Delving Deeper into Cryptanalysis Techniques

Lecture 49: More on Differential Cryptoanalysis


    Summary

    In this lecture, the focus is on more advanced forms of differential cryptanalysis, particularly the boomerang and impossible differential attacks, used in cryptography to break block ciphers. Differential cryptanalysis, a method to find the key in a cipher, analyzes how differences in the input affect the resulting differences at the output. The boomerang attack, a variant of differential cryptanalysis, is introduced as a strategy that uses differentials over fewer rounds to reveal keys when a differential over the longer run of rounds is not feasible. The lecture wraps up with a brief introduction to other variants like truncated and higher-order differentials and the slide attack, emphasizing the continuous evolution and depth of cryptanalysis techniques in the field.

      Highlights

      • Exploration of differential cryptanalysis and its variants is crucial for breaking block ciphers. 🔍
      • Boomerang and impossible differential attacks showcase the versatility and depth of cryptanalysis techniques. 🛠️
      • In the boomerang attack, differentials over fewer rounds can reveal keys without needing a differential over the longer run of rounds. 🔓
      • Understanding truncated and higher-order differential attacks expands the toolbox for cryptanalysis. 🎒
      • Slide attack presents a unique strategy by assuming identical round functions in block ciphers. 💡

      Key Takeaways

      • Differential cryptanalysis is key in understanding block ciphers by examining potential differences in plaintext and ciphertext. 🧠
      • Boomerang attacks exploit differentials over fewer rounds, offering a fresh angle on breaking cryptographic keys. 🔄
      • Impossible differential attacks explore differentials with low probabilities, offering a unique approach to cryptanalysis. 🚫
      • Various specialized differential attacks highlight the adaptable nature of cryptanalysis strategies to counter advanced encryptions. 🚀
      • The evolution of cryptanalysis has seen techniques like the slide attack, which explores identical round functions to reveal keys. 🕵️‍♂️

      Overview

      Today's lecture delved deep into the realm of differential cryptanalysis, unveiling its pivotal role in the field of cryptography, particularly for block ciphers. We revisited the foundational concepts of differential attacks and extended our understanding by exploring various advanced strategies such as the boomerang attack. This tactic shows how cryptanalysts can use differentials over fewer rounds to identify keys when the longer run of rounds does not present a viable differential path.
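The boomerang procedure from the lecture (choose P1 and P2 = P1 XOR alpha, encrypt, shift both ciphertexts by delta, decrypt, test whether P3 XOR P4 = alpha), as an added example that is not part of the lecture. The two-round toy cipher, its round keys and the differences `ALPHA` and `DELTA` are constructed for illustration; the count over every P1 is compared with a seeded random permutation.

```python
import random

# Constructed toy cipher for this example: 16-bit block, two S-box rounds.
# E0 = key, S-boxes, bit permutation; E1 = key, S-boxes, key.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,      # first row of DES S1
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Bit 4n+t moves to bit 4t+n; the map is its own inverse.
PERM = [sum(((x >> i) & 1) << (4 * (i % 4) + i // 4) for i in range(16))
        for x in range(1 << 16)]
KEY = (0x3A94, 0xD63F, 0x1C0B)   # constructed round keys
ALPHA = 0x0B00                   # plaintext difference: one active S-box in E0
DELTA = 0x0002                   # ciphertext difference: one active S-box in E1
# Through this S-box the difference B -> 2 holds for 8 of 16 inputs.


def sub_layer(x, box):
    """Apply a 4-bit S-box to each of the four nibbles of x."""
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def encrypt(p, key=KEY):
    k0, k1, k2 = key
    mid = PERM[sub_layer(p ^ k0, SBOX)]          # E0
    return sub_layer(mid ^ k1, SBOX) ^ k2        # E1


def decrypt(c, key=KEY):
    k0, k1, k2 = key
    mid = sub_layer(c ^ k2, INV_SBOX) ^ k1       # undo E1
    return sub_layer(PERM[mid], INV_SBOX) ^ k0   # undo E0


def boomerang_returns(enc, dec, alpha, delta, plaintexts):
    """Count quartets where the decrypted pair (P3, P4) has difference alpha."""
    hits = 0
    for p1 in plaintexts:
        c1, c2 = enc(p1), enc(p1 ^ alpha)            # chosen plaintexts
        p3, p4 = dec(c1 ^ delta), dec(c2 ^ delta)    # chosen ciphertexts
        if p3 ^ p4 == alpha:
            hits += 1
    return hits


def random_permutation(seed):
    """Return (enc, dec) lookups for a seeded random 16-bit permutation."""
    table = list(range(1 << 16))
    random.Random(seed).shuffle(table)
    inverse = [0] * len(table)
    for p, c in enumerate(table):
        inverse[c] = p
    return table.__getitem__, inverse.__getitem__


def compare():
    """Boomerang return counts over all 2**16 choices of P1."""
    everything = range(1 << 16)
    toy = boomerang_returns(encrypt, decrypt, ALPHA, DELTA, everything)
    enc, dec = random_permutation(seed=1)
    rnd = boomerang_returns(enc, dec, ALPHA, DELTA, everything)
    return toy, rnd


if __name__ == "__main__":
    toy, rnd = compare()
    print(f"toy cipher: {toy} of 65536 quartets return; random permutation: {rnd}")
```

On the toy cipher at least a quarter of all quartets come back with difference alpha, because each one-round differential holds with probability 8/16; a random permutation returns almost none, which is the gap the counter in the lecture's step 3 measures.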

        The session then opened a window to the impossible differential attacks, where the key lies in identifying differentials with improbably low probabilities. By flipping the typical approach on its head, such attacks exploit these low probabilities to defeat otherwise secure encryptions. This exploration highlights the ingenuity and constant evolution present in cryptanalysis methodologies.

          Finally, the lecture briefly mentioned other differential techniques like truncated and higher-order attacks before touching on the slide attack. The slide attack stands out by its reliance on identical round functions to expose vulnerabilities that can be extrapolated to decipher encrypted data.
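The slid-pair relation from the lecture, P* = F(P) and C* = F(C) with the same key in every round, turned into a key recovery on a toy Feistel cipher. This is an added example, not code from the lecture: the cipher, its S-box, round count and key are constructed, and it goes slightly beyond the lecture by using chosen plaintexts that share one half so the slid partner is guaranteed to be among 256 blocks.

```python
import random

ROUNDS = 24                              # the slid-pair search does not depend on this
S8 = list(range(256))
random.Random(49).shuffle(S8)            # constructed 8-bit S-box
INV8 = [0] * 256
for i, v in enumerate(S8):
    INV8[v] = i


def f(half, key):
    """Keyed round function on an 8-bit half; key = (ka, kb), 16 bits in total."""
    ka, kb = key
    return S8[S8[half ^ ka] ^ kb]


def round_fn(block, key):
    """One Feistel round F: (L, R) -> (R, L xor f(R))."""
    left, right = block >> 8, block & 0xFF
    return (right << 8) | (left ^ f(right, key))


def encrypt(block, key, rounds=ROUNDS):
    """The same round with the same key, repeated `rounds` times."""
    for _ in range(rounds):
        block = round_fn(block, key)
    return block


def slide_attack(oracle, p0=0x5A3C):
    """Recover the round key from 257 chosen plaintexts via a slid pair."""
    c0 = oracle(p0)
    l0, r0 = p0 >> 8, p0 & 0xFF
    cl, cr = c0 >> 8, c0 & 0xFF
    # P* = F(P0) has left half r0, so it is one of these 256 blocks.
    pool = {(r0 << 8) | y: oracle((r0 << 8) | y) for y in range(256)}
    found = set()
    for p_star, c_star in pool.items():
        if c_star >> 8 != cr:            # C* = F(C0) forces left(C*) == right(C0)
            continue
        want_p = l0 ^ (p_star & 0xFF)    # value of f(r0) if the pair is slid
        want_c = cl ^ (c_star & 0xFF)    # value of f(cr) if the pair is slid
        for ka in range(256):            # solve the two one-round equations for K
            kb = S8[r0 ^ ka] ^ INV8[want_p]
            if f(cr, (ka, kb)) == want_c:
                found.add((ka, kb))
    # Discard false alarms by re-encrypting known pairs with each candidate.
    checks = [(p0, c0)] + list(pool.items())[:2]
    return sorted(k for k in found
                  if all(encrypt(p, k) == c for p, c in checks))


SECRET = (0xC3, 0x7E)                    # constructed key, known only to the oracle


def demo():
    """Run the attack against an oracle that hides SECRET."""
    return slide_attack(lambda p: encrypt(p, SECRET))


if __name__ == "__main__":
    print("recovered round key:", demo())
```

The search over `ka` works on a single round, so the 16-bit key falls to a few hundred one-round evaluations no matter how large `ROUNDS` is.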


              Chapters

              • 00:00 - 10:00: Introduction to Differential Cryptanalysis. The chapter 'Introduction to Differential Cryptanalysis' discusses the differential attack, a specific type of non-generic attack on block ciphers. The lecture continues from previous discussions on the topic and explores some variants of the differential attack.
              • 10:00 - 15:00: Impossible Differential Cryptanalysis. The chapter discusses advanced cryptographic techniques, specifically focusing on a variant of differential attacks known as the boomerang attack on block ciphers. It distinguishes between generic and non-generic attacks and revisits the fundamental concept of differential attacks, which target block ciphers over multiple rounds.
              • 15:00 - 25:00: Boomerang Attack. The chapter 'Boomerang Attack' discusses a cipher structure consisting of several mini-round functions. The plaintext undergoes iterative transformations through these rounds until it becomes the ciphertext. The concept of round keys (such as the r-th round key) is introduced as essential components that help differentiate these transformations. A hint of differences (potentially differential cryptanalysis) is suggested, indicating how variations can lead to vulnerabilities or insights into the cryptographic process. The focus seems to be on understanding the intricacies of these processes in a cryptanalysis context.
              • 25:00 - 28:00: Slide Attack. This chapter focuses on the concept of 'Slide Attack' in cryptography. It begins with the discussion of a differential existing where alpha transitions to beta in a function F with significant probability. The text then touches on the importance of having a high probability in these differentials for successful cryptanalysis. Specifically, it mentions the ability to find the r-th round key by employing differential cryptanalysis methods. However, there are conditions that must be met for this process to work effectively, prompting the need to outline the steps involved.

              Lecture 49: More on Differential Cryptoanalysis Transcription

              • 00:00 - 00:30 [Music] okay so we talked about we have seen the differential attack which is a non-generic attack on block cipher so we'll continue that and we talked about some variant of differential attack like
              • 00:30 - 01:00 impossible differential attack truncated differentials higher-order differential attack so those are some variant of differential attacks so in this talk we'll talk about one variant like which is called boomerang attack boomerang attack on block cipher this is also a non-generic attack so let us just recall what is the differential attack we discussed so for the differential attack it is attack on a block cipher on the r-round block cipher so if we have a r-round block
              • 01:00 - 01:30 cipher that means we have the r many round functions then the last round is F_r and this is the plaintext this is the ciphertext now if we have some this this we call F and this is the r-th round key and if we have some difference
              • 01:30 - 02:00 differential exists alpha is going to beta in F with significant probability high probability then we have seen we can find the K_r I mean the r-th round key by mounting the differential cryptanalysis but for that we need to have this so let us write the step of
              • 02:00 - 02:30 this attack so so these are the steps of this attack step one so this is the differential attack on the block cipher r-round block cipher okay in the first step what we do we'll try to find out that alpha beta so find an r minus 1 round differential
              • 02:30 - 03:00 alpha is going to beta that means if the input difference is alpha then the output difference will be beta in F with high enough with high probability high probability this is the first step
              • 03:00 - 03:30 so we need to have this alpha beta otherwise it will not we cannot have the differential attack toward this step one step 2 so once we have this alpha beta then we can think of finding the r-th round key or K_r so for that we keep counter if a
              • 03:30 - 04:00 counter for each possible possible round key K_r and initialize this by counters 0 initialize we initialize this
              • 04:00 - 04:30 is this counter initialize the counter to 0 all the counter value are 0 this we have already discussed us in the last lecture then in step three step three what we are doing we are picking a plaintext
              • 04:30 - 05:00 so suppose plaintext is n bit so this is our F_r this is our K_r and this is our ciphertext so we know we have an alpha beta here if the input difference is alpha output difference will be beta so alpha is this differential we have okay so now we choose now we need to choose the input difference alpha in
              • 05:00 - 05:30 plaintext so for that we take uniformly we pick a we pick a plaintext X X uniformly from the from the at random random that is we just if the plaintext is say if it is n bit then the
              • 05:30 - 06:00 plaintext space is all possible n bits so we choose X from this at random which is a n bit n bit vector an n bit number okay 0 1 bit at random and then we choose we take X star which is basically X XOR alpha is another plaintext so
              • 06:00 - 06:30 that their difference will be alpha and we encrypt both these plaintexts encrypt both X and X star this is a chosen plaintext attack this is a chosen plaintext attack so we can choose the plaintext and then we can get the ciphertext
              • 06:30 - 07:00 because you have to choose the plaintext such a way that their difference is alpha okay so we encrypt both X X star and we get we get the ciphertext say C 1 C and C star okay and then and then we use
              • 07:00 - 07:30 this candidate key to then we use a candidate K_r to inverse to compute Y which is basically F_r inverse so for this we need to have so this is on C we need to have K_r and Y star which is
              • 07:30 - 08:00 basically F_r inverse C star yeah so we choose a candidate key this we have to do for all possible keys and then we check whether Y XOR Y star is beta or not if it is beta then we increase the counter corresponding to K_r by one if it is beta then increase the
              • 08:00 - 08:30 counter value of K_r okay and then we will again go to we repeat step three we again choose a X so we do for all possible X until we get a significantly
              • 08:30 - 09:00 more value in the counter for some K_r so this is the step four we repeat yeah we repeat step 3 many times until until some K_r has
              • 09:00 - 09:30 significant counter value that means suppose almost all counter all counter values are say say teen 12 and suddenly one counter we are observing is more like so we have K_r so we are taking all possible values of K_r that is 0 1 2
              • 09:30 - 10:00 depending on the size of the KK K bit if K is say L bit then if it is 2 to the power K minus 1 so we take a particular K_r and all are initialized by 0 then we do this once it is matching then we add a 1 like this so this process will repeat until we get a significant values in this counter for a for a particular
              • 10:00 - 10:30 K_r and that corresponding K_r is say say 4 k km we get got it 100 and this like this then obviously this will be the key ok so this is the this is the version of the differential attack and for impossible differential attack there is one variant of this differential attack which is called
              • 10:30 - 11:00 impossible differential attack okay so this attack is similar so instead of high probability we have with very low probability so so we have a alpha-beta differential which is having very low
              • 11:00 - 11:30 probability so that is that is why it is called impossible now in this counter what we do we just repeat this and we just increase the counter like this and if we see in this counter if we repeat the step three if some significantly counter value is low has significant low value low counter value so that means say all are say 50
              • 11:30 - 12:00 90 I say 8 to our 1979 suddenly one value say two then two is the because we have this low probability for this so this is the version of impossible differential attack which was introduced by Biham in 1999 and this differential cryptanalysis was introduced on DES to
              • 12:00 - 12:30 break DES by Biham by Biham and Shamir in 1993 I think yeah 1993 and they broke the DES so this is the best known attack after the exhaustive search attack of Electronic Frontier Foundation so this is the so I think in 1993 I think half
              • 12:30 - 13:00 1993 Biham and Shamir attack on DES by differential cryptanalysis and for this attack they
              • 13:00 - 13:30 have to they have the chosen the size of the plaintexts two to the power forty seven chosen plaintexts so this is chosen plaintext attack and size of the plaintext they have chosen this 2 to the power 47 so that is the complexity of this attack so this was broke the DES was broke by this differential filter and they have a book on this and so
              • 13:30 - 14:00 there are some other variant of differential attack is also they are like truncated differential attacks higher order differential attack so we will not discuss all this so higher order so instead of first order I will take second order difference ok higher order differential attack differential
              • 14:00 - 14:30 cryptanalysis so these are there in the literature if you are interested in come have a look so this was introduced in 1995 I think 1995 by most same and like and then another version is the truncated one truncated differential
              • 14:30 - 15:00 attack was introduced by Knudsen in 1995 and another version of this differential attack is boomerang attack which we'll discuss here so we talk about boomerang attacks boomerang block cipher okay so so it is
              • 15:00 - 15:30 a variant of differential attack so we are looking for so in differential attack what we are doing we have a r-round block cipher and we are just looking for F_r F_r and then we are just looking for a difference in
              • 15:30 - 16:00 this long round like r - 1 rounds so we are looking for a difference alpha is going to beta in this long round so that difference may exist may not exist so that is the problem with differential attack because this is a long round okay so the idea is if we instead of long round if we have a short round short difference like if we have difference up
              • 16:00 - 16:30 to this then if you have difference up to this then can you add can you mount the attack so that is the version that is the version of differential attack that is called boomerang attack so in boomerang attack what we have say we have a plaintext we have this block cipher which is basically n bit and suppose we break this into
              • 16:30 - 17:00 E zero I mean E one E zero so that means we have E zero then we have E one over here okay now suppose we we know that there is some difference alpha
              • 17:00 - 17:30 is going to beta here with probability P so we know know this suppose suppose the difference exists suppose the difference here alpha is going to beta with probability P P is high probability exists in E zero and and suppose here
              • 17:30 - 18:00 also beta is going to some Delta so beta is going to Delta with probability Q in E one so suppose these two difference we have like alpha is going to beta and
              • 18:00 - 18:30 beta is going to Delta instead of having long difference if we can find out some short difference on short round this is the shorter round than whole rounds like this then we can mount them and if this part two probability are significantly high like more than half then we can think of then one can mount the differential a boomerang attack so how so basically what we will do here
              • 18:30 - 19:00 so idea of this attack is so we know that in we know the different differential here is alpha beta and here differential is beta Delta okay now what we do we first choose a plaintext over here so this is our block cipher first choose a plaintext P 1 P 2 such that P 1 XOR P 2 is alpha okay and this is a
              • 19:00 - 19:30 chosen plaintext attack not only chosen plaintext it is also chosen ciphertext attack so this boomerang attack is boomerang attack it is chosen plaintext as well as chosen chosen ciphertext why chosen ciphertext will come in a moment okay so now the
              • 19:30 - 20:00 input difference is alpha now we encrypt so this is the block cipher so this is chosen plaintext attack so it will give us C 1 C 2 so C 1 C 2 is the ciphertext corresponding to P 1 P 2 okay now what we do we choose C 3 C 4 such that C 3 is basically C 1 XOR Delta and C 4 is basically C 2 XOR Delta now so that C 1
              • 20:00 - 20:30 C 3 if you take their input if their difference is Delta okay now if their difference is Delta now here so if we have alpha over here we'll get beta over here we get delta over here with high probability so that is the difference we have so if alpha is the difference over here and if the Delta is
              • 20:30 - 21:00 the difference over here then we should have difference over here beta ok so yeah so how can we mount this attack so now we choose a C 1 C 3 C 4 like this so they are input differences so now this is a chosen ciphertext only attack also so now we get corresponding plaintext we will give the input as the ciphertext we
              • 21:00 - 21:30 will get P 3 P 4 okay now now this is now P 3 P 4 we get so now we know this fact that C 1 so we know this fact C 3 so if we come back here C 3 X 4 X 4 with
              • 21:30 - 22:00 E 1 inverse C 4 so this should give us beta which is again same as E 0 P 3 XOR E 0 P 4 so that means we check we check this if we 0 if this is so we
              • 22:00 - 22:30 check this if this is alpha then we increase the counter by 1 so we are expecting this to be alpha because we are choosing this Delta so that means we should get here beta so that means if we get here beta then their difference would be alpha so if we get alpha then we will increase the counter by 1 like this so this is basically the attack
              • 22:30 - 23:00 model of this boomerang attack but here we are we are we do not require the long differential we can have short differential then also we can just mount the differential attack by this way so let us just write the attack formally so step by step okay so boomerang attack so so we just
              • 23:00 - 23:30 step one so we know the alpha-beta difference is there so we ask for we choose a plaintext p1 p2 such that p1 XOR p2 is alpha okay and we get
              • 23:30 - 24:00 the corresponding ciphertext from here we get the corresponding ciphertext C 1 and C 2 okay so this is the step one so step two is basically we choose C 3 which is basically C 1 XOR Delta and C 4 is basically C 2 XOR Delta so that means C 1 C 3 have difference Delta and
              • 24:00 - 24:30 C 2 C 4 instead is there it's the difference Delta and then we ask so this is a chosen ciphertext also so we ask to decrypt this plaintext to get to get the decrypt the ciphertext to get P 3 P 4 okay so once we have P 3 P 4 then we check this is the step 3 then we
              • 24:30 - 25:00 check whether P 3 P 4 is alpha or not if it is alpha then we increase the counter so we repeat this step until we get some significant probability a significant frequency in the this in this table okay so this is the boomerang attack and the last attack I will just give you the idea of slide attack which was introduced by Biryukov in 1999
              • 25:00 - 25:30 Biryukov and Wagner so this is slide attack this is also attack on block cipher okay so idea is we can slide the block cipher block cipher is r round so here in this attack we assume all the round functions are similar which is it so this is this is r-round block cipher okay so this is plaintext this is
              • 25:30 - 26:00 ciphertext and we are assuming so this is the ideal case we are assuming all the round functions are same for AES for DES all those they are same because they are all Feistel structure but in the first round we have a IP of we have a extra permutation operation and in the AES we have same but in the last round we don't have the mix column operation so anyway so this is the sire block cipher over here as before in order to have this slide attack what we all need
              • 26:00 - 26:30 to have all the these are same and we have the same key now what we do we slide this one position so suppose this is P and this is C this is plaintext this is ciphertext now we take these as a plaintext over here it's like this structure in one position so another F must be there and if we denote this by P
              • 26:30 - 27:00 star so P star is basically F of P and then what is the C star then the C star will because this is C basically so C star will be basically F of C okay now from this two equation if we can solve the key so key are we are assuming same so you have a same key for all round same key so comma K comma Q so from this
              • 27:00 - 27:30 if we can solve a 12 K so that is that are if you have this equation if we can solve K so this is not always it is possible to get the solution if this F is the easy function then one can then we can solve the K from this and one example of easy
              • 27:30 - 28:00 function is three-round DES is easy function so this attack they have applied on three-round DES the slide attack so reduced round DES ok so thank you