Using Differential Cryptanalysis to Break DES

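This article introduces differential cryptanalysis, which breaks a reduced version of DES, in particular DES reduced to 6 rounds, by analyzing the differences between specific plaintext pairs. It discusses the Feistel structure of DES and the notation and characteristics used in the analysis, and finally explains how to use the method to find the key.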

Differential cryptanalysis is a method which analyses the effect of particular differences in plaintext pairs on the differences of the resultant ciphertext pairs. These differences can be used to assign probabilities to the possible keys and to locate the most probable key. In this post, we will see how these differences can be analyzed and exploited to break DES reduced to 6 rounds.

This post assumes that the reader understands the Data Encryption Standard (DES). Differential cryptanalysis usually works on many pairs of plaintexts with the same particular difference, using only the resultant ciphertext pairs. For DES-like cryptosystems, the difference is chosen as a fixed XORed value of the two plaintexts. Let us quickly review the Feistel structure of DES.

Feistel Structure:

It is a design model from which various block ciphers are derived. DES is one such block cipher. The Feistel model for DES takes 64 bits of plaintext and divides it into halves, L and R, of 32 bits each. R₂ is calculated as L ⊕ f(R, Key), and L₂ is the same as R. Here, Key is a 48-bit key derived from the key scheduling algorithm. This model is shown in the figure below.

In an encryption algorithm, this procedure of transforming the plaintext can be repeated any number of times. The output of one round is taken as the input for the next round. This is done for 16 rounds in standard DES.

Internally, f has the following structure in DES.

[Figure: f function for DES]

Notations:

nₓ: A hexadecimal number is denoted by a subscript x (i.e., 10ₓ = 16)

X, X’: At any intermediate stage during encryption of pairs of messages, X₁ and X₂ are corresponding intermediate values of two executions of the algorithm. X’ is defined to be X’ = X₁ ⊕ X₂.

P: The plaintext is denoted by P.

T: The ciphertext is denoted by T.

P(X): The P permutation is denoted by P(X). Note that P as a variable denotes the plaintext.

E(X): The E expansion is denoted by E(X).

IP(X): The initial permutation.

(L, R): The left and right halves of the plaintext P (after the initial permutation) are denoted by L and R respectively.

(l, r): The left and right halves of the ciphertext T (before the final permutation) are denoted by l and r respectively.

a, …, j: The 32-bit inputs of the f function in the various rounds.

A, …, J: The 32-bit outputs of the f function in the various rounds.

Characteristic:

Associated with any pair of encryptions are the XOR value of its two plaintexts, the XOR of its ciphertexts, the XORs of the inputs of each round in the two executions, and the XORs of the outputs of each round in the two executions. These XOR values form an n-round characteristic. A characteristic has a probability, which is the probability that a random pair with the chosen plaintext XOR has the round and ciphertext XORs specified in the characteristic. We denote the plaintext XOR of a characteristic by Ωₚ and its ciphertext XOR by Ωₜ. Note that this probability arises because different input pairs with the same XOR may lead to different output XORs.

To understand it better, let us have a look at an example.

a' = 0110 0000 0000 0000 0000 0000 0000 0000
E(a') = 001100 000000 000000 000000 000000 000000 000000 000000

Now, for S2-S8 the input XOR is 0, so the output XOR will be 0. However, for S1, as the input XOR is 001100, the following distribution of output XORs arises. Hence, the probability of getting ‘E’ is 7/32 (i.e., 14/64). Permutation P, when applied to the output of the S-boxes, results in A’ = (00 80 82 00)ₓ.

[Figure: Possible input values for input XOR S1' = 001100 by output XOR (in hexadecimal)]

So, we get the 1-round characteristic as Ωₜ = (L’ ⊕ 00 80 82 00, 60 00 00 00)ₓ with probability 14/64.
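
The 14/64 probability and the value of A’ above can be recomputed from the S-box itself. The following is an added example, not code from the original post; the S1 and P tables are the standard DES tables (they are not printed on this page) and the function names are illustrative.

```python
from collections import Counter
from fractions import Fraction

# DES S-box S1 (row selected by bits 1 and 6, column by bits 2-5).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
# DES permutation P: output bit i is taken from input bit P[i-1] (1-indexed).
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def sbox(table, six_bits):
    """Look up a 6-bit input in a DES S-box table."""
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return table[row][col]


def xor_distribution(table, input_xor):
    """Map each output XOR to the number of 6-bit inputs that produce it."""
    return Counter(sbox(table, x) ^ sbox(table, x ^ input_xor) for x in range(64))


def permute_p(word32):
    """Apply P to the 32-bit output of the S-box layer."""
    bits = format(word32, "032b")
    return int("".join(bits[i - 1] for i in P), 2)


def one_round_characteristic(input_xor_s1, output_xor_s1):
    """Probability and A' when only S1 has a non-zero input XOR."""
    dist = xor_distribution(S1, input_xor_s1)
    probability = Fraction(dist[output_xor_s1], 64)
    a_prime = permute_p(output_xor_s1 << 28)  # S1 supplies the top 4 bits
    return probability, a_prime


if __name__ == "__main__":
    prob, a_prime = one_round_characteristic(0b001100, 0xE)
    print(prob, format(a_prime, "08x"))
    for out_xor, count in sorted(xor_distribution(S1, 0b001100).items()):
        print(format(out_xor, "X"), count)
```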

Breaking DES reduced to 6 rounds

Having defined the notions of pairs and characteristics, we describe how they can be used to break DES reduced to 6 rounds. We will use two 3-round characteristics, both with probability 1/16, and choose the key that is counted most often. Each characteristic helps us find 30 bits of the round 6 key. However, 3 of the S-boxes are common to both, so we only have 42 bits. The remaining 14 bits can be found by exhaustive search.

In this kind of approach, our aim is to obtain both the inputs of the S-boxes and the output XOR of the S-boxes for some round (the last round is the easier one because we know the output directly from the ciphertext). Then, we can iterate over the possible keys to arrive at the key.

Let us suppose we have an oracle, which tells us the ciphertext for a given plaintext (remember that we are attempting a chosen-plaintext attack). The oracle knows that the DES is 6-round and also knows the key:

Key:1110111100110011011101101101111000110100010101111111000100010011

The first characteristic is:

[Figure: the first characteristic]

We choose the plaintexts such that their XOR after the Initial Permutation (IP) comes out to be (40 08 00 00 04 00 00 00)ₓ. Note that P₁ ⊕ P₂ is not the same as the characteristic, but IP(P₁) ⊕ IP(P₂) equals the characteristic.

P₁ = 1101010100100010110100110111001011100001101111000011001000101010
P₂ = 1101010100100010010100110110001011100001101111000111001000101010
Characteristic:
0100000000001000000000000000000000000100000000000000000000000000
P₁ after IP:
0001110101101101001000010001010100110101111110101010000011001110
P₂ after IP:
0101110101100101001000010001010100110001111110101010000011001110

Five S-boxes (S2, S5, S6, S7, S8) in the fourth round have zero input XORs, and hence their output XORs are zero.

d' = (40 08 00 00)ₓ
d' = 0100 0000 0000 1000 0000 0000 0000 0000
E(d') = 001000 000000 000001 010000 000000 000000 000000 000000

The corresponding output XORs in the sixth round can be found by F’ = c’⊕l’.

l' = F' ⊕ e'
e' = D' ⊕ c'
F' = D' ⊕ c' ⊕ l'
Hence, F' = c' ⊕ l' for 5 of the S-boxes

The oracle gives us the corresponding ciphertexts for P₁ and P₂.

T₁ = 0101010011000110011001011101011110010001110101110111011001001110
T₂ = 1110010000110100001111111000001001010110011100110101000011010010

Apply the IP to undo the effect of Final Permutation (FP) applied in the last round.

After application of IP:
T₁ = 1110111101111001111011110011110000111010010001001000000011101010
T₂ = 1111000111110110000101110010010010001001001001110000010010111100

Now, extract the first 32 bits as f and last 32 bits as l.

f₁ = 0011 1010 0100 0100 1000 0000 1110 1010
f₂ = 1000 1001 0010 0111 0000 0100 1011 1100
l₁ = 0011 1010 0100 0100 1000 0000 1110 1010
l₂ = 1000 1001 0010 0111 0000 0100 1011 1100
Input of S-box:
E(f₁) = 000111 110100 001000 001001 010000 000001 011101 010100
E(f₂) = 010001 010010 100100 001110 100000 001001 010111 111001

Due to the probabilistic nature of the characteristic, not every input pair suggests the correct key. We take the key that occurs most often over many input pairs. Iterating over all 64 possible values of the key for each of the corresponding five S-boxes, we increase the count of every key for which the above f values result in the XOR given by F’ = c’ ⊕ l’. The output XOR of the S-boxes is P_inverse(F’).

c' = 0000 0100 0000 0000 0000 0000 0000 0000
l' = 1011 0011 0110 0011 1000 0100 0101 0110
F' = 1011 0111 0110 0011 1000 0100 0101 0110
Output of S-box:
1100 1101 0100 0100 0100 1101 0001 1011

For S2, the given input pair increases the count of keys ‘011011’, ‘011101’, ‘111011’, and ‘111101’. Let us validate this for key ‘011011’ (all values in the box below correspond to S2 only). E(f₁)[S2] denotes the input for S2 in the sixth round.

E(f₁)[S2] ⊕ 011011 = 110100 ⊕ 011011 = 101111
E(f₂)[S2] ⊕ 011011 = 010010 ⊕ 011011 = 001001
S2(101111) = 0010
S2(001001) = 1111
0010 ⊕ 1111 = 1101 = Output XOR of S-box 2
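
The counting step for S2 can be reproduced for this one pair. This is an added example, not code from the original post: it uses the f₁, f₂ and S-box output XOR values listed above, the standard DES E and S2 tables (not printed on this page), and illustrative function names. Over many pairs, the same counter would accumulate every pair's suggestions.

```python
from collections import Counter

# DES expansion E: output bit i is taken from input bit E[i-1] (1-indexed).
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
# DES S-box S2.
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]
# Values of the worked pair above, with the spaces removed.
F1 = "00111010010001001000000011101010"
F2 = "10001001001001110000010010111100"
SBOX_OUT_XOR = "11001101010001000100110100011011"


def expand(bits32):
    """Apply E to a 32-character bit string, giving 48 bits."""
    return "".join(bits32[i - 1] for i in E)


def sbox(table, six_bits):
    """Look up a 6-bit input in a DES S-box table."""
    row = ((six_bits >> 5) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return table[row][col]


def suggested_keys(table, index, f1, f2, out_xor_bits):
    """6-bit subkeys consistent with one pair for S-box number index (1-8)."""
    lo = 6 * (index - 1)
    in1 = int(expand(f1)[lo:lo + 6], 2)
    in2 = int(expand(f2)[lo:lo + 6], 2)
    target = int(out_xor_bits[4 * (index - 1):4 * index], 2)
    return [format(k, "06b") for k in range(64)
            if sbox(table, in1 ^ k) ^ sbox(table, in2 ^ k) == target]


def tally(counter, keys):
    """Add one pair's suggestions; the most common key over many pairs wins."""
    counter.update(keys)
    return counter


if __name__ == "__main__":
    counts = tally(Counter(), suggested_keys(S2, 2, F1, F2, SBOX_OUT_XOR))
    print(counts.most_common())
```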

Analyzing for 250 input pairs, we get the following key bits corresponding to 5 of the S-boxes:

Key bits corresponding to the blocks:
S2: 111101
S5: 011010
S6: 101100
S7: 111011
S8: 010011

Similarly, find the other 30 bits, corresponding to S1, S2, S4, S5, S6, using the second characteristic.

[Figure: the second characteristic]

Analyzing using the second characteristic, we get:

Key bits corresponding to the blocks:
S1: 110010
S2: 111101
S4: 100110
S5: 011010
S6: 101100

The computed key values corresponding to S2, S5, S6 must be the same using both characteristics. Otherwise, analyze more input pairs. Now we have 42 bits of the 56-bit key. Their positions can be determined using the key scheduling algorithm. The remaining 14 bits of the key can be found using brute force.

Key guessed after analyzing using 2 characteristics:
x11011xxx011001x0xx1011xx10x111xx01xx10x01x1011x11x1000xx001x01x
Key guessed after brute force on remaining 14 bits:
1110111x0011001x0111011x1101111x0011010x0101011x1111000x0001001x
Actual Key:
1110111100110011011101101101111000110100010101111111000100010011

Note that only 56 of the 64 key bits are used by the key scheduling algorithm to form the various round keys. Every 8th bit is dropped before applying the key scheduling algorithm.

Hurrah. We just broke the 6-round DES.

Translated from: https://medium.com/lotus-fruit/breaking-des-using-differential-cryptanalysis-958e8118ff41
