1/
4.�
Con
stru
ctio
n:
�E
(0x6
0000
000)
= E(
0110
000
0 �
000
0)=
0011
00 0
0000
0 �
00
0000
�S
1(00
1100
)� !
0xe
with
p=1
/4,
Sj(0
)� !
0 w
ith p
=1, j
>1 a
nd
P(0x
e000
0000
)=0x
0080
8200
.
∆
L in�
Rin�
L out
� Rou
t�
Fp
a�A
�
JLM
200
6020
9 12
:16
40
Mul
ti-ro
und
Cha
ract
eris
tics
�Se
quen
ce o
f Diff
eren
tials
with
id
entif
ied
inpu
t and
out
put
xors
. Eac
h ro
und
diffe
rent
ial
occu
rs w
ith p
roba
bilit
y p i
.�
Ove
rall
prob
abilit
y: p
= Pp i
�C
hara
cter
istic
to th
e rig
ht is
a
thre
e ro
und
char
acte
ristic
with
pr
obab
ility
(14/
64)2
�U
sed
to a
ppro
xim
ate
diffe
rent
ials
thro
ugh
mul
tiple
ro
unds
. �
Each
pai
r fol
low
ing
the
char
acte
ristic
at e
ach
roun
d is
ca
lled
a �r
ight
pai
r�.
Oth
er
pairs
are
�wro
ng p
airs
.��
Wro
ng p
airs
get
dis
tribu
ted
unifo
rmly
; rig
ht p
airs
follo
w
over
all c
hara
cter
istic
pr
obab
ility.
∆
WP=
00 8
0 82
00
60 0
0 00
00
WC=
00 8
0 82
00
60 0
0 00
00
FA
�= 0
0 80
82
00a�
= 60
00
00 0
0
FB�
= 0
b�=
0∆
FC
�= 0
0 80
82
00c�
= 60
00
00 0
0∆
p =
14/6
4
p =
14/6
4
p =
1
JLM
200
6020
9 12
:16
41
Mul
ti-ro
und
Cha
ract
eris
tics
-For
mal
�An
n-r
ound
cha
ract
eris
tic is
a tr
iple
(WP,L
, WT)
, with
L=(
L1,
�, L
n)
whe
re e
ach
L1
is a
one
roun
d di
ffere
ntia
l tha
t hol
ds w
ith p
roba
bilit
y p i
, w
ith fi
rst r
ound
inpu
t xor
(to L
1) is
WP,
and
last
roun
d ou
tput
xor
(form
L
n) is
WT
and
roun
ds �m
atch
up�
.
�Pr
obab
ility
of c
ombi
ned
n-ro
und
char
acte
ristic
is p
W=P
p i
�Ea
ch p
air f
ollo
win
g th
e ch
arac
teris
tic a
t eac
h ro
und
is c
alle
d a
�righ
t pa
ir�.
Oth
er p
airs
are
�wro
ng p
airs
.��
Wro
ng p
airs
get
dis
tribu
ted
unifo
rmly
; rig
ht p
airs
follo
w o
vera
ll ch
arac
teris
tic p
roba
bilit
y.
JLM
200
6020
9 12
:16
42
Con
stru
ctin
g 3
Rou
nd C
hara
cter
istic
�U
se�
(L�,0
) !(L
�,0),
p=1.
�(0
x008
0820
0, 0
x600
0000
0) !
(0x0
0808
200,
0x6
0000
000)
, p=
1/4.
∆
WP=
00 8
0 82
00
60 0
0 00
00
WC=
00 8
0 82
00
60 0
0 00
00
FA
�= 0
0 80
82
00a�
= 60
00
00 0
0
FB�
= 0
b�=
0∆
FC
�= 0
0 80
82
00c�
= 60
00
00 0
0∆
p =
14/6
4
p =
14/6
4
p =
1
JLM
200
6020
9 12
:16
43
Two
roun
d ite
rativ
e ch
arac
teris
tic
�p=
1/2
34�
Obv
ious
ly u
sefu
l for
m
ulti-
roun
d es
timat
es∆
19 6
0 00
00
00 0
0 00
00
00 0
0 00
00
19 6
0 00
00
FA�
= 0
a�=
0
FB�
= 0
b�=
19 6
0 00
00
∆
JLM
200
6020
9 12
:16
44
Diff
eren
tial C
rypt
anal
ysis
of 3
Rou
nd D
ES
R3=
L 2+f
(E(R
2)+k
2)
= R
1+f(E
(R2)
+k2)
= L 0
+f(E
(R0)
+k1)
) +f(E
(R2)
+k3)
Pick
pai
r (R
0, R
0*) w
ith
R0+
R0*
=R0�=
0.
R3�+
L0�
= f(E
(R2)
+k3)
+
f(E(R
2*)+
k 3)
P-1(R
3�+ L
1�) =
f(E
(R2)
+k3)
+
f(E(R
2*)+
k 3).
Not
e R
2= L
3.
∆
L 0R
0
F FL 1
R1
∆
FL 2
R2
∆
L 3R
3
k 1 k 2 k 3
JLM
200
6020
9 12
:16
45
Dat
a fo
r Diff
eren
tial C
rypt
anal
ysis
of 3
R
ound
DE
S
Plai
ntex
tC
iphe
rtex
t0x748502cd38451097
0x03c70306d8a09f10
0x3874756438451097
0x78560a0960e6d4cb
0x486911026acdff31
0x45fa285be5adc730
0x375bd31f6acdff31
0x134f7915ac253457
0x357418da013fec86
0xd8a31b2f28bbc5cf
0x12549847013fec86
0x0f317ac2b23cb944
Onl
y on
e co
unte
r in
each
6 b
it se
t will
be p
ossi
ble
for a
ll 3
pairs
.
JLM
200
6020
9 12
:16
46
Thre
e R
ound
Cha
ract
eris
tic
�Th
is c
hara
cter
istic
occ
urs
with
pr
obab
ility
p=1
/16
and
form
s an
est
imat
e fo
r the
diff
eren
tial
inpu
t of t
he 4
thro
und
of th
e 6
roun
ds.
�(0
0 20
00
08
00 0
0 00
04)
!(0
0 00
04
00 0
0 20
00
08)
with
p=1
/16
is a
noth
er s
uch
char
acte
ristic
.
∆
40 0
8 00
00,
40
00 0
0 00
40 0
8 00
00,
40
00 0
0 00
F F∆
F∆
JLM
200
6020
9 12
:16
47
Diff
eren
tial C
rypt
anal
ysis
of 6
roun
ds
�Su
ppos
e (L
i-1, R
i-1),
k iar
e th
e in
puts
to ro
und
i. P L
= L 0
, PR=
R0.
