COM6014

Fundamental Security Properties and Mechanisms

Assessment 1

Cryptographic Analysis Task

Issued: 14 November 2023

Deadline for submission via MOLE: 1500 on 15 December2023

Total Marks Available 100

The marks available for this assignment make up 50%

of the total marks available for the COM6014 module.

Any queries on this assignment should be raised via the “Assessment Discussion Forum”, accessible from the main menu of the COM6014 module’s Blackboard site.

Submission format details are given at the end of this paper.

Question 1. Differential Cryptanalysis (100 Marks)

A simple 3-round substitution permutation network (SPN) cipher (inspired by the Heys Tutorial SPN cipher) is shown in Figure 1.

The cipher operates on 8-bit blocks. Key mixing is simple bitwise XOR. The 8-bit plaintext block P is XOR-ed bitwise with the 8-bit key K1before the resulting 8-bit block enters the two first-round S-boxes. The remaining key mixing operations are handled similarly.

A substitution box (S-box) is shown in Figure 2. This S-box is used throughout the cipher shown in Figure 1, i.e., the six S-boxes are identical. The S-box is identical to that given in the Heys Tutorial SPN Cipher.

The permutation part of the first two rounds is as shown in Figure 1. The final (third) round does not implement any permutation; the outputs from the final round S-boxes are simply XOR-ed bitwise with the key K4 to produce ciphertext C. The permutation is obviously different to that given in the Heys Tutorial SPN cipher since the cipher in this assessment operates over 8-bit blocks and that of the Heys Tutorial SPN cipher operates over 16-bit blocks.

It can be seen from Figure 1 that the cipher in this assessment uses four secret 8-bit keys (K1, K2, K3, and K4).

You are required to develop a 2-round differential approximation, describe how it could be used to recover the final key K4 (or part of it), implement such a recovery, and explain how the other keys (K1, K2, K3) and any remaining part of K4 could be obtained. You are required to document your efforts in a short report. Answer all question parts belowin your report.

a) Develop a suitable 2-round differential approximation for the cipher. You should:

i. state clearly your 2-round differential approximation. The approximation will involve deltas of bits from plaintexts P and deltas of bits from intermediate ciphertexts U3. [5Marks]

ii. identify the active S-boxes used in your 2-round approximation and indicate the differential approximation used in each active S-box. Give the associated probability of each such S-box approximation holding and indicate how it was obtained. [15 Marks]

iii. calculate the probability with which the 2-round differential approximation holds and show how it wascalculated. [6 Marks]

iv. identify clearly which K4  bits are targeted by the 2-round approximation (i.e. those bits it can be used to recover) and explain briefly why this is the case. [4 Marks]

v. justify the choices you have made in constructing your 2-round approximation. [5 Marks]

Different 2-round approximations may allow different K4 bits to be targeted. Your approximation may allow the full 8 bits of K4 to be targeted, or a subset of those bits.

Note: you should not overcomplicate your answers. You are NOT expected to do any step-by-step algebraic manipulations given in the lecture on DifferentialCryptanalysis or in the Heys tutorial (which serve to showwhy differential cryptanalysis works). In answering the above, you should include an annotated copy of Figure 1 in your submitted script illustrating the 2-round approximation developed. It should be obvious from your figure which S-boxes are active (participating in the approximation), what individual S-box differential approximations have been used(with their associated probabilities), and which K4 key bits are targeted by the approximation. You should supplement your annotated figure with text where necessary. Your active S-box approximations should ‘link up’ appropriately.

b) Implement (code) the cipher described above. With key values of 0x54, 0x32, 0x23 and 0x45 for K1, K2, K3 and K4 respectively, use your implementation to generate the set of 256 possible plaintext-ciphertext (P-C) pairs. (These will be used as source data for the next question part.) Your report should include the code (with helpful descriptive comments) and the first 64 P-C pairs produced.[20 Marks]

c) Describe (10 Marks), implement (20 Marks), execute and report the results of (10 Marks) an attack using your developed approximation to recover information from the final key K4 using the 256 P-C pairs you have generated. You may recover part of the final key K4 , or all of it, depending on the specific 2-round approximation you have developed. Your report should include the implemented code (with helpful descriptive comments) and the results of applying your attack. [40 Marks]

d) Describe briefly how you would recover all remaining keyinformation. You are NOT required to implement the recovery of this information. [5 Marks]