Markov Ciphers and Diierential Cryptanalysis

This paper considers the security of iterated block ciphers against the di erential cryptanalysis introduced by Biham and Shamir Di erential cryptanalysis is a chosen plaintext attack on secret key block ciphers that are based on iterating a cryptographically weak function r times e g the round Data Encryption Standard DES It is shown that the success of such attacks on an r round cipher depends on the existence of r round di erentials that have high probabilities where an i round di erential is de ned as a couple such that a pair of distinct plaintexts with di erence can result in a pair of i th round outputs that have di erence for an appropriate notion of di erence The probabilities of such di erentials can be used to determine a lower bound on the complexity of a di erential cryptanalysis attack and to show when an r round cipher is not vulnerable to such attacks The concept of Markov ciphers is introduced for iterated ciphers because of its signi cance in di erential cryptanalysis If an iterated cipher is Markov and its round subkeys are independent then the sequence of di erences at each round output forms a Markov chain It follows from a result of Biham and Shamir that DES is a Markov cipher It is shown that for the appropriate notion of di erence the Proposed Encryption Standard PES of Lai and Massey which is an round iterated cipher is a Markov cipher as are also the mini version of PES with block length and bits It is shown that PES and PES are immune to di erential cryptanalysis after su ciently many rounds A detailed cryptanalysis of the full size PES is given and shows that the very plausibly most probable round di erential has a probability about A di erential cryptanalysis attack of PES based on this di erential is shown to require all possible encryptions This cryptanalysis of PES suggested a new design principle for Markov ciphers viz that their transition probability matrices should not be symmetric A minor modi cation of PES consistent with all the original design principles is proposed that satis es this new design criterion This modi ed cipher called Improved PES IPES is described and shown to be highly resistant to di erential cryptanalysis Introduction Many secret key block ciphers are cryptosystems based on iterating a cryptographically weak function several times Each iteration is called a round The output of each round is a function of the output of the previous round and of a subkey derived from the full secret key by a key schedule algorithm Such a secret key block cipher with r iterations is called an r round iterated cipher For example the well known Data Encryption Standard DES is a round iterated cipher Di erential cryptanalysis introduced by Biham and Shamir in is a chosen plaintext at tack to nd the secret key of an iterated ciphers It analyzes the e ect of the di erence of a pair of plaintexts on the di erence of succeeding round outputs in an r round iterated cipher In Section we describe di erential cryptanalysis of a general r round iterated cipher in terms of r round di erentials instead of in terms of the i round characteristics used in The hypothesis of stochastic equivalence which has been implicitly assumed in di erential crypt analysis is explicitly formulated in Section It is pointed out that one of the two prerequisites for di erential cryptanalysis to succeed on an r round cipher is the existence of an r round di erential with high probability and it is shown that a lower bound on the complexity of di erential cryptanalysis can be obtained from the maximum di erential probability In Section Markov ciphers are de ned as iterated ciphers whose round functions satisfy the condition that the di erential probability is independent of the choice of one of the component plaintexts under an appropriate de nition of di erence It is shown that for a Markov cipher with independent subkeys the sequence of round di erences forms a Markov chain It follows from a result of Biham and Shamir that DES is a Markov cipher The study of di erential cryptanalysis for an r round Markov cipher is reduced to the study of the transition probabilities created by its round function In particular Markov chain techniques can be used to show whether the cipher is secure against di erential cryptanalysis after su ciently many rounds At Eurocrypt a new iterated cipher the Proposed Encryption Standard PES was in troduced by Lai and Massey The PES contains rounds plus an output transformation In Section standard PES with block length bits and mini versions of PES with block length and are considered These are all shown to be Markov ciphers The ciphers PES and PES are shown to be immune to di erential cryptanalysis after su ciently many rounds A detailed cryptanalysis of PES given in the Appendix shows that the very plausibly most likely one round di erential has probability about which leads to a round di erential with probability about Di erential cryptanalysis of PES based on this di erential requires the cryptanalyst to perform all possible encryptions The attacker thus obtains the secret key after encryptions which is much less than the encryptions of an exhaustive key search however the encryptions specify the entire mapping from plaintext to ciphertext