This preview shows page 1. Sign up to view the full content.
Unformatted text preview:  Linear Cryptanalysis
Linear cryptanalysis is another type of cryptanalytic attack, invented by Mitsuru Matsui [1016,1015,1017]. This attack uses linear approximations to describe the action of a block cipher (in this case, DES.) This means that if you XOR some of the plaintext bits together, XOR some ciphertext bits together, and then XOR the result, you will get a single bit that is the XOR of some of the key bits. This is a linear approximation and will hold with some probability p. If p ` ½, then this bias can be exploited. Use collected plaintexts and associated ciphertexts to guess the values of the key bits. The more data you have, the more reliable the guess. The greater the bias, the greater the success rate with the same amount of data. How do you identify good linear approximations for DES? Find good 1round linear approximations and join them together. (Again, ignore the initial and final permutations; they don’t affect the attack.) Look at the Sboxes. There are 6 input bits and 4 output bits. The input bits can be combined using XOR in 63 useful ways (26  1), and the output bits can be combined in 15 useful ways. Now, for each Sbox you can evaluate the probability that for a randomly chosen input, an input XOR combination equals some output XOR combination. If there is a combination with a high enough bias, then linear cryptanalysis may work. If the linear approximations are unbiased, then they would hold for 32 of the 64 possible inputs. I’ll spare you the pages of tables, but the most biased Sbox is Sbox 5. In fact, the second input bit is equal to the XOR of all 4 output bits for only 12 inputs. This translates to a probability of 3/16, or a bias of 5/16, and is the most extreme bias in all the Sboxes. (Shamir noted this in [1423], but could not find a way to exploit it.) Figure 12.8 shows how to turn this into an attack against the DES round function. The input bit into Sbox 5 is b26. (I am numbering the bits from left to right and from 1 to 64. Matsui ignores t...
View Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details