Available online at www.sciencedirect.com
Electronic Notes in Discrete Mathematics 57 (2017) 205–210 www.elsevier.com/locate/endm
Two-Round Iterative Characteristics for Linear Cryptanalysis of Modified DES with Embedded Parity Checks Robert Tsenkov, Yuri Borissov∗
Institute of Mathematics and Informatics Bulgarian Academy of Sciences G. Bontchev Str. 8, 1113 Sofia, Bulgaria
Abstract
We investigate two classes of 2-round iterative linear characteristics for DES-like ciphers obtained by embedding parity checks in the S-boxes of the original DES. This study complements our previous work [Linear Cryptanalysis and Modified DES with Parity Check in the S-boxes, LNCS 9540 (2016), pp. 60–78].
Keywords: DES-like cipher, S-box, parity check, linear cryptanalysis, iterative characteristic.
1 Introduction
No doubt that the application of iterative characteristics (ICs) is one of the most powerful tools in both differential and linear cryptanalysis (DC and LC) from the time of their appearance in the early 1990s (see, e.g. [1,7,5]). In his study on optimizing the DES algorithm from the perspective of resisting LC [7], Matsui emphasized the distinction between the two main approaches for constructing good multi-round linear characteristics: by at most one active S-box per round ("Type I"), and by iterating a 1-round nondeterministic approximation with zero input mask ("Type II"). In the same work, Matsui has shown that there exist some modifications of the DES for which the best approximation is yielded by characteristics of the latter type. In order to clarify the intuitive understanding that embedding additional linearity into the outputs of the S-boxes of some block cipher would facilitate its linear cryptanalysis, in [4] we investigated (mainly) the behavior of the best characteristics of Type I for a modified DES cipher having a parity check in its S-boxes. In the present paper, we focus on Type II characteristics for an extended family of ciphers.
The paper is organized as follows. In Section 2, we introduce the necessary notations and definitions, recall some previous results and briefly describe the setting of this study. Section 3 comprises the results about ICs based on 1-round characteristics similar to those for the DES, and Section 4 is devoted to a new type of 2-round ICs arising due to the specific modification considered. Finally, in Section 5, the conclusions are drawn.
*Corresponding author. Email address: [email protected] {Y. Borissov}. The authors were partially supported by Bulgarian NSF Grant I01/0003.
http://dx.doi.org/10.1016/j.endm.2017.02.034 1571-0653/© 2017 Elsevier B.V. All rights reserved.
2 Preliminaries
2.1 Notations and Definitions
For basic definitions, notations and facts concerning LC, we refer the reader to [6] and [4]. Hereinafter, we recall only the most necessary ones. By $NS^*_k(\alpha, \beta)$, where $0 \le \alpha \le 63$ and $0 \le \beta \le 15$, we shall denote the entries of the Linear Approximation Table (LAT) for the S-box $S_k$ of the DES. The same notation will be used for the LAT of the modified S-box obtained from $S_k$ by embedding a parity check, when the parity mask is clear from the context. Let us note that the parity mask may take the four values 1, 2, 4 and 8. If a linear approximation holds with probability $p \neq 1/2$ for a randomly given plaintext and the corresponding ciphertext, the magnitude of the bias $p - 1/2$ represents the effectiveness of that approximation. The effectiveness of an approximation of an individual S-box is deduced directly from its LAT, while if more than one S-box is involved, the effectiveness is computed by applying the so-called Piling-up Lemma [6] in the appropriate way. A member of a given family of linear characteristics is called best if the effectiveness of the corresponding linear approximation reaches the maximum in the set of effectiveness values.
2.2 Some Previous Results
In [4], we studied the properties of the LATs and deduced the best linear characteristics based on at most one active S-box per round (i.e. of Type I) when a parity check bit is embedded in the outputs of all S-boxes of the DES. We proved that for the four ciphers thus obtained, the effectiveness of the best 1-round and 3-round characteristics always declines. With regard to larger numbers of rounds, we showed that (depending on the parity bit position) the effectiveness of the best multi-round characteristics may grow, but mostly diminishes compared to the original cipher (see [4] for details). Due to the specific input expansion in the DES, there exists a special kind of 1-round characteristics based on pairs of approximations of adjacent S-boxes (see [6, Ch. 5.4]). These characteristics have zero input but nonzero output masks, and a considerable effectiveness. They allow the construction of 2-round ICs in which the trivial characteristic is applied in every second round. But, as remarked by Matsui, it turns out that the effectiveness of these ICs is lower than that of the best one obtained by using at most one active S-box per round.
2.3 The Settings of Our Study
The subject of the present study is a family of modified DES ciphers whose parity check position for each separate S-box is chosen arbitrarily and independently among the four existing possibilities. We shall represent the parity mask configurations thus arising as sequences of mask values arranged in increasing order of the S-boxes (from left to right). Also, as in [4], w.l.o.g. we assume odd parity checks, ensuring in this way that the extended family of ciphers considered here contains the four already studied ones.
3 Characteristics with Zero Input Mask
The same kind of ICs as those for the original DES mentioned in Subsection 2.2 does exist for the ciphers under consideration. First, we examine the claim pointed out by Matsui [7] (on the relationship between Type I and Type II characteristics) in the case of the considered ciphers and ICs. We find that it holds true as well. For example, when the parity mask configuration 22222222 is picked, the best 16-round IC of the kind considered (based on $NS^*_7(3, 3) = 6$ and $NS^*_8(48, 2) = 12$) has effectiveness $2.9 \cdot 10^{-10}$, while the best characteristics within the set of those using "at most one active S-box per round" have a lower effectiveness of $4.8 \cdot 10^{-11}$, as can be seen from [4].
Next, we carry out an exhaustive search over the set of all parity mask configurations to find the optimal values of the effectiveness of ICs of the kind considered. We are interested in both the highest vulnerability (maximum of the best effectiveness) and the highest resistance (minimum of the best effectiveness) towards LC which can be achieved by ciphers of that family. The values found are presented in Table 1. Besides the effectiveness of the 1-round characteristics exploited by those ICs, this table contains the number of optimal parity mask configurations, as well as the sets of S-box approximations (for the sample configurations 81111112 and 82211111) which achieve those extrema (maximum and minimum, respectively). For the sake of comparison, the fourth row of Table 1 reflects the corresponding facts about the original DES.

Table 1. Optimal characteristics of the kind considered and their effectiveness.
      | effectiveness | configurations | optimal S-box approximations
max.  | 0.0352        | 16384 = $4^7$  | $NS^*_7(3, 3) = 6$, $NS^*_8(48, 2) = 12$
min.  | 0.0156        | 432            | $NS^*_5(3, 1) = 4$, $NS^*_6(48, 1) = 8$
DES   | 0.0469        | –              | $NS^*_7(3, 15) = 8$, $NS^*_8(48, 13) = -12$

A careful analysis of our experimental data supports the following.
Proposition 3.1 The effectiveness of the best 2-round IC of particular interest reaches the maximum of $9 \cdot 2^{-8}$ within the family of considered modified DES ciphers if and only if the parity mask applied to $S_8$ is 2.
Sketch of Proof. It is easy to see that one gets a 1-round characteristic with maximal effectiveness by applying simultaneously the pair of approximations corresponding to $NS^*_7(3, 3)$ and $NS^*_8(48, 2)$, and this holds if and only if the parity mask of $S_8$ equals 2. □
Remark 3.2 Analyzing the numerical results from Table 1, one can observe that the maximum value of the effectiveness for a single round exceeds more than twice the minimum one. This leads to a considerable gap in the resulting $2r$-round effectiveness, of order more than $2^r$.
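As an added worked example (our code, not from the paper), the following Python reproduces the quantities behind Subsection 2.1 and Table 1: it embeds an odd parity check at a chosen mask position into the standard DES S-boxes S7 and S8, evaluates LAT entries NS*_k(α, β) under Matsui's bit conventions, and iterates the 1-round effectiveness of a pair of adjacent-S-box approximations into the 16-round IC figure quoted above via the Piling-up Lemma. The S-box tables are the standard DES ones; the function names are ours.

```python
# Added example (not the authors' code): modified DES S-boxes with an embedded odd
# parity check, their centred LAT entries NS*_k(alpha, beta), and Piling-up Lemma
# estimates for 2-round iterative characteristics. S7/S8 are the standard DES tables.

S7 = [[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
      [13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
      [1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
      [6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]]
S8 = [[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
      [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
      [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
      [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]]


def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1


def sbox_lookup(table, x):
    """DES S-box: the outer two input bits select the row, the middle four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return table[row][(x >> 1) & 15]


def embed_parity(table, mask):
    """Replace the output bit selected by mask (1, 2, 4 or 8) so that every
    4-bit output has odd parity, as in the modified ciphers of the paper."""
    keep = 15 ^ mask
    return [[(v & keep) | (mask if parity(v & keep) == 0 else 0) for v in row] for row in table]


def ns(table, alpha, beta):
    """Centred LAT entry: (number of x with alpha.x = beta.S(x)) - 32, Matsui's masks."""
    hits = sum(1 for x in range(64) if parity(alpha & x) == parity(beta & sbox_lookup(table, x)))
    return hits - 32


def one_round_effectiveness(entries):
    """Piling-up Lemma for n simultaneously active S-boxes: 2^(n-1) * prod |NS|/64."""
    eff = 2 ** (len(entries) - 1)
    for e in entries:
        eff *= abs(e) / 64
    return eff


def ic_effectiveness(one_round, rounds):
    """2-round IC over `rounds` rounds: the 1-round approximation is active in
    every second round and the trivial characteristic is used in the others."""
    active = rounds // 2
    return 2 ** (active - 1) * one_round ** active
```

With parity mask 2 on both S7 and S8 (configuration 22222222) the script yields the Table 1 maximum 9/256 and the 16-round value of about 2.99e-10; the entry ns(modified, 0, 15) = -32 is the constant output parity that Remark 4.2 relies on.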
4 Characteristics with Parity-Keeping Input Mask
For the considered DES modifications, we distinguish a different kind of 1-round characteristics that can be incorporated to give 2-round ICs in a similar way. The input mask of this new kind of characteristic is defined as follows.
Definition 4.1 A mask corresponding to a nonempty set of input bits for the S-boxes in a given round of the modified DES that can be partitioned into disjoint subsets, each one being the set of all output bits of some S-box in the previous round, is called a parity-keeping input mask.
Remark 4.2 Obviously, the XOR-sum determined by a parity-keeping input mask is identically equal to a constant (namely, the parity of the number of involved S-boxes, since we assume only odd parity checks). To show the existence of such masks, as well as to compute the effectiveness of the corresponding approximations, one consults the modified LATs of the S-boxes involved.
With respect to the masks so defined, one can state and prove the following.
Proposition 4.3 Every 1-round characteristic with parity-keeping input mask is based on approximations of at least 4 different S-boxes.
Sketch of Proof. This follows from the fact that all input bits of any S-box in a given round come from the outputs of distinct S-boxes of the previous round, which is due to the specifically chosen round permutation of the DES. □
Proposition 4.4 The effectiveness of an IC based on a parity-keeping input mask is strictly smaller than $9 \cdot 2^{-8}$.
Proof. First, recall that in [4] we have shown that the largest magnitude of the modified LAT entries is 18. It can also be easily proved that if such an entry participates in some characteristic with parity-keeping mask, then this characteristic is based on at least 7 different S-box approximations and thus has effectiveness of at most $2^6 \cdot (18/64) \cdot (16/64)^6 = 9 \cdot 2^{-35} < 9 \cdot 2^{-8}$. On the other hand, if some characteristic does not contain LAT entries of magnitude 18, then its effectiveness can be upper bounded by $2^3 \cdot (16/64)^4 = 2^{-5} = (8/9) \cdot 9 \cdot 2^{-8} < 9 \cdot 2^{-8}$, as implied by Proposition 4.3 and the Piling-up Lemma. □
Remark 4.5 According to Proposition 3.1, the maximal effectiveness of the best ICs considered in Section 3 is equal to $9 \cdot 2^{-8}$. Thus, the above proposition shows that this value cannot be achieved by an IC of the second kind.
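Added example (our code, not the paper's): tracing S-box output bits through the DES permutation P and expansion E to check the fact on which Proposition 4.3 rests, and to list, for a parity-keeping input mask built from the full outputs of chosen previous-round S-boxes (Definition 4.1), which next-round S-boxes become active and with which 6-bit input mask. P and E are the standard DES tables; the function names and the mask ordering (most significant input bit first, as in Matsui's LAT indexing) are ours.

```python
# Added example (not the authors' code): which previous-round S-box feeds each
# input bit of a DES S-box, and the S-box input masks induced by a parity-keeping
# input mask. P and E are the standard DES tables with 1-based bit positions.

P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]


def input_sources(k):
    """For S-box k (1..8) of a round, the previous-round S-box that produced each
    of its six input bits, listed from the most significant input bit."""
    sources = []
    for pos in range(6 * (k - 1), 6 * k):
        bit_after_p = E[pos]               # bit of the previous f-output (after P)
        bit_before_p = P[bit_after_p - 1]  # the S-box output bit P moved there
        sources.append((bit_before_p - 1) // 4 + 1)
    return sources


def all_sources_distinct():
    """The property behind Proposition 4.3: no S-box gets two bits from one S-box."""
    return all(len(set(input_sources(k))) == 6 for k in range(1, 9))


def induced_input_masks(prev_boxes):
    """Parity-keeping input mask = all four output bits of every S-box in prev_boxes.
    Returns {next-round S-box: 6-bit input mask} for the S-boxes it activates; every
    such mask must be looked up in that S-box's modified LAT to get the effectiveness."""
    masks = {}
    for k in range(1, 9):
        mask = 0
        for i, src in enumerate(input_sources(k)):
            if src in prev_boxes:
                mask |= 1 << (5 - i)
        if mask:
            masks[k] = mask
    return masks
```

Because E duplicates half of the 32 bits, the four output bits of a single S-box typically reach more than four S-boxes (S1's outputs activate six), so the bound of Proposition 4.3 is a floor, not the usual case.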
5 Conclusion
First, we demonstrate that, similarly to the conclusion drawn about the four ciphers considered in [4], the maximal achievable effectiveness of 2-round ICs (based on pairs of adjacent S-boxes) for the extended family of modified DES ciphers is lower than that of the original DES. An experimental study reveals the ciphers of that family possessing the highest resistance, as well as those with the highest vulnerability, in the initial stage of LC based on such ICs. In addition, a simple characterization of the most vulnerable configurations among those studied can be proved. Second, we reveal a new class of 2-round ICs (namely, those based on parity-keeping input masks) arising due to the specific modification considered. But, as indicated by the last proven proposition and the subsequent remark, the corresponding LC may be more complicated. Finally, it is worth mentioning that our study utilizes the Piling-up Lemma for estimating the complexity of the linear attacks of particular interest in the spirit of "average over all possible random keys" [2], while that evaluation may not be directly valid when searching for "a specific unknown key" [3].
References
[1] Biham E., A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology, 4(1) (1991), 3–72.
[2] Biham E., On Matsui's linear cryptanalysis, Advances in Cryptology - EUROCRYPT'94, Springer, LNCS 950 (1995), 341–355.
[3] Blöcher U., M. Dichtl, Problems with the linear cryptanalysis of DES using more than one active S-box per round, Fast Software Encryption 1994, Springer, LNCS 1008 (1995), 265–274.
[4] Borissov Y., P. Boyvalenkov, R. Tsenkov, Linear cryptanalysis and modified DES with parity check in the S-boxes, Second Conference on Cryptography and Information Security in the Balkans, Springer, LNCS 9540 (2016), 60–78.
[5] Knudsen L. R., Iterative characteristics of DES and s^2-DES, Advances in Cryptology - CRYPTO'92, Springer, LNCS 740 (1993), 497–511.
[6] Matsui M., Linear cryptanalysis of DES cipher (I), version 1.03, http://www.cs.bilkent.edu.tr/~selcuk/teaching/cs519/Matsui-LC.pdf.
[7] Matsui M., On correlation between the order of S-boxes and the strength of DES, Advances in Cryptology - EUROCRYPT'94, Springer, LNCS 950 (1995), 366–375.