User:Ghefchob/sandbox

This is the user sandbox of Ghefchob. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. Create or edit your own sandbox here. Other sandboxes: Main sandbox | Template sandbox Finished writing a draft article? Are you ready to request review of it by an experienced editor for possible inclusion in Wikipedia? Submit your draft for review!

Differential-linear cryptanalysis is a general form of chosen plaintext cryptanalysis, that combines the ideas from both differential cryptanalysis and linear cryptanalysis. The technique allows an attacker to reduce the number of rounds that a linear characteristic must cover, resulting in a reduction (for vulnerable ciphers) in the data complexity of linear cryptanalysis attacks. It works by comparing the parity of linear approximations, for a pair of ciphertexts with a known plaintext difference (see #Technique in detail).

It was introduced by Martin Hellman and Susan K. Langford in 1994 ^[1], as an attack on 8 rounds of DES. The attack recovers 10 bits of key with an 80% success probability, given 512 chosen plaintexts ^[1]. This was an improvement of more than an order of magnitude compared to the earlier results for 8-round DES ^[1][2][3]. Later the technique has been used to successfully analyze, among others, the block ciphers Camellia^[4], IDEA ^[5] and Serpent ^[6], but it is also applicable to stream ciphers. Preneel and Wu used differential-linear cryptanalysis to break the stream cipher Phelix with significantly fewer operations than exhaustive key search ^[7], given attacker controlled nonces.

Technique in detail[edit]

To illustrate the idea we consider an application of the technique to a modified example cipher, which was adopted from a tutorial by Knudsen and Robshaw^[8]. This cipher can be distinguished from a random oracle (following the explanation of differential-linear cryptanalysis given by Biham et al.^[6]). The following figure illustrates the operation of the block cipher (block- and key sizes are omitted, as they are not needed for the explanation):

FIGURE MISSING

Chaining characteristics[edit]

Let there be a truncated characteristic, ${\displaystyle \Gamma \to \Delta }$, which holds for ${\displaystyle S_{1}}$ with probability 1, and a linear characteristic, ${\displaystyle \alpha \to \beta }$, which holds for ${\displaystyle S_{2}}$ with probability ${\displaystyle 1/2+q}$. Then if we have two messages, ${\displaystyle m_{0}}$ and ${\displaystyle m_{1}}$, with a difference of ${\displaystyle m_{0}\oplus m_{1}=\Gamma }$, we know that the difference after ${\displaystyle S_{1}}$ is ${\displaystyle x_{0}\oplus x_{1}=\Delta }$. If the linear characteristic for ${\displaystyle S_{2}}$ uses only the bits from the output difference that are constant, and the dot product between the output difference and the input mask is ${\displaystyle \Delta \cdot \alpha =0}$, then then we know that ${\displaystyle \alpha \cdot x_{0}=\alpha \cdot x_{1}}$. In other words, the input bits to the linear approximation is the same for the two messages.

The linear characteristic for ${\displaystyle S_{2}}$ gives us a probability of ${\displaystyle 1/2+q}$ for the relation ${\displaystyle \alpha \cdot x_{0}=\beta \cdot S_{2}[x_{0}]}$ to hold (and likewise for ${\displaystyle x_{1}}$). For the output parity of the two encrypted messages to be equal, the linear approximation must then either hold or fail for both messages. The probability of this happening is ${\displaystyle (1/2+q)^{2}+(1/2-q)^{2}=1/2+2q^{2}}$, which gives a bias that can be used to distinguish the cipher from a random oracle.

Distinguishing attack[edit]

The distinguishing attack on the cipher is performed by requesting the encryption of several message pairs with an input difference of ${\displaystyle \Gamma }$. For each resulting ciphertext pair, ${\displaystyle c_{0}}$ and ${\displaystyle c_{1}}$, we test if the output parity of the ciphertexts is the same (${\displaystyle \beta \cdot c_{0}{\text{ }}{\stackrel {?}{=}}{\text{ }}\beta \cdot c_{1}}$). If the cipher was implemented as a random oracle, we would expect this relation to hold with probability ${\displaystyle 1/2}$. But the differential-linear property described above tells us that the relation holds with probability ${\displaystyle 1/2+2q^{2}}$ for the cipher. Given enough chosen plaintexts (on the order of ${\displaystyle O(q^{-4})}$^[6]), we may therefore distinguish it from a random oracle.

If we add another round to the example cipher, we may use this distinguisher to recover the last subkey. Given several pairs of ciphertexts, created from plaintexts with a difference of ${\displaystyle \Gamma }$, we try every possible value for the last subkey. For every guess we calculate our way back from the ciphertexts, through the last S-Box. We may then consider the values we get to be outputs from the cipher above, and apply our distinguisher. For an incorrect guess we expect the ciphertexts to act as if they came from a random oracle, but a correct guess will exhibit the bias described above. This allows us to identify the correct value for the last subkey.

Further extensions[edit]

Biham, Dunkelman and Keller extended the technique to use differential charactersitics with a probability of less than 1^[9]. Using this generalization they were able to attack 9 rounds of DES ^[9], and 11 rounds of Serpent^[6]. It is also possible to use a combination of characteristics where ${\displaystyle \Delta \cdot \alpha =1}$, with the change that one then looks for output parities that are different ^[9]. Extending differential-linear cryptanalysis with higher-order differentials and bilinear cryptanalysis has also been explored to create new attacks^[10]

References[edit]

Category:Cryptographic attacks