7/30/2019 How to Launch a Birthday Attack Against DES
How to Launch A Birthday Attack
Against DES
Zhengjun Cao
Computer Sciences Department,
Universite Libre de Bruxelles, Belgium.
Outline
Introduction
Description of DES
Basic idea
Description of the birthday attack against DES
Complexity
Conclusion
References
Introduction
The DES is a cipher selected as an official FIPS for the US in 1976.
Other theoretical attacks are possible, but they require an unrealistic amount of known or chosen plaintext to carry out.
Differential cryptanalysis requires $2^{47}$ chosen plaintexts
Linear cryptanalysis needs $2^{41}$ known plaintexts
Davies attack requires $2^{50}$ known plaintexts, has a computational complexity of $2^{50}$, and has a 51% success rate.
Introduction
Birthday attack: given a function $f$, the goal of the attack is to find two inputs $x_1$, $x_2$ such that $f(x_1) = f(x_2)$
Function $f(x)$ yields any of $H$ different outputs with equal probability and $H$ is sufficiently large
A pair of different arguments $x_1$ and $x_2$ with $f(x_1) = f(x_2)$ is expected after evaluating the function for about $1.25\sqrt{H}$ different arguments on average
Description of DES
Important components
Inner function $f$
Computation path
S-box
Key schedule
Process of calculating $f$ consists of 4 steps
1. E expansion
2. XOR with a subkey
3. S-box transformation
4. P permutation
Description of DES
DES processes plaintext blocks of $n = 64$ bits, producing 64-bit ciphertext blocks. The effective size of the secret key is $K = 56$ bits.
The input key $K$ is specified as a 64-bit key, 8 bits of which (bits 8, 16, ..., 64) may be used as parity bits.
Description of DES
Computation path
Description of DES
Inner function f
Description of DES
Expansion permutation (E): 32 bits -> 48 bits
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Description of DES
[Figure: Key schedule of DES, with left rotation of the two 28-bit halves]
Description of DES
S-box for DES
Description of DES
Initial & final permutations IP and $IP^{-1}$
IP
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
$IP^{-1}$
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Basic idea
By the last round in DES, we have
$R_{16} = L_{15} \oplus f(R_{15}, K_{16}), \quad L_{16} = R_{15}$
Hence
$f(L_{16}, K_{16}) = R_{16} \oplus L_{15}$
Note that both $K_{16}$, $L_{15}$ are not accessible
Collision assumption
Suppose that there is a pair of ciphertexts $(c, c')$ generated by the same key and satisfying
$R_{16} = R'_{16}, \quad L_{16} \neq L'_{16}, \quad L_{15} = L'_{15}$
By the collision-assumption, we have
$f(L'_{16}, K_{16}) = f(L_{16}, K_{16})$    (1)
Basic idea
Denote $E(L_{16})$ by $EL_{16}$, where $E$ is the expansion transformation in function $f$
Express $EL_{16}, K_{16}$ as
$EL_{16} = EL_{16}[1] \| EL_{16}[2] \| EL_{16}[3] \| EL_{16}[4] \| EL_{16}[5] \| EL_{16}[6] \| EL_{16}[7] \| EL_{16}[8]$
$K_{16} = K_{16}[1] \| K_{16}[2] \| K_{16}[3] \| K_{16}[4] \| K_{16}[5] \| K_{16}[6] \| K_{16}[7] \| K_{16}[8]$
Each $EL_{16}[j], K_{16}[j]$, $j = 1, ..., 8$, is of length 6 bits; $\|$ denotes the concatenation of the two strings
Basic idea
Thus for each S-box $S[j]$, $j = 1, ..., 8$, the input of $S[j]$ is
$EL_{16}[j] \oplus K_{16}[j]$
By the structure of $f$ and Eq. (1), we have
$S[j](EL_{16}[j] \oplus K_{16}[j]) = S[j](EL'_{16}[j] \oplus K_{16}[j])$
Basic idea
Collision for $S[j]$-box
$EL_{16}[j] \neq EL'_{16}[j]$: $2^2$ possible
$EL_{16}[j] = EL'_{16}[j]$: $2^6$ possible
Description of the birthday attack
against DES
1. Collecting proper ciphertexts
2. Computing the candidates for each $K_{16}[j]$, $j = 1, ..., 8$
3. Local checking
4. Determining the candidates for $K_{16}$
5. Determining the candidates for $K$
6. Distinguishing K from the candidates
7. Outputting $K$
Description of the birthday attack
against DES
1. Collecting proper ciphertexts
Choose ciphertexts (64-bit) generated by the same key K. Collect the ciphertexts with the same $R_{16}$ and denote the set by $C_{R_{16},K}$
Denote $E(L_{16})$ by $EL_{16}$, where $E$ is the expansion transformation in function $f$
Express $EL_{16}$ as
$EL_{16} = EL_{16}[1] \| EL_{16}[2] \| EL_{16}[3] \| EL_{16}[4] \| EL_{16}[5] \| EL_{16}[6] \| EL_{16}[7] \| EL_{16}[8]$
Description of the birthday attack
against DES
2. Computing the candidates for each $K_{16}[j]$, $j = 1, ..., 8$
Randomly pick two ciphertexts $c, c' \in C_{R_{16},K}$.