�L 6
= R
4∆
f(k 6
, R6)
= L 3
∆ f(
k 6, R
6) ∆
f(k 4
, R3)
�L 6
�= L
3� ∆
f(k 6
, R6)
∆ f(
k 6, R
6*) ∆
f(k 4
, R3)
∆ f(
k 4, R
3*)
�L 6
� = C
Lan
d R
6 =C
Rar
e kn
own.
�Es
timat
e L 3
� = 4
0000
000,
R3�
= 40
0800
00, u
sing
the
diffe
rent
ial.
�Se
t S=
P-1(C
L ∆
400
0000
0)=
f(k6,
CR) ∆
f(k 6
, CR
*) ∆
f(k 4
, R3)
∆ f(
k 3, R
3*)=
S 1
(E1)
|| S
2(E
2) ||
� ||
S8(
E8)
whe
re E
1|| E
2|| �
|| E
8 ar
e th
e bi
ts o
btai
ned
by a
pply
ing
E to
400
8000
0.
�E 1
|| E 2
|| �
|| E
8 =0
0100
0000
0000
0000
1010
00..0
=08
||00|
|01|
|10|
|00|
|00|
|00|
|00.
�Si
nce
the
inpu
t Xor
s to
S2,
S5,S
6,S
7,S
8 ar
e 0,
f(k 4
, R3)
∆ f(
k 4, R
3*) i
s 0
in
the
corr
espo
ndin
g ou
tput
bit
posi
tions
and
we
are
left
with
the
sim
ple
diffe
rent
ial:
P-1
(CL ∆
400
0000
0)=
f(k6,
CR) ∆
f(k 6
, CR
*) fo
r S2,
S5,
S6,
S7,S
8.
JLM
200
6020
9 12
:16
48
Diff
eren
tial C
rypt
anal
ysis
of 6
roun
ds
�Fi
rst c
hara
cter
istic
yie
lds
30 b
its o
f key
. S
econ
d on
e ad
ds
anot
her 1
2 bi
ts o
f key
.�
Rec
all P
-1(C
L ∆
400
0000
0)=
f(k6,
CR) ∆
f(k 6
, CR
*)
for S
2,S
5,S
6,S
7,S
8�
This
occ
urs
with
p=
1/16
.�
Stra
ight
forw
ard
impl
emen
tatio
n yi
eldi
ng 3
0 ke
ybits
:�
Set u
p 230
coun
ters
�Bu
mp
coun
ter f
or s
ugge
sted
key
for e
ach
pair
of n
cho
sen
text
s�
Cor
rect
key
be
will
�vot
ed� a
t lea
st 1
/16
n tim
e (�r
ight
pai
rs�)
�In
corre
ct k
eys
will
be v
oted
rand
omly
eac
h w
ith p
roba
bilit
y 1/
230
JLM
200
6020
9 12
:16
49
Diff
eren
tial C
rypt
anal
ysis
of 6
roun
ds
�Im
prov
ing
the
�sig
nal t
o no
ise�
ratio
by
�filte
ring�
pai
rs�
For e
ach
of S
2, S
5, S
6, S
7,S
8 w
ith in
put x
or x
� and
out
put x
or y
�, lo
ok a
t x ∆
Dj(x
�,y�).
�If
this
is e
mpt
y, th
is m
ust b
e w
rong
pai
r.�
For a
ny g
iven
S b
ox th
e, th
is h
appe
ns w
ith p
roba
bilit
y .2
.�
The
prob
abilit
y th
at a
ll 5
S b
oxes
hav
e no
n-em
pty
cand
idat
e ke
y se
ts is
(.8)
5 =.3
3. C
all t
his
set o
f pai
rs R
P a
nd th
e co
mpl
emen
t W
P.
�R
P c
onta
ins
1/3
of th
e pa
irs, W
P c
onta
ins
2/3
�In
RP
, the
pro
babi
lity
of a
�cor
rect
vot
e� is
3/1
6
JLM
200
6020
9 12
:16
50
�Sig
nal t
o N
oise
�
�S/
N=
right
_pai
rs/a
vera
ge_c
ount
�a
= av
erag
e_co
unte
d/co
unte
d_pa
irs�
b=ra
tio o
f_co
unte
d_to
_all
�m
is th
e nu
mbe
r of p
airs
�S/
N=
mp
/ (m
a b
/2k )=
(2k
p)/(a
b)
�S/
N a
ffect
s nu
mbe
r of r
ight
pai
rs n
eede
d:�
S/N
1-2
, 20-
40 ri
ght p
airs
requ
ired
�S/
N 1
6, 7
-8 ri
ght p
airs
requ
ired
JLM
200
6020
9 12
:16
51
Diff
eren
tial C
rypt
anal
ysis
of D
ES
�Be
st 1
6 ro
unds
atta
ck u
ses
13 ro
und
appr
oxim
atio
n�
Req
uire
s 247
text
s�
Not
muc
h be
tter t
han
exha
ustiv
e se
arch
�C
onve
rting
Cho
sen
Pla
inte
xt to
Cor
resp
ondi
ng p
lain
text
at
tack
�If
m p
airs
are
requ
ired
for C
hose
n sq
rt(2m
) 232
are
requ
ired
for c
orre
spon
ding
pla
inte
xt
JLM
200
6020
9 12
:16
52
Com
men
ts o
n D
iffer
entia
l Cry
ptan
alys
is o
f fu
ll D
ES 15531#
Cha
r ro
unds
25816
2-55.
118
25257
16
21615
.61/
1048
630
213215
8
28216
1/16
3027
276
2416
142
2323
4
Cho
sen
Plai
nS/
NC
har
prob
Bits
Fo
und
Ana
lyze
d Pa
irsN
eede
d pa
irs# R
ound
s
JLM
200
6020
9 12
:16
53
DE
S S
-Box
Des
ign
Crit
eria
�N
o S
-box
is li
near
or a
ffine
func
tion
of it
s in
put.
�C
hang
ing
one
bit i
n th
e in
put o
f an
S-B
ox c
hang
es a
t lea
st
two
outp
ut b
its.
�S-
boxe
s w
ere
chos
en to
min
imiz
e th
e di
ffere
nce
betw
een
the
num
ber o
f 1�s
and
0�s
whe
n an
y in
put b
it is
hel
d co
nsta
nt.
