1 / 31

CS548_ ADVANCED INFORMATION SECURITY

Paper Presentation #1 Improved version of LC in attacking DES. CS548_ ADVANCED INFORMATION SECURITY. 20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho. Contents. Introduction Before the paper… Notations Principle of the attack Success Rate and Complexity The Computer Experiment

estherz
Télécharger la présentation

CS548_ ADVANCED INFORMATION SECURITY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Paper Presentation #1 Improved version of LC in attacking DES CS548_ADVANCED INFORMATION SECURITY 20103272 Jong Heon, Park / 20103616 Hyun Woo, Cho

  2. Contents • Introduction • Before the paper… • Notations • Principle ofthe attack • Success Rate and Complexity • The Computer Experiment • Concluding Remarks

  3. Paper Introduction • Linear Cryptanalysis • Using two linear approximate equations • Known Plaintext attack (KPA) • M. MATSUI. The first experimental cryptanalysis of the data encryption standard. LNCS, 839, 1994, 1-11. CYRPTO '94. 

  4. Paper Introduction (Cont’) • Using 12 computer to experiment the attack(HP9735/PA-RISC 99MHz) • Program described in C & assembly languagesto generate plaintexts and ciphertexts • Goal : Finding 56-bit Secret Key • Elapsed Time : 50 days • Generating plaintexts and ciphertexts : 40 days • Searching key : only 10 days

  5. Before the paper… • Hellman • Linearity between input and output of S-box • Shamir & Rueppel • Some S-boxes has linear approximate relation between input and output bits. • M. Matsui • Derive linear approximate equations which consist of P, C, and K bits • Easier search if 247 known plaintext are available than Exhaustive search

  6. Before the paper… (Cont’) • M. Matsui • Improved version of LC in breaking 16-round DES • New linear approximate equations: • Reducing the number of required plaintexts • Candidate key in order of reliability : • Increasing the success rate of attack

  7. Notations • P : plaintext; 64-bit data after the IP • C : ciphertext; 64-bit data before the IP-1 • K : secret key; 56-bit data after the PC-1 • PH, PL : upper/lower 32-bit data of P • CH, CL : upper/lower 32-bit data of C • Kr : r-th round 48-bit subkey • Fr(Xr, Kr) : r-th round F-function output • A[i] : i-th bit of A (A is any binary vector) • A[I,j,...,k] : A[i]A[j]…A[k]

  8. Principle of the attack • We accept new linear approximate equations • Iinear approximate equations based on the best 14-round expression • 2round ~ 15round linear approximate equations • P, C, and K2-15 • Find round key of 1round, 16round • Effects : reduce the number of required plaintexts • What is the linear approximate equation? • Choose P[ia,ib,ic…]  C[ja,jb,jc…] = K[ka,kb,kc…] (probability(p) ≠ ½, randomly given P, C and fixed K) • Best equation is |p-½| is maximal !!

  9. Principle of the attack(Cont’) Two Best 14-round expressions • PL[7,18,24]  CH[7,18,24,29]  CL[15]= K2[22]  K3[44]  K4[22]  K6[22]  K7[44]  K8[22]  K10[22]  K11[44]  K12[22]  K14[22] • CL[7,18,24]  PH[7,18,24,29]  PL[15]= K13[22]  K12[44]  K11[22]  K9[22]  K8[44]  K7[22]  K5[22]  K4[44]  K3[22]  K1[22] …probability : ½-1.19×2-21 (piling-up lemma)

  10. Principle of the attack(Cont’) Applying to F-functions from the 2nd to 15th round • PH[7,18,24]  F1(PL, K1)[7,18,24]  CH[15]  CL[7,18,24,29]  F16(CL ,K16)[15]= K3[22]  K4[44]  K5[22]  K7[22]  K8[44]  K9[22]  K11[22]  K12[44]  K13[22]  K15[22] • CH[7,18,24]  F16(CL ,K16)[7,18,24]  PH[15]  PL[7,18,24,29]  F1(PL ,K1)[15] = K14[22]  K13[44]  K12[22] K10[22]  K9[44]  K8[22]  K6[22]  K5[44]  K4[22]  K2[22]

  11. Principle of the attack(Cont’) • First, we solve these equations to derive some of the secret key bits • Consideration • How much memory is required? • How many secret key bits can be derived? • Effective text/key bits • which affect the left side of each equations

  12. Principle of the attack(Cont’)

  13. Principle of the attack(Cont’) • Each equation, we found 13 secret key bits • 12 effective key bits + one bit of right side • Using just 13 text bits (plaintext + ciphertext) • Total : 26 secret key bits • Using 26 text bits • Substitution of incorrect key value for K1, K16.. • P(the left side = 0) ≒ ½ • So, we count #(left side=0) for each key candidate

  14. Principle of the attack(Cont’) [ Algorithms for breaking 16-round DES ] • Data Counting Phase of first equation • Prepare 213 counters TAa (0 ≤ a < 213) where a corresponds to each value on 13 effective text bits • For each plaintext and corresponding ciphertext, compute the value of effective text bits(=a) and count up the TAa by one.