Integrate each string $a$ of 6-bit with $EL_{16}[j], EL'_{16}[j]$
Determine the candidates for $K_{16}[j]$ by checking
$S[j](EL_{16}[j] \oplus a) \stackrel{?}{=} S[j](EL'_{16}[j] \oplus a)$
Description of the birthday attack
against DES
3. Local checking
If there does not exist any candidate for some $K_{16}[i]$, $i \in \{1, ..., 8\}$, then go to step 2.
Description of the birthday attack
against DES
4. Determining the candidates for $K_{16}$
Derive the candidates for $K_{16}$ from the candidates for $K_{16}[1], ..., K_{16}[8]$
Description of the birthday attack
against DES
5. Determining the candidates for $K$
Derive the candidates for $K$ from $K_{16}$ by the key schedule of DES
Description of the birthday attack
against DES
6. Distinguishing K from the candidates
Given a plaintext and its corresponding
ciphertext, the key (or its equivalent) can
be distinguished from its candidates by
evaluations.
Description of the birthday attack
against DES
7. Outputting $K$
If the key cannot be derived from the pair $(c, c')$, go to step 2. Otherwise, output the key.
Remark: In the above attack, we aim at finding a collision $(L_{15}, L'_{15})$, which is achieved by evaluating possible values for $K_{16}[j]$, $j = 1, ..., 8$.
This is the reason for calling it a birthday attack.
Complexity
On the complexity of evaluations
To derive the candidates for $K_{16}[j]$, $j = 1, ..., 8$,
we should evaluate all 6-bit values, which are integrated with $EL_{16}[j], EL'_{16}[j]$ separately.
But all $2^6 \times 8$ evaluations can be run in parallel and be separately restricted in eight boxes. In this case, the time for one evaluation is less than that for an evaluation using one round in DES.
Complexity
On the amount of rounds
The birthday attack against DES does not
relate to the amount of rounds.
It is entirely based on the inner function $f$ and the key schedule in DES
This is a peculiar property of the birthday attack.
Complexity
On the amount of ciphertexts
By $L_{15} = R_{16} \oplus f(L_{16}, K_{16})$ and the definition of $C_{R_{16},K}$, we define
$P_{R_{16},K}: L_{16} \to L_{15}$
To find a collision for it, i.e.,
$P_{R_{16},K}(L_{16}) = L_{15} = L'_{15} = P_{R_{16},K}(L'_{16})$
about $2^{16}$ arguments should be evaluated, that is $D \approx 2^{16}$, where $D$ is the cardinal number of $C_{R_{16},K}$, because each ciphertext is of only 64-bit.
Complexity
On the amount of candidates for K in
each iteration
Define the block-distance between $c, c' \in C_{R_{16},K}$ as
$d = \#\{j : EL_{16}[j] \neq EL'_{16}[j]\}$
Best case: block-distance is the max, 8
Worst case: block-distance is the min, 1
On average, a $K_{16}$ leads to candidates for $K$. We conjecture the amount of candidates for $K$ in each iteration is
6
7
182
Complexity
On the amount of iterations
In the worst case it is $D(D-1)/2$; the average amount of iterations is $2^{30}$.
Hence, the birthday attack should evaluate $2^{48}$ candidates for $K$.
Complexity
On the amount of plaintexts
In the proposed attack, we need a
plaintext and the corresponding ciphertext
to distinguish the key (or its equivalents)
from its candidates.
Note that the resulting amount of the key or its equivalents will decrease sharply as the number of plaintexts increases.
Conclusion
We believe the simple derivation of candidates for $K$ from $K_{16}$ and the relationship $L_{i+1} = R_i$ can be a serious problem in DES. It is due to historical considerations instead of a contrived process.