Professional Documents
Culture Documents
Higher Order Derivatives and Differential Cryptanalysis: January 1994
Higher Order Derivatives and Differential Cryptanalysis: January 1994
net/publication/246375728
CITATIONS READS
280 2,550
1 author:
Xuejia Lai
Shanghai Jiao Tong University
148 PUBLICATIONS 4,098 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Xuejia Lai on 04 May 2016.
Xuejia Lai 1
R3 Security Engineering AG
CH-8607 Aathal, Switzerland
lai@r3.ch
Abstract
High-order derivatives of multi-variable functions are studied in this paper as
a natural generalization of the basic concept used in dierential cryptanalysis.
Possible applications of such derivatives in cryptology are discussed.
I. Introduction
In 1990, just after Jim and I published at Eurocrypt'90 our new block cipher PES 1], the
previous version of the IDEA cipher, dierential cryptanalysis was proposed by Biham
and Shamir 2] as a chosen-plaintext attack to
nd the secret-key of an iterated block
cipher. In 3], Biham and Shamir showed that the full 16-round DES can be broken by
dierential cryptanalysis using only 247 encryptions, which is the
rst reported attack
that
nds the secret-key of DES with fewer encryptions than exhaustive key-search.
Besides DES, dierential cryptanalysis has been applied successfully to many other
ciphers 4, 5], for example, the block ciphers FEAL, Khafre, REDOC, LOKI and Lucifer.
Like every cipher designer who heard a new attack that can be applied to his cipher,
we started to apply the dierential cryptanalysis to our own proposal. As I talked to
Jim about the
rst result of the analysis, he noticed immediately that the use of the
properties of a Markov chain is essential to dierential cryptanalysis. This observation
led to the concept of "Markov Cipher" which we presented in 6], where it was shown
that the dierential cryptanalysis of many (if not all) practical block ciphers can be
formulated in terms of the theory of Markov chains. For example, the implication of
the only Lemma in Biham and Shamir's paper is that DES is a Markov cipher. In
particular, a fairly tight lower bound on the complexity of a dierential cryptanalysis
attack on a cipher can be derived in terms of parameters of the Markov chain. Although
dierential cryptanalysis requires far too much chosen plaintexts to be a practical attack
on a cipher, the complexity of a dierential cryptanalysis attack is the best measure of
its cryptographic strength that is known today.
In this paper, we consider a possible generalization of the original (
rst-order) dif-
ferential cryptanalysis in terms of higher-order derivative, which is de
ned in Section 2,
where some general properties of derivatives are studied. In Section 3 we consider some
1This work was carried out at the Signal and Information Processing Laboratory of the Swiss
Federal Institute of Technology, Zurich, Switzerland
1
special properties of derivatives of binary functions. Section 4 discusses the applications
of such higher order derivatives in cryptology. In particular, we consider the relation-
ship among derivatives, dierential cryptanalysis and linear structure of cryptographic
functions.
a ( ) = ( + ) ; ( )
f x f x a f x :
( 1) derivative of at ( 1 2
i > i ) as
f a a ::: a
(2)
a1 a2 ( ) = a2 (a1 ( ))
f x f x
= a2 ( ( + 1) ; ( )) f x a f x
= ( ( + 1 + 2) ; ( + 2)) ; ( ( + 1) ; ( ))
f x a a f x a f x a f x
= ( + 1 + 2 ) ; ( + 1) ; ( + 2) + ( )
f x a a f x a f x a f x :
= (an1;:::1)a ;1 ( (3)
0 1
f x a f x
n 1 n 1
nX;2 X
=@ ( + n+
f x a 1 + n;1 ) ;
a a (ai) ::: a j1 ji
( + n)A
f x a (4)
i=0 1j <<j n;1 1 i
2
;(an;:::01)a ; ( )
1 n 1
f x (5)
nX;2 X
= ( +
f x a 1 + + n ) ; @
a (ai) ::: a j1 ji
( + n)
f x a (6)
i=0 1j <<j n;1
nX
1 i
1
;2 X nX
;2 X
; i=0 1j <<j n;1 (aij)1 ::: aji f (x) +
i=0 1j1 <<ji n;1
(aij)1 ::: aji f (x) + (an1;:::1)an;1 f (x)A (7)
1 i
0n;2
X X
= ( + 1 + + n) ; @
f x a a (ai)1 ::: a ( ( + n) ; ( ))
j ji
f x a f x (8)
i=0 1j1 <<j n;1
nX
i
1
;2 X
+ (ai)1 ::: a ( ) + (an1;:::1)a ;1 ( )A
j j
f x
n
f x (9)
i=0 1j1 <<ji n;1 i
0n;2
X X
= ( + 1 +
f x a + an) @ ; (aij)1 ::: aji (an f (x)) (10)
i=0 1j1 <<ji n;1
nX
1
;2 X
+ (aij)1 ::: aji f (x) + (an1;:::1)an;1 f (x)A (11)
i=0 1j1 <<ji n;1
0n;2
X X
= ( + 1 +
f x a + an) @ ; (aij+1)
1 ::: aji an
f (x) (12)
i=0 1j1 <<ji n;1
nX
1
;2 X
+ (aij)1 ::: aji f (x) + (an1;:::1)an;1 f (x)A (13)
i=0 1j1 <<ji n;1
0n;1 1
X X
= ( + 1 +
f x a + an) @ ; (aij)1 ::: aji an f (x)A (14)
i=0 1j1 <<ji n
2
Some basic properties of the derivative are as follows.
