1 / 31

An Expansion Algorithm for Higher Order Differential cryptanalysis of Secret Key Ciphers

An Expansion Algorithm for Higher Order Differential cryptanalysis of Secret Key Ciphers. Manish Mohan ME(CS) ID-2005H103423. Introduction. A model attack on modified MISTY1 by two -round elimination attack as an expansion of higher order differential cryptanalysis.

cerise
Télécharger la présentation

An Expansion Algorithm for Higher Order Differential cryptanalysis of Secret Key Ciphers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Expansion Algorithm for Higher Order Differential cryptanalysis of Secret Key Ciphers Manish Mohan ME(CS) ID-2005H103423

  2. Introduction • A model attack on modified MISTY1 by two -round elimination attack as an expansion of higher order differential cryptanalysis. • Study about requirement of chosen plaintext , computational cost & no of round for attack by an expansion of higher order differential cryptanalysis.

  3. Basis • Cryptography techniques are the essential components of information security systems so it is important to have a precise awareness of the security characteristics of any cryptographic technique. • cryptographic technique are classified either as public –key or symmetric cipher depending on the type of key involved. • public –key cipher resolves security problem through the application of complex mathematical process .

  4. symmetric ciphers evaluate security in each function they use and then combine these functions .symmetric ciphers have also been subject to a remarkable evolution of attack methods.as a result studying attack methods against symmetric ciphers is critical in any assesment of security.

  5. Plaintext attack linear cryptanalysis & differential cryptanalysis. • security margin & assessment of security condition . • Misty1 ,FO (function specically)& FL(auxiliary function) . • GF(2)n –galios field , finite field of the form GF(P)n. • Attack equation .

  6. Higher order differential cryptanalysis. • Higher order differenentials let us consider f(x;k),which is a functionof GF(2)n * GF(2)n -> GF(2)n. y=f(x;k) (1) x (- GF(2)n, y (- GF(2)n, k (- GF(2)s ; With (a0,a1,a2,a3,………..an-1) a linearly independent set of vector in GF(2)n ;

  7. denoting the N-th differential of F(X;k) with respect to X as ▲(N)v[aoa1,a2,,,,an-1] we can calculate the following: ▲(N)v[a0.a1,,,an-1] F(x;k) = A€ v[a0,a1..an-1] Σ F(x+a;k); if deg x {F(X;K)}=d holds ,the following properties also hold . property 1: Degx{F(X;K)}=d -> ▲(d+1) F(X;K) =0 ▲(d) F(X;k) =const

  8. property 2: When F(X) is a function of GF (2)ns->GF(2)n and V[a0,a1,…..an-1]=GF(2)n holds. ▲(N) F(X;k) = ▲(N) F(X+f;k) holds for a constant,f.

  9. Attack equation • The output H(r)(X)from round (r-2) can be calculated as follows: H(r)(X)=F˜(X;K(1,2,..(r-2))) (4) here F˜(.) is a function of GF(2)n * GF(2) (1,2..(r-2))-> GF(2)n, & K (1,2..(r-2)) are the keys for 1to round(r-2). As H(r)(X)can be calculated from the plaintext. • On the other hand ,the ciphertexts can be used to calculate as follows,through estimation of key K (r) for the last round :

  10. H(r)(X) = F(cL(X);k(r))+cR(X), (5) If deg X{H(r)(X) }=d holds,the following equation holds: ▲(d) F(X;K(1,2,..(r-2))) =constant (6) With equation (4),(5)&(6),the following expression is derived: Σ F(cL(X+A);k(r))+cR(X+A)=const (7) A€ v[a0,a1..ad-1] If the value for “const” is determined,the solution Of this equation provides the value for k(r)).this equation is referred as as an attack equation.

  11. Attack algorithm • Single –round elimination attack (algebraic method) This cryptanalysis transforms an attack equation into a set of linear equation ,which drastically reduces the computational cost. Σ F(cL(X+A);k(r))+cR(X+A) = A€ v[a0,a1..ad-1] Σ {F(cL(X+A);k(r))}+ ΣcR(X+A) € v[a0,a1..ad-1] A€ v[a0,a1..ad-1]

  12. The first term is analyzed as follows: Σ F(cL(X+A);k(r)) = Σ F(cL(X+A);k(r)) + A€ v[a0,a1..ad-1] A € v[a0,a1 ..ad-1] \{0} F(cL(X);k(r)) As a result , the following new attack equation is obtained: Σ{▲ cR(X+A)(1) F(cL(X+A);k(r)) }+ Σ cR(X+A)=constant A € v[a0,a1 ..ad-1] \{0}A € v[a0,a1 ..ad-1] \{0}

  13. When the entire order of F (.) is d (>=1), this equation should be a (D-1)th order equation with respect to k(r). • k(r)€GF(2)sserve as the coefficient of x only for terms not greater than the (D-1)th orderof x. thus ,s unknown are consider to be known . • Algebraic method treat equation (above ) as a set of n linear simultaneous equation respect to k(r) .it appears that L new unknown are present ,where L=ΣD-1i=1 Ci

