Saturday, March 30, 2019
Understanding Linear Cryptanalysis
Dipanjan Bhowmik

Abstract

The objective of this paper is to provide a better understanding of the Linear Cryptanalysis Attack developed by M. Matsui [2]. This paper has been written after going through the literature in this field and has been organized in such a way that a beginner in this field would be able to understand the idea with little prior knowledge. The paper describes a simple cipher and then applies linear cryptanalysis to break it. The cipher has been intentionally taken to be very simple so that a beginner can actually implement it and get an actual feel of the attack. The paper also describes all the algorithms involved in this attack, again with the intention of letting a beginner actually realize the attack.

Keywords: Linear Cryptanalysis, Linear Approximation Table, S-box, Toy cipher, Parity.

Introduction

If one feeds a random input with a particular property into a magic box and can guess the corresponding property in the output, the magic box is somewhat linear.

For example, imagine that the box takes an input and adds one to it. Now, let's say that the property which is looked at is whether the input/output is even. By feeding it an input, one knows the property will be opposite in the output every single time. In other words, adding one to an even number will always produce an odd number and vice versa. This magic box will be completely linear with respect to divisibility by 2.

In an iterative cipher, substitution box(es) (S-box(es)) add non-linearity to it.
Ideally, an S-box should receive an input with property X and output a number that has property Y exactly 50% of the time. The property which is being looked at in Linear Cryptanalysis is Parity.

Definition

Parity: It is a Boolean value (a 0 or a 1) that we get if we perform an XOR operation on some or all of the bits of a number expressed in binary form. The bits that are being XORed together are defined by another number called the mask. The mask lets us ignore some of the bits of the input while calculating the parity. In order to calculate the parity, the mask value is bitwise ANDed with the input value; the bits of the resultant are then taken and XORed together to obtain the parity.

Generating Linear Approximation Tables (LATs)

The masked input parity concept is used to find linearity in the S-boxes. Every single combination of input mask vs. output mask has to be tested for all possible inputs. Basically, we take an input value, mask it using an input mask and obtain its parity (Input Parity). Next, we take the original input, run it through the S-box and mask it with the output mask. We then compute its parity (Output Parity). If they match, then we know that the combination of input and output mask holds true for that input. After doing this for every possible input against every possible pair of input/output masks, we have made a table called the Linear Approximation Table. Each entry in the table is a number indicating the number of times a specific input/output mask pair holds true when tested against all possible inputs.
For example, if a certain S-box takes 4 bit inputs and produces 4 bit outputs, then the LAT will be of dimension 16 x 16 and each entry will range from 0 to 16, indicating the number of successful matches between input and output parity.

Algorithm 1: Algorithm for generating Linear Approximation Table

    For i = 0 to 2^m - 1
        For j = 0 to 2^n - 1
            For k = 0 to 2^m - 1
                If Parity(k AND i) = Parity(S-box[k] AND j) then
                    LAT[i][j] = LAT[i][j] + 1

Where,
LAT is a 2-D array of size m x m.
Parity() is a function that computes the parity of the given input.
m is the total number of bits fed as input to the S-box.
n is the total number of bits produced as output by the S-box.
i ranges from 0 to 2^m - 1; it represents all possible input masks.
j ranges from 0 to 2^n - 1, representing all possible output masks.
k ranges from 0 to 2^m - 1; it represents all possible inputs to the S-box.

Let us assume an S-box that takes 4 bit inputs and produces 4 bit outputs. Both the input and output range from 0 to 15. Such an S-box is injective in nature.

For such an S-box, the algorithm to generate the Linear Approximation Table is modified as follows.

Algorithm 2: Algorithm for generating Linear Approximation Table for the S-box given in figure 1.

    For i = 0 to 15
        For j = 0 to 15
            For k = 0 to 15
                If Parity(k AND i) = Parity(S-box[k] AND j) then
                    LAT[i][j] = LAT[i][j] + 1

In this case, the LAT generated is of dimension 16 x 16.

The following table depicts the Linear Approximation Table generated for the S-box given in fig. 1 using algorithm 2.

Similarly, the LAT for any of the DES S-boxes can also be generated. For a DES S-box the algorithm is modified as follows.

Algorithm 3: Algorithm for generating LAT for DES S-Box.

    For i = 0 to 15
        For j = 0 to 63
            For k = 0 to 15
                If Parity(k AND i) = Parity(S-box[k] AND j) then
                    LAT[i][j] = LAT[i][j] + 1

In this case, the LAT is of dimension 16 x 64, the reason being DES S-box takes 4 bit input and produces 6 bit output.
Piling Up Principle

One of the fundamental tools used for linear cryptanalysis is the Piling Up Principle. Let us consider two random binary variables $X_1$ and $X_2$, and let us assume

And

Then, the probability of the relationship $X_1 \oplus X_2$ will be

That is, $X_1 \oplus X_2$ will be 0 when $X_1 = X_2$, i.e. when both $X_1$ and $X_2$ are 0 or both $X_1$ and $X_2$ are 1. And $X_1 \oplus X_2$ will be 1 when $X_1 \neq X_2$, i.e. when $X_1 = 0$ and $X_2 = 1$ or $X_1 = 1$ and $X_2 = 0$. The probabilities are computed accordingly, assuming $X_1$ and $X_2$ are independent.

We are particularly interested in the deviation of the probability from 1/2, so let us consider $p_1 = 1/2 + \epsilon_1$ and $p_2 = 1/2 + \epsilon_2$, where $\epsilon_1$ and $\epsilon_2$ are the deviations of $p_1$ and $p_2$ respectively from 1/2 and are referred to as probability bias.

Now,

$$P(X_1 \oplus X_2 = 0) = (1/2 + \epsilon_1)(1/2 + \epsilon_2) + (1 - (1/2 + \epsilon_1))(1 - (1/2 + \epsilon_2)) = 1/2 + 2\epsilon_1\epsilon_2$$

So, the probability bias of $X_1 \oplus X_2$ is given by

$$\epsilon_{1,2} = 2\epsilon_1\epsilon_2$$

Generally, if $X_1, X_2, \ldots, X_n$ are n independent random binary variables, then the probability of $X_1 \oplus X_2 \oplus \cdots \oplus X_n = 0$ is given by the Piling Up Lemma.

$$P(X_1 \oplus X_2 \oplus \cdots \oplus X_n = 0) = 1/2 + 2^{n-1} \prod_{i=1}^{n} \epsilon_i \qquad (1)$$

And the probability bias of $X_1 \oplus X_2 \oplus \cdots \oplus X_n = 0$ is given by

$$\epsilon_{1 \ldots n} = 2^{n-1} \prod_{i=1}^{n} \epsilon_i$$

Note that $P(X_1 \oplus X_2 \oplus \cdots \oplus X_n = 0) = 1/2$ if there exists some i such that $\epsilon_i = 0$ or $p_i = 1/2$. And $P(X_1 \oplus X_2 \oplus \cdots \oplus X_n = 0) = 0$ or 1, if for all i, $\epsilon_i = +1/2$ or $-1/2$ respectively or $p_i = 0$ or 1 respectively.

Attacking a Toy Cipher

Let us consider a toy cipher that takes a 4 bit input, goes through two iterations of key addition and block substitution, and yields a 4 bit output.
The following figure diagrammatically represents the toy cipher.

P1, P2, P3, P4 represent the 4 bit plain text.
C1, C2, C3, C4 represent the 4 bit cipher text.
K0, K1, K2 are 4 bit sub keys.
Total key length is 12 bits.

The cipher uses two identical S-boxes, which are the same as the S-box described earlier.

The following algorithm implements the toy cipher.

Algorithm 4: Implementing Toy Cipher

    Key = {k0, k1, k2}
    Sbox = {E,4,D,1,2,F,B,8,3,A,6,C,5,9,0,7}
    For i = 0 to 15                // 16 possible inputs
        p = i
        For j = 0 to 1             // 2 iterations
            p = Sbox[p (+) Key[j]]
        C[i] = p (+) Key[2]        // final key whitening step

The toy cipher yields the following output when Key = {B,7,F}.

The first step towards attacking the cipher begins by obtaining an equation of the form X1 (+) X2 (+) ... (+) Xn = 0. Such an expression can be obtained using the Linear Approximation Table. In our example P(LAT[F][A]) = 12/16 or equivalently Bias(LAT[F][A]) = 4/16, where F is the input mask and A is the output mask. It should be noted that although LAT[0][0] = 16, it cannot be used.

Let Uij denote the jth input of the ith S-Box and Vij denote the jth output of the ith S-Box.

So, P(U11 (+) U12 (+) U13 (+) U14 = V11 (+) V13) = 12/16

Let Kij denote the jth bit of the ith sub key, then U11 = P1 (+) K01, U12 = P2 (+) K02, U13 = P3 (+) K03, and U14 = P4 (+) K04, where Pi denotes the ith plain text bit.

Therefore, P(P1 (+) K01 (+) P2 (+) K02 (+) P3 (+) K03 (+) P4 (+) K04 = V11 (+) V13) = 12/16

or P(P1 (+) P2 (+) P3 (+) P4 (+) K0 = V11 (+) V13) = 12/16

Since U21 = V11 (+) K11 or, V11 = U21 (+) K11
and U23 = V13 (+) K13 or, V13 = U23 (+) K13

Hence, P(P1 (+) P2 (+) P3 (+) P4 (+) K0 = U21 (+) K11 (+) U23 (+) K13) = 12/16

or, P(P1 (+) P2 (+) P3 (+) P4 (+) K0 (+) K11 (+) K13 = U21 (+) U23) = 12/16

Let us assume K = K0 (+) K11 (+) K13, which can either be 0 or 1.

Therefore, P(P1 (+) P2 (+) P3 (+) P4 (+) K = U21 (+) U23) = 12/16

Or, P(P1 (+) P2 (+) P3 (+) P4 = U21 (+) U23) =

Now, as we have obtained a linear expression with a comparatively high probability bias, we would now partially
decrypt the cipher text to obtain U2 (input to the 2nd S-Box). The following algorithm does this.

Algorithm 5: Partially decrypting the cipher text

    C = {3,B,6,D,1,7,F,2,4,9,E,5,8,A,C,0}
    Isbox = {E,3,4,8,1,C,A,F,7,D,9,6,B,2,0,5}
    For k = 0 to 15
        pro[k] = 0
        For i = 0 to 15
            pdc[k][i] = Isbox[C[i] (+) k]
            If Parity(pdc[k][i] AND A) = Parity(i AND F) then
                pro[k] = pro[k] + 1

It should be noted that Parity(pdc[k][i] AND A) = Parity(i AND F) is the algorithmic implementation of P1 (+) P2 (+) P3 (+) P4 (+) K = U21 (+) U23, since bitwise ANDing with a mask having 1 in the required positions of its binary equivalent retrieves the required bits.

The algorithm yields the following probabilities.

From the result we observe that the probability when key = F is 12/16, which matches our expected probability, thereby indicating that K2 = F.

It should be noted that in our example it so happened that there is only one candidate for K2, but generally there may be more than one candidate and all of them should be given due consideration.

For the next round, we use the partially decrypted cipher text with respect to key = F as the cipher text and perform the procedure defined as algorithm 5.

That is, now C = {B,1,D,4,0,7,E,2,6,A,3,9,F,C,8,5}

The output yielded at this point is given below.

At this time we are comparing the plain text block P1, P2, P3, P4 to the input of the first S-Box, i.e. U1, U2, U3, U4, so the expected probability is computed as

P(P1 (+) P2 (+) P3 (+) P4 = P1 (+) P2 (+) P3 (+) P4) = 1

Or, P(P1 (+) P2 (+) P3 (+) P4 = P1 (+) P2 (+) P3 (+) P4 (+) K0) =

Or, P(P1 (+) P2 (+) P3 (+) P4 = P1 (+) K01 (+) P2 (+) K02 (+) P3 (+) K03 (+) P4 (+) K04) =

Or, P(P1 (+) P2 (+) P3 (+) P4 = U11 (+) U12 (+) U13 (+) U14) =

The expected probability matches the observed probability for sub key K1 = 7. Therefore, with a high degree of certainty, K1 = 7.

So, we retain the partially decrypted cipher text for sub key = 7, which is contained in pdc[7][i] for i = 0 to 15.
The partially decrypted cipher text for sub key = 7 is given in the following table.

Now, in order to obtain the sub key K0, we need simply to choose any pair of plain text and partially decrypted cipher text and perform a bitwise XOR operation.

Say we choose (4,F), then 4 (+) F = B. So, K0 = B.

Thus, the actual key = B, 7, F, which is the key we originally used in our example toy cipher.

It should be noted that at every step of our attack we obtained unique sub key values that match our expected probability, which may not be the case all the time. In situations where multiple sub keys match the expected probability, we need to consider each of these sub keys.

Observations

1. If the Linear Approximation Table (LAT) has an entry such that Bias(LAT[i][j]) = 1/2 (50%) and i=j, then the S-box is prone to Linear attack. So, such an S-box is a strict no for any cipher.

2. If the Linear Approximation Table has entries such that Bias(LAT[i][j]) = 1/2 and Bias(LAT[j][k]) = where i j k , then such a cipher is also vulnerable to Linear Attack.

3. If Bias(LAT[i][j]) = where ij and there is no pair such that Bias(LAT[i][j]) = 1/2 and Bias(LAT[j][k]) = 1/2 where i j k , then after a certain number of iterations, Linear Cryptanalysis becomes ineffective. The observation is illustrated using the following graph.

Conclusion

As the number of iterations of an iterative cipher increases and observations 1 and 2 do not hold, Linear Cryptanalysis becomes increasingly less effective.

References

1. Heys, H.M., 2002, A Tutorial on Linear and Differential Cryptanalysis, Cryptologia, XXV(3), 189-221.
2. Matsui, M., 1994, Linear Cryptanalysis Method for DES Cipher, Advances in Cryptology - EUROCRYPT '93, Springer-Verlag, 386-397.
3. Jakobson, B.T., Abyar, M., Nordholt, P.S., 2006, Linear and Differential Cryptanalysis.
4. Paar, C., Pelzl, J., 2010, Understanding Cryptography. Berlin: Springer-Verlag.
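The LAT construction (Algorithm 2) and the key recovery on the toy cipher (Algorithms 4 and 5) can be run end to end as below. This is an added example, not the paper's own code: the function names are chosen here, and the S-box is taken with the value 3 at index 8, which is what the cipher text listed for key B,7,F implies. It goes slightly beyond the walkthrough by keeping every sub key guess whose count shows the expected deviation and confirming each full key against the whole code book.

```python
# Added example; names are illustrative and not taken from the paper.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # index 8 = 3 (assumption, see lead-in)
INV = [SBOX.index(v) for v in range(16)]          # inverse S-box

def parity(x):
    """XOR of all bits of x."""
    return bin(x).count("1") & 1

def lat(sbox):
    """Algorithm 2: LAT[i][j] = number of inputs k whose masked parities agree."""
    return [[sum(parity(k & i) == parity(sbox[k] & j) for k in range(16))
             for j in range(16)] for i in range(16)]

def encrypt(p, key):
    """Algorithm 4: two rounds of key addition and S-box, then key whitening."""
    for sub in key[:2]:
        p = SBOX[p ^ sub]
    return p ^ key[2]

def peel(cipher, in_mask, out_mask):
    """Algorithm 5: for each guess k, undo one round and count parity matches."""
    counts = []
    for k in range(16):
        pdc = [INV[c ^ k] for c in cipher]
        counts.append(sum(parity(pdc[i] & out_mask) == parity(i & in_mask)
                          for i in range(16)))
    return counts

def attack(cipher):
    """Return every (K0, K1, K2) consistent with the full code book."""
    dev = abs(lat(SBOX)[0xF][0xA] - 8)            # expected deviation from 8 of 16
    found = []
    round2 = peel(cipher, 0xF, 0xA)
    for k2 in [k for k in range(16) if abs(round2[k] - 8) == dev]:
        u2 = [INV[c ^ k2] for c in cipher]        # inputs to the 2nd S-box
        round1 = peel(u2, 0xF, 0xF)               # parity relation holds always or never
        for k1 in [k for k in range(16) if round1[k] in (0, 16)]:
            k0 = INV[u2[0] ^ k1]                  # U1 for plain text 0 equals K0
            key = (k0, k1, k2)
            if all(encrypt(p, key) == cipher[p] for p in range(16)):
                found.append(key)
    return found

KEY = (0xB, 0x7, 0xF)                             # key used in the paper's example
CIPHER = [encrypt(p, KEY) for p in range(16)]     # full code book under KEY

if __name__ == "__main__":
    print("LAT[F][A] =", lat(SBOX)[0xF][0xA])
    print("keys:", [tuple(format(k, "X") for k in key) for key in attack(CIPHER)])
```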