
Linear and differential cryptanalysis in the context of AES

Bjorn Lohrmann Student ID 336924 Research project CPSC 669, Fall term 2006, University of Calgary Sunday 10th December, 2006

Introduction

In November 2001 the Rijndael cipher was announced to become standardized as FIPS PUB 197 after a 5-year standardization process. Since then it is in use not only by the US government but worldwide, which makes it one of the most popular algorithms in the field of symmetric-key block ciphers nowadays. Finding more efficient attacks on AES is still an actively researched area in cryptography. Linear and differential cryptanalysis are some of the most widely used and applicable attacks on block ciphers. Linear cryptanalysis was invented by Mitsuru Matsui, who also described it for the DES cipher (see [Ma94]) and launched a first experimental attack on DES in 1994. Differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir, who used it to attack various block ciphers and hash functions in the late 1980s and also used it to attack DES in 1992 (see [BS91]). Due to these facts, these attacks have to be taken into account when designing modern ciphers, as has been done when designing Rijndael. Rijndael is an example of an SP-network with proven mathematical properties which make it resistant to conventional linear and differential cryptanalysis. Yet, nowadays attacks on Rijndael are still based on these original forms of attacks, although the concepts have been largely extended and combined with others.


This paper first summarizes the conventional ways of doing linear and differential cryptanalysis and then very briefly summarizes why AES is not susceptible to those attacks. After a short overview of the attacks that actually have been launched on AES so far, the most recent attack, which is a related-key rectangle attack, is presented. The applied techniques are explained and the attack together with its results is briefly described. The paper finishes with a conclusion.

2 Classical linear cryptanalysis

2.1 Summary of concept

Linear cryptanalysis for block ciphers, as introduced by Mitsuru Matsui, is a known plaintext attack in which the attacker has to obtain a so-called effective linear expression (also referred to as a linear approximation) for a given cipher algorithm and can then use it to mount his attack. This expression usually has the form:

$$P[i_1, i_2, \ldots, i_a] \oplus C[j_1, j_2, \ldots, j_b] = K[k_1, k_2, \ldots, k_c] \qquad (1)$$

where:
- $P$ is the plaintext, $C$ is the corresponding ciphertext and $K$ is the key, represented as bit sequences
- $\oplus$ denotes the bitwise XOR operation
- $A[x, y, \ldots, z] = A[x] \oplus A[y] \oplus \ldots \oplus A[z]$, and $A[i]$ denotes the $i$-th bit of the bit sequence $A$

The expression has to hold with a probability $p \neq \frac{1}{2}$. The linear probability bias $|p - \frac{1}{2}|$ provides a measure for the effectiveness of equation (1). Assuming an iterated block cipher containing components like S-boxes, permutations and linear key-dependent transformations, our major concern when constructing effective linear expressions are the S-boxes, since they are the only non-linear element in the cipher. By exploiting their statistical properties it is possible to construct expressions that hold with a relatively high probability. For each S-box we can compute a linear approximation table (or distribution table, as Matsui calls it in [Ma94]). This table maps every


linear equation of the following form to its corresponding linear probability bias:

$$x_1 \cdot X_1 \oplus \ldots \oplus x_m \cdot X_m = y_1 \cdot Y_1 \oplus \ldots \oplus y_n \cdot Y_n$$

where $X_i$, $i \in \{1, \ldots, m\}$ are the input bits of the S-box, $Y_j$, $j \in \{1, \ldots, n\}$ are the output bits of the S-box, $\cdot$ is the bitwise logical AND and $x_i, y_j \in \{0, 1\}$ are coefficients that can be chosen freely. The following properties of the distribution table shall be noted:
- when all $x_i = 0$ then the bias is zero for all equations with $\exists j \in \{1, \ldots, n\}: y_j \neq 0$; an analogous property holds when all $y_j = 0$
- often the biases are not uniformly distributed

The latter property makes the cipher susceptible to linear cryptanalysis. An effective linear expression for one round can be formalized as a one-round characteristic (this definition is a generalized version of Biham's in [Bi95], since his definition is tailored for use with DES):

A one-round characteristic is a tuple $\Omega = (\Gamma_P, \Gamma_C, \Gamma_K, p)$ where:
- $\Gamma_P$ ($\Gamma_C$) is a bitmask for the input (output) bits of the round
- $\Gamma_K$ is a bitmask for the key bits of the round
- $p$ is the probability that the linear expression $\Gamma_P \cdot P \oplus \Gamma_C \cdot C = \Gamma_K \cdot K$ holds, where $\cdot$ is the binary scalar product of two binary vectors

One-round characteristics with a high probability can be easily constructed by exploiting the properties of the S-boxes in the round; the probability of such a characteristic is then the product of the probabilities of the active S-boxes. An active S-box is an S-box for which at least one of the input bits chosen in $\Gamma_P$ is part of the linear expression. Special care has of course to be taken to incorporate elements like permutations into the construction of the characteristic. An n-round characteristic can be defined recursively as the concatenation of two characteristics:

An n-round characteristic $\Omega_n = (\Gamma_{P,n}, \Gamma_{C,n}, \Gamma_{K,n}, p_n)$ is the result of the concatenation of an m-round characteristic $\Omega_m = (\Gamma_{P,m}, \Gamma_{C,m}, \Gamma_{K,m}, p_m)$ and an r-round characteristic $\Omega_r = (\Gamma_{P,r}, \Gamma_{C,r}, \Gamma_{K,r}, p_r)$, where:
- $\Gamma_{P,n} = \Gamma_{P,m}$
- $\Gamma_{C,n} = \Gamma_{C,r}$
- $\Gamma_{K,n}$ is the concatenation of $\Gamma_{K,m}$ and $\Gamma_{K,r}$
- the condition $\Gamma_{C,m} = \Gamma_{P,r}$ holds
- $p_n$ is the probability that the linear expression $\Gamma_{P,n} \cdot P \oplus \Gamma_{C,n} \cdot C = \Gamma_{K,n} \cdot K_n$ holds, where $K_n$ is the concatenation of the key bit sequences $K_m$ and $K_r$

To compute the probability $p_n$ Matsui introduced his "Piling-up Lemma": If $X_i \in \{0, 1\}$ ($1 \le i \le n$) are independent random variables for which $P(X_i = 0) = p_i$ holds, then the following equation holds:

$$P(X_1 \oplus X_2 \oplus \ldots \oplus X_n = 0) = \frac{1}{2} + 2^{n-1} \prod_{i=1}^{n} \left(p_i - \frac{1}{2}\right)$$

Although the assumption this lemma makes does not hold in practice for our expression, the "Piling-up Lemma" still provides a good approximation of the true $p_n$ for us. Thus the probability $p_n$ of two concatenated characteristics $\Omega_m$ and $\Omega_r$ can be approximated as

$$p_n = \frac{1}{2} + 2\left(p_m - \frac{1}{2}\right)\left(p_r - \frac{1}{2}\right).$$

We can now mount a known plaintext attack against an n-round iterated block-cipher and recover some bits of the last round-key if we have the following:
- a carefully chosen (n−1)-round characteristic $\Omega = (\Gamma_P, \Gamma_X, \Gamma_K, p)$ with a sufficiently high probability $p$
- a sufficiently high number $N$ of plaintext/ciphertext samples $(P_i, C_i)$

By the target partial round-key $K^*$ we shall denote the bits of the n-th round-key which "get in touch" with the output of the S-boxes in the n-th round that receive as input the output bits from the (n−1)-th round that are part of our linear approximation. Each possible $K^*$ value shall have a counter associated with it. We now run the last round backwards for each possible key and plaintext/ciphertext pair:

for each possible tuple $((P_i, C_i), K^*)$ do
    run $C_i$ and $K^*$ backwards through the steps of the last round to obtain its inputs $X_i$
    if $\Gamma_P \cdot P_i \oplus \Gamma_X \cdot X_i = 0$, increase the counter for the key $K^*$

Let $T$ denote the number of plaintexts for which $\Gamma_P \cdot P_i \oplus \Gamma_X \cdot X_i = 0$. The attacker now applies the following algorithm to choose the most likely target partial round-key $K^*$:

if $T > \frac{N}{2}$ then
    $K^* := K_{max}$ if $p > \frac{1}{2}$
    $K^* := K_{min}$ if $p < \frac{1}{2}$
else
    $K^* := K_{min}$ if $p > \frac{1}{2}$
    $K^* := K_{max}$ if $p < \frac{1}{2}$

where $K_{max}$ is the key with the highest counter value, and $K_{min}$ the one with the lowest. According to [HE01] $N$ can be approximated as:

$$N \approx \frac{1}{(p - \frac{1}{2})^2}.$$

2.2 AES and classical linear cryptanalysis

When analyzing the resistance of a block cipher against linear cryptanalysis one would intuitively try to find the linear characteristic with the maximum linear probability bias and, if the bias is sufficiently low, call the cipher secure against linear cryptanalysis. But although this may provide a good heuristic, it does not suffice for a strict mathematical proof of security due to the so-called linear hull effect first described by Nyberg in [Ny94]. The linear hull effect is one of the most important reasons why the actual bias of a linear approximation can significantly diverge from the approximated bias in the used characteristic. Intuitively, the effect takes place when a linear expression has multiple linear characteristics with different, high biases and thus different active S-boxes. The set of characteristics with the same input and output but different key masks and biases is called the linear hull. Therefore, in order to prove the security of a cipher against linear cryptanalysis one has to provide sufficiently low upper bounds on the probability of a linear hull. Using the fact that AES is a special case of an SPN-structure, [Pa02] shows that the maximum linear hull probability of 4-round Rijndael-like structures can be bounded by

$$4q^{19} + 6q^{18} + 4q^{17} + q^{16}$$

if the maximum linear probability $q$ of an S-box is $q < 2^{-3}$. For AES the same paper shows that $q = 2^{-6}$ and that thus the maximum linear hull probability of 4-round Rijndael-like structures is bounded by

$$4 \cdot 2^{-114} + 6 \cdot 2^{-108} + 4 \cdot 2^{-102} + 2^{-96} \approx 1.06 \cdot 2^{-96}.$$

This statement holds even more so for AES, which has more than four rounds, and it can therefore be considered secure against conventional linear cryptanalysis.
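As an added illustration of the concatenation rule in section 2.1 and the linear hull effect of section 2.2 (example code written for this summary, not taken from the paper or from the cited sources), the following Python script computes the linear approximation table of a 4-bit S-box, estimates the bias of a two-round characteristic with the Piling-up Lemma, and compares that single-trail estimate with the exact bias of the two-round map, which is the signed sum over every trail in the hull. The S-box is the one used in Heys' tutorial [HE01]; the round key between the two S-box layers is a constructed value.

```python
from fractions import Fraction

# 4-bit S-box from Heys' tutorial [HE01]; a stand-in for a real cipher's S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SIZE = 16  # number of S-box inputs (2^4)


def dot(mask, value):
    """Binary scalar product Gamma . X: parity of the bits selected by the mask."""
    return bin(mask & value).count("1") & 1


def lat(sbox):
    """Linear approximation table: entry [a][b] is #{x : a.x = b.S(x)} - 2^(n-1),
    so the bias of the approximation a.x xor b.S(x) = 0 is entry / 2^n."""
    n = len(sbox)
    return [[sum(1 for x in range(n) if dot(a, x) == dot(b, sbox[x])) - n // 2
             for b in range(n)] for a in range(n)]


LAT = lat(SBOX)


def bias(a, b):
    """Signed bias p - 1/2 of the one-round approximation a.x xor b.S(x) = 0."""
    return Fraction(LAT[a][b], SIZE)


def piling_up(biases):
    """Matsui's Piling-up Lemma in bias form: eps = 2^(n-1) * prod(eps_i)."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


def two_rounds(x, k):
    """Toy two-round function: S-box, round-key addition, S-box (no permutation)."""
    return SBOX[SBOX[x] ^ k]


def exact_bias(a, c, k):
    """True bias of a.x xor c.two_rounds(x) = 0, by exhaustive evaluation."""
    hits = sum(1 for x in range(SIZE) if dot(a, x) == dot(c, two_rounds(x, k)))
    return Fraction(hits, SIZE) - Fraction(1, 2)


def trail_bias(a, b, c, k):
    """Two-round characteristic a -> b -> c: the two one-round approximations are
    concatenated with the Piling-up Lemma. The key bits b.k sit on the right-hand
    side of the expression, so they decide the sign of the bias."""
    e = piling_up([bias(a, b), bias(b, c)])
    return -e if dot(b, k) else e


def hull(a, c, k):
    """All trails sharing the input mask a and output mask c: the linear hull.
    Returns (estimate from the best single trail, sum over the hull, exact bias);
    the second and third values always agree, the first one generally does not."""
    trails = [trail_bias(a, b, c, k) for b in range(SIZE)]
    best = max(trails, key=abs)
    return best, sum(trails), exact_bias(a, c, k)


if __name__ == "__main__":
    for a, c in [(0b1011, 0b0100), (0b0011, 0b1001)]:
        single, total, exact = hull(a, c, k=0x5)
        print(f"masks {a:04b} -> {c:04b}: best trail {single}, hull {total}, exact {exact}")
```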

3 Classical differential cryptanalysis

3.1 Summary of concept

In classical differential cryptanalysis we analyze the effect of particular differences in plaintext pairs on the differences in the corresponding ciphertext pairs, in order to be able to assign probabilities to possible keys. Having done that, the most probable key is usually a good guess. Differential cryptanalysis is thus a known plaintext attack. In this paper we will use XOR as the operation to compute differences between the bit representations of values. This is common for many ciphers, but note that other ciphers might require other ways of computing differences. Given a pair of values $X$ and $X'$ with $\Delta X = X \oplus X'$, our first focus lies in analyzing the different components of the cipher. In block-ciphers we usually find components like XOR, permutations and S-boxes. $\Delta X$ turns out to be invariant under the XOR operation and permutations:


$$P(X) \oplus P(X') = P(\Delta X)$$
$$(X \oplus V) \oplus (X' \oplus V) = \Delta X$$

where $P$ is a permutation and $V$ is an arbitrary value. Therefore the main focus lies on the S-boxes, where this invariance does not hold. For an S-box we can compute a so-called difference distribution table. This table provides a mapping from all possible input XORs and output XORs to the actual number of possible pairs with such an input and output XOR. This encourages the following definition (see [BS91]):

We say that $\Delta X$ may cause $\Delta Y$ ($\Delta X \to \Delta Y$) with probability $p$ by an S-box, if for a fraction $p$ of the pairs in which the input XOR of the S-box equals $\Delta X$, the output XOR equals $\Delta Y$.

Crucial observations for difference distribution tables are:
- given a $\Delta X$, the probabilities for $\Delta Y$ are often not uniformly distributed
- when $\Delta X = 0$ then $\Delta Y = 0$

These properties can be exploited to create so-called characteristics with high probabilities (see below). In iterated ciphers (cryptosystems that iterate a weak function $n$ times) we can now characterize the encryption of a plaintext pair as a so-called n-round characteristic:

An n-round characteristic is a tuple $\Omega = (\Omega_P, \Omega_\Lambda, \Omega_T)$ where:
- $\Omega_P$ is the plaintext pair XOR
- $\Omega_T$ is the corresponding ciphertext pair XOR
- $\Omega_\Lambda = (\Lambda_1, \ldots, \Lambda_n)$, where $\Lambda_i$ describes the input and output XORs in the $i$-th round
- adjacent $\Lambda_i$ satisfy "additional requirements that link them together"


The mentioned "additional requirements" are dependent on the concrete details of the cipher being analyzed, but essentially they describe the way in which the output XOR of round $i$ relates to the input XOR of round $i + 1$. A characteristic is usually associated with a probability $p$ that a random plaintext pair with the plaintext pair XOR $\Omega_P$ has the ciphertext pair XOR $\Omega_T$ and the round XORs in $\Omega_\Lambda$ when encrypted with random, independent round-keys. Those pairs are referred to as right pairs. The assumption that the round-keys are independent usually does not hold in practice, since often a key-schedule is used to derive the round-keys from a single key, but the probability $p$ usually still constitutes a good approximation. Using dependent round-keys and thus dropping this assumption would only complicate the theoretical analysis unnecessarily. The probability of a 1-round characteristic can be calculated using the aforementioned difference distribution tables for the involved active S-boxes. An active S-box is an S-box that receives a non-zero input difference. Under the assumption that the input XORs of the S-boxes in a round are independent from each other, the probability $p$ of a 1-round characteristic can be computed as:

$$p = \prod_{S_i \in S_A} P_{S_i}(\Delta X_{S_i} \to \Delta Y_{S_i})$$

where $S_A$ is the set of active S-boxes and $P_{S_i}(\Delta X_{S_i} \to \Delta Y_{S_i})$ is the probability that $\Delta X_{S_i}$ may cause $\Delta Y_{S_i}$ by S-box $S_i$.

The probability of an n-round characteristic is the product of the probabilities of its rounds. We can now mount a chosen plaintext attack against an n-round iterated block-cipher and recover some bits of the last round-key if we have the following:
- a carefully chosen (n−1)-round characteristic $\Omega = (\Omega_P, \Omega_\Lambda, \Omega_T)$ with a sufficiently high probability $p_C$
- a sufficient number of plaintext pairs $(P_i, P_i')$ with $P_i \oplus P_i' = \Delta P_i = \Omega_P$
- the corresponding ciphertext pair $(C_i, C_i')$ for each plaintext pair

By the target partial round-key $K^*$ we shall denote the bits of the n-th round-key which "get in touch" with the output of the S-boxes in the n-th round that have a non-zero input XOR. The concatenated input XOR of all S-boxes in the last round is $\Omega_T$ (or a permutation of it, depending on the cipher). Each $K^*$ shall have a counter value associated with it. We now run the last round backwards for each possible key and plaintext pair:

for each possible tuple $((P_i, P_i'), K^*)$ do
    run $C_i$, $C_i'$ and $K^*$ backwards through the steps of the last round to obtain its inputs $(X_i, X_i')$
    if $X_i \oplus X_i'$ and $\Omega_T$ are equal, increase the counter for the key $K^*$

The steps of the last round are of course cipher dependent, but should usually contain at least an S-box and an (invertible) key-dependent transformation. After all, the target partial round-key with the largest counter value is likely to be the real $K^*$. The higher the probability $p_C$ of our characteristic, the fewer plaintext pairs we need. According to [HE01] the sufficient number of plaintext pairs can be approximated as:

$$N \approx \frac{c}{p_C}$$

where $c$ is a small constant.

3.2 AES and classical differential cryptanalysis

Analogous to proving security against linear cryptanalysis, it is not sufficient to prove that the maximum probability of a differential characteristic is sufficiently low, because there is also a differential hull for a differential as there is a linear hull for a linear approximation. A differential can be defined as a tuple $(\Delta P, \Delta C)$, where $\Delta P$ is the plaintext difference and $\Delta C$ is the ciphertext difference. For a differential there might exist several characteristics with different, significant probabilities. The set of these characteristics constitutes the differential hull, and therefore security against differential cryptanalysis means that the maximum probability of all differentials (or their differential hulls respectively) needs to have sufficiently low bounds.


[Pa02] shows that the maximum differential probability of 4-round Rijndael-like structures is $1.06 \cdot 2^{-96}$. This statement holds even more so for AES, which has more than four rounds, and it can therefore be considered secure against conventional differential cryptanalysis.
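The S-box quantities that the bounds in sections 2.2 and 3.2 rest on can be checked directly. The following Python script (added here as an example; it is not code from the paper or from [Pa02]) builds the AES S-box from its FIPS 197 definition, computes the maximum linear probability $q$ from the Walsh spectrum and the maximum entry of the difference distribution table, and also counts how many output differences a given input difference can cause, which is the count of 127 that section 4.4 relies on.

```python
from fractions import Fraction


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse as a^254 (0 stays 0, as the S-box definition requires)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def aes_sbox():
    """FIPS 197 S-box: field inverse, then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        s = 0x63
        for k in range(5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s)
    return box


SBOX = aes_sbox()


def walsh_row(sbox, b):
    """Fast Walsh-Hadamard transform of x -> (-1)^(b . S(x)). Entry a is
    #agreements - #disagreements of the approximation a . x = b . S(x),
    so the bias of that approximation is entry / (2 * 2^n)."""
    f = [-1 if bin(b & s).count("1") & 1 else 1 for s in sbox]
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                u, v = f[j], f[j + h]
                f[j], f[j + h] = u + v, u - v
        h *= 2
    return f


def max_linear_probability(sbox):
    """Largest linear probability (2 * bias)^2 over all masks with b != 0;
    this is the q of section 2.2 (2^-6 for the AES S-box)."""
    n = len(sbox)
    best = max(abs(w) for b in range(1, n) for w in walsh_row(sbox, b))
    return Fraction(best, n) ** 2


def ddt(sbox):
    """Difference distribution table: entry [dx][dy] counts x with S(x) ^ S(x ^ dx) = dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


DDT = ddt(SBOX)


def max_differential_probability(table):
    """Largest probability that a non-zero dx causes some dy (4/256 = 2^-6 for AES)."""
    return Fraction(max(max(row) for row in table[1:]), len(table))


def reachable_output_differences(table, dx):
    """Number of dy with dx -> dy possible; for AES every non-zero dx reaches 127."""
    return sum(1 for count in table[dx] if count)


if __name__ == "__main__":
    print("max linear probability q =", max_linear_probability(SBOX))
    print("max differential probability =", max_differential_probability(DDT))
    print("output differences reachable from dx=0x01:", reachable_output_differences(DDT, 0x01))
```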

4 Attacks on AES

4.1 Short summary of recent attacks

There have been numerous attempts to break the security of AES over the past years. According to [IK06] the most recent attack on a 9-round version of AES-192, launched in 2005 by Biham, Dunkelman and Keller, is a related-key attack that uses differential cryptanalysis in a larger construction. Earlier attacks on weakened AES versions usually combined improved versions of differential cryptanalysis with other attack schemes. In the following section I will first present the techniques used in the mentioned attack by Biham and then present the results of his attack as a representative of current attacks on AES.

4.2 Boomerang and rectangle attacks

First of all the concepts of boomerang, rectangle and related-key attacks will be summarized, and the section will finish with a discussion of the actual attack.

4.2.1 Boomerang attacks

A boomerang attack, as introduced by David Wagner in [Wa99], is an adaptive chosen plaintext and ciphertext attack. A cipher $E$ is seen as a compound of two subciphers $E_0$ and $E_1$ with $E = E_1(E_0(\cdot))$. The idea is to use two short differentials with high probability for the subciphers instead of using a long differential with a high enough probability for the whole cipher, which can be very difficult, if not impossible. Let $\Delta \to \Delta^*$ and $\nabla \to \nabla^*$ denote differentials for $E_0$ and $E_1^{-1}$, which hold with probabilities $p$ and $q$. In general it works as follows:
- choose a plaintext $P$ and generate $P' = P \oplus \Delta$
- obtain $C = E(P)$ and $C' = E(P')$ with two chosen plaintext queries
- generate $D = C \oplus \nabla$ and $D' = C' \oplus \nabla$
- obtain $Q = E^{-1}(D)$ and $Q' = E^{-1}(D')$ with two adaptive chosen ciphertext queries

Figure 1: Quartet structure (source: [WPba])

The goal is to obtain a so-called quartet structure at an intermediate value halfway through the cipher. The conditions for such a quartet structure are:
1. $P \oplus P' = \Delta = Q \oplus Q'$
2. $E_0(P) \oplus E_0(P') = \Delta^* = E_0(Q) \oplus E_0(Q')$
3. $E_1^{-1}(C) \oplus E_1^{-1}(D) = \nabla^* = E_1^{-1}(C') \oplus E_1^{-1}(D')$
4. $C \oplus D = \nabla = C' \oplus D'$

The left part of 1. is obviously fulfilled by the appropriate choice of $P$ and $P'$. The probability that $(P, P')$ is a right pair with respect to $\Delta \to \Delta^*$ is $p$, therefore the left half of 2. holds with probability $p$. The probability that $(C, D)$ and $(C', D')$ are right pairs with respect to $\nabla \to \nabla^*$ is $q^2$, so conditions 3. and 4. hold with this probability. Given this, it is possible to show that $E_0(Q) \oplus E_0(Q') = \Delta^*$ and thus the right side of 1. holds with probability $p$. This gives a total probability of $(pq)^2$ for finding a quartet for the two given differentials. Figure 1 depicts the described setup. Since it is possible to mount the attack for all possible $\Delta^*$s and $\nabla^*$s, the probability of finding a right quartet for $E$ is $(\hat{p}\hat{q})^2$ where

$$\hat{p} = \sqrt{\sum_{\Delta^*} P(\Delta \to \Delta^*)^2} \quad \text{and} \quad \hat{q} = \sqrt{\sum_{\nabla^*} P(\nabla \to \nabla^*)^2}.$$

We can now use these differentials to retrieve subkey material in a similar fashion as in conventional differential cryptanalysis.

4.2.2 Amplified boomerang attacks

There is a variant of boomerang attacks which is only a chosen plaintext attack. In this so-called amplified boomerang attack we encrypt many plaintext pairs with input difference $\Delta$ and look for quartets that match the boomerang conditions. The probability for two pairs $(P, P')$ and $(Q, Q')$ with difference $\Delta$ to form a quartet is $2^{-n}(pq)^2$, since the probability that $E_1^{-1}(C) \oplus E_1^{-1}(D) = \nabla^*$ (which can be proven to enforce $E_1^{-1}(C') \oplus E_1^{-1}(D') = \nabla^*$) is $2^{-n}$.

4.2.3 Rectangle attacks

A rectangle attack is an improved version of an amplified boomerang attack which uses all possible $\Delta^*$s and $\nabla^*$s at the same time. It can be shown that the probability of finding a right quartet is $2^{-n}(\hat{p}\hat{q})^2$ where $\hat{p}$ and $\hat{q}$ are defined as before.

4.3 Related-key attacks

In conventional differential cryptanalysis we try to find differentials with a high probability, assuming that it is uniformly distributed over all possible plaintexts and keys. Sometimes this does not hold for all keys and it is possible to find sets of keys for which the probability is either very high or very low. A so-called related-key differential is defined as a tuple $(\Delta P, \Delta C, \Delta K)$ for which the probability

$$P\left[E_K(P) \oplus E_{K \oplus \Delta K}(P \oplus \Delta P) = \Delta C\right]$$

is high enough, given an arbitrary plaintext $P$ and key $K$.

4.3.1 Related-key boomerang attacks

A related-key boomerang attack is very similar to a conventional boomerang attack. The difference is that we use related-key differentials instead of ordinary differentials. Let us assume the same differentials as in section 4.2.1, where the $E_0$ differential has a key difference $\Delta K_0$ and the $E_1^{-1}$ differential has a key difference $\Delta K_1$. Given an unknown but fixed key $K$ we now have a set of four different keys:

$$K_a = K, \quad K_b = K_a \oplus \Delta K_0, \quad K_c = K_a \oplus \Delta K_1, \quad K_d = K_a \oplus \Delta K_0 \oplus \Delta K_1$$

The process of obtaining a plaintext quartet is again very similar to the one in section 4.2.1. The only differences are that $P$ is encrypted with $K_a$, $P'$ is encrypted with $K_c$, $D$ is decrypted with $K_b$ and $D'$ is decrypted with $K_d$. The probability for finding a quartet remains the same under the condition that all related-key differentials for $E_0$ have the same key difference $\Delta K_0$ and all related-key differentials for $E_1^{-1}$ have the same key difference $\Delta K_1$. When constructing a related-key differential one needs to consider the differences of the subkeys yielded by the key-schedule, since this has influence on the probability that the differential holds. In the case of a linear key-schedule algorithm it is easy to predict the subkey differences, but when it is nonlinear (which is for example true for AES) the differential properties of the key-schedule algorithm need to be examined, meaning that the probabilities that a key difference results in the required subkey differences have to be computed. Then the attacker can try several key differences until he has found one that yields the required subkey differences.

4.3.2 Related-key rectangle attacks

The relation between related-key rectangle and related-key boomerang attacks is completely analogous to the relation between rectangle and boomerang attacks.

4.4 Attack on 9-round AES-192

The attack is a related-key rectangle attack. The cipher is decomposed as follows: rounds 4-6 are covered by $E_0$, rounds 7-9 are covered by $E_1^{-1}$. The remaining rounds before round 4 are not covered by any differential. The details of the construction of the differentials are somewhat technical and will be omitted here. The attack begins with the construction of the two differentials for $E_0$ and $E_1^{-1}$. As worked out in [Bi05] the first differential is ((0, 0, , ), , (, 0, 0, 0, , 0)), where the 32-bit difference is MixColumns( _0, 0, 0, 0) for a known 8-bit difference _0. Its value is unique and can be easily computed since differences propagate linearly through MixColumns. Since this is a rectangle attack the value can be chosen. Due to technical details there are 1274 possible values. The probability of the $E_0$ differential is p = 113.96. The construction of the second differential for $E_1^{-1}$ is somewhat trickier, since the key difference cannot guarantee the required subkey differences in rounds 7-9. The related-key differential is ( , (0, 0, , ), ( , , , 0, , 0)), where the two 32-bit differences have the form (0, _1, 0, 0) and ( _0, 0, 0, 0). The value of _1 is unknown but it can be determined, since it is one of 127 possible values. The difference can be chosen out of 1274 possible values, again due to technical reasons. The probability for the differential is q = 1. The attack tries all possible quartets of keys $(K_a, K_b, K_c, K_d)$ that could satisfy the required subkey differences and mounts a rectangle attack for each of them until the right one has been found. With the right key quartet it is possible to recover 120 subkey bits. For the remaining key bits an exhaustive key search can be done. The attack has a data complexity of $2^{87}$ related-key chosen plaintexts and a time complexity of $2^{125}$ encryptions.

5 Conclusion

The presented attack manages to weaken 9-round AES-192, so that it takes less time than an exhaustive key search to recover the key. Despite that fact the required time and data complexity are still beyond feasibility at the current stage. Especially considering that for the real 12-round AES-192 data and time complexity for such an attack would increase tremendously again, AES can still be considered secure against the best currently known attack by Biham.

References

[Ma94] Mitsuru Matsui: "Linear cryptanalysis method for DES cipher", Advances in Cryptology - EUROCRYPT 93: Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, May 1993. Proceedings, pp. 386-397, Springer-Verlag Berlin Heidelberg, 1994

[Bi95] Eli Biham: "On Matsui's Linear Cryptanalysis", Advances in Cryptology - EUROCRYPT 94, LNCS 950, pp. 341-355, Springer-Verlag Berlin Heidelberg, 1995

[BS91] Eli Biham, Adi Shamir: "Differential cryptanalysis of DES-like cryptosystems", Journal of Cryptology, Volume 4, Number 1, January 1991, pp. 3-72, Springer New York, 1991

[HE01] H. M. Heys: "A Tutorial on Linear and Differential Cryptanalysis", Technical Report CORR 2001-17, Centre for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Mar. 2001. (Also appears in Cryptologia, vol. XXVI, no. 3, pp. 189-221, 2002.)

[BC04] A. Biryukov, C. De Cannière: "Linear Cryptanalysis", Encyclopedia of Cryptography and Security (Kluwer), 2004, to appear. On the internet under: http://homes.esat.kuleuven.be/~abiryuko/Enc/e32.pdf

[Ny94] K. Nyberg: "Linear approximations of block ciphers", Advances in Cryptology - EUROCRYPT 94, LNCS 950, pp. 439-444, Springer-Verlag Berlin Heidelberg, 1995

[Pa02] Sangwoo Park, Soo Hak Sung, Seongtaek Chee, E-Joong Yoon, Jongin Lim: "On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis", ASIACRYPT 2002, LNCS 2501, pp. 176-191, Springer-Verlag Berlin Heidelberg, 2002

[IK06] IAIK Krypto Group - AES Lounge. On the internet under: http://www.iaik.tugraz.at/research/krypto/AES/

[Bi05] Eli Biham, Orr Dunkelman, Nathan Keller: "Related-Key Boomerang and Rectangle Attacks", Advances in Cryptology - EUROCRYPT 2005, pp. 507-525, Springer-Verlag Berlin Heidelberg, 2005

[Wa99] David Wagner: "The Boomerang Attack", Fast Software Encryption: 6th International Workshop, FSE 99, Rome, Italy, March 1999, Springer-Verlag Berlin Heidelberg, 1999

[WPba] Wikipedia, the free encyclopedia, article on "Boomerang attack". On the internet under: http://en.wikipedia.org/wiki/Boomerang_attack