�S(
X) a
nd S
(X∆
0011
00) d
iffer
in a
t lea
st 2
bits
�S(
X) ∫
S(X∆
11xy
00)
JLM
200
6020
9 12
:16
54
Com
men
ts o
n ef
fect
of c
ompo
nent
s on
D
iffer
entia
l Cry
ptan
alys
is�
E �W
ithou
t exp
ansi
on, t
here
is a
4 ro
und
itera
tive
char
acte
ristic
with
p=
1/2
56
�P �
Maj
or in
fluen
ce.
If P=
I, th
ere
is a
10
roun
d ch
arac
teris
tic w
ith p
= 2-1
4.5 (b
ut o
ther
atta
cks
wou
ld b
e w
orse
).
�S
orde
r�
If S
1, S
7 an
d S
4 w
ere
in o
rder
, the
re w
ould
be
a 2
roun
d ite
rativ
e ch
arac
teris
tic w
ith p
= 1/
73.
How
ever
, Mat
sui f
ound
an
orde
r (2
4673
158)
that
is b
ette
r and
als
o be
tter a
gain
st L
inea
r cry
pto.
Opt
imum
ord
er fo
r LC
resi
stan
ce: 2
7643
158.
�S
prop
ertie
s�
S bo
xes
are
near
ly o
ptim
um a
gain
st d
iffer
entia
l cry
pto
JLM
200
6020
9 12
:16
55
Line
ar C
rypt
anal
ysis
�In
vent
ed b
y M
itsur
u M
atsu
i in
1993
.�
16-ro
und
DE
S c
an b
e at
tack
ed u
sing
243
know
n pl
aint
exts
-ge
t 26
bits
, bru
te fo
rce
the
rem
aini
ng 3
0 bi
ts �24
3=
9 x
1012
= 9
trillio
n kn
own
plai
ntex
t blo
cks
�Al
so e
xplo
its b
iase
s in
S-b
oxes
, whi
ch w
ere
not
desi
gned
aga
inst
the
atta
ck�
A D
ES
key
was
reco
vere
d in
50
days
usi
ng 1
2 H
P97
35 w
orks
tatio
ns in
a la
b se
tting
JLM
200
6020
9 12
:16
56
Line
ar C
rypt
anal
ysis
Bas
ic id
ea:
Sup
pose
ai(P
) ∆ b
i(C) =
gi(k
) hol
ds w
ith g
i,lin
ear,
for i
= 1,
2,�
,m.
Eac
h eq
uatio
n im
pose
s a
linea
r con
stra
int a
nd re
duce
s ke
y se
arch
by
a fa
ctor
of 2
. G
uess
(n-m
-1) b
its o
f key
. Th
ere
are
2(n-
m-1
) . U
se th
e co
nstra
ints
to g
et th
e re
mai
ning
key
s.
Can
we
find
linea
r con
stra
ints
in th
e �p
er ro
und�
func
tions
and
kn
it th
em to
geth
er?
No!
Per
Rou
nd fu
nctio
ns d
o no
t hav
e lin
ear c
onst
rain
ts.
JLM
200
6020
9 12
:16
57
Line
ar C
rypt
anal
ysis
Nex
t ide
a C
an w
e fin
d a
(P) ∆
b(C
) = g
(k) w
hich
hol
ds w
ith g
,lin
ear,
with
pr
obab
ility
p?
Sup
pose
a(P
) ∆b(
C) =
g(k
), w
ith p
roba
bilit
y p>
.5.
Col
lect
a lo
t of p
lain
/cip
her p
airs
. E
ach
will
�vot
e� fo
r g(k
)=0
or g
(k)=
1.P
ick
the
win
ner.
p= 1
/2+e
requ
ires
ce-2
text
s (w
e�ll
see
why
late
r). e
is c
alle
d �b
ias�
.
Bre
aks
16 ro
und
DE
S w
ith 2
47w
ork
fact
or (a
ctua
lly a
littl
e m
ore
com
plic
ated
than
sim
ple
votin
g ov
er w
hole
cip
her)
.
JLM
200
6020
9 12
:16
58
Line
ar C
rypt
anal
ysis
Not
atio
n
Mat
sui n
umbe
rs b
its fr
om ri
ght t
o le
ft,
right
mos
t bit
is b
it 0.
FIP
S (a
nd
ever
yone
els
e) g
oes
from
left
to
right
sta
rting
at 1
. I w
ill us
e th
e FI
PS
con
vent
ions
. To
map
Mat
sui
posi
tions
to E
very
one
else
:M
(i)=
64-E
E(i)
. Fo
r 32
bits
mak
e th
e ob
viou
s ch
ange
.M
atsu
i als
o re
fers
to th
e tw
o po
tions
of
the
Pla
n an
d C
iphe
rtext
as
(PH, P
L), (
CH, C
L) w
e�ll
stic
k w
ith (P
L, P R
), (C
L, C
R).
∆
PL
PR
CL
CR
FX
1
FX
2
∆
FX
3∆
k 1 k 2 k 3
Y 1 Y 2 Y 3
JLM
200
6020
9 12
:16
59
Line
ar a
nd n
ear l
inea
r dep
ende
nce
Her
e is
a li
near
rela
tions
hip
over
GF(
2) in
S5
that
hol
ds w
ith
prob
abili
ty 5
2/64
(fro
m N
S 5(0
1000
0,11
11)=
12:
X[2]
∆ Y
[1] ∆
Y[2
] ∆ Y
[3]∆
Y[4
]=K[
2] ∆
1,S
omet
ime
writ
ten:
X[2
] ∆ Y
[1,2
,3,4
]=K
[2] ∆
1
You
can
find
rela
tions
like
this
usi
ng th
e �B
oole
an F
unct
ion�
te
chni
ques
we
desc
ribe
a lit
tle la
ter
Insi
de fu
ll ro
und
(afte
r app
lyin
g P
), th
is b
ecom
esX
[17]
∆F(
X,K
)[3,8
,14,
25]=
K[2
6] ∆
1
S5
K [1.
.6]
Y [1.
.4]
X [1.
.6]
JLM
200
6020
9 12
:16
60
Line
ar C
rypt
anal
ysis
of 3
roun
d D
ES
X[17
] ∆Y
[3,8
,14,
25]=
K[2
6] ∆
1, p
= 52
/64
�R
ound
1X 1
[17]
∆Y
1[3,8
,14,
25]=
K1[2
6] ∆
1P
R[1
7] ∆
PL[3
,8,1
4,25
] ∆R
1[3,8
,14,
25]=
K
1[26]
∆1
�R
ound
3X 3
[17]
∆Y
3[3,8
,14,
25]=
K3[2
6] ∆
1R
1[3,8
,14,
25] ∆
CL[3
,8,1
4,25
] ∆C
R[1
7] =
K
3[26]
∆1
�A
ddin
g th
e tw
o ge
t:P
R[1
7] ∆
PL[3
,8,1
4,25
] ∆ C
L[3,8
,14,
25] ∆
CR[1
7] =
K1[2
6] ∆
K 3[2
6]Th
us h
olds
with
p=
(52/
64)2
+ (1
2/64
)2=.
