cs548_ advanced information security

CS548_ADVANCED INFORMATION SECURITY20103272 Jong Heon, Park / 20103616 Hyun Woo,

Cho

Paper Presentation #1Improved version of LC in attacking DES

Contents Introduction Before the paper… Notations Principle of the attack Success Rate and Complexity The Computer Experiment Concluding Remarks

2 / 30

Paper Introduction

Linear Cryptanalysis Using two linear approximate equations

Known Plaintext attack (KPA)

M. MATSUI. The first experimental cryptanalysis of the data encryption standard. LNCS, 839, 1994, 1-11. CYRPTO '94. 

3 / 30

Paper Introduction (Cont’)

Using 12 computer to experiment the attack(HP9735/PA-RISC 99MHz)

Program described in C & assembly languagesto generate plaintexts and ciphertexts

Goal : Finding 56-bit Secret Key Elapsed Time : 50 days

Generating plaintexts and ciphertexts : 40 days Searching key : only 10 days

4 / 30

Before the paper… Hellman

Linearity between input and output of S-box Shamir & Rueppel

Some S-boxes has linear approximate relation between input and output bits.

M. Matsui Derive linear approximate equations which

consist of P, C, and K bits Easier search if 247 known plaintext are

available than Exhaustive search

5 / 30

Before the paper… (Cont’)

M. Matsui Improved version of LC in breaking 16-

round DES New linear approximate equations :

Reducing the number of required plaintexts Candidate key in order of reliability :

Increasing the success rate of attack

6 / 30

Notations P : plaintext; 64-bit data after the IP C : ciphertext; 64-bit data before the IP-1

K : secret key; 56-bit data after the PC-1 PH, PL : upper/lower 32-bit data of P CH, CL : upper/lower 32-bit data of C Kr : r-th round 48-bit subkey Fr(Xr, Kr) : r-th round F-function output A[i] : i-th bit of A (A is any binary vector) A[I,j,...,k] : A[i]A[j]…A[k]

7 / 30

Principle of the attack We accept new linear approximate equations

Iinear approximate equations based on the best 14-round expression 2round ~ 15round linear approximate equations

P, C, and K2-15 Find round key of 1round, 16round Effects : reduce the number of required plaintexts

What is the linear approximate equation? Choose P[ia,ib,ic…] C[ja,jb,jc…] = K[ka,kb,kc…]

(probability(p) ≠ ½, randomly given P, C and fixed K)

Best equation is |p-½| is maximal !!

8 / 30

Principle of the attack (Cont’)

Two Best 14-round expressions PL[7,18,24] CH[7,18,24,29] CL[15]

= K2[22] K3[44] K4[22] K6[22] K7[44] K8[22] K10[22] K11[44] K12[22] K14[22]

CL[7,18,24] PH[7,18,24,29] PL[15]= K13[22] K12[44] K11[22] K9[22] K8[44] K7[22] K5[22] K4[44] K3[22] K1[22]

…probability : ½-1.19×2-21 (piling-up lemma)

9 / 30

Principle of the attack (Cont’)

Applying to F-functions from the 2nd to 15th round PH[7,18,24] F1(PL, K1)[7,18,24] CH[15]

CL[7,18,24,29] F16(CL ,K16)[15]= K3[22] K4[44] K5[22] K7[22] K8[44] K9[22] K11[22] K12[44] K13[22] K15[22]

CH[7,18,24] F16(CL ,K16)[7,18,24] PH[15] PL[7,18,24,29] F1(PL ,K1)[15] = K14[22] K13[44] K12[22] K10[22] K9[44] K8[22] K6[22] K5[44] K4[22] K2[22]

10 / 30

11 / 30

Principle of the attack (Cont’)

First, we solve these equations to derive some of the secret key bits

Consideration How much memory is required? How many secret key bits can be derived?

Effective text/key bits which affect the left side of each equations

12 / 30

Principle of the attack (Cont’)13 / 30

Principle of the attack (Cont’)

Each equation, we found 13 secret key bits 12 effective key bits + one bit of right side Using just 13 text bits (plaintext + ciphertext)

Total : 26 secret key bits Using 26 text bits

Substitution of incorrect key value for K1, K16.. P(the left side = 0) ≒ ½ So, we count #(left side=0) for each key

candidate

14 / 30

Principle of the attack (Cont’)

[ Algorithms for breaking 16-round DES ] Data Counting Phase of first equation

Prepare 213 counters TAa (0 ≤ a < 213) where a corresponds to each value on 13 effective text bits

For each plaintext and corresponding ciphertext, compute the value of effective text bits(=a) and count up the TAa by one.