  15. Principle of the attack(Cont’) • Key Counting Phase of first equation • Prepare 212 counters KAb (0 ≤ b < 213) where a corresponds to each value on 12 effective key bits. • For each b, KAb is the sum of TAa such that left side of first equation (be uniquely determined by a, b) equal to zero. • Rearrange KAb in order of |KAb – N/2| and rename them KAcb (0 ≤ c < 212) Then, for each c.. • If (KAcb – N/2) ≤ 0, guess that right side of equation is 0. • If (KAcb – N/2) >0, guess that right side of equation is 1. • Second equation can be solved in the same manner.

  16. Principle of the attack(Cont’) • Total of 26 secret key bits (after the PC-1) • K[0], K[1], K[3], K[4], K[8], K[9], K[14], K[15], K[18], K[19], K[24], K[25], K[31], K[32], K[38], K[39], K[41], K[42], K[44], K[45], K[50], K[51], K[54], K[55], K[5]  K[13]  K[17]  K[20]  K[46], K[2]  K[7]  K[11]  K[22]  K[26]  K[37]  K[52] • Exhaustive Search Phase(Finding remaning 30 key bits) • Let Wm (m=0,1,2…) be a series of candidates for the 26 key bits arranged in order of their reliabiity • For each Wm, search for the remaining key bits until the correct value is found

  17. Success Rate and Complexity • DES reduced to 8 rounds • Left side of equation is essentially the same • Best 6-round expression (6) (7)

  18. Success Rate and Complexity(cont’) • Full 16 round DES to 8-round DES • Equation of number of N random plaintext, success rate • Depend on

  19. Success Rate and Complexity(cont’) • Full 16 round DES to 8-round DES • Lemma 1. • Let N be the number of given random plaintexts and p be the probability that the following eq holds. • Assuming |p-1/2| is small

  20. Success Rate and Complexity(cont’) • Full 16 round DES to 8-round DES 8 round DES 16 round DES

  21. Success Rate and Complexity(cont’) • Full 16 round DES to 8-round DES • Lemma 1. • Success rate of our attack on 8-round DES with N8 • Same that on 16round DES with N16 plaintexts • equivalent to

  22. Success Rate and Complexity(cont’) • Computer experiments in Solving eq (6) • 100,000 times to estimate (4)

  23. Success Rate and Complexity(cont’)

  24. The Computer Experiment • First computer experiment in breaking DES • Implemented software only • C and assembly languages 1000 lines • 1Mbyte in running

  25. The Computer Experiment(cont’)

  26. The Computer Experiment(cont’)

  27. Concluding Remarks • Improvement of linear cryptanalysis • Presented the first successful experimentBreaking full 16-round DES • Remaining 30 Key bits – it also Possible • Result fig.2, fig.3 – Simple function, Formalized - New combination will give more effective

  28. Nowdays. • EFF made DES attack Hardware in 1998 • Decode 56hours (56bit Key) • 22hours in 1999 • More than 128bit Keys Safe in present.

  29. References • National Bureau of Standards: Data Encryption Standard. (1977) • Matsui, M.: Linear Cryptanalysis Method for DES cipher. Matsui M.: On correlation between the order of S-boxes and the strength of DES.(1993) • Matsui, M.: On correlation between the order of S-boxes and the strength of DES.(1994) • Hellman, M., Merkle, R., Schroeppel, R., Washinton, L., Diffie, W., Pohlig, S., Schweizer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard. (1976) • Shamir, A: On the security of DES.(1985) • Davies, D., Murphy, S.: Pairs and triplets of DES s-boxes.(preprint) • Ruepple, R.A. ,: Analysis and design of stream ciphers. (1986) • 김광조 : DES의선형 해독법에 관한 해설(3) 한국정보보호학회, 정보보호학회지 通信情報保護學會誌 第4卷 第1號, 1994. 3, pp. 30 ~ 43 (14pages)

  30. Any Question? Korex527 at gmail.com Betelgs at chol.com

More Related