66
∆
PL
PR
CL
CR
FX
1
FX
2∆
FX
3∆
k 1 k 2 k 3
Y 1 Y 2 Y 3
L 1 L 2L 0R
0
R1 R
2
JLM
200
6020
9 12
:16
61
Mat
sui�s
Per
Rou
nd C
onst
rain
ts 42/6
4X[
17] ∆
Y[8
,14,
25]=
K[2
6]D
16/6
4X
[16,
20] ∆
Y[8
,14,
25]=
K[2
5,29
]E
30/6
4X[
3] ∆
Y[1
7]=K
[4]
C
22/6
4X
[1,2
,4,5
] ∆Y
[17]
=K[2
,3,5
,6]
B
12/6
4X[
17] ∆
Y[3
,8,1
4,25
]=K
[26]
APr
Equ
atio
nLa
bel
Mat
sui:
Line
ar C
rypt
anal
ysis
Met
hod
for D
ES
Cip
her.
Eur
ocry
pt, 9
8.
JLM
200
6020
9 12
:16
62
Line
ar C
rypt
anal
ysis
of 5
roun
dsP
atte
rn: B
A-A
B.
PL[1
7] ∆
R1[1
7] ∆
PR[1
,2,4
,5]=
k 1[2
,3,4
,5]
L 1[3
,8,1
4,25
] ∆R
2[3,8
,14,
25] ∆
R1[1
7] =
K2[2
6]R
2[3,8
,14,
25] ∆
CR[3
,8,1
4,25
] ∆R
3[17]
= K 4
[26]
R3[1
7] ∆
CL[1
7] ∆
CR[1
,2,4
,5] =
K5[2
,3,5
,6]
Addi
ng y
ield
sP
L[17]
∆P
R[1
,2,4
,5,3
,8,1
4,25
] ∆C
L[17]
∆
CR[1
,2,4
,5,3
,8,1
4,25
]=K 1
[2,3
,5,6
] ∆ K
2[26]
∆
K4[2
6] ∆
K5[2
,3,5
,6]
P=
p A2 p
B2 +
(1-p
A)2
p B2 +
pA2 (
1-p B
)2+
(1-p
A)2
(1-p
B)2 +
4pAp B
(1-p
A) (
1-p B
)=0.
519
∆
PL
PR F
L 1R
1F
∆
k 1[1
,2,4
,5]
[17]
[2,3
,5,6
]
[17]
[26]
[3,8
,14,
25]
k 2
∆F F
∆[1
7]
[26]
[3,8
,14,
25]
k 4
∆F
k 5[1
,2,4
,5]
[17]
[2,3
,5,6
]
CL
CR
R2
R3
R4
L 2 L 3 L 4
JLM
200
6020
9 12
:16
63
Pilin
g U
p Le
mm
a
Let X
i(1
c ic
n) b
e in
depe
nden
t ran
dom
var
iabl
es w
hose
va
lues
are
0 w
ith p
roba
bilit
y p i
. Th
en th
e pr
obab
ility
that
X1
∆ X
2∆
... ∆
Xn
= 0
is
½+2
n-1
P[1
,n](p
i-1/2
)
Pro
of:
By
indu
ctio
n on
n.
It�s
taut
olog
ical
for n
=1.
Sup
pose
Pr[X
1∆
X2∆
... ∆
Xn-
1= 0
]= q
= ½
+2n-
2P
[1,n
-1](p
i-1/2
). T
hen
Pr[X
1∆
X2∆
... ∆
Xn=
0]=
qp n
+(1-
q)(1
-pn)
=½+2
n-1
P[1
,n](p
i-1/2
) as
clai
med
.
JLM
200
6020
9 12
:16
64
Mat
hem
atic
s of
bia
sed
votin
g
Cen
tral L
imit
Theo
rem
. Le
t X, X
1, �
, X n
be in
depe
nden
t, id
entic
ally
di
strib
uted
rand
om v
aria
bles
and
let S
n=
X 1+
X 2+
� +
Xn.
Let
m=
E(X)
an
d s
2 =E(
(X-m
)2 ). F
inal
ly s
et T
n= (S
n-nm
)/(s◊
n), n
(x)=
1/(◊
2p) e
xp(-
x2 /2)
and
N(a
,b)=
Û[a
,b] n
(x) d
x.
Then
P
r(ac
Tnc
b)=
N(a
,b).
n is
cal
led
the
Nor
mal
Dis
tribu
tion
and
is s
ymm
etric
aro
und
x=0.
N(-¶
,0)=
½
.N
(-.5,
.5)=
.38,
N(-.
75,.7
5)=
.55,
N(-1
,1)=
.68,
N(-2
,2)=
.954
6, N
(-3,3
)= .9
972
JLM
200
6020
9 12
:16
65
App
licat
ion
of C
LT to
LC
p= ½
+e, 1
-p=
½-e
. Le
t L(k
,P,E
k(P))
=0 b
e an
equ
atio
n ov
er G
F(2)
that
ho
lds
with
pro
babi
lity
p. L
et X
ibe
the
outc
ome
(1 if
true
, 0 if
fals
e) o
f an
exp
erim
ent p
icki
ng P
and
test
ing
whe
ther
L h
olds
for t
he re
alk.
E
(Xi)=
p, E
((Xi-p
)2 )=
p(1-
p)2
+ (1
-p)(0
-p)2 =
p(1
-p).
Let T
nbe
as
prov
ided
in
the
CLT
. Fi
n, w
hat i
s th
e pr
obab
ility
that
mor
e th
an h
alf t
he X
iare
1 (i
.e.-
Wha
t is
the
prob
abilit
y th
at n
rand
om e
quat
ions
vot
e fo
r the
righ
t key
)?Th
is is
just
Pr(T
ns �
e◊n/◊
(1/4
�e2 )
). If
n=d
2 e-2
, thi
s is
just
Pr
(Tns
�d/◊
(1/4
�e2 )
) or,
if e
is s
mal
l Pr(
T ns
-2d)
.
Som
e nu
mer
ical
val
ues:
d=
.25,
N(-.
5, ¶
) = .6
9, d
= .5
, N(-1
, ¶) =
.84,
d= 1
, N(-2
, ¶) =
.98,
d=
1.5
, N(-3
, ¶) =
.999
.
