Efficient Uses of FPGAs for Implementations of DES and Its Experimental Linear Cryptanalysis
April 2003 (vol. 52 no. 4)
pp. 473-482

Abstract—In its basic version, linear cryptanalysis is a known-plaintext attack that uses a linear relation between input-bits, output-bits, and key-bits of an encryption algorithm that holds with a certain probability. If enough plaintext-ciphertext pairs are provided, this approximation can be used to assign probabilities to the possible keys and to locate the most probable one. In 1993, Matsui applied it to DES, and it became the best known attack against DES. In 2000, Knudsen proposed three chosen-plaintext linear attacks, the third one becoming the best chosen-plaintext attack. This paper presents two original FPGA implementations of a DES encryption/decryption core that work at data rates up to 21.3 Gbps (333 MHz). We believe that our implementations are the fastest ones known nowadays. In our design, the plaintext, the key, and the mode (encryption/decryption) can be changed with no dead cycles. Based on one of our fast DES implementations, we present an FPGA implementation of the known-plaintext linear cryptanalysis of DES. The resulting design is deployed on eight FPGAs and allows us to find 12 + 1 key bits in about 2.3 hours. As a comparison, the fastest software implementation known so far (in 2000) used the idle time of 18 Intel Pentium III MMX and broke a DES key in 4.32 days. Our fast linear cryptanalysis implementation made the performing of practical tests possible, allowing a comparison with Matsui's theoretical estimations.

Index Terms:
Cryptography, DES, linear cryptanalysis, FPGA, efficient implementations.
Citation:
Gaël Rouvroy, Francois-Xavier Standaert, Jean-Jacques Quisquater, Jean-Didier Legat, "Efficient Uses of FPGAs for Implementations of DES and Its Experimental Linear Cryptanalysis," IEEE Transactions on Computers, vol. 52, no. 4, pp. 473-482, April 2003, doi:10.1109/TC.2003.1190588