15 / 30

Principle of the attack (Cont’)

Key Counting Phase of first equation Prepare 212 counters KAb (0 ≤ b < 213) where a

corresponds to each value on 12 effective key bits. For each b, KAb is the sum of TAa such that left side

of first equation (be uniquely determined by a, b) equal to zero.

Rearrange KAb in order of |KAb – N/2| and rename them KAcb (0 ≤ c < 212) Then, for each c.. If (KAcb – N/2) ≤ 0, guess that right side of equation is 0. If (KAcb – N/2) > 0, guess that right side of equation is 1.

Second equation can be solved in the same manner.

16 / 30

Principle of the attack (Cont’)

Total of 26 secret key bits (after the PC-1) K[0], K[1], K[3], K[4], K[8], K[9], K[14], K[15], K[18],

K[19], K[24], K[25], K[31], K[32], K[38], K[39], K[41], K[42], K[44], K[45], K[50], K[51], K[54], K[55], K[5] K[13] K[17] K[20] K[46], K[2] K[7] K[11] K[22] K[26] K[37] K[52]

Exhaustive Search Phase(Finding remaning 30 key bits) Let Wm (m=0,1,2…) be a series of candidates for

the 26 key bits arranged in order of their reliabiity For each Wm, search for the remaining key bits until

the correct value is found

17 / 30

Success Rate and Complexity DES reduced to 8 rounds

Left side of equation is essentially the same

Best 6-round expression

(6)

(7)

18 / 30

Success Rate and Complexity(cont’) Full 16 round DES to 8-round DES Equation of number of N random

plaintext, success rate

Depend on

19 / 30

Success Rate and Complexity(cont’) Full 16 round DES to 8-round DES Lemma 1.

Let N be the number of given random plaintexts and p be the probability that the following eq holds.

Assuming |p-1/2| is small

20 / 30

Success Rate and Complexity(cont’) Full 16 round DES to 8-round DES

8 round DES

16 round DES

21 / 30

Success Rate and Complexity(cont’) Full 16 round DES to 8-round DES Lemma 1. Success rate of our attack on 8-round DES

with N8 Same that on 16round DES with N16

plaintexts

equivalent to

22 / 30

Success Rate and Complexity(cont’) Computer experiments in Solving eq (6) 100,000 times to estimate (4)

23 / 30

Success Rate and Complexity(cont’)

24 / 30

The Computer Experiment First computer experiment in breaking

DES Implemented software only C and assembly languages 1000 lines 1Mbyte in running

25 / 30

The Computer Experiment(cont’)

26 / 30

The Computer Experiment(cont’)

27 / 30

Concluding Remarks Improvement of linear cryptanalysis Presented the first successful

experimentBreaking full 16-round DES

Remaining 30 Key bits – it also Possible Result fig.2, fig.3 – Simple function,

Formalized- New combination will give more effective

28 / 30

Nowdays. EFF made DES attack Hardware in 1998

Decode 56hours (56bit Key) 22hours in 1999

More than 128bit Keys Safe in present.

29 / 30

References National Bureau of Standards: Data Encryption Standard. (1977) Matsui, M.: Linear Cryptanalysis Method for DES cipher. Matsui M.:

On correlation between the order of S-boxes and the strength of DES.(1993)

Matsui, M.: On correlation between the order of S-boxes and the strength of DES.(1994)

Hellman, M., Merkle, R., Schroeppel, R., Washinton, L., Diffie, W., Pohlig, S., Schweizer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard. (1976)

Shamir, A: On the security of DES.(1985) Davies, D., Murphy, S.: Pairs and triplets of DES s-boxes.(preprint) Ruepple, R.A. ,: Analysis and design of stream ciphers. (1986) 김광조 : DES 의 선형 해독법에 관한 해설 (3) 한국정보보호학회 ,

정보보호학회지 通信情報保護學會誌 第 4 卷 第 1 號 , 1994. 3, pp. 30 ~ 43 (14pages)

30 / 30

Korex527 at gmail.comBetelgs at chol.com

Any Question?Any Question?