Differential cryptanalysis is a general cryptanalytic method applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In a very broad sense, it is the study of how specific differences in the input of a particular transformation affect the resulting output. Differential cryptanalysis was first publicized by Biham and Shamir in 1990 [47] to analyze reduced-round variants of DES [47, 48, 52] in a chosen-plaintext scenario, followed in 1991 by the first cryptanalysis of DES that recovers the key faster than exhaustive search [51]. It later turned out that IBM had already been aware of this method [79], and that DES had been designed to resist differential cryptanalysis.
1.5 Techniques for symmetric cryptanalysis
Differential cryptanalysis studies differences, usually XOR differences, as they evolve through the rounds and operations of a symmetric primitive. One first considers a transformation Z = F(X) related to the specification of the primitive. In the case of block ciphers, the input X is the combination of the secret key and the plaintext, i.e., X = (K, P), and the mapping F is constructed by tracing the network of transformations which gradually converts the plaintext into the ciphertext. Any non-random behaviour of this transformation can be exploited to recover the secret key or part of it. In particular, the cryptanalyst tries to find an input difference ∆x and an output difference ∆z. The input difference ∆x is the combination of the difference in the plaintext and the difference in the key, which is assumed to be zero, i.e., ∆x = (0, ∆p). The cryptanalyst then estimates the probability of the differential (∆p → ∆z), i.e., Pr{F(K, P) ⊕ F(K, P ⊕ ∆p) = ∆z}; this probability can be computed over the whole input domain or over a subset of it. Moreover, for block ciphers, and in general for keyed symmetric primitives, the mapping F is constructed in such a way that the output difference ∆z depends on some part of the key, called a subkey. For example, when the ciphertext is partially decrypted using the last subkey, one obtains the output value of F. Any abnormality in the probability of the differential can then be exploited, by statistical methods, to recover the subkey or to obtain some information about it. To this end, the cryptanalyst collects many quadruples (P, P ⊕ ∆p, C, C′), i.e., plaintext pairs with the chosen difference ∆p together with their corresponding ciphertext pairs. Some of these plaintext pairs, which by construction satisfy the required input difference ∆x for the transformation F, will also yield the desired output difference ∆z. Having at least one such pair, called a right pair, is essential for eliminating some of the wrong subkey candidates, since the correct subkey reproduces ∆z after partial decryption for every right pair, while a wrong guess does so only by chance. The exact number of right pairs required is determined by the best statistical method the cryptanalyst can apply to recover the subkey.
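The procedure just described, carried out on a constructed toy cipher as an added example (this code is not from the thesis, and the cipher is hypothetical): a 16-bit substitution-permutation network with the 4-bit S-box of Heys' tutorial, four 16-bit subkeys and a bit transposition as the linear layer. The block computes the difference distribution table of the S-box, follows a two-round characteristic ∆p = 0x000B → ∆z = 0x2020 of probability about 1/8, encrypts chosen-plaintext pairs under a random key and recovers the two active nibbles of the last subkey by counting, for each guess, the pairs whose partial decryption through the last S-box layer shows ∆z. All names, constants and the cipher structure are assumptions of the example.

```python
"""Differential cryptanalysis of a hypothetical toy 16-bit SPN: difference
distribution table, a two-round characteristic and last-round subkey
recovery from right pairs.  Toy cipher (assumed, for illustration only):
three S-box layers, a bit transposition after rounds 1 and 2, and four
16-bit subkeys K0..K3.  Nibble j occupies bits 4j..4j+3 (j = 0 is least
significant)."""
import random
from collections import Counter

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SINV = [SBOX.index(v) for v in range(16)]

def nibble(x, j):
    return (x >> (4 * j)) & 0xF

def sbox_layer(x):
    return sum(SBOX[nibble(x, j)] << (4 * j) for j in range(4))

def permute(x):
    """Bit i of nibble j moves to bit j of nibble i (a transposition)."""
    y = 0
    for j in range(4):
        for i in range(4):
            if (x >> (4 * j + i)) & 1:
                y |= 1 << (4 * i + j)
    return y

def encrypt(p, keys):
    x = p
    for r in range(2):
        x = permute(sbox_layer(x ^ keys[r]))
    return sbox_layer(x ^ keys[2]) ^ keys[3]

def ddt():
    """Difference distribution table: T[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return t

# Two-round characteristic (its S-box entries are read off the DDT):
#   round 1: nibble 0, 0xB -> 0x2  (8/16); after P: nibble 1 carries 0x1
#   round 2: nibble 1, 0x1 -> 0xA  (4/16); after P: difference 0x2020
# so the difference at the input of the round-3 S-box layer is 0x2020
# with probability about 1/8: nibbles 3 and 1 active, nibbles 2 and 0 not.
DP, DZ = 0x000B, 0x2020

def characteristic_probability():
    t = ddt()
    return (t[0xB][0x2] / 16) * (t[0x1][0xA] / 16)

def recover_last_subkey(pairs):
    """Guess the two active nibbles of K3, partially decrypt the last
    S-box layer and count the pairs that show the predicted difference."""
    counter = Counter()
    for c, c2 in pairs:
        # Filter: a right pair cannot differ in the inactive nibbles 0 and 2,
        # because the S-box is a bijection and K3 is the same for both.
        if (c ^ c2) & 0x0F0F:
            continue
        good = {}
        for j in (1, 3):
            want = nibble(DZ, j)
            good[j] = [g for g in range(16)
                       if SINV[nibble(c, j) ^ g] ^ SINV[nibble(c2, j) ^ g] == want]
        for g3 in good[3]:
            for g1 in good[1]:
                counter[(g3, g1)] += 1
    (g3, g1), _ = counter.most_common(1)[0]
    return g3, g1

def run_attack(seed=1, n_pairs=2000):
    """Chosen-plaintext attack under a random key; returns (guess, truth)
    for the nibbles 3 and 1 of K3."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(16) for _ in range(4)]
    pairs = []
    for _ in range(n_pairs):
        p = rng.getrandbits(16)
        pairs.append((encrypt(p, keys), encrypt(p ^ DP, keys)))
    guess = recover_last_subkey(pairs)
    truth = (nibble(keys[3], 3), nibble(keys[3], 1))
    return guess, truth

if __name__ == "__main__":
    print("characteristic probability ~", characteristic_probability())
    print("recovered (K3 nibble 3, nibble 1) and true values:", run_attack())
```

The right guess scores at least the number of right pairs (about one eighth of the pairs), whereas a wrong guess in a nibble reproduces the predicted nibble difference only with the probability of a differential of the S-box inverse, so with a couple of thousand pairs the ranking is unambiguous. The filter on the inactive nibbles is exact here because the S-box is bijective; in a real attack the same idea discards most wrong pairs before the key-guessing loop.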
Several refinements of differential cryptanalysis have attempted to improve the technique in particular circumstances. One variant uses an extended form of differences in which some bits of the output difference are left unspecified; since part of the output difference is not fixed, this amounts to clustering several differentials together. This type of cryptanalysis is called truncated differential cryptanalysis [155]. Another extension takes advantage of differentials which occur with probability zero [153, 43]; these are called impossible differentials [43]. There are also non-XOR variants of differential cryptanalysis [160], using for instance modular subtraction, modular division, or a combination of different kinds of differences at different places. The generalization of differential cryptanalysis which considers differences between differences is called higher-order differential cryptanalysis [155]. Higher-order differences prove successful in several cases where ordinary differential cryptanalysis is not applicable. Furthermore, there are cryptanalytic methods that combine differentials in various ways, the most promising of which are the boomerang [232], amplified boomerang [146] and rectangle [46] attacks. Lastly, in related-key cryptanalysis [42, 154], a less realistic model whose relevance is disputed because the attacker must obtain encryptions under keys with a chosen difference, a nonzero difference in the keys is also permitted.
Differential cryptanalysis of block ciphers and stream ciphers is closely related to that of hash functions, but differs in some aspects. The dissimilarities were recognized in early works [50, 49, 41, 197], were later developed in hash cryptanalyses [98, 99, 101, 75, 212, 44, 45, 236, 238, 239, 237, 73, 179, 70, 168], and are still used extensively. A major dissimilarity is the goal of the cryptanalyst: in the first case the aim is to obtain the secret key, while in the latter case there is no key to recover and the goal is mostly to find a hash collision. Another main difference is the freedom the cryptanalyst has in choosing the plaintext or message. In differential cryptanalysis of block ciphers, the only restriction on the chosen plaintext pairs is their imposed difference. Recall that the input X is the combination of the secret key and the plaintext, X = (K, P). Although for a plaintext pair (P, P ⊕ ∆p) the cryptanalyst is still free to choose the plaintext value P, this freedom can hardly be exploited in practice (e.g., to increase the chance of obtaining a right pair), mainly because the secret key influences the way the input difference propagates through the cipher from the very first round. For hash functions, however, no secret key is involved and full control over the input X is available. Any input X for which F(X ⊕ ∆x) ⊕ F(X) = ∆z, called a conforming message, yields a collision for the underlying hash function (for the appropriate target ∆z, i.e., a zero difference on the final output or a difference that cancels in the remaining computation). The recent collision-finding algorithms have investigated extensive methods to use this freedom in order to find such conforming messages efficiently by satisfying a set of conditions. These methods are referred to as message modification techniques, which apparently were used by Xiaoyun Wang as early as 1997 [233, 234]. However, they were brought to the attention of the
international cryptographic community only in 2005 [236, 238, 239, 237]. Message modification techniques use concepts such as neutral bits [44] (bits of a conforming message whose flipping leaves it conforming), semi-neutral bits [167, 226] and tunnels [151]. When it comes to implementation, backtracking algorithms [38, 73] are used to find a conforming message.
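An added example (not from the thesis) of the hash-side situation described in this and the preceding paragraph, on a hypothetical 32-bit ARX-style toy function F rather than any real hash function: pick the most probable output difference for a chosen ∆x, find one conforming message by plain random search (the baseline that ignores the freedom in X), determine its neutral bits, and then enumerate combinations of those bits to obtain further conforming messages without repeating the search. It also exhibits the caveat that bits which are neutral individually need not be neutral jointly, by measuring how many combinations still conform. The function, its constants and rotation amounts are assumptions of the example.

```python
"""Conforming messages and neutral bits for a keyless toy function.

Hypothetical 32-bit toy function F (assumed for this example, not a real
hash): three steps of add-constant followed by xor-with-rotation.  The only
operation that is non-linear with respect to XOR differences is the modular
addition, through its carries; everything else propagates differences
deterministically."""
import random
from collections import Counter

MASK = 0xFFFFFFFF

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def F(x):
    for c, r in ((0x9E3779B9, 7), (0x7F4A7C15, 13), (0xA5A5A5A5, 5)):
        x = (x + c) & MASK
        x ^= rotl(x, r)
    return x

def conforms(x, dx, dz):
    """X is a conforming message for (dx -> dz) iff F(X) ^ F(X ^ dx) == dz."""
    return F(x) ^ F(x ^ dx) == dz

def best_output_difference(dx, rng, samples=4096):
    """Choose dz as the most frequent output difference over random inputs,
    i.e. the differential an attacker would target; returns (dz, p)."""
    counts = Counter(F(x) ^ F(x ^ dx)
                     for x in (rng.getrandbits(32) for _ in range(samples)))
    dz, n = counts.most_common(1)[0]
    return dz, n / samples

def find_conforming(dx, dz, rng, max_tries=1 << 16):
    """Baseline: random search that ignores the freedom in X."""
    for _ in range(max_tries):
        x = rng.getrandbits(32)
        if conforms(x, dx, dz):
            return x
    raise RuntimeError("no conforming message found within max_tries")

def neutral_bits(x, dx, dz):
    """Bits i such that X ^ (1 << i) (paired with X ^ (1 << i) ^ dx) still
    conforms; these are the neutral bits of X for the differential."""
    return [i for i in range(32) if conforms(x ^ (1 << i), dx, dz)]

def expand(x, bits, dx, dz, limit=12):
    """Flip every subset of (at most `limit`) neutral bits and count how many
    of the resulting messages conform.  Bits that are neutral one at a time
    are not guaranteed to be neutral together, so the fraction is measured."""
    bits = bits[:limit]
    total = 1 << len(bits)
    good = 0
    for subset in range(total):
        y = x
        for k, b in enumerate(bits):
            if (subset >> k) & 1:
                y ^= 1 << b
        good += conforms(y, dx, dz)
    return total, good

def demo(seed=7, dx=0x80000000):
    """Run the whole procedure for an input difference in the top bit."""
    rng = random.Random(seed)
    dz, p = best_output_difference(dx, rng)
    x = find_conforming(dx, dz, rng)
    bits = neutral_bits(x, dx, dz)
    total, good = expand(x, bits, dx, dz)
    return {"dz": dz, "p_random": p, "x": x, "neutral": bits,
            "expanded": total, "conforming": good}

if __name__ == "__main__":
    r = demo()
    print(f"dz = {r['dz']:#010x}; a random X conforms with p ~ {r['p_random']:.3f}")
    print(f"conforming X = {r['x']:#010x}, neutral bits = {r['neutral']}")
    print(f"{r['conforming']} of {r['expanded']} neutral-bit combinations conform")
```

With the top bit as ∆x, flipping bit 31 of X simply swaps the two members of the pair, so it is always neutral; the other neutral bits are those whose carries never reach the positions where the difference propagates through the additions. The ratio of conforming messages among the neutral-bit combinations to the random-search probability p is the gain that message modification delivers for a real hash function, and the combinations that fail to conform are the reason the literature distinguishes neutral from semi-neutral bits and tunnels.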