CS548 Advanced Information Security
Paper Presentation #1: Improved version of LC in attacking DES
20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho

Upload: dian

Post on 19-Mar-2016


Contents
  Introduction
  Before the paper…
  Notations
  Principle of the attack
  Success Rate and Complexity
  The Computer Experiment
  Concluding Remarks

Paper Introduction
  Linear Cryptanalysis
    Using two linear approximate equations
    Known Plaintext attack (KPA)
  M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. LNCS 839, 1994, pp. 1-11. CRYPTO '94.

Paper Introduction (Cont’)
  Using 12 computers to run the attack experimentally (HP9735/PA-RISC 99MHz)
  Program written in C and assembly languages to generate plaintexts and ciphertexts
  Goal: finding the 56-bit secret key
  Elapsed time: 50 days
    Generating plaintexts and ciphertexts: 40 days
    Searching for the key: only 10 days

Before the paper…
  Hellman
    Linearity between input and output of S-box
  Shamir & Rueppel
    Some S-boxes have a linear approximate relation between input and output bits.
  M. Matsui
    Derived linear approximate equations which consist of P, C, and K bits
    Easier than exhaustive search if 2^47 known plaintexts are available

Before the paper… (Cont’)
  M. Matsui
    Improved version of LC in breaking 16-round DES
    New linear approximate equations: reducing the number of required plaintexts
    Candidate keys in order of reliability: increasing the success rate of the attack

Notations
  P : plaintext; 64-bit data after the IP
  C : ciphertext; 64-bit data before the IP^-1
  K : secret key; 56-bit data after the PC-1
  P_H, P_L : upper/lower 32-bit data of P
  C_H, C_L : upper/lower 32-bit data of C
  K_r : r-th round 48-bit subkey
  F_r(X_r, K_r) : r-th round F-function output
  A[i] : i-th bit of A (A is any binary vector)
  A[i,j,...,k] : A[i] ⊕ A[j] ⊕ … ⊕ A[k]

Principle of the attack
  We adopt new linear approximate equations
    Linear approximate equations based on the best 14-round expression
    Linear approximate equations covering round 2 to round 15, in terms of P, C, and K_2 to K_15
    Find the round keys of round 1 and round 16
    Effect: reduces the number of required plaintexts
  What is a linear approximate equation?
    Choose P[i_a,i_b,i_c,…] ⊕ C[j_a,j_b,j_c,…] = K[k_a,k_b,k_c,…]
    (holds with probability p ≠ ½, for randomly given P, C and fixed K)
    The best equation is the one for which |p - ½| is maximal

Principle of the attack (Cont’)
  Two best 14-round expressions
    P_L[7,18,24] ⊕ C_H[7,18,24,29] ⊕ C_L[15]
      = K_2[22] ⊕ K_3[44] ⊕ K_4[22] ⊕ K_6[22] ⊕ K_7[44] ⊕ K_8[22] ⊕ K_10[22] ⊕ K_11[44] ⊕ K_12[22] ⊕ K_14[22]
    C_L[7,18,24] ⊕ P_H[7,18,24,29] ⊕ P_L[15]
      = K_13[22] ⊕ K_12[44] ⊕ K_11[22] ⊕ K_9[22] ⊕ K_8[44] ⊕ K_7[22] ⊕ K_5[22] ⊕ K_4[44] ⊕ K_3[22] ⊕ K_1[22]
  …probability: ½ - 1.19×2^-21 (piling-up lemma)

Principle of the attack (Cont’)
  Applying these to the F-functions from the 2nd to the 15th round
    P_H[7,18,24] ⊕ F_1(P_L, K_1)[7,18,24] ⊕ C_H[15] ⊕ C_L[7,18,24,29] ⊕ F_16(C_L, K_16)[15]
      = K_3[22] ⊕ K_4[44] ⊕ K_5[22] ⊕ K_7[22] ⊕ K_8[44] ⊕ K_9[22] ⊕ K_11[22] ⊕ K_12[44] ⊕ K_13[22] ⊕ K_15[22]
    C_H[7,18,24] ⊕ F_16(C_L, K_16)[7,18,24] ⊕ P_H[15] ⊕ P_L[7,18,24,29] ⊕ F_1(P_L, K_1)[15]
      = K_14[22] ⊕ K_13[44] ⊕ K_12[22] ⊕ K_10[22] ⊕ K_9[44] ⊕ K_8[22] ⊕ K_6[22] ⊕ K_5[44] ⊕ K_4[22] ⊕ K_2[22]

Principle of the attack (Cont’)
  First, we solve these equations to derive some of the secret key bits
  Considerations
    How much memory is required?
    How many secret key bits can be derived?
  Effective text/key bits: those which affect the left side of each equation

Principle of the attack (Cont’)
  From each equation we find 13 secret key bits
    12 effective key bits + one bit of the right side
    Using just 13 text bits (plaintext + ciphertext)
  Total: 26 secret key bits
    Using 26 text bits
  Substituting an incorrect key value for K_1, K_16
    P(left side = 0) ≒ ½
    So we count #(left side = 0) for each key candidate

Principle of the attack (Cont’)
  [ Algorithms for breaking 16-round DES ]
  Data Counting Phase of the first equation
    Prepare 2^13 counters TA_a (0 ≤ a < 2^13), where a corresponds to each value of the 13 effective text bits.
    For each plaintext and corresponding ciphertext, compute the value of the effective text bits (= a) and count up TA_a by one.

Principle of the attack (Cont’)
  Key Counting Phase of the first equation
    Prepare 2^12 counters KA_b (0 ≤ b < 2^12), where b corresponds to each value of the 12 effective key bits.
    For each b, KA_b is the sum of the TA_a such that the left side of the first equation (uniquely determined by a and b) equals zero.
    Rearrange the KA_b in order of |KA_b - N/2| and rename them KA_{b_c} (0 ≤ c < 2^12). Then, for each c:
      If (KA_{b_c} - N/2) ≤ 0, guess that the right side of the equation is 0.
      If (KA_{b_c} - N/2) > 0, guess that the right side of the equation is 1.
  The second equation can be solved in the same manner.
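
The data counting and key counting phases above, run end to end on a toy cipher. This is an added example, not code from the presentation or from Matsui's paper. The 4-bit cipher, its S-box, the masks and the sample key are constructed for illustration; 5 effective text bits and 4 effective key bits stand in for the 13 and 12 of the DES equation.

```python
# Added illustration: toy 4-bit cipher C = S[S[P ^ k0] ^ k1] ^ k2 (constructed, not DES).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SINV = [SBOX.index(y) for y in range(16)]
# Equation: P[a] ^ W[b] = K0[a] ^ K1[b], where W is the input of the last S-box.
# For this S-box it holds for 2 of the 16 plaintexts, so p < 1/2 as in the slides.
A_MASK, B_MASK = 0x3, 0x9

def parity(v):
    return bin(v).count("1") & 1

def encrypt(p, key):
    k0, k1, k2 = key
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2

def left_side(a, b):
    """Left side for text index a (P[a] bit, 4 ciphertext bits) and k2 guess b."""
    p_bit, c = a >> 4, a & 0xF
    return p_bit ^ parity(B_MASK & SINV[c ^ b])   # peel the last round with guess b

def data_counting(pairs):
    """Phase 1: single pass over the texts into 2^5 counters TA[a]."""
    ta = [0] * 32
    for p, c in pairs:
        ta[(parity(A_MASK & p) << 4) | c] += 1
    return ta

def key_counting(ta):
    """Phase 2: KA[b] = sum of TA[a] whose left side is 0; the texts are not re-read."""
    return [sum(t for a, t in enumerate(ta) if left_side(a, b) == 0)
            for b in range(16)]

def rank_candidates(ka, n):
    """Sort guesses by |KA[b] - N/2|; right side is 0 if KA[b] - N/2 <= 0, else 1."""
    order = sorted(range(16), key=lambda b: -abs(ka[b] - n / 2))
    return [(b, 0 if ka[b] - n / 2 <= 0 else 1) for b in order]

def attack(pairs):
    ka = key_counting(data_counting(pairs))
    return ka, rank_candidates(ka, len(pairs))

if __name__ == "__main__":
    key = (0xC, 0x3, 0x5)                                 # constructed sample key
    pairs = [(p, encrypt(p, key)) for p in range(16)]     # all 16 known plaintexts
    ka, ranked = attack(pairs)
    print("KA counters:", ka)
    print("most reliable (k2 guess, right-side bit):", ranked[0])
    print("true values:", (key[2], parity(A_MASK & key[0]) ^ parity(B_MASK & key[1])))
```

With the full 16-text codebook the correct guess k2 = 5 gets KA = 14, a deviation of 6 from N/2 = 8, while every wrong guess deviates by at most 4. Phase 2 works only on the counters, so its cost does not grow with the number of texts.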


Principle of the attack (Cont’)
  Total of 26 secret key bits (after the PC-1)
    K[0], K[1], K[3], K[4], K[8], K[9], K[14], K[15], K[18], K[19], K[24], K[25], K[31], K[32], K[38], K[39], K[41], K[42], K[44], K[45], K[50], K[51], K[54], K[55],
    K[5] ⊕ K[13] ⊕ K[17] ⊕ K[20] ⊕ K[46],
    K[2] ⊕ K[7] ⊕ K[11] ⊕ K[22] ⊕ K[26] ⊕ K[37] ⊕ K[52]
  Exhaustive Search Phase (finding the remaining 30 key bits)
    Let W_m (m = 0, 1, 2, …) be a series of candidates for the 26 key bits, arranged in order of their reliability.
    For each W_m, search for the remaining key bits until the correct value is found.

Success Rate and Complexity
  DES reduced to 8 rounds
    Left side of the equation is essentially the same
    Best 6-round expression

(6)

(7)


Success Rate and Complexity (cont’)
  Full 16-round DES to 8-round DES
    Equation for the number N of random plaintexts and the success rate

Depend on


Success Rate and Complexity (cont’)
  Full 16-round DES to 8-round DES
  Lemma 1.
    Let N be the number of given random plaintexts and p be the probability that the following equation holds.
    Assuming |p - 1/2| is small

Success Rate and Complexity (cont’)
  Full 16-round DES to 8-round DES
    8-round DES
    16-round DES

Success Rate and Complexity (cont’)
  Full 16-round DES to 8-round DES
  Lemma 1.
    The success rate of our attack on 8-round DES with N_8 plaintexts is the same as that on 16-round DES with N_16 plaintexts
    equivalent to

Success Rate and Complexity (cont’)
  Computer experiments: solving eq. (6) 100,000 times to estimate (4)

The Computer Experiment
  First computer experiment in breaking DES
  Implemented in software only
    C and assembly languages
    1000 lines
    1 Mbyte when running

Concluding Remarks
  Improvement of linear cryptanalysis
  Presented the first successful experiment: breaking full 16-round DES
  Remaining 30 key bits: also possible
  Results in fig. 2 and fig. 3: simple function, formalized
  New combinations will give more effective

Nowadays
  EFF built DES attack hardware in 1998
    Decoded in 56 hours (56-bit key)
    22 hours in 1999
  Keys of more than 128 bits are safe at present.

References
  National Bureau of Standards: Data Encryption Standard. (1977)
  Matsui, M.: Linear Cryptanalysis Method for DES cipher.
  Matsui, M.: On correlation between the order of S-boxes and the strength of DES. (1993)
  Matsui, M.: On correlation between the order of S-boxes and the strength of DES. (1994)
  Hellman, M., Merkle, R., Schroeppel, R., Washington, L., Diffie, W., Pohlig, S., Schweitzer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard. (1976)
  Shamir, A.: On the security of DES. (1985)
  Davies, D., Murphy, S.: Pairs and triplets of DES S-boxes. (preprint)
  Rueppel, R.A.: Analysis and design of stream ciphers. (1986)
  Kim, Kwangjo (김광조): A commentary on the linear cryptanalysis of DES (3) [DES 의 선형 해독법에 관한 해설 (3)]. Korea Institute of Information Security and Cryptology (한국정보보호학회), 정보보호학회지 (通信情報保護學會誌), Vol. 4, No. 1, March 1994, pp. 30-43 (14 pages)

Any Question?
  Korex527 at gmail.com
  Betelgs at chol.com