a( + ) = a + a f g f g (15)
a( ( ) ( )) = ( + )a ( ) + (a ( )) ( )
f x g x f x a g x f x g x (16)
Equation (15) is rather obvious and Equation (16) can be obtained as follows:
a( ( ) ( )) =
f x g x ( + ) ( + ); ( ) ( )
f x a g x a f x g x
= ( + )( ( + ) ; ( )) + ( ( + ) ; ( )) ( )
f x a g x a g x f x a f x g x
= ( + )a ( ) + (a ( )) ( )
f x a g x f x g x :
2
Proposition 2 Let deg( ) denote the nonlinear degree of a multi-variable polynomial
f
max(deg( ) deg( )) and deg( ) deg( ) + deg( ) and that the derivative of a linear
f g fg f g
function is a constant. 2
III. Derivatives of binary functions
In what follows, we will consider only the binary functions and the group operation is
the bitwise XOR, denoted by .
Proposition 3 Let L a 1 a2 ::: a i] be the list of all 2i possible linear combinations of
a1 a 2 ::: ai. Then, X
(ai1) ::: a ( ) =
i
f x f x ( c) (18)
c2La1 a2 ::: ai]
= (ai1;:::1)a ;1 ( i) (ai1;:::1)a ;1 ( )
i i
f x a f x (20)
0 1 0
i i
1
X X
= @ ( i )A @ f x ( c a f x )A (21)
c
c2La1 a2 ::: a ;1] c2La1 a2 ::: a ;1]
X
( )
i i
= f x c : (22)
c2La1 a2 ::: ai]
2
Corollary 4 Derivatives of binary function is independent of the order in which the
derivation is taken, i.e., for any permutation p(j ) of index j ,
(ai1) ::: a ( ) = (ai)(1) ::: a ( ) ( )
i
f x
p p i
f x (23)
The above results lead to the lower bound on the probability of derivative function
taking on a certain value. This probability is essential in cryptanalysis using such
derivatives.
Proposition 5 For function
: f F
n
2 !n
2 and linearly independent
F 1 2 i in a a ::: a
n
F2 and for any b 2 n
F2 P (ai1) ::: ai f i ; n
( ) = is either 0 or at least 2 if is uniformly
x b x
random.
Proof. From equation (18), if at input 0 the derivative takes on value , then at all x b
(2i ) inputs x 0 , 2
c c
L a 1 a2 ::: a i;1] the derivative will take on value . b 2
Proposition 6 If i is linearly dependent of
a 1 a2
a ::: a i;1 , then (ai1) ::: a f (x) = 0:
i
4
Proof. If ai is linearly dependent of a1 ::: a i;1, then a i is contained in the list
L a 1 a2 ::: ai;1]. Thus, in (21) we have
X X
(
f x c ai) = f x ( c )
c2La1 a2 ::: ai;1] c2La1 a2 ::: ai;1 ]
which implies that the derivative is zero. 2
The above result shows that derivatives should be computed at the points that are
linearly independent. Otherwise the higher order derivatives will be trivially zero, such
cases are of no interest for our purpose.