JLM
200
6020
9 12
:16
66
15 R
ound
Lin
ear A
ppro
xim
atio
n
Pat
tern
: E-D
CA
-AC
D-D
CA
-A.
Not
e L i
=Ri-1
, Li ∆
Ri+
1=L i
∆L i
+2.
1P L
[8,1
4,25
] ∆
R2[8
,14,
25]
∆ P
R[1
6,20
] =
K
1[23,
25]
3L 3
[8,1
4,25
]∆
R4[8
,14,
25]
∆ R
3[17]
= K
3[26]
4L 4
[17]
∆ R
5[17]
∆ R
4[3]
= K
4[4]
5 L 5
[3,8
,14,
25]∆
R6[3
,8,1
4,25
]∆ R
5[17]
= K
5[26]
7 L 7
[3,8
,14,
25]∆
R8[3
,8,1
4,25
]∆ R
7[17]
= K
7[26]
8L 8
[17]
∆ R
9[17]
∆ R
8[3]
= K
8[4]
9L 9
[8,1
4,25
]∆
R10
[8,1
4,25
]∆
R9[1
7]=
K9[2
6]11
L 11[8
,14,
25]
∆ R
12[8
,14,
25]
∆ R
11[1
7]=
K11
[26]
12L 1
2[17]
∆ R
13[1
7]∆
R12
[3]
= K
12[4
]13
L 13[3
,8,1
4,25
]∆ R
14[3
,8,1
4,25
]∆ R
13[1
7]=
K13
[26]
15
L 15[3
,8,1
4,25
]∆ C
L[3,8
,14,
25]∆
CR[1
7]
=
K15
[26]
JLM
200
6020
9 12
:16
67
15 R
ound
Lin
ear A
ppro
xim
atio
n
Add
ing
and
canc
elin
g:
PL[8
,14,
25] ∆
PR[1
6,20
] ∆ C
L[3,8
,14,
25]∆
CR[1
7] =
K
1[23,
25]∆
K3[2
6] ∆
K 4[4
] ∆K
5[26]
∆K
7[26]
∆K 8
[4]
∆
K9[2
6] ∆
K 11[2
6] ∆
K12
[4] ∆
K13
[26]∆
K 15[2
6]
whi
ch h
olds
(by
Pili
ng-u
p Le
mm
a) w
ith th
e in
dica
ted
prob
abili
ty.
JLM
200
6020
9 12
:16
68
Mat
sui�s
Use
of C
onst
rain
ts
E-D
CA
-AC
D-
DC
A-A
½+1
.19x
2-22
PL[8
,14,
25] ∆
P R[1
6,20
] ∆C
L[3,8
,14,
25]
∆C
R[1
7]=K
1[9,1
3] ∆
K3[2
6] ∆
K4[2
6] ∆
K
5[26]
∆ K
7[26]
∆ K
8[26]
∆ K
9[26]
∆ K
11[2
6]
∆ K
12[2
6] ∆
K13
[26]
∆ K
15[2
6]
15
E-D
CA
-AC
D-
DC
A-A
B½
-1.4
9x2-
24P
L[8,1
4,25
] ∆P R
[16,
20] ∆
CL[1
7]
∆C
R[1
,2,4
,5,3
,8,1
4,25
]=K 1
[9,1
3] ∆
K3[2
6]
∆ K
4[26]
∆ K
5[26]
∆ K
7[26]
∆ K
8[26]
∆
K9[2
6] ∆
K11
[26]
∆ K
12[2
6] ∆
K13
[26]
∆
K15
[26]
∆ K
16[2
,3,5
,6]
16
BA
-AB
½+1
.22x
2-6
PL[1
7] ∆
PR[1
,2,4
,5,3
,8,1
4,25
] ∆C
L[17]
∆
CR[1
,2,4
,5,3
,8,1
4,25
]=K 1
[2,3
,5,6
] ∆
K2[2
6] ∆
K4[2
6] ∆
K5[2
,3,5
,6]
5
A-A
½+1
.56x
2-3
PL[3
,8,1
4,25
] ∆P
R[1
7] ∆
CL[3
,8,1
4,25
] ∆
CR[1
7]=K
1[26]
∆ K
3[26]
3
Equa
tions
U
sed
Pr
Equa
tion
Rou
nds
JLM
200
6020
9 12
:16
69
Fram
ewor
k fo
r diff
eren
tials
and
line
ar
appr
oxim
atio
n
�D
iffer
entia
ls�
(DX i
, DY i
)= P
r[Fi(X
i∆D
X i, K
i) ∆
F i(X
i,Ki)=
DY i
]
�[p
1, p 2
, �, p
n]= P
p i�
B i=
Max
({DX i
= D
X i-2∆
DY i
-1, 3
cic
n}) (
DX 1
, DY 1
) (D
X 2, D
Y 2) �
(DX n
, Yn)
�Li
near
App
roxi
mat
ions
�(G
X i, G
Y i)=
Pr[G
X ·X
i ∆G
Y · F
i(Xi,K
i)= 0
] -.5
�[p
1, p 2
, �, p
n]= 2
t-1P
p i�
B i=
Max
({GY i
= G
Y i-2∆
DG
X i-1
, 3c
icn}
) (G
X 1, G
Y 1) (
GX 2
, GY 2
) � (G
X n,G
Y n)
JLM
200
6020
9 12
:16
70
Mat
sui�s
alg
orith
m fo
r ext
endi
ng
diffe
rent
ials
and
line
ar a
ppro
xim
atio
n
�R
ound
-1Be
gin p 1
=max
{DY}
((DX
1, D
Y) )
If [p
1,Bn-
1]> A
Bn
, cal
l Rou
nd-2
End
�R
ound
-2Be
gin p 2
=max
{DX,
DY}
((DX
2, D
Y 2) )
If
[p1,
p2,
Bn-
2]> A
Bn
, cal
l Rou
nd-3
End
�R
ound
�i (
3cic
n)Be
gin D
Xi=
DX
i-2∆
DY i
-1
p i=m
ax{D
Y}((D
Xi,
DY i
) )
If [p
1 , p
2,�
, p i
, Bn-
i]> A
Bn
, cal
l R
ound
-(i+
1)En
d�
Rou
nd-n
Begi
n DX
n= D
Xn-
2∆ D
Y n-1
p n=m
ax{D
X,D
Y}((D
Xn,
DY)
) If
[p1
, p2,
� ,
p n]>
AB
n , t
hen
AB
n= [p
1 , p
2,� ,
p n]
End
JLM
200
6020
9 12
:16
71
Line
ar C
rypt
anal
ysis
of 8
roun
ds
7 R
ound
app
roxi
mat
ion,
p-½
= 1.
