Flaws in Differential Cryptanalysis of Skipjack
Author
Abstract
This paper is motivated by some results presented by Knudsen, Robshaw and Wagner at Crypto’99 [3], which described many attacks on reduced versions of Skipjack, some of them erroneous. Differential cryptanalysis is based on distinguishers: any attack should prove that the events that trigger the analysis do not have the same probability for the cipher as for a random function. In particular, the composition of differentials for successive parts of a cipher must be done very carefully to lead to an attack. This revised version of the paper includes the exact computations of some probabilities and repairs the attack on the first half of Skipjack.

Part of this work has been supported by the CELAR, part of this work has been supported by the Commission of the European Communities through the IST Programme under Contract IST-1999-12324 (NESSIE).
M. Matsui (Ed.): FSE 2001, LNCS 2355, pp. 328–335, 2002. © Springer-Verlag Berlin Heidelberg 2002

1 What Is Differential Cryptanalysis?

Chosen plaintext attacks. If we have a “black box” containing a symmetric block cipher, we are able to encrypt anything we want. The goal of the attack is to decrypt some given ciphertext or, even better, to retrieve the key. A partial success is obtained if we have a distinguisher, i.e. a technique that gives some information about what is in the box (e.g. the algorithm used).

Looking at differences. In order to check the security of a block cipher under chosen plaintext attacks, we can make statistical tests on the output when the input is cleverly chosen. Differential cryptanalysis [2] looks at the difference in the output of the cipher when a pair of input texts with some particular difference (XOR) is enciphered. If the pair of input texts is randomly chosen with their difference following some special probability distribution, the difference of the outputs may give some information about what is inside.

Building a distinguisher using a differential. More precisely, if we know that, for some keys, the input of two different plaintexts with a difference in the subset $\Delta$ gives two ciphertexts with a difference in the subset $\Delta^*$ with non-trivial probability $p$ (this is called a differential of probability $p$; the common notation is $\Delta \xrightarrow{p} \Delta^*$), then we are able to distinguish two black boxes, one with the given cipher and the other with a random permutation. Formally, we fix the key and we take probabilities over all pairs $(c, c')$ of cleartexts (or equivalently over all pairs $(e, e')$ of ciphertexts, since the cipher is a permutation). Then

$$p = \Pr[e \oplus e' \in \Delta^* \mid c \oplus c' \in \Delta] = \Pr[c \oplus c' \in \Delta \mid e \oplus e' \in \Delta^*] \, \frac{\Pr[e \oplus e' \in \Delta^*]}{\Pr[c \oplus c' \in \Delta]}.$$

Regular differential cryptanalysis looks for a probability close to 1. Impossible cryptanalysis [1] looks for probability 0. The “trivial probability” is the expected probability $p^*$ that the differential holds for a random permutation. It is the probability that a random value is in $\Delta^*$. In practice, a regular differential cryptanalysis encrypts $n$ independent random pairs of plaintexts (with $\frac{1}{p} < n < \frac{1}{p^*}$). If one of the pairs of ciphertexts has a difference in $\Delta^*$, we recognise that the cipher is not a random permutation. The probability that the encryption of $n$ pairs of plaintexts produces no pair with difference in $\Delta^*$ is less than $e^{-np}$, and the probability that a set of $n$ random pairs of texts contains a pair with difference in $\Delta^*$ is less than $np^*$.
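The distinguisher procedure above, run end to end as an added example (not code from the paper). The 24-bit toy cipher, the sample key, the SHA-256 stand-in for a random permutation and the choice n = 4096 are all assumptions made for illustration.

```python
import hashlib
import math
import random

W = 8                          # word size; the toy block is three 8-bit words
DELTA_IN = (0xFF, 0, 0)        # input difference (the set ∆ has one element)
DELTA_OUT = {(0xFF, 0, 0)}     # target output differences ∆*
P = 2.0 ** -W                  # differential probability p of the toy cipher
P_STAR = len(DELTA_OUT) / 2.0 ** (3 * W)   # trivial probability p*
N = 4096                       # number of pairs, chosen with 1/p < n < 1/p*

def toy_cipher(key, x):
    """Constructed toy cipher: (a, b, c) -> (a, b, (a & b) ^ c) between two key XORs."""
    a, b, c = (xi ^ ki for xi, ki in zip(x, key[:3]))
    y = (a, b, (a & b) ^ c)
    return tuple(yi ^ ki for yi, ki in zip(y, key[3:]))

def random_box(x):
    """Stand-in for a random permutation: a fixed pseudo-random function (assumption)."""
    return tuple(hashlib.sha256(bytes(x)).digest()[:3])

def count_hits(box, n, rng):
    """Encrypt n random pairs with difference DELTA_IN, count output differences in ∆*."""
    hits = 0
    for _ in range(n):
        x = tuple(rng.randrange(1 << W) for _ in range(3))
        x2 = tuple(xi ^ di for xi, di in zip(x, DELTA_IN))
        diff = tuple(u ^ v for u, v in zip(box(x), box(x2)))
        hits += diff in DELTA_OUT
    return hits

def looks_like_cipher(box, n=N, seed=0, threshold=1):
    """Decide 'cipher' when at least `threshold` pairs land in ∆*."""
    return count_hits(box, n, random.Random(seed)) >= threshold

def error_bounds(n):
    """Bounds from the text: (miss the cipher) < e^{-np}, (flag a random box) < n p*."""
    return math.exp(-n * P), n * P_STAR

if __name__ == "__main__":
    key = (0x3A, 0xC5, 0x71, 0x0F, 0x9E, 0x24)   # constructed sample key
    print("cipher box :", looks_like_cipher(lambda x: toy_cipher(key, x)))
    print("random box :", looks_like_cipher(random_box))
    print("bounds     :", error_bounds(N))
```

In this toy cipher the differential holds exactly when the second plaintext word equals the second key byte, which is why p = 2^-8 for every key.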
If we need a better probability of success, we can encrypt more pairs and use a threshold greater than one to decide whether the black box is the cipher; exact probabilities of success can be computed with Chernoff bounds.

Finding weak keys. If the differential holds only for some subset of the keys, the distinguisher allows us to detect these keys.

Finding the key of the last rounds with reduced-round differentials. Most block ciphers are based on a succession of identical rounds that differ only in the subkey used. The first and last rounds may be different. If we find a differential (a distinguisher) for the cipher reduced to all but a few last rounds, we can guess with non-trivial probability what the input difference is for these few last rounds. Since we know the output exactly, we might be able to find the subkeys used in those rounds. Part of the analysis may be done using the structural properties of how the key bits are used in those rounds, and part may be done by exhaustive search. The probability of success is deduced from the gap between the probability $p$ of the differential and the trivial probability $p^*$. Detailed and practical analysis has been done e.g. in [2].

Composition of differentials. When we can split the cipher into two (or more) successive ciphers (this is the case with most ciphers, putting the breakpoint between two internal rounds), a very tempting tool is to combine a differential for the first part and one for the second part. This is called a differential characteristic and the notation will be $\Delta \to \Delta^{\times} \to \Delta^*$. The probability of the differential $\Delta \to \Delta^*$ is greater than or equal to the probability of the differential characteristic $\Delta \to \Delta^{\times} \to \Delta^*$. Warning: the probability of the differential characteristic can be unrelated to the probabilities of $\Delta \to \Delta^{\times}$ and $\Delta^{\times} \to \Delta^*$. The very simple example below illustrates this fact.

$f : (a, b, c) \to (a, b, (a \,\&\, b) \oplus c)$. An input difference 100 to f
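The warning about composing differentials can be checked exhaustively on the map f given above. This is an added example, not code from the paper: it assumes both successive parts of the cipher are f (the page's own continuation of the example is cut off) and compares the exact probability of each characteristic with the product of the two separate differential probabilities.

```python
from fractions import Fraction
from itertools import product

def f(x):
    """The page's map f : (a, b, c) -> (a, b, (a & b) ^ c) on single bits."""
    a, b, c = x
    return (a, b, (a & b) ^ c)

def f2(x):
    """Assumed two-part cipher: f followed by f."""
    return f(f(x))

def xor(x, y):
    return tuple(u ^ v for u, v in zip(x, y))

INPUTS = list(product((0, 1), repeat=3))

def differential(g, d_in, d_out):
    """Exact Pr[g(x) ^ g(x ^ d_in) == d_out] over all 8 inputs x."""
    good = sum(xor(g(x), g(xor(x, d_in))) == d_out for x in INPUTS)
    return Fraction(good, len(INPUTS))

def characteristic(d_in, d_mid, d_out):
    """Exact probability that a pair follows d_in -> d_mid -> d_out through f, then f."""
    good = 0
    for x in INPUTS:
        y, y2 = f(x), f(xor(x, d_in))
        good += (xor(y, y2) == d_mid) and (xor(f(y), f(y2)) == d_out)
    return Fraction(good, len(INPUTS))

def compare(d_in, d_mid, d_out):
    """Return (true characteristic probability, naive product of the two halves)."""
    naive = differential(f, d_in, d_mid) * differential(f, d_mid, d_out)
    return characteristic(d_in, d_mid, d_out), naive

D100, D101 = (1, 0, 0), (1, 0, 1)

if __name__ == "__main__":
    for mid, out in product((D100, D101), repeat=2):
        true_p, naive_p = compare(D100, mid, out)
        print(f"100 -> {mid} -> {out}: true {true_p}, naive product {naive_p}")
    print("differential 100 -> 100 through f2:", differential(f2, D100, D100))
```

Every naive product is 1/4, while the true characteristic probabilities are 1/2 or 0, and the differential 100 → 100 through both parts holds with probability 1.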
Similar resources
Impossible differential and square attacks: Cryptanalytic link and application to Skipjack
This paper shows a surprising similarity between the construction of, respectively, impossible differentials and square distinguishers. This observation is illustrated by comparing two attacks on IDEA (Biham & al., FSE’99 [2], Nakahara & al., 2001 [7]). Using this similarity, we also derive a 16-round square distinguisher on Skipjack, directly based on the impossible differential attack present...
1 Self evaluation of FEAL - NX
1 Evaluation of security 1.1. Differential cryptanalysis In extending differential cryptanalysis, Aoki, Kobayashi, and Moriai [1] greatly reduced the computational amount needed [2]. They determined that differential cryptanalysis could not be applied to FEAL with more than 32 rounds. Biham et al. [3] proposed a new cryptanalysis of Skipjack [4] using impossible differentials. Although regular ...
Observations of Skipjack-like Structure with SP/SPS Round Function
Impossible differential cryptanalysis is an important tool for evaluating the security level of a block cipher, and the key step of this cryptanalysis is to find the longest impossible differential. This paper focuses on retrieving impossible differentials for m-cell Skipjack-like structure with SP/SPS round function (named SkipjackSP and SkipjackSPS resp.). Up to now, known longest impossible ...
Security Evaluation against Differential Cryptanalysis for Block Cipher Structures
Estimating immunity against differential and linear cryptanalysis is essential in designing secure block ciphers. A practical measure to achieve it is to find the minimal number of active S-boxes, or a lower bound for this minimal number. In this paper, we provide a general algorithm using integer programming, which not only can estimate a good lower bound of the minimal differential active S-b...
Advanced Differential-Style Cryptanalysis of the NSA's Skipjack Block Cipher
Skipjack is a block cipher designed by the NSA for use in US government phones, and commercial mobile and wireless products by AT&T. Among its initial implementations in hardware were the Clipper chip and Fortezza PC cards, which have since influenced the private communications market to be compatible with this technology. For instance, the Fortezza card comes in PCMCIA interface and is a very ...
Journal title:
Volume / Issue
Pages -
Publication date: 2001