Proposition 7 For any function : n
2 ! m
2 , the n-th derivative of f
is a constant.
! is invertible, then (n ; 1)-th derivative of f is a constant.
f F F
If f : F2n n
F2
Proof. Each component function of can have a nonlinear degree at most . When
;1
f n
1010(
=0 x x1 2 x x 2 3) = x2 x2 :
Thus, (2)
(0001 1010) ( 1 2 3 4) = 0 Note that (0001) and (1010) are linearly inde-
f x x x x :
the dierence of a pair of distinct inputs and and where is a possible dierence for
x x b
is the conditional probability that is the dierence of the outputs given that the
b y
P y b x a
P ( = j = ) = ( ( + ) ; ( ) = ) = (a = )
y b x a P f x a f x b P f b : (24)
Proposition 8 The probability of a dierential ( ) is the probability that the rst a b
possible to derive the key for the last round from the known 2i outputs and from the
anticipated derivative value. Although some independent preliminary experiments 7, 8]
indicated that cryptanalysis using high order derivative may not be more powerful than
the
rst order dierential cryptanalysis, we expect, however, that the derivative will
provide new measurement for the strength of cryptographic functions.
Linear structure and derivatives A function is said to have a linear structure if
there is a nonzero , such that ( + ) ; ( ) remains invariant for all . The study of
f
a f x a f x x
linear structure has lead to attacks on cipher functions 9, 10] and to the nonlinearity
criteria for cryptographic functions 11, 12]. From the de
nitions, it is easy to see
that function ( ) has a linear structure if and only if there is a nonzero such that
f x a
trivial -th derivatives of function should take on each possible value roughly uniform.
i
In particular a binary function from 2n to 2n, the nontrivial -th derivatives should
F F i
References
1] X. Lai and J. L. Massey, \A Proposal for a New Block Encryption Standard",
Advances in Cryptology { EUROCRYPT'90, Proceedings, LNCS 473, pp. 389-
404, Springer-Verlag, Berlin, 1991.
2] E. Biham and A. Shamir, \Dierential Cryptanalysis of DES{like Cryptosys-
tems", Advances in Cryptology { CRYPTO'90, Proceedings, LNCS 537, pp. 2-21,
Springer-Verlag, Berlin 1991.
3] E. Biham and A. Shamir, \Dierential Cryptanalysis of the full 16-round DES",
Abstracts of CRYPTO'92.
6
4] E. Biham and A. Shamir, \Dierential Cryptanalysis of FEAL and N-Hash",
Advances in Cryptology { EUROCRYPT'91, Proceedings, LNCS 547, pp. 1-16,
Springer-Verlag, Berlin 1991.
5] E. Biham and A. Shamir, \Dierential Cryptanalysis of Snefru, Khafre, REDOC-
II, LOKI and Lucifer", Advances in Cryptology { CRYPTO'91, Proceedings,
LNCS 576, pp. 156-171, Springer-Verlag, Berlin 1992.
6] X. Lai, J. L. Massey and S. Murphy, \Markov Ciphers and Dierential Crypt-
analysis", Advances in Cryptology { EUROCRYPT'91, Proceedings, LNCS 547,
pp. 17-38, Springer-Verlag, Berlin, 1991.
7] C. Harpes, \Notes on High Order Dierential Cryptanalysis of DES," Internal
report, Signal and Information Processing Laboratory, Swiss Federal Institute of
Technology, August 12, 1993.
8] E. Biham, \Higher Order Dierential Cryptanalysis," (Preliminary draft) August
13, 1993.
9] D. Chaum, J.H. Evertse, Cryptanalysis of DES with a reduced number of rounds,
Advances in Cryptology - CRYPTO'85, Proceedings, pp. 192{211, Springer-Verlag,
1986.
10] J.H. Evertse, Linear structures in block ciphers, Advances in Cryptology - EURO-
CRYPT'87, Proceedings, pp. 249{266, Springer-Verlag, 1988.
11] W. Meier, O. Staelbach, Nonlinearity criteria for cryptographic functions, Ad-
vances in Cryptology - EUROCRYPT'89, Proceedings, pp. 549{562, Springer-
Verlag, 1990.
12] K. Nyberg, On the construction of highly nonlinear permutations, Advances in
Cryptology - EUROCRYPT'92, Proceedings, pp. 92{98, Springer-Verlag, 1993.