95 x
2-1
0
PL[8
,14,
25] ∆
P R[1
6,20
] ∆C
L[3,8
,14,
25]
∆C
R[1
7]=K
1[9,1
3] ∆
K3[2
6] ∆
K4[4
] ∆
K5[2
6] ∆
K7[2
6]
CL=
CL� ∆
F(C
R�,K
8)C
R=
CL�
PL
PR
∆F
k 8
CL
CR
CR�
CL�7
Rou
nd A
ppro
xim
atio
n
JLM
200
6020
9 12
:16
72
Line
ar C
rypt
anal
ysis
of f
ull D
ES
Can
be
acco
mpl
ishe
d w
ith ~
247
know
n pl
aint
exts
�U
sing
a s
light
ly m
ore
soph
istic
ated
est
imat
ion
15
roun
d ap
prox
imat
ion
(with
247
wor
k fa
ctor
)�
For e
ach
48 b
it la
st ro
und
subk
ey, d
ecry
pt c
iphe
rtext
ba
ckw
ards
acr
oss
last
roun
d fo
r all
sam
ple
ciph
erte
xts
�In
crem
ent c
ount
for a
ll su
bkey
s w
hose
line
ar e
xpre
ssio
n ho
lds
true
to th
e pe
nulti
mat
e ro
und
�Th
is is
don
e fo
r the
firs
t and
last
roun
d yi
eldi
ng 7
key
bits
ea
ch (t
otal
: 14)
JLM
200
6020
9 12
:16
73
Line
ar C
rypt
anal
ysis
of f
ull D
ES
Can
be
acco
mpl
ishe
d w
ith ~
243kn
own
plai
ntex
ts, u
sing
a m
ore
soph
istic
ated
est
imat
ion
14 ro
und
appr
oxim
atio
n�
For e
ach
48 b
it la
st ro
und
subk
ey, d
ecry
pt c
iphe
rtext
bac
kwar
ds
acro
ss la
st ro
und
for a
ll sa
mpl
e ci
pher
text
s�
Incr
emen
t cou
nt fo
r all
subk
eys
who
se li
near
exp
ress
ion
hold
s tru
e to
the
penu
ltim
ate
roun
d�
This
is d
one
for t
he fi
rst a
nd la
st ro
und
yiel
ding
13
key
bits
eac
h (to
tal:
26)
�H
ere
they
are
:P
R[8
,14,
25] ∆
CL[3
,8,1
4,25
] ∆C
R[1
7]=K
1[26]
∆ K
3[4] ∆
K4[2
6] ∆
K6[2
6] ∆
K7[4
] ∆
K8[2
6] ∆
K10
[26]
∆ K
11[4
] ∆ K
12[2
6] ∆
K14
[26]
with
pro
babi
lity
½ -1
.19x
2-21
CR[8
,14,
25] ∆
PL[3
,8,1
4,25
] ∆P
R[1
7]=K
13[2
6] ∆
K12
[24]
∆ K
11[2
6] ∆
K9[2
6] ∆
K
8[24]
∆ K
7[26]
∆ K
5[26]
∆ K
4[4] ∆
K3[2
6] ∆
K1
[26]
with
pro
babi
lity
½ -
1.19
x2-2
1
JLM
200
6020
9 12
:16
74
Des
X
�D
esX
fixe
s tw
o cr
itica
l pro
blem
s w
ith D
ES
:�
Key
size
is to
o sm
all
�Pr
actic
al L
inea
r and
Diff
eren
tial a
ttack
s re
ly o
n ac
cess
to
firs
t and
last
roun
ds o
f ite
rate
d ci
pher
�D
esX
repl
aces
the
56 b
it D
ES
key
, k w
ith a
184
bit
key
(ki,k
,ko)
�D
ES
X(k
i,k,k
o;x)=
ko∆
DES
k(x∆
k i)�
Xorin
g ke
y bi
ts a
t inp
ut a
nd o
utpu
t of c
iphe
r is
calle
d �w
hite
ning
�and
is u
sed
exte
nsiv
ely
by A
ES
can
dida
tes
�D
ES
X w
as p
ropo
sed
by R
ives
t and
doe
sn�t
adve
rsel
y af
fect
the
encr
yptio
n/de
cryp
tion
spee
d
JLM
200
6020
9 12
:16
75
Bru
te F
orce
Kno
wn-
Pla
inte
xt A
ttack
s on
DE
S
�Th
ere
are
256
= ab
out 7
.2 x
1016
poss
ible
key
s�
abou
t 72
thou
sand
trill
ion
�D
iffie
and
Hel
lman
-19
76�
a $2
0 M
mac
hine
with
1-m
illion
pro
cess
ors,
eac
h ca
pabl
e of
test
ing
1 M
DE
S k
eys/
sec,
cou
ld s
earc
h 10
12ke
ys/s
ec a
nd a
ll ke
ys in
a
day.
�
Mic
hael
Wie
ner -
1993
�$1
M m
achi
ne w
ith 5
7,60
0 se
arch
chi
ps, e
ach
test
ing
50 M
key
s/s,
coul
d br
eak
in 3
.5 h
ours
on
aver
age .
�EF
F�
7/13
/98,
$10
K R
SA
priz
e aw
arde
d to
EFF
whi
ch b
roke
DE
S w
ith
$210
K m
achi
ne.
JLM
200
6020
9 12
:16
76
DE
S A
ttack
s
�D
iffer
entia
l cry
ptan
alys
is: T
his
atta
ck re
quire
s th
e en
cryp
tion
of 2
47ch
osen
pla
inte
xts
�Li
near
cry
ptan
alys
is. B
y m
eans
of t
his
met
hod,
a
DE
S k
ey c
an b
e re
cove
red
by th
e an
alys
is o
f 243
know
n pl
aint
exts
. �
Firs
t Aid
: use
3-D
ES
or D
ES
-X: D
ES
X(k
1,k2,k
3,x)=
k2
∆D
ES
(k1,x
∆k 3
)�
This
�whi
tens
� inp
ut a
nd o
utpu
t.
JLM
200
6020
9 12
:16
77
Oth
er a
ttack
s on
DE
S
�M
ultip
le L
inea
r App
roxi
mat
ions
, Knu
dsen
& R
obsh
aw�
Rel
ated
Key
s, B
iham
�In
trodu
ce c
ontro
lled
diffu
sion
pro
duci
ng p
redi
ctab
le e
ffect
that
depe
nds
on re
late
d ke
ys.
Als
o ap
plie
s to
has
h fu
nctio
ns.
