CRYPTANALYSIS OF SUBSTITUTION-PERMUTATION NETWORKS USING KEY-DEPENDENT DEGENERACY

Howard M. Heys, Stafford E. Tavares
1996 Cryptologia  
This paper presents a novel cryptanalysis of Substitution- Permutation Networks using a chosen plaintext approach. The attack is based on the highly probable occurrence of key-dependent degeneracies within the network and is applicable regardless of the method of S-box keying. It is shown that a large number of rounds are required before a network is resistant to the attack. Experimental results have found 64-bit networks to be cryptanalyzable for as many as 8 to 12 rounds depending on the
more » ... pending on the S-box properties. ¡ . Introduction The concept of Substitution-Permutation Networks (SPNs) for use in block cryptosystem design originates from the "confusion" and "diffusion" principles introduced by Shannon [1]. The SPN architecture considered in this paper was first suggested by Feistel [2] and consists of rounds of non-linear substitutions (S-boxes) connected by bit permutations. Such a cryptosystem structure, referred 1 to as LUCIFER 1 by Feistel, is a simple, efficient implementation of Shannon's concepts. A general -bit SPN is composed of ¡ rounds of ¢ ¤ £ ¥ ¢ S-boxes. We shall denote the cryptosystem plaintext input as ¦ § © © and the ciphertext output as § " ! # ! $ 2. XOR mask keying: the key bits may be exclusive-ORed with the network bits prior to entering an S-box. Recent cryptanalysis techniques have had a notable effect on the perceived security of SPN cryptosystems. For example, in [6] and [7], Biham and Shamir introduce a powerful chosen plaintext cryptanalysis technique referred to as differential cryptanalysis. Utilizing highly probably occurrences of differential sequences, 1 Another variant of LUCIFER [3] more closely resembles the network structure of DES [4]. 2 Note that method 2 may actually be considered as a special case of method 1. We distinguish between the two methods for clarity. Using method 2 only is a way of ensuring that a mapping for a particular S-box is selected from the same cryptographic equivalence class [5]. 2 probabilities can be assigned to possible key values with the most probable key being selected as correct. As well, in [8], Matsui introduces the known plaintext attack of linear cryptanalysis which makes use of the likely satisfaction of linear equations involving the plaintext, ciphertext, and key bits. The applicability of differential and linear cryptanalysis to SPNs is thoroughly discussed in [9] . The cryptanalysis presented in this paper is an efficient technique for determining the network key bits. It uses a divide-and-conquer approach by examining the ciphertexts corresponding to a number of chosen plaintexts and counting the number of times a particular sub-key is consistent with a key-dependent degeneracy in the observed ciphertext. Depending on the number of rounds in the network, the correct sub-key is consistent with a significantly higher probability than the incorrect sub-keys.
doi:10.1080/0161-119691884951 fatcat:vnx4hhzq3bcy3kuxtwynhoj4am