Advertisement

Linear Cryptanalysis of DES with Asymmetries

  • Andrey Bogdanov
  • Philip S. Vejre
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10624)

Abstract

Linear cryptanalysis of DES, proposed by Matsui in 1993, has had a seminal impact on symmetric-key cryptography, having seen massive research efforts over the past two decades. It has spawned many variants, including multidimensional and zero-correlation linear cryptanalysis. These variants can claim best attacks on several ciphers, including present, Serpent, and CLEFIA. For DES, none of these variants have improved upon Matsui’s original linear cryptanalysis, which has been the best known-plaintext key-recovery attack on the cipher ever since. In a revisit, Junod concluded that when using \(2^{43}\) known plaintexts, this attack has a complexity of \(2^{41}\) DES evaluations. His analysis relies on the standard assumptions of right-key equivalence and wrong-key randomisation.

In this paper, we first investigate the validity of these fundamental assumptions when applied to DES. For the right key, we observe that strong linear approximations of DES have more than just one dominant trail and, thus, that the right keys are in fact inequivalent with respect to linear correlation. We therefore develop a new right-key model using Gaussian mixtures for approximations with several dominant trails. For the wrong key, we observe that the correlation of a strong approximation after the partial decryption with a wrong key still shows much non-randomness. To remedy this, we propose a novel wrong-key model that expresses the wrong-key linear correlation using a version of DES with more rounds. We extend the two models to the general case of multiple approximations, propose a likelihood-ratio classifier based on this generalisation, and show that it performs better than the classical Bayesian classifier.

On the practical side, we find that the distributions of right-key correlations for multiple linear approximations of DES exhibit exploitable asymmetries. In particular, not all sign combinations in the correlation values are possible. This results in our improved multiple linear attack on DES using 4 linear approximations at a time. The lowest computational complexity of \(2^{38.86}\) DES evaluations is achieved when using \(2^{42.78}\) known plaintexts. Alternatively, using \(2^{41}\) plaintexts results in a computational complexity of \(2^{49.75}\) DES evaluations. We perform practical experiments to confirm our model. To our knowledge, this is the best attack on DES.

Keywords

Linear cryptanalysis DES Mixture models Right-key equivalence Wrong-key randomisation Linear hull Multiple linear 

References

  1. 1.
    TLS stats from 1.6 billion connections to mozilla.org. https://jve.linuxwall.info/blog/index.php?post/2016/08/04/TLS-stats-from-1.6-billion-connections-to-mozilla.org. Accessed 07 Sep 2017
  2. 2.
    Biham, E., Shamir, A.: Differential cryptanalysis of the full 16-round DES. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 487–496. Springer, Heidelberg (1993).  https://doi.org/10.1007/3-540-48071-4_34 CrossRefGoogle Scholar
  3. 3.
    Biryukov, A., Cannière, C.D., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-28628-8_1 CrossRefGoogle Scholar
  4. 4.
    Bogdanov, A., Geng, H., Wang, M., Wen, L., Collard, B.: Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 306–323. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43414-7_16 CrossRefGoogle Scholar
  5. 5.
    Bogdanov, A., Rijmen, V.: Zero-correlation linear cryptanalysis of block ciphers. IACR Cryptology ePrint Archive 2011, 123 (2011)Google Scholar
  6. 6.
    Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. 70(3), 369–383 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Bogdanov, A., Tischhauser, E.: On the wrong key randomisation and key equivalence hypotheses in Matsui’s algorithm 2. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 19–38. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43933-3_2 Google Scholar
  8. 8.
    Bogdanov, A., Tischhauser, E., Vejre, P.S.: Multivariate linear cryptanalysis: the past and future of PRESENT. IACR Cryptology ePrint Archive 2016, 667 (2016)Google Scholar
  9. 9.
    Cho, J.Y.: Linear cryptanalysis of reduced-round PRESENT. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 302–317. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-11925-5_21 CrossRefGoogle Scholar
  10. 10.
    Collard, B., Standaert, F.-X., Quisquater, J.-J.: Improving the time complexity of Matsui’s linear cryptanalysis. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 77–88. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-76788-6_7 CrossRefGoogle Scholar
  11. 11.
    Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, KU Leuven (1995)Google Scholar
  12. 12.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002).  https://doi.org/10.1007/978-3-662-04722-4 CrossRefzbMATHGoogle Scholar
  13. 13.
    Daemen, J., Rijmen, V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptol. 1(3), 221–242 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional linear cryptanalysis of reduced round serpent. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 203–215. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-70500-0_15 CrossRefGoogle Scholar
  15. 15.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional extension of Matsui’s algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03317-9_13 CrossRefGoogle Scholar
  16. 16.
    Kaliski Jr., B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48658-5_4 Google Scholar
  17. 17.
    Junod, P.: On the complexity of Matsui’s attack. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 199–211. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45537-X_16 CrossRefGoogle Scholar
  18. 18.
    Knudsen, L.R., Mathiassen, J.E.: A chosen-plaintext linear attack on DES. In: Goos, G., Hartmanis, J., Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 262–272. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44706-7_18 CrossRefGoogle Scholar
  19. 19.
    Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48658-5_3 Google Scholar
  20. 20.
    Lindsay, B.G.: Mixture models: theory, geometry and applications. In: NSF-CBMS Regional Conference Series in Probability and Statistics, pp. i–163. JSTOR (1995)Google Scholar
  21. 21.
    Matsui, M.: Linear cryptanalysis method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48285-7_33 CrossRefGoogle Scholar
  22. 22.
    Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48658-5_1 Google Scholar
  23. 23.
    Nguyen, P.H., Wu, H., Wang, H.: Improving the algorithm 2 in multidimensional linear cryptanalysis. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 61–74. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22497-3_5 CrossRefGoogle Scholar
  24. 24.
    Nyberg, K.: Linear approximation of block ciphers. In: Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995).  https://doi.org/10.1007/BFb0053460 Google Scholar
  25. 25.
    Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Semaev, I.A.: New results in the linear cryptanalysis of DES. IACR Cryptology ePrint Archive 2014, 361 (2014). http://eprint.iacr.org/2014/361
  27. 27.
    Zhao, J., Wang, M., Wen, L.: Improved linear cryptanalysis of CAST-256. J. Comput. Sci. Technol. 29(6), 1134–1139 (2014)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.Technical University of DenmarkKongens LyngbyDenmark

Personalised recommendations