• DocumentCode
    1169930
  • Title
    Efficient uses of FPGAs for implementations of DES and its experimental linear cryptanalysis
  • Author
    Rouvroy, Gaël ; Standaert, Francois-Xavier ; Quisquater, Jean-Jacques ; Legat, Jean-Didier
  • Author_Institution
    Dept. of Electr. Eng., Univ. of Louvain-la-Neuve, Louvain-la-Neuve, Belgium
  • Volume
    52
  • Issue
    4
  • fYear
    2003
  • fDate
    4/1/2003 12:00:00 AM
  • Firstpage
    473
  • Lastpage
    482
  • Abstract
    In its basic version, linear cryptanalysis is a known-plaintext attack that uses a linear relation between input bits, output bits, and key bits of an encryption algorithm that holds with a certain probability. If enough plaintext-ciphertext pairs are provided, this approximation can be used to assign probabilities to the possible keys and to locate the most probable one. Matsui (1993) applied it to DES, and it became the best known attack against DES. Knudsen (2000) proposed three chosen-plaintext linear attacks, the third of which became the best chosen-plaintext attack. This paper presents two original FPGA implementations of a DES encryption/decryption core that work at data rates up to 21.3 Gbps (333 MHz). We believe that our implementations are the fastest ones known nowadays. In our design, the plaintext, the key, and the mode (encryption/decryption) can be changed with no dead cycles. Based on one of our fast DES implementations, we present an FPGA implementation of the known-plaintext linear cryptanalysis of DES. The resulting design is deployed on eight FPGAs and allows us to find 12+1 key bits in about 2.3 hours. As a comparison, the fastest software implementation known so far (in 2000) used the idle time of 18 Intel Pentium III MMX processors and broke a DES key in 4.32 days. Our fast linear cryptanalysis implementation made practical tests possible, allowing a comparison with Matsui's theoretical estimations.
  • Keywords
    cryptography; field programmable gate arrays; FPGAs; data encryption standard; known-plaintext attack; linear cryptanalysis; software implementation; Cryptography; Delay; Equations; Estimation theory; Field programmable gate arrays; Hardware; Helium; Performance evaluation; Pipelines; Testing;
  • fLanguage
    English
  • Journal_Title
    Computers, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    0018-9340
  • Type
    jour
  • DOI
    10.1109/TC.2003.1190588
  • Filename
    1190588