�Ap
plie
s to
LO
KI a
nd L
ucife
r but
not
DE
S (b
ecau
se o
f irr
egul
ar k
ey
sele
ctio
n sc
hedu
le)
�N
on-L
inea
r App
roxi
mat
ions
, Knu
dsen
and
Rob
shaw
Har
d to
kni
t con
stra
ints
toge
ther
, som
e he
lp o
n fir
st a
nd la
st ro
unds
�D
avie
s A
ttack
, im
prov
ed b
y B
iham
and
Biry
ukov
Out
put o
n ad
jace
nt S
-box
es s
hare
key
s an
d pa
rity
of n
on-s
hare
d ke
ys
have
non
-uni
form
dis
tribu
tions
. M
argi
nally
bet
ter t
han
exha
ustiv
e se
arch
�Bo
omer
ang
Atta
ck, S
lide
atta
ck, W
agne
r.
JLM
200
6020
9 12
:16
78
Trip
le-D
ES
Par
t of F
IPS
46-
3 st
anda
rdE
ncry
pt: C
= E
(K3,
D(K
2, E
(K1,
P)))
Dec
rypt
: P =
D(K
3, E
(K2,
D(K
1, C
))
3-ke
y: K
1, K 2
, K3
all d
iffer
ent
get 1
68-b
it ke
y2-
key:
K1
= K 3
(Tw
o ke
y ve
rsio
n is
sub
ject
to a
tim
e-m
emor
y tra
de-
off a
ttack
)ge
t 112
-bit
key
bette
r tha
n do
uble
enc
rypt
ion
JLM
200
6020
9 12
:16
79
Pos
t DE
S D
esig
n C
riter
ia
�U
se in
vers
es in
GF(
2k).
(k=8
is p
opul
ar) �
Mar
s,
Rijn
dael
�
S-B
oxes
sho
uld
be s
urje
ctiv
e�
If S
-Box
es d
efin
e pe
rmut
atio
ns (p
),�
DP m
ax(p
)= m
ax {a
∫0,
b}P
r(p(
x∆a)
∆p(
x)=b
) <10
/256
�LP
max
(p) =
(2P
r(x·
a= p
(a) ·
b)-1
)2<1
/16
�Fe
w F
ixed
poi
nts
(3 fo
r 256
)
JLM
200
6020
9 12
:16
80
DE
S S
umm
ary
�D
ES
was
a g
reat
cip
her.
�Th
ey s
houl
d ha
ve s
tuck
with
a 6
4-bi
t key
. �
Mor
e se
cure
�Be
tter a
s a
Has
h pr
imiti
ve�
To m
ake
DE
S b
ette
r.�
Incr
ease
key
siz
e!�
Pre
and
post
whi
teni
ng a
nd n
on-k
ey b
ased
mix
ing
�C
alcu
late
diff
eren
tials
and
dep
ende
ncie
s an
d m
ake
them
sm
all e
noug
h so
not
eno
ugh
plai
n/ci
pher
is a
vaila
ble
for
linea
r and
diff
eren
tial a
ttack
s.
JLM
200
6020
9 12
:16
81
Hom
ewor
k 6
�P
robl
em 1
S-b
ox 4
is o
bser
ved
to h
ave
the
indi
cate
d ou
tput
xor
whe
n pr
esen
ted
with
the
indi
cate
d in
puts
In1: 0x22, In2: 0x16, Output xor: 0x0c
In1: 0x12, In2: 0x0c , Output xor: 0x05
Per
form
a d
iffer
entia
l cry
ptan
alys
is a
nd p
rodu
ce th
e po
ssib
le c
andi
date
key
(s).
You
may
find
the
tabl
es
prov
ided
in �D
C.tx
t� he
lpfu
l.
JLM
200
6020
9 12
:16
82
Hom
ewor
k 6,
pro
blem
2 (o
mit)
Con
side
r the
2 ro
und
itera
tive
diffe
rent
ial c
hara
cter
istic
for D
ES
0x
1960
0000
0000
00!
0x19
6000
0000
0000
, p=1
/234
Sup
pose
for t
he fo
llow
ing
ques
tions
we
can
alw
ays
find
chos
en p
lain
text
w
ith S
/N ra
tio h
igh
enou
gh to
requ
ire o
nly
10 �r
ight
pai
rs� f
or a
su
cces
sful
diff
eren
tial c
rypt
anal
ysis
(�D
C�)
.
a.O
n av
erag
e, h
ow m
any
chos
en p
lain
cip
herte
xtpa
irs a
re re
quire
d fo
r a
succ
essf
ul D
C o
n tw
o ro
unds
?b.
On
aver
age,
how
man
y ch
osen
pla
in c
iphe
rtext
pairs
are
requ
ired
for
a su
cces
sful
DC
on
ten
roun
ds?
c.A
fter h
ow m
any
roun
ds is
DC
impo
ssib
le b
ecau
se th
ere
cann
ot
poss
ibly
be
enou
gh p
lain
cip
herte
xtpa
irs to
suc
ceed
?
JLM
200
6020
9 12
:16
83
Hom
ewor
k 6
�P
robl
em 3
A c
erta
in c
iphe
r Cw
ith 6
bit
key
k 1, k
2, k 3
, k4,
k 5, k
6ha
s 4
linea
r co
nstra
ints
. G
iven
the
corre
spon
ding
pla
inte
xt, c
iphe
rtext
pairs
and
sub
stitu
ting
the
equa
tions
bec
ome:
0= k
1∆k 3∆
k 40=
k4∆
k 50=
k1∆
k 21=
k1∆
k 6
Gue
ssin
g k 1
and
k 3ca
lcul
ate
k 2, k
4, k 5
, k6.
How
man
y en
cryp
tions
are
ne
eded
to d
isco
ver t
he c
orre
ct k
ey w
ith e
xhau
stiv
e se
arch
in th
ew
orst
cas
e?H
ow m
any
are
need
ed w
ith th
ese
cons
train
ts?
JLM
200
6020
9 12
:16
84
Hom
ewor
k 6,
pro
blem
4(A
) Sup
pose
the
ciph
er C
has
a lin
ear c
onst
rain
t (E
quat
ion
1) th
at h
olds
w
ith p
roba
bilit
y p=
.75
whe
re th
e in
put t
o C
is p
lain
text
bits
i 1||i
2||�
||i6;
the
outp
ut is
the
ciph
erte
xtbi
ts o
1||o 2
||�||o
6un
der k
ey b
its
k 1||k
2||�
||k6.