  14. As a set of N-th differentials produce n linear equations. Now at least L equations arerequired to solve equation (10),the number of N-th differentials required is M=ceiling function (L/N),which means that • No of chosen plain text required is M * 2N • Computational cost required to calculate of total process(key) is M * 2N * L

  15. Eventually , the following equation is obtained : k0 b0 k1 b1 - A - ks-1 k0k1 - - bL-1 Ks-2ks-1 - K0k1—ks-1

  16. Two-round elimination attack • The two-round elimination attack ,which solves the last two rounds together using a brute force search, means the algorithm uses a brute force search to derive an attack equation for the subkey in the last round and uses algebraic method for the last two rounds. • If k(r) is correctly estimated , k(r-1) can be obtained and the attack equation remains possible .however ,if k(r) is incorrectly estimated ,the attack equation becomes impossible and cannot be solved.

  17. Let us expand the attack equation as follows : [ A΄][k(r-1)]=[B] Here A΄ is an (L+m)*L coefficient matrix. • As solving the attack equation while estimating the sub-key k(r) of the last round at the same time. If rank (A΄)=L, the unknown k(r-1) can be determined solving this equation .Taking A΄i (o<=i<=L-1) a column vector of A΄ ,the attack equation can be rewrite as follows: A΄0k0 +A΄1k1+ A2΄k2+· · · · · · · +A΄L-1kL-1=B If this equation hold than B exist from A΄i.

  18. Let the probability p that this equation holds. there are 2L+m types of elements in the subspace by vector A΄0 ,A΄1,A΄2…,A΄L-1. on the other hand ,there are 2L types of elements for B. thus ,p can be calculated as follows: p=2L/2L+m=2-m • To remove false sub-keys, a set of linear equation is required with which 2s2-m<<1 holds. • As only the correct key satisfy all of the equations , the false values are removed by performing 2m extra calculation iterations. Thus M΄sets of N-th differentials are required , where M΄= ceiling function ((L+m)/n),

  19. The two-round elimination attack requires M΄ * 2N chosen plain text & M΄ * 2N+s * L calculation as M΄ * 2N F- function calculation are required .after having derived the attack equation ,L F- function calculations are performed to determine the coefficent matrix . thus ,the computational cost required to solve two round of sub –keys while estimating the sub-key for the last round at the same time corresponds to M΄ * 2N * L F- function calculation .In addition ,excess calculations are also required to remove the 2s,so that M΄ * 2N+s * L F- function calculation .

  20. MISTY, MISTY1 & Modified MISTY1 • MISTY mean • Types of MISTY • Why need of MISTY • Structure of MISTY • What mean of MISTY1 • What mean of modified MISTY1 • Way to implement MISTY1

  21. Effective selected chosen plaintext • The structure of MISTY1 enables division of the plain texts into eight sub block as shown in fig : p=(x7,x6,x5,x4,x3,x2,x1,x0) xi = GF(2)7,i=even GF(2)9,i=odd

  22. Number of chosen plaintext pairs and computational cost required in Attack using the seventh differentials: • Single –round elimination attack: The attack applies the algebraic method . the total no of unknowns is L=2 * (9+7+7c2) =74. As a set of seventh differentials derives seven linear equations, the number of seventh differentials is M=ceiling function (L/N )= ceiling function (74/7)=11. consequently, the number of chosen plaintexts required is M * 2N=11*27=1408 & number of F-function calculation M * 2N * L =11*27*74=217 these result show that the attacker can attack five round modified MISTY1 more efficiently than performing a brute force search for the key.

  23. Two round elimination attack • As application of the two round elimination attack using seventh differentials : s=75 m=91is set so 2s*2-m=275*2-91<<1 Thus ,the number of seventh differentials pairs required is M΄= ceiling function ((74+91)/7)=24

  24. Consequently, the number of chosen plaintexts required is M * 2N=24*27=212. and the number of f-function calculation required is M * 2N+s * L =11*27+75*74=293. • These result show that the attacker can attack six-round modified MISTY1more efficiently than performing brute force attack.

  25. Summary • This slide proposes a two –round elimination attack that combines algebraic method and brute force search as an expansion of higher order differential cryptanalysis. The requirement for the chosen plaintexts and the computational cost are shown and the effectiveness of the attack is confirmed with a model attack on modified MISTY1.

  26. The result of this study show that MISTY1 without FL functions can be attacked using higher order differentials. using a brute force search for the round -6 sub-keys and algebraic method for the round -5 sub-keys, 212 chosen plaintexts and 293 F- function calculation are required. Thus ,this attack is 230fold faster than the brute force search for a 128 bit secret key . In conclusion, we can say at the least that a block cipher with a feistel structure that uses the FO functions of MISTY1 is not secure against higher order differential cryptanalysis if not constructed with at least seven rounds .

  27. Questions.

More Related