
1 Introduction

Cryptography can be found in many IT systems. Contemporary ciphers transform plaintext into ciphertext using generalized substitution-permutation (S-P) networks [1]. Many transformation rounds and long encryption keys make cryptanalysis even more difficult [2]. Differential cryptanalysis was invented in 1990 by Biham and Shamir [3]. Even today, next to linear cryptanalysis, it is still one of the most popular attack techniques against many block ciphers [4].

Differential cryptanalysis alone can be insufficient: even with a carefully designed attack, it remains a long-running process. Breaking a cryptographic algorithm is equivalent to solving an NP-hard problem [1]. Evolutionary computation methods, such as evolutionary algorithms (EA), are becoming more and more popular. Such algorithms are applied to many optimization problems, including those related to computer security. In recent years, many papers on the optimization of cryptanalytic processes with different evolutionary techniques, such as EA and GA [5,6,7,8], Memetic Algorithms (MA) [9, 10], Particle Swarm Optimization (PSO) [11, 12] or SA [13], have been published. The use of evolutionary computation techniques keeps growing; however, a number of problems still need to be examined.

The suggested attack is based on GA. These algorithms operate on a set of solutions called a population [14, 15], in this case a set of 48-bit subkeys. Each individual is evaluated with the fitness function \(F_{f}\), which determines how useful it is. GA is inspired by nature; one encounters operations such as reproduction, mutation or the fight for survival [14, 15]. In order to improve the performance of the GA, an additional heuristic negation operator was introduced.

During the first run, the suggested attack attempts to find 30 of the 48 bits of the last subkey \(K_{6}\). A second run, for a different symmetric input difference, makes it possible to guess a further 12 bits, and the remaining 6 bits can be found by a brute-force search. At this point the key schedule can be reversed, since 48 of the 56 bits of the primary key are known. Running the brute-force search again recovers the original decryption key in a reasonable amount of time [1].

The next section presents the DES encryption algorithm. The third section discusses the basics of differential cryptanalysis of the examined cipher. The fourth section describes the suggested genetic attack. The fifth section includes the results of the experiments, including a comparison of the selected algorithms. Conclusions and plans for future work can be found in the last section.

2 Data Encryption Standard

DES was developed in 1975 by IBM on the basis of the Lucifer cipher [1]. In 1977 it was accepted as a worldwide ISO standard [4]. The algorithm itself is described as the Data Encryption Algorithm (DEA); however, in many papers it is referred to as DES. This cipher was the first to be used commercially [16]. DES consists of a dozen or so cycles, called rounds, which are responsible for intermingling the partial cryptograms [1]. For several years, DES resisted all types of cryptanalytic attacks. The first serious attack used differential cryptanalysis [3].

DES was designed so that an avalanche effect is present from the start of the algorithm [4]: a change of one input bit causes a change of at least half of the output bits. Moreover, the state of each output bit depends on every input bit [1]. The authors decided to use a reduced version of the encryption algorithm, named DES6, which otherwise works like the original DES.

The presented DES6 cipher is a 6-round encryption algorithm, transforming 64-bit plaintext blocks into 64-bit ciphertext blocks using a 64-bit encryption key K [2, 16]. Initially, the key is reduced to 56 bits by deleting every 8th bit, which is used to verify the correctness of the encryption key [4]. Then K is split into a set of six 48-bit subkeys K1, ..., K6, one for each round of the algorithm; a detailed description of the key schedule can be found in [1, 2, 4, 16, 17]. Figure 1 presents the 6-round DES algorithm.

Fig. 1. DES6 encryption algorithm

After the subkeys have been generated, encryption can begin. A block of plaintext is subjected to the initial permutation IP. The resulting block is divided into two 32-bit parts, right R and left L. Subsequently, six identical cycles are performed, in which the right part \(R_{i-1}\) is passed to the round function f along with the subkey \(K_{i}\). The resulting block is xored with the left part \(L_{i-1}\), thereby creating a new right part \(R_{i}\). The new left part \(L_{i}\) is the right part \(R_{i-1}\) from the previous round.

After all rounds have been completed, the left \(L_{6}\) and right \(R_{6}\) parts are joined into one 64-bit block, which is passed through the inverse permutation \(IP^{-1}\). The result of this bit transposition is a 64-bit block of ciphertext.

2.1 Round Function f

Each round of the algorithm uses the pseudorandom function f, presented in Fig. 2, to process data. Its input is a 32-bit data block, which is passed to the expansion function E. The objective of this permutation is to bring the block to the same length as a subkey by duplicating chosen bits. By allowing one bit to influence two substitutions, the avalanche effect is increased [4]. The resulting string is xored with the subkey bits and then divided into eight 6-bit blocks B1, ..., B8.

Fig. 2. Round function f of the DES encryption algorithm

Each block \(B_{j}\) is passed to a special substitution matrix called an S-box, \(S_{j}\). These substitutions compress the data: they transform a 6-bit input into a 4-bit output. \(S_{j}\) consists of integers ranging from 0 to 15, arranged in a matrix of 16 columns and 4 rows. The first and the last bit of the 6-bit string \(B_{j}\) indicate the row number; the remaining four bits indicate the column from which the chosen value is returned [4, 16].

The \(S_{j}\) are the only nonlinear element of the DES cipher. Changing one bit of the input may lead to a change of all output bits. Each such transformation hinders the cryptanalysis of the entire cipher. Information about the design criteria of the \(S_{j}\) may be found in [18].

At the end of the function f, the generated strings are concatenated into one 32-bit block of data, which is passed to the permutation P. Its objective is to copy each input bit into exactly one output bit, without duplicating or omitting any of them [4].

3 Differential Cryptanalysis of the DES6 Cipher

The proposed algorithm is based on a chosen-plaintext attack. The cryptanalyst has access to the cipher, which allows him to select pairs of plaintexts that differ in a specified way and to analyze the generated ciphertexts. In the case of the DES algorithm, the difference is calculated with the simple exclusive-or operation and may be written as \(P'=P \oplus P^{*}\), where P and \(P^{*}\) are the paired plaintexts. The pairs may be generated randomly; however, the difference \(P'\) has to match a specified value. One then observes how the difference of a given pair changes over the consecutive rounds of the cipher, until the ciphertexts are generated. All ciphertexts are generated with the same key K. By examining the differences between the texts in consecutive rounds over a larger number of pairs, probabilities are assigned which can suggest the correctness of some subkeys [3, 4].

Every block cipher contains some sort of nonlinearity. In the case of the DES algorithm it comes from inside the function f, more precisely from the \(S_{j}\) [3]. It is impossible to find any formula that would allow us to predict the function value for the next argument [3, 4, 17]. As mentioned previously, each difference is characterized by some probability, which determines how often the function f will return the expected value [3]. These differences will be called characteristics \(\varOmega \). Assuming that \(E = E(R_{i - 1})\), the input symmetric difference \(B'\) may be calculated from the expression:

(1)

From this expression one may conclude that the subkey used has no impact on the difference \(B'\). When the value of each \(B_{j}'\) is known, the set of all ordered pairs \((B_{j}, B_{j}^{*})\) with the given input symmetric difference is determined, following the suggestion described in [17]:

$$\begin{aligned} \varDelta (B_{j}') = \{(B_{j}, B_{j} \oplus B_{j}'): B_{j} \in (\mathbb {Z}_{2})^{6}\}. \end{aligned}$$
(2)

Computing the output symmetric difference \(C_{j}' = S_{j}(B_{j}) \oplus S_{j}(B_{j}^{*})\) for each 4-bit pair, a distribution of all possible inputs over all possible outputs is calculated using the formula presented in [17]:

$$\begin{aligned} IN_{j}(B_{j}', C_{j}') = \{ B_{j} \in (\mathbb {Z}_{2})^{6}: S_{j}(B_{j}) \oplus S_{j}(B_{j} \oplus B_{j}') = C_{j}'\}. \end{aligned}$$
(3)

In most cases the distribution will be uniform. The cryptanalyst's job is to find the distributions with the largest non-uniformity. On the basis of formula (3), an additional test set may be calculated using the following expression, formulated in [17]:

$$\begin{aligned} test_{j}(E_{j}, E_{j}^{*}, C_{j}') = \{B_{j} \oplus E_{j}: B_{j} \in IN_{j}(E_{j}', C_{j}')\}. \end{aligned}$$
(4)

If the number of elements of the set \(test_{j}\) is equal to the cardinality of the set \(IN_{j}\), then \(test_{j}\) must contain the bits of \(K_{ij}\) [17].

4 Proposed NGA Attack

From the point of view of cryptanalysis, the permutations IP and \(IP^{-1}\) may be omitted. The attack begins with the selection of the two most probable 3-round characteristics \(\varOmega _{P}^{1}\) and \(\varOmega _{P}^{2}\), presented in Fig. 3.

Fig. 3. Two 3-round characteristics \(\varOmega _{P}^{1}\) and \(\varOmega _{P}^{2}\)

The probability of each characteristic \(\varOmega \) is calculated as the product of the probabilities in the specified cipher rounds; in both cases it equals \(P_{\varOmega } = {}^{1}\!/\!{_{16}}\). In the 4th round of the cipher, the S-boxes \(S_{2}, S_{5}, S_{6}, S_{7}, S_{8}\) for \(\varOmega _{P}^{1}\) and \(S_{1}, S_{2}, S_{4}, S_{5}, S_{6}\) for \(\varOmega _{P}^{2}\) take the input difference \(B_j'\) and return an output difference \(C_j'\) equal to zero. This is the basis for the sets \(I_{1} = \{2,5,6,7,8\}\) for \(\varOmega _{P}^{1}\) and \(I_{2} = \{1,2,4,5,6\}\) for \(\varOmega _{P}^{2}\).

The attack begins with the generation of the specified number of plaintext pairs and their ciphertexts, whose symmetric difference equals the one proposed by \(\varOmega _{P}^{1}\) and then by \(\varOmega _{P}^{2}\). The further description of the algorithm pertains to \(\varOmega _{P}^{1}\), denoted \(\varOmega \), and the set \(I_1\), denoted I. Running the algorithm for \(\varOmega _{P}^{2}\) requires only a different symmetric difference and the set \(I_2\).

Not every generated pair, despite having the appropriate difference, is correct, so a filtering step is performed during this phase. For each pair the sets \(test_j\) are determined and their sizes are examined. If:

$$\begin{aligned} \bigwedge _{j \in I} |test_{j}| > 0 \end{aligned}$$
(5)

then the pair may suggest the correct subkey bits; otherwise it is discarded. During the filtering phase, approximately 60% of all generated pairs are rejected.

Table 1. \(F_f\) values for SGA, NGA and SA attacks

The basis of the formulated attack is to guess the subkey \(K_6\). Knowing \(C'\) and the difference of the part \(R_{5}\), which equals \(L_{6}\), one can analyze different subkeys by comparing the S-box output with \(C'\). A brute-force attack would require checking \(2^{30}\) subkeys, that is, 1 073 741 824 combinations. In this case, GA can be used as a powerful optimization tool.

Each individual is represented by one 30-bit subkey \(K_j\). The initial population consists of N randomly generated chromosomes. Over repeated iterations of the algorithm, under the influence of the genetic operators, the individuals evolve and the quality of their adaptation improves. The fitness function was defined as follows:

$$\begin{aligned} F_f = \sum \limits _{i=0}^{n} \Big ( L - H\Big ( \sum \limits _{j \in I} \big ( S_{j}(B_{j}) \oplus S_{j}(B_{j}^{*}) \big ),\; P^{-1}(R_{6}' \oplus L_{3}') \Big ) \Big ), \end{aligned}$$
(6)

where H stands for the Hamming distance, L is the subkey length and \(P_{\varOmega }\) is the characteristic probability. The value of \(L_3'\) can be estimated, and \(R_6'\) may be obtained by analyzing a pair of ciphertexts. \(F_f\) counts the number of identical bits between the S-box results and the \(C'\) differences.

The suggested attack uses tournament selection. It randomly chooses a subset of individuals, of which only one will be subjected to the crossover process. The remaining individuals are returned to the population, and the process is repeated to find the second parent.

Descendant chromosomes are generated by the crossover process. The cut point of the parents is chosen randomly from 1 to 30. The subkeys are cut at the chosen point and exchange their genetic material. Newly created individuals may be subjected to the mutation operator, whose objective is to swap two randomly chosen bits of the chromosome.

Newly generated individuals are then subjected to the additional heuristic negation operator. It negates each bit of the chromosome with a certain probability \(P_n\) and remembers the most favourable variant. The heuristic negation operator is applied last.
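The selection, crossover, mutation and heuristic negation operators of this section on 30-bit chromosomes, as an added example that is not the paper's C# implementation. The DES fitness of eq. (6) is replaced by a constructed stand-in (agreement with a hidden target subkey) so that the block runs without a DES6 oracle, and the reading of the negation operator as a bit-by-bit walk that keeps the best variant seen is our assumption.

```python
# Added example (not the paper's code): NGA operators with the paper's parameters,
# on a constructed stand-in fitness instead of the DES6 fitness F_f of eq. (6).
import random

BITS = 30

def new_rng(seed=1):
    return random.Random(seed)

def hamming(a, b):
    return bin(a ^ b).count("1")

def tournament(pop, fitness, size, rng):
    """Tournament selection: the best of a random subset becomes one parent."""
    return max(rng.sample(pop, size), key=fitness)

def crossover(p1, p2, rng):
    """One-point crossover; the cut point is drawn from 1..30 as in the paper."""
    low = (1 << rng.randint(1, BITS)) - 1         # mask of the bits below the cut
    return (p1 & ~low) | (p2 & low), (p2 & ~low) | (p1 & low)

def mutate(ind, p_m, rng):
    """Mutation: swap two randomly chosen bits of the chromosome."""
    if rng.random() < p_m:
        i, j = rng.sample(range(BITS), 2)
        if ((ind >> i) & 1) != ((ind >> j) & 1):
            ind ^= (1 << i) | (1 << j)            # differing bits: swap = flip both
    return ind

def heuristic_negation(ind, fitness, p_n, rng):
    """Assumed reading of the operator: visit every bit, negate it with probability
    p_n, and keep only the most favourable variant seen so far (original included)."""
    best, best_f = ind, fitness(ind)
    for i in range(BITS):
        if rng.random() < p_n:
            cand = best ^ (1 << i)
            f = fitness(cand)
            if f > best_f:
                best, best_f = cand, f
    return best

def evolve(target, n=70, gens=100, p_c=0.8, p_m=0.02, p_n=0.25, k=5, seed=1):
    """Paper's settings: N=70, 100 iterations, Pc=0.8, Pm=0.02, Pn=0.25, tournaments
    of 5, leader copied to the offspring. `target` is the constructed hidden subkey."""
    rng = new_rng(seed)
    fit = lambda ind: BITS - hamming(ind, target)  # stand-in for F_f of eq. (6)
    pop = [rng.getrandbits(BITS) for _ in range(n)]
    for _ in range(gens):
        new = [max(pop, key=fit)]                  # elitism: the leader survives
        while len(new) < n:
            a, b = tournament(pop, fit, k, rng), tournament(pop, fit, k, rng)
            if rng.random() < p_c:
                a, b = crossover(a, b, rng)
            new += [heuristic_negation(mutate(c, p_m, rng), fit, p_n, rng) for c in (a, b)]
        pop = new[:n]
    best = max(pop, key=fit)
    return best, fit(best)
```

Replacing `fit` with a function that evaluates eq. (6) on filtered plaintext pairs turns this loop into the attack's search over the 30 unknown bits of \(K_6\).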

Fig. 4. Cryptanalysis results of DES6 for SGA, NGA and SA attacks

Executing the above attack for \(\varOmega _{P}^{1}\) and \(I_1\) allows us to guess 30 of the 48 bits of the subkey \(K_6\). Repeating the attack for \(\varOmega _{P}^{2}\) and \(I_2\) yields 12 additional bits. The complete subkey \(K_6\) then lacks only the 6 bits of the S-box \(S_3\), which may easily be found by a brute-force search. Knowing the entire subkey, the key schedule that splits K may be reversed, so that 48 of the 56 bits of the primary key are found. The remaining 8 bits may be found by running the brute-force search again.

The SGA attack is the same as the NGA attack described above, except for the additional heuristic negation operator. It uses the same crossover, mutation and selection operators, so a separate description of the SGA attack is omitted.

4.1 Simulated Annealing Attack

At the beginning the initial temperature \(T_0\) and the minimum temperature \(T_{MIN}\) are determined. In each iteration of the algorithm, the temperature T is reduced by a constant \(n \in [0, 1]\) and a new subkey \(K_6'\) is generated by flipping one random bit. If the new individual proves to be better than its predecessor, it replaces it. Additionally, a probability function is introduced which allows a worse solution to be accepted:

$$\begin{aligned} Probability = \exp \Big ({\frac{F_{f}(K_{6}') - F_{f}(K_{6})}{k \cdot T}}\Big ), \end{aligned}$$
(7)

where k is the Boltzmann constant. This process is repeated until the minimum temperature \(T_{MIN}\) is reached.

5 Experimental Results

All algorithms were implemented in the C# programming language and executed on the same computer, equipped with an Intel i5 processor clocked at 3.2 GHz. For the SGA and NGA attacks the maximum number of iterations was set to 100. The population in both algorithms consisted of 70 chromosomes. Tournament selection used 5 individuals to find each parent. The crossover probability \(P_c\) was set to 0.8 and the mutation probability \(P_m\) to 0.02. The probability of the additional heuristic negation operator used in NGA, \(P_n\), was set to 0.25. The population leader was saved and moved to the offspring population in every generation. For the SA attack the starting temperature \(T_0\) was set to 1000 and the minimum temperature \(T_{MIN}\) to 0.001. The temperature T was decreased in each iteration by a coolingRate of 0.99. For each algorithm, 160 pairs of plaintexts were generated randomly, all of them satisfying the condition defined in expression (5). The number of correctly found bits was also counted for every experiment. All encryption keys were generated randomly.

Table 1 presents the results of all algorithms. It contains statistical information about \(F_f\) in the last iteration t of each algorithm and the number of matching bits \(F_b\).

Many times the SGA algorithm found about 27–29 bits of the correct encryption subkey. Unfortunately, in cryptanalysis all bits of the subkey are required. Simple GA found the valid subkey only 2 times. The NGA attack found the exact subkey almost every time: 85% of the tested subkeys were successfully broken. SA did not find any valid solution; in the first experiment for \(\varOmega ^1_P\) it found 22 bits of the subkey. All experiments were selected randomly. Figure 4 presents the results of the first three experiments for each attack. Comparing all presented algorithms and their results, one can easily notice that the proposed NGA algorithm was the most effective.

6 Conclusions and Future Work

This paper presents genetic differential cryptanalysis directed at the DES6 encryption algorithm. The attack was enriched by a GA with an additional heuristic negation operator. The proposed algorithm was compared with the simple GA (SGA) and simulated annealing (SA) attacks. The NGA attack turned out to be the best of all the algorithms; it broke the valid parts of \(K_6\) in 85% of cases.

The presented attack should be tested on more complex variants of the DES cipher, such as DES8, DES12 or the original DES algorithm. Adaptive techniques should also be used to modify the GA parameters during execution. Other metaheuristic alternatives such as Particle Swarm Optimization (PSO) or Memetic Algorithms (MA) may provide interesting results.