
Statistical Analysis

In document A Salad of Block Ciphers (Page 125-127)

Statistical analysis is one of the oldest cryptanalytic techniques, used to break many simple substitution ciphers. In the context of modern block ciphers statistical analysis is a generalisation of linear analysis – no inhomogeneity should be present in the output of a block cipher regardless of the statistical properties of the plaintext – the output should always look like a pseudorandom sequence. Even recently proposed ciphers – such as Madryga (Subsection 3.3.1 on page 135) – succumbed to ciphertext-only attacks based on statistical assumptions on the plaintext.

Pascal Junod extensively studied this line of research in his PhD research [Jun01a, Jun01b, Jun03a, Jun03b], and applied it to the design of FOX [JV04a]. FOX is also one of the very few ciphers that follow the Lai-Massey design (cf. Section 1.5 on page 37).

Any component in a new cipher design should be tested against any deviations from perfect homogeneity: the whole arsenal of statistical methods used to analyze PRNGs (pseudo-random number generators) can be deployed.

2.7.1 The Davies-Murphy Attack


The Davies and Murphy Attack – sometimes known just as Davies’ attack [sic] – is a statistical cryptanalysis technique originally devised to attack the DES (Section 3.2 on page 129). It is a known-plaintext attack. It was originally created in 1987 by Donald Davies and published eight years later in a joint paper with Sean Murphy [DM95]. The technique was improved in 1994 by Eli Biham and Alex Biryukov [BB97]. Davies’ attack, at least in theory, can be adapted to other Feistel ciphers besides DES.

The S-boxes of the DES are balanced, i.e. when the input to any DES S-box is uniformly distributed, then the output is uniformly distributed as well. However, the expansion $e(\cdot)$ in the $F$-function of DES generates correlations between the output bits of adjacent S-boxes when a fixed key is used. In fact, two adjacent S-boxes have an input size of 12 bits; 12 bits of the round key but only 10 bits of the expanded state, say $\alpha$, are combined to be used as the input to the two S-boxes. Two bits of $\alpha$ are duplicated, and the two instances of each of these bits are XORed with two different key bits and then go into the two S-boxes. This is what causes non-uniformity in the output of the two S-boxes (and this applies to triples of S-boxes as well) and also makes the correlation dependent on the key. The situation is depicted in Figure 2.16 on the next page.

¹ Let $a_m$ be the number of involutions over $[m]$. Fix an element $x \in [m]$. For any one of the $a_m$ involutions on $[m]$, $x$ is a fixed point if and only if the permutation it induces on $[m] \setminus \{x\}$, i.e. a permutation on $m - 1$ elements, is involutory itself, and there are $a_{m-1}$ such. This holds for each $x$, thus the expected number of fixed points of an involution over $[m]$ is $\approx m \cdot a_{m-1}/a_m$. From [FS09, Example VIII.9, page 583] we know that $a_m \approx \sqrt{m!}\, e^{\sqrt{m}} (8\pi e m)^{-1/4}$, from which we get that the desired number of fixed points is asymptotically $\sqrt{m} - 1/2 + o(1)$. Now put $m = 2^n$. An exact formula is given by Lemma 2.6 in [YTH96], which confirms that the asymptotic formula gives good results already for $n = 8$.
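To check the footnote's counting argument, the following added Python example (not code from the book) computes $a_m$ exactly from the standard recurrence $a_m = a_{m-1} + (m-1)\,a_{m-2}$ (a known fact, not stated on the page), confirms both the count and the expected number of fixed points by brute-force enumeration for small $m$, and measures how far the exact mean $m\,a_{m-1}/a_m$ is from $\sqrt{m} - 1/2$ at $m = 2^8$.

```python
"""Added check of the footnote's argument on fixed points of involutions.
Exact counts a_m come from the standard recurrence (not stated in the book):
a_m = a_{m-1} + (m-1) a_{m-2}, i.e. the last element is either fixed or paired
with one of the other m-1 elements."""
from fractions import Fraction
from itertools import permutations
import math

def involution_counts(m_max: int) -> list:
    """a[m] = number of involutions on [m] for 0 <= m <= m_max."""
    a = [1, 1]                      # a_0 = 1 (empty permutation), a_1 = 1
    for m in range(2, m_max + 1):
        a.append(a[m - 1] + (m - 1) * a[m - 2])
    return a

def expected_fixed_points(m: int) -> Fraction:
    """Exact mean number of fixed points of a uniformly random involution on
    [m]: each x is fixed in exactly a_{m-1} of the a_m involutions."""
    a = involution_counts(m)
    return Fraction(m * a[m - 1], a[m])

def brute_force(m: int) -> tuple:
    """Enumerate all involutions on [m] directly; returns (count, mean fixed points)."""
    invs = [p for p in permutations(range(m)) if all(p[p[x]] == x for x in range(m))]
    fixed = sum(sum(1 for x in range(m) if p[x] == x) for p in invs)
    return len(invs), Fraction(fixed, len(invs))

def asymptotic_gap(n: int) -> float:
    """Difference between the exact mean for m = 2^n and sqrt(m) - 1/2."""
    m = 2 ** n
    return float(expected_fixed_points(m)) - (math.sqrt(m) - 0.5)

if __name__ == "__main__":
    for m in range(1, 7):            # small cases: recurrence vs enumeration
        print(m, involution_counts(m)[m], brute_force(m), expected_fixed_points(m))
    print("gap at n = 8:", asymptotic_gap(8))
```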

Figure 2.16: Relation Between Adjacent S-boxes of the DES (as in Figure 3.3 on page 131)

However, non-uniformities must be observed at a higher level in the cipher, since the outputs of individual S-boxes cannot be observed when all we have is an encryption oracle.

The attack also makes use of the following observation. With respect to Figure 3.2 on page 130, we have $F(R_i, k_i) = L_i \oplus R_{i+1}$. Hence, since $R_{i+1} = L_{i+2}$, if $i < r$ we have:

$$F(R_i, k_i) = L_i \oplus L_{i+2} \;. \qquad (2.22)$$

This remark is true for each round except the last one (where $i + 2$ makes no sense).

Now, ignoring the initial and final permutation, let $L \| R = L_1 \| R_1$ and $L' \| R' = R_{r+1} \| L_{r+1}$ be the plaintext and ciphertext, respectively. If we take the XOR of the equations (2.22) for all even $i$, we obtain the following relation:

$$R \oplus L' = \bigoplus_{j=1}^{r/2} F(R_{2j}, k_{2j}) \;.$$

If we XOR the odd rounds, we obtain instead:

$$R' \oplus L = \bigoplus_{i=1}^{r/2} F(R_{2i-1}, k_{2i-1}) \;.$$

Each plaintext/ciphertext pair thus gives the XOR of the outputs of the F-functions of the even rounds, as well as the corresponding sum for the odd rounds. This is what allows the attacker to observe a non-uniform distribution of the outputs of the F-functions (induced by the non-uniformity of S-box pairs) by analysing a large quantity of plaintext/ciphertext pairs.
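The two telescoped sums rest only on the Feistel structure, so they can be checked on any Feistel network. The following added Python example (not code from the book) builds a toy 16-round Feistel cipher with a constructed hash-based F-function and key schedule (stand-ins, not DES) and verifies relation (2.22) for $i < r$ together with the even-round and odd-round relations on a plaintext/ciphertext pair.

```python
"""Toy Feistel network (not DES: the F-function and key schedule are
constructed stand-ins) used to check relation (2.22) and the two telescoped
sums that hand an observer the XOR of the even- and odd-round F outputs."""
import hashlib
from functools import reduce

ROUNDS = 16                 # r, even, as in DES
MASK = 0xFFFFFFFF           # 32-bit half blocks, as in DES

def toy_f(r: int, k: int) -> int:
    """Constructed round function F(R_i, k_i): any deterministic map will do,
    since the relations below depend only on the Feistel structure."""
    data = (r & MASK).to_bytes(4, "big") + (k & MASK).to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def toy_keys(master: int) -> list:
    """Constructed key schedule; index 0 is unused so that keys[i] is k_i."""
    return [None] + [toy_f(master, i) for i in range(1, ROUNDS + 1)]

def encrypt(L1: int, R1: int, keys: list):
    """Feistel rounds L_{i+1} = R_i, R_{i+1} = L_i xor F(R_i, k_i), then the
    final swap: ciphertext L'||R' = R_{r+1}||L_{r+1}.  All halves are returned."""
    L, R = [None, L1], [None, R1]          # 1-indexed like the text
    for i in range(1, ROUNDS + 1):
        L.append(R[i])
        R.append(L[i] ^ toy_f(R[i], keys[i]))
    return L, R, (R[ROUNDS + 1], L[ROUNDS + 1])

def xor_all(values) -> int:
    return reduce(lambda a, b: a ^ b, values, 0)

def check_relations(L1: int, R1: int, keys: list) -> tuple:
    """Returns (eq_2_22_holds, even_sum_holds, odd_sum_holds)."""
    L, R, (Lp, Rp) = encrypt(L1, R1, keys)
    f = [None] + [toy_f(R[i], keys[i]) for i in range(1, ROUNDS + 1)]
    # (2.22): F(R_i, k_i) = L_i xor L_{i+2}, valid only for i < r
    eq_2_22 = all(f[i] == L[i] ^ L[i + 2] for i in range(1, ROUNDS))
    # Even rounds telescope to L_2 xor R_{r+1} = R xor L'; the last round
    # contributes R_{r+1} = L' directly, so no L_{r+2} is ever needed
    even = xor_all(f[i] for i in range(2, ROUNDS + 1, 2)) == (R1 ^ Lp)
    # Odd rounds telescope to L_1 xor L_{r+1} = L xor R'
    odd = xor_all(f[i] for i in range(1, ROUNDS + 1, 2)) == (L1 ^ Rp)
    return eq_2_22, even, odd

if __name__ == "__main__":
    print(check_relations(0x01234567, 0x89ABCDEF, toy_keys(0xDEADBEEF)))
```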

The attack starts by calculating the empirical distribution of certain characteristics based on many known plaintext/ciphertext pairs. Bits of the key can thus be deduced, given sufficiently many known plaintexts, by correlating the outputs with the inferred distributions. Davies’ original attack allowed one to find 2 parity bits requiring $2^{56.6}$ known plaintexts, and finding 16 parity bits requires $2^{85.6}$ known plaintexts. Thus, in its original form, the attack is slower than exhaustive search.

Eli Biham and Alex Biryukov’s improvements make it possible to mount attacks faster than brute force. These consist of: considering different pairs of S-boxes than Davies; splitting the attack into a known-plaintext collection phase and an online analysis phase; and describing tradeoffs between the number of plaintexts, the success rate and the time of analysis. One tradeoff requires $2^{50}$ known plaintexts and $2^{50}$ steps of analysis with a 51% success rate to break the full DES. A different attack can find 24 bits of the key with $2^{52}$ known plaintexts with a 53% success rate, using only $2^{17}$ DES encryptions and $2^{31}$ further elementary machine instructions in the analysis phase. Suggestions on how to design S-boxes immune to these attacks are also given in [BB97].

In 1998, Thomas Pornin [Por98] developed techniques for analyzing and maximizing a cipher’s resistance to this kind of cryptanalysis.

Sébastien Kunz-Jacques and Frédéric Muller [KM05] further reduced the complexity of the Biham-Biryukov variant to $2^{45}$ chosen plaintexts and studied the relation of the Davies-Murphy attack to linear cryptanalysis.