The
con
stan
ts a
1, a 2
, �, a
6, b 1
, b2,
�, b
6, c 1
, c2,
�, c
6, d
are
all k
now
n.E
quat
ion
1: a
1i 1∆
a 2i 2∆
a3i 3∆
a 4i 4∆
a 5i 5∆
a 6i 6∆
b 1o 1∆
b 2o 2∆
b3o
3∆b 4
o 4∆
b 5o 5∆
b 6o 6
=
�c 1
k 1∆
c 2k 2∆
c3k
3∆c 4
k 4∆
c 5k 5∆
c 6k 6∆
dFi
nally
, sup
pose
upo
n su
bstit
utin
g va
lues
from
3 p
lain
text
/cip
herte
xtpa
irs
the
left
hand
sid
e of
equ
atio
n 1
has
valu
es 1
,1,0
, res
pect
ivel
y.W
hat a
re th
e od
ds th
at c
1k1∆
c 2k 2∆
c3k
3∆c 4
k 4∆
c 5k 5∆
c 6k 6∆
d=1
rath
er th
an
0?
(B)
Supp
ose
the
sam
e se
tup
as in
A b
ut 3
out
of 4
pla
inte
xt/c
iphe
rtext
pairs
�v
ote�
that
c1k
1∆c 2
k 2∆
c3k
3∆c 4
k 4∆
c 5k 5∆
c 6k 6∆
d=1.
W
hat a
re th
e od
ds th
at c
1k1∆
c 2k 2∆
c3k
3∆c 4
k 4∆
c 5k 5∆
c 6k 6∆
d=1
rath
er th
an
0?
JLM
200
6020
9 12
:16
85
Hom
ewor
k 6,
pro
blem
4(C
) Con
stru
ctin
g a
mul
ti-ro
und
cons
train
tS
uppo
se C
is a
four
roun
d ite
rativ
e ci
pher
with
pla
inte
xt in
put,
P a
nd
ciph
erte
xtou
tput
C w
here
eac
h ro
und
has
6 bi
t inp
ut I
and
6 bi
t out
put
O a
nd p
er ro
und
keys
K(1
) , K(2
) ,�K(6
) . U
sing
Mat
sui�s
not
atio
n su
ppos
e th
e co
ntra
ints
:I[1
,2] ∆
O[3
,4]=
K(1
) [1,3
]R
1I[3
,4] ∆
O[1
,5]=
K(2
) [4,6
]R
2I[1
,5] ∆
O[1
,6]=
K(3
) [1,5
]R
3I[1
,6] ∆
O[2
,5]=
K(4
) [2]
R4
hold
with
pro
babi
litie
s p 1
= .8
, p2=
.9, p
3= .8
, p4=
.9, r
espe
ctiv
ely.
Wha
t is
the
prob
abilit
y th
at
P[1
,2] ∆
C[2
,5]=
K(1
) [1,3
] ∆K
(2) [4
,6] ∆
K(3
) [1,5
] ∆K
(4) [2
]?
JLM
200
6020
9 12
:16
86
Hom
ewor
k 6,
pro
blem
4(D
) Sup
pose
C is
a m
ulti
roun
d ite
rativ
e ci
pher
with
40
bit p
lain
text
inpu
t, P
, and
ci
pher
text
outp
ut, C
, and
40
bit k
ey.
Supp
ose,
usin
g M
atsu
i�s n
otat
ion,
that
th
e fo
llow
ing
four
line
arly
inde
pend
ent c
onst
rain
ts:
i.P
[a1(1
) , a 2
(1) ,�
, a40
(1) ] ∆
C[b
1(1) ,
b 2(1
) ,�, b
40(1
) ]= K
[c1(1
) , c 2
(1) ,�
, c40
(1) ]
ii.P
[a1(2
) , a 2
(2) ,�
, a40
(2) ] ∆
C[b
1(2) ,
b 2(2
) ,�, b
40(2
) ]= K
[c1(2
) , c 2
(2) ,�
, c40
(2) ]
iii.P
[a1(3
) , a 2
(3) ,�
, a40
(3) ] ∆
C[b
1(3) ,
b 2(3
) ,�, b
40(3
) ]= K
[c1(3
) , c 2
(3) ,�
, c40
(3) ]
iv.
P[a
1(4) ,
a 2(4
) ,�, a
40(4
) ] ∆
C[b
1(4) ,
b 2(4
) ,�, b
40(4
) ]= K
[c1(4
) , c 2
(4) ,�
, c40
(4) ]
hold
with
pro
babi
litie
s p 1
= .7
5, p
2= .7
, p3=
.8, p
4= .9
, res
pect
ivel
y.Su
ppos
e th
at o
n 10
pla
inte
xt/c
iphe
rtext
pairs
the
LHS
of i
, ii,
iii an
d iv
�vot
e�th
at th
e R
HS
of t
he e
quat
ions
are
0 w
ith ta
llies
(2,8
,2,8
)W
hat i
s th
e pr
obab
ilitie
s th
at e
ach
of th
e m
ost p
opul
ar c
hoic
es fo
r the
resu
lting
co
nstra
ints
is c
orre
ct?
Wha
t is
the
prob
abilit
y th
at a
ll 4
are
corre
ct?
If a
ll 4
are
corre
ct, a
nd a
ssum
ing
C ta
kes
1 m
icro
seco
nd/e
ncry
pt, w
hat i
s th
e tim
e to
br
eak
C b
y ex
haus
tive
sear
ch (a
ssum
ing
a se
rial p
roce
ssor
)? H
ow a
bout
by
appl
ying
the
4 co
nstra
ints
and
sea
rchi
ng fo
r the
rem
aini
ng k
ey b
its (a
ssum
ing
a se
rial p
roce
ssor
)?
PS
: Key
sea
rch
is a
�triv
ially
par
alle
lizab
le� o
pera
tion.
JLM
200
6020
9 12
:16
87
Hom
ewor
k 6,
pro
blem
4
(E) I
n th
e le
ctur
e w
e no
ted
that
ther
e w
as a
line
ar a
ttack
that
wor
ked
on 1
6ro
und
DE
S w
ith 2
43pl
aint
ext/c
iphe
rtext
pairs
whe
re th
e ba
sic
cons
train
the
ld w
ith p
roba
bilit
y p=
½ +
ew
here
e= 1
.19
x 2-2
1 is
the
�bia
s�. U
sing
this
fact
, est
imat
e fo
r wha
t p, t
here
are
not
eno
ugh
corr
espo
ndin
gpl
ain/
ciph
er te
xts
to e
nabl
e ap
plyi
ng th
e Li
near
cry
ptan
alys
is to
redu
ce th
ese
arch
key
spac
e.
JLM
200
6020
9 12
:16
88
End
Pap
er
�D
one