An Efficient Method to Find the Linear Expressions for Linear Cryptanalysis

Sangjin Lee†, Soo Hak Sung‡, Kwangjo Kim†

† Sect. 0710, Yusong P.O.Box 106, ETRI, Taejon, 305-600, KOREA
‡ Dep't of Applied Math., Pai Chai Univ., Doma 2-dong, Taejon, 302-735, KOREA

Abstract

In this paper, we propose a simple and efficient algorithm for determining effective linear expressions for linear cryptanalysis. This algorithm gives the effective linear expressions by combining the best iterative linear expression and the locally best linear expression. The search time of the algorithm does not increase even if the number of rounds increases. Using this algorithm, we obtain the effective linear expressions for DES-like cryptosystems (DES, $s^2$DES, $s^3$DES and $s^5$DES).

1 Introduction

In Eurocrypt'93, Matsui [3] introduced a new cryptanalysis method for DES-like cryptosystems, called linear cryptanalysis. This method needs $2^{47}$ known plaintext and ciphertext pairs to attack DES [1]. In his improved version [4], DES can be broken with $2^{43}$ known plaintext and ciphertext pairs. The heart of linear cryptanalysis is to find a useful linear expression efficiently. In his attack, Matsui uses a 15(14)-round linear expression. This expression is believed to be the best one among all the 15(14)-round linear expressions. In [2], Biham showed that Matsui's 15-round linear expression is the best one under the condition that at most one S-box is active in a single round. However, Matsui claimed that his expression is the best without any restriction.

In [9], Tokita, Sorimachi and Matsui proposed an efficient search algorithm for the best expression on linear cryptanalysis. With this algorithm, they evaluated the best probability of some DES-like cryptosystems (DES, $s^2$DES [5], $s^3$DES [6]). Their best linear expressions have a simple form (i.e., at most one S-box is active in each round). Although their algorithm is efficient, the search time increases rapidly as the number of rounds increases.
Recently, Kim et al. [7] constructed DES-like S-boxes (denoted by $s^5$DES S-boxes) against both differential and linear cryptanalysis. They claimed that the best linear expression of their cryptosystem ($s^5$DES) does not have a simple form. In this case, the search time for the best expression cannot be predicted.

In this paper, we propose a simple and efficient search algorithm for effective linear expressions on linear cryptanalysis. Basically, it searches for the best iterative linear expression and the locally best linear expression. The search time of the algorithm is independent of the number of rounds, i.e., it does not increase even if the number of rounds increases.

Using this algorithm, we obtain effective linear expressions for DES-like cryptosystems (DES, $s^2$DES, $s^3$DES and $s^5$DES). We also show that the probabilities of the effective linear expression are close to that of the best linear expression as the number of rounds increases.

2 Preliminaries

The following notations are used throughout this paper, and the rightmost bit is referred to as the least significant bit.

$a_x$ : The hexadecimal value of $a$.
$\Gamma X$ : The masking value of $X$.
$X \cdot Y$ : The inner product of $X$ and $Y$.

Definition 1 For a given linear expression

$$F(I, K) \cdot \Gamma O = I \cdot \Gamma I \oplus K \cdot \Gamma K \quad \text{with probability } q,$$

this expression is denoted by $\Gamma O \quad \Gamma I$ with probability $p = |q - \frac{1}{2}|$. The $n$ linear expressions $\Gamma O_i \quad \Gamma I_i$ $(1 \le i \le n)$ satisfying

$$\Gamma O_{i+2} = \Gamma O_i \oplus \Gamma I_{i+1} \quad (1 \le i \le n-2)$$

lead to a linear expression of $n$-round DES.

We will denote the $n$-round linear expression as:

$$\begin{array}{lll}
\Gamma O_1 & \Gamma I_1 & \text{with probability } p_1, \\
\Gamma O_2 & \Gamma I_2 & \text{with probability } p_2, \\
\vdots & & \\
\Gamma O_n & \Gamma I_n & \text{with probability } p_n.
\end{array}$$

Also, the probability of the $n$-round linear expression is expressed by

$$p = 2^{n-1} \prod_{i=1}^{n} p_i.$$

The magnitude of $p$ is related to the complexity of breaking any DES-like cryptosystem by linear cryptanalysis. The most effective linear expression (i.e., $p$ is maximum) is called the best linear expression, and the probability $p$ is called the best probability.
3 Iterative Linear Expressions

As the number of rounds in DES-like cryptosystems increases, the problem of finding the best linear expression becomes hard. In this section, we introduce an $r$-round linear expression which can be extended to $(r+2)$ rounds with no approximation in the first and last rounds. We will refer to this $r$-round linear expression as the $r$-round iterative linear expression. More precisely, we define an $r$-round iterative linear expression as below:

Definition 2 An $r$-round linear expression satisfying $\Gamma I_1 = 0_x$ in case $r = 1$, $\Gamma O_2 = \Gamma I_1$ and $\Gamma O_{r-1} = \Gamma I_r$ otherwise, is called an $r$-round iterative linear expression.

The following point can be easily derived from the definition of an $r$-round iterative linear expression.

Remark: Let $\{\Gamma O_i \quad \Gamma I_i \mid 1 \le i \le r\}$ be an $r$-round iterative linear expression. Then the collection of the linear expressions with reversed order is also an $r$-round iterative linear expression, i.e.,

$$\begin{array}{ll}
\Gamma O_r & \Gamma I_r \\
\Gamma O_{r-1} & \Gamma I_{r-1} \\
\vdots & \\
\Gamma O_1 & \Gamma I_1
\end{array}$$

is an $r$-round iterative linear expression. □

For simplicity, we denote this reversed $r$-round iterative linear expression with a tilde (~). Then we can build a $k(r+1)+1$ round linear expression by combining the $r$-round iterative linear expression, its tilde form and "$-$": starting from "$-$", the expression and its tilde form alternate, each followed by "$-$", so that the last one is the expression itself if $k$ is odd and the tilde form if $k$ is even, where "$-$" represents $0_x \quad 0_x$, i.e., it means that no approximation is done. If the $r$-round iterative linear expression has probability $P_r$, then the probability of the $k(r+1)+1$ round linear expression is $2^{k-1} P_r^k$ by the piling-up lemma [3].

Now, we find the best $r$-round iterative linear expression (i.e., the probability $P_r$ is maximum) for DES-like cryptosystems.

For a 1-round iterative linear expression, whose input mask is $0_x$, DES has the best 1-round iterative linear expression with probability $4.68 \times 10^{-2}$ such as:

    0a 10 0c 21x    0x

In the above linear expression, two neighbouring S-boxes ($S_7$ and $S_8$) are active. Each S-box has a linear expression with common input bits of the F-function. On the other hand, $s^3$DES and $s^5$DES do not have a 1-round iterative linear expression due to their design criteria.
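The chaining rule of Definition 1, the conditions of Definition 2 and the remark on reversed order can be checked mechanically. The following Python code is an added example, not code from the paper: it applies them to the DES expressions listed in this section (with the 1-round output mask read as 0a 10 0c 21x) and uses the standard DES P permutation to report which S-boxes each output mask touches; the function and variable names are illustrative.

```python
# DES P permutation (FIPS 46): output position j (1 = leftmost) takes F-function bit P[j-1].
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]

# (output mask, input mask) per round, copied from the DES expressions in this section.
DES_1 = [(0x0A100C21, 0x0)]
DES_2 = [(0x00000001, 0x00000020), (0x00000020, 0x00000001)]
DES_3 = [(0x01040080, 0x00008000), (0x00008000, 0x20000000),
         (0x21040080, 0x00008000)]
DES_4 = [(0x00000008, 0x00000400), (0x00000400, 0x00000028),
         (0x00000020, 0x00000001), (0x00000401, 0x00000020)]

def active_sboxes(out_mask):
    """S-boxes whose output bits are selected by a mask on the F-function output."""
    boxes = set()
    for b in range(32):                  # bit 0 is the rightmost (least significant) bit
        if (out_mask >> b) & 1:
            src = P[(32 - b) - 1]        # S-box output bit (1..32) feeding this position
            boxes.add((src - 1) // 4 + 1)
    return sorted(boxes)

def chains(trail):
    """Definition 1: out[i+2] = out[i] XOR in[i+1] for every i."""
    return all(trail[i + 2][0] == trail[i][0] ^ trail[i + 1][1]
               for i in range(len(trail) - 2))

def is_iterative(trail):
    """Definition 2, checked on top of the chaining rule."""
    if len(trail) == 1:
        return trail[0][1] == 0
    return (chains(trail) and trail[1][0] == trail[0][1]
            and trail[-2][0] == trail[-1][1])

if __name__ == "__main__":
    for name, t in [("1", DES_1), ("2", DES_2), ("3", DES_3), ("4", DES_4)]:
        used = [active_sboxes(o) for o, _ in t]
        print(f"{name}-round: iterative={is_iterative(t)} "
              f"reversed={is_iterative(t[::-1])} active S-boxes={used}")
```

The 1-round mask maps to S-boxes 7 and 8, matching the text, while every output mask of the 3-round expression stays inside a single S-box.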
For a 2-round iterative linear expression, DES has the best 2-round iterative linear expression with probability $3.91 \times 10^{-3}$ such as:

    00 00 00 01x    00 00 00 20x
    00 00 00 20x    00 00 00 01x

For a 3-round iterative linear expression, DES has the best 3-round iterative linear expression with probability $6.10 \times 10^{-3}$ such as:

    01 04 00 80x    00 00 80 00x
    00 00 80 00x    20 00 00 00x
    21 04 00 80x    00 00 80 00x

For a 4-round iterative linear expression, DES has the best 4-round iterative linear expression with probability $7.63 \times 10^{-5}$ such as:

    00 00 00 08x    00 00 04 00x
    00 00 04 00x    00 00 00 28x
    00 00 00 20x    00 00 00 01x
    00 00 04 01x    00 00 00 20x

Table 1 shows the best probabilities of $r$-round ($1 \le r \le 4$) iterative linear expressions for DES, $s^2$DES, $s^3$DES, and $s^5$DES. In Table 1, "*" indicates that the iterative linear expression does not exist.

Table 1: Prob. of the best iterative linear expressions

| round | DES | $s^2$DES | $s^3$DES | $s^5$DES |
|---|---|---|---|---|
| 1 | $4.68 \times 10^{-2}$ | $5.85 \times 10^{-2}$ | * | * |
| 2 | $3.91 \times 10^{-3}$ | $5.85 \times 10^{-3}$ | $3.90 \times 10^{-3}$ | $1.95 \times 10^{-3}$ |
| 3 | $6.10 \times 10^{-3}$ | $2.19 \times 10^{-3}$ | $5.85 \times 10^{-3}$ | $1.09 \times 10^{-3}$ |
| 4 | $7.63 \times 10^{-5}$ | $3.66 \times 10^{-4}$ | $9.15 \times 10^{-5}$ | $1.52 \times 10^{-5}$ |

Table 2 shows the best $r$-round iterative linear expressions for $s^2$DES, $s^3$DES, and $s^5$DES.

Table 2: The best iterative linear expressions (rounds 2, 3, 4)

| $s^2$DES | $s^3$DES | $s^5$DES |
|---|---|---|
| 00400000x | 00040000x | 00000a00x |
| 00010000x | 00001000x | 10000000x |
| 00010000x | 00008000x | 00011000x |
| 00001000x | 01040080x | 20000080x |
| 00400000x | 20000000x | 00040000x |
| 00000040x | 20000000x | 00002000x |
| 00100000x | 00008000x | 00000080x |
| 00110000x | 00009000x | 00000a80x |
| 00400000x | 00040000x | 10000000x |

4 The Search Method for Effective Linear Expressions

In this section, we present a simple and efficient algorithm to find an effective linear expression for linear cryptanalysis.
This algorithm derives the effective linear expression by combining the best iterative linear expression and the locally best linear expression. This technique is applicable to many DES-like cryptosystems. The search time of the algorithm does not increase even if the number of rounds increases. Now, we state the algorithm as follows.

Step 1. Find the best $r$-round ($1 \le r \le 4$) iterative linear expression.

Step 2. Select a good iterative linear expression (say, the $N$-round one) among all of them. Let $P_r$ denote the probability of the best $r$-round iterative expression. Select the $N$-round iterative expression such that

$$2^{\frac{60}{N+1}-1} P_N^{\frac{60}{N+1}} = \max_{1 \le r \le 4} 2^{\frac{60}{r+1}-1} P_r^{\frac{60}{r+1}} \qquad (1)$$

(Note that $2^{\frac{60}{r+1}-1} P_r^{\frac{60}{r+1}}$ is the probability of the 61 (i.e., $\mathrm{lcm}(r+1;\ 1 \le r \le 4) + 1$) round linear expression constructed from the $r$-round iterative linear expression, its reversed (tilde) form and "$-$".)

Step 3. Find $k$ (the number of iterations) satisfying $k(N+1)+2 \le n < (k+1)(N+1)+2$.

Step 4. Construct a $k(N+1)+1$ round linear expression from the $N$-round iterative linear expression and/or its reversed (tilde) form.

Step 5. Construct an $n$-round expression by combining the $k(N+1)+1$ round linear expression and the locally best linear expressions.

In Step 1, $r$ can be heuristically determined. Also, in Step 5, the combined expression has the iterative linear expression in the middle, with locally best linear expressions (indexed by $p$ and $q$) on either side.

Example 1 We will describe how to find a 6-round effective linear expression in DES. From Table 1, $P_1 = 4.68 \times 10^{-2}$, $P_2 = 3.91 \times 10^{-3}$, $P_3 = 6.10 \times 10^{-3}$ and $P_4 = 7.63 \times 10^{-5}$. Then by Eq. (1),

$$\begin{aligned}
2^{\frac{60}{2}-1} P_1^{\frac{60}{2}} &= 2^{29} (4.68 \times 10^{-2})^{30} = 6.87 \times 10^{-32} \\
2^{\frac{60}{3}-1} P_2^{\frac{60}{3}} &= 2^{19} (3.91 \times 10^{-3})^{20} = 3.66 \times 10^{-43} \\
2^{\frac{60}{4}-1} P_3^{\frac{60}{4}} &= 2^{14} (6.10 \times 10^{-3})^{15} = 9.87 \times 10^{-30} \\
2^{\frac{60}{5}-1} P_4^{\frac{60}{5}} &= 2^{11} (7.63 \times 10^{-5})^{12} = 7.97 \times 10^{-47}
\end{aligned}$$

We choose the 3-round one as the best iterative linear expression. Next, after computing $k$ such that $(3+1)k+2 \le 6 < (3+1)(k+1)+2$ holds, we get $k = 1$.
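Steps 2 to 4 for DES, using the four probabilities quoted in Example 1, as an added Python example (not from the paper; the function names are illustrative). It evaluates Eq. (1), picks $N$, and for a given round count $n$ returns $k$, the number of rounds covered and the piled-up probability of the iterative part, going beyond the $n = 6$ case worked in the text.

```python
# Best r-round iterative probabilities for DES, as quoted in Example 1.
DES_P = {1: 4.68e-2, 2: 3.91e-3, 3: 6.10e-3, 4: 7.63e-5}
LCM = 60  # lcm of r + 1 for 1 <= r <= 4

def piled_probability(p_r, k):
    """Piling-up lemma for k copies of an iterative expression: 2^(k-1) * p_r^k."""
    return 2 ** (k - 1) * p_r ** k

def eq1_value(r, p_r):
    """One side of Eq. (1): probability of the 61-round expression built from r."""
    return piled_probability(p_r, LCM // (r + 1))

def select_N(probs):
    """Step 2: the r whose 61-round probability is largest."""
    return max(probs, key=lambda r: eq1_value(r, probs[r]))

def iterations(n, N):
    """Step 3: the k with k(N+1)+2 <= n < (k+1)(N+1)+2."""
    if n < 2:
        raise ValueError("n must be at least 2")
    return (n - 2) // (N + 1)

def layout(k):
    """Step 4 block order: '-' is the 0x 0x round, F/R the forward/reversed expression."""
    blocks = ["-"]
    for i in range(k):
        blocks += ["F" if i % 2 == 0 else "R", "-"]
    return blocks

def iterative_part(n, probs):
    """Steps 2-4: (N, k, rounds covered, probability) for an n-round cipher."""
    N = select_N(probs)
    k = iterations(n, N)
    return N, k, k * (N + 1) + 1, piled_probability(probs[N], k)

if __name__ == "__main__":
    for r, p in DES_P.items():
        print(f"r={r}: Eq.(1) value {eq1_value(r, p):.2e}")
    for n in (6, 10, 12, 14, 16):
        N, k, rounds, prob = iterative_part(n, DES_P)
        print(f"n={n}: N={N} k={k} rounds={rounds} p={prob:.2e} {' '.join(layout(k))}")
```

The rounds not covered by the iterative part (one round for $n = 6$, three for $n = 16$) are the ones Step 5 fills with locally best expressions.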
By using the 3-round iterative expression, we can build a 5-round linear expression with probability $6.10 \times 10^{-3}$, i.e.,

    0x              0x
    01 04 00 80x    00 00 80 00x
    00 00 80 00x    20 00 00 00x
    21 04 00 80x    00 00 80 00x
    0x              0x

Finally, we find the locally best 1-round expression which can be concatenated with the above 5-round linear expression. In other words, we search for the best 1-round expression satisfying $\Gamma O$ = 01 04 00 80x or 21 04 00 80x. From the distribution tables of the linear expressions of the S-boxes in DES, the best 1-round expression is

    21 04 00 80x    00 00 80 00x

with probability $3.1 \times 10^{-1}$. Hence we have an effective 6-round linear expression with probability $3.8 \times 10^{-3}$ such as:

    0x              0x
    01 04 00 80x    00 00 80 00x
    00 00 80 00x    20 00 00 00x
    21 04 00 80x    00 00 80 00x
    0x              0x
    21 04 00 80x    00 00 80 00x

Note that this 6-round expression is the best one.

Using this algorithm, we can find effective linear expressions for DES-like cryptosystems (DES, $s^2$DES, $s^3$DES and $s^5$DES). Table 3 shows the probabilities of the effective $n$-round linear expressions and the best $n$-round probabilities ($n$ = 10, 12, 14, 16) [8]. From the table, we note that the effective $n$-round expressions are good linear expressions.

In Table 3, we can see that the effective and the best probabilities do not have the same value in the $s^5$DES case. However, this can be avoided if we modify Step 3 as below.

Step 3'. Find $k$ satisfying $k(N+1)+2 < n \le (k+1)(N+1)+2$.

Table 3: Prob. of effective linear expressions and their best linear expressions.

| round $n$ | DES effective | DES best | $s^2$DES effective | $s^2$DES best | $s^3$DES effective | $s^3$DES best | $s^5$DES effective | $s^5$DES best |
|---|---|---|---|---|---|---|---|---|
| 10 | $4.66 \times 10^{-5}$ | $4.66 \times 10^{-5}$ | $3.62 \times 10^{-6}$ | $3.62 \times 10^{-6}$ | $5.15 \times 10^{-5}$ | $5.15 \times 10^{-5}$ | $8.89 \times 10^{-7}$ | $1.02 \times 10^{-6}$ |
| 12 | $9.07 \times 10^{-6}$ | $9.07 \times 10^{-6}$ | $2.09 \times 10^{-7}$ | $2.35 \times 10^{-7}$ | $1.20 \times 10^{-5}$ | $1.20 \times 10^{-5}$ | $6.94 \times 10^{-8}$ | $7.42 \times 10^{-8}$ |
| 14 | $5.67 \times 10^{-7}$ | $5.67 \times 10^{-7}$ | $1.59 \times 10^{-8}$ | $1.59 \times 10^{-8}$ | $6.03 \times 10^{-7}$ | $6.03 \times 10^{-7}$ | $1.94 \times 10^{-9}$ | $2.04 \times 10^{-9}$ |
| 16 | $8.88 \times 10^{-8}$ | $8.88 \times 10^{-8}$ | $9.17 \times 10^{-10}$ | $9.67 \times 10^{-10}$ | $7.07 \times 10^{-8}$ | $7.07 \times 10^{-8}$ | $1.82 \times 10^{-10}$ | $1.86 \times 10^{-10}$ |

In each pair of columns, the first value is the probability of the effective $n$-round linear expression and the second is the best probability of the $n$-round linear expression.

5 Conclusion

In this paper, we proposed a simple and efficient algorithm for determining effective linear expressions for DES-like cryptosystems based on iterative linear expressions. We showed that the effective linear expressions become good expressions as the number of rounds increases. In particular, when the number of rounds is greater than or equal to 10, the effective expressions are the best expressions for DES and $s^3$DES. This algorithm is suitable for a case where the best expression can be derived from more than 2 active S-boxes in a single round, and is also useful for evaluating the security of DES-like cryptosystems against linear cryptanalysis.

References

[1] "Data Encryption Standard", FIPS-Pub.46, National Bureau of Standard, 1977.
[2] E. Biham, "On Matsui's Linear Cryptanalysis", Extended Abstracts of Eurocrypt'94, Italy, 1994.
[3] M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Proc. of Eurocrypt'93, Norway, 1993.
[4] M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard", Proc. of Crypto'94, USA, 1994.
[5] K. Kim, "Construction of DES-like S-boxes Based on Boolean Functions Satisfying SAC", Proc. of Asiacrypt'91, Japan, 1991.
[6] K. Kim, S. Park and S. Lee, "Reconstruction of $s^2$DES S-boxes and their Immunity to Differential Cryptanalysis", Proc. of JW-ISC'93, Korea, 1993.
[7] K. Kim, S. Lee, S. Park, and D. Lee, "How to Strengthen DES against Two Robust Attacks", to appear in Proc. of JW-ISC'95.
[8] T. Tokita, Private Communication, 1994.
[9] T. Tokita, T. Sorimachi and M. Matsui, "An Efficient Search Algorithm for the Best Expression on Linear Cryptanalysis", Technical Report of Information SECurity of IEICE, ISEC93-97, Mar., 1994.