Block Ciphers Tutorial (5)
© Eli Biham - May 3, 2005

A Known Plaintext Attack on 1-Round DES

After removing the permutations IP and FP we get:

[Figure: one round of DES, labelled L, R (input), 48-bit K = ?, F, and L, R (output).]

A Known Plaintext Attack on 1-Round DES (cont.)

We are given a pair (M, C) where M = (L, R) and C = (L, R) and we want to find the 48-bit key K. We know that: F (R, K) = L L

1. Why is the output of all S-boxes known?
2. Given the 4-bit output of S1, how many 6-bit combinations are possible as input to S1?
3. How many 6-bit combinations are possible as the 6-bit key which takes part in the creation of the input to S1?
4. How many 48-bit combinations are possible for K?

A Known Plaintext Attack on 2-Round DES

[Figure: two rounds of DES, labelled L, R (input), 48-bit K1, F, 48-bit K2, F, and L, R (output).]

A Known Plaintext Attack on 2-Round DES (cont.)

Thus, we have:

F (R, K 1 ) = L R
F (R, K 2 ) = L R

As in the attack on one round, the first expression reduces the number of possibilities for the 48 bits of K1 to $4^8 = 2^{16}$ (as only a fraction of 2 of the keys pass the test). The second expression reduces the number of possibilities for the 48 bits of K2 to $4^8 = 2^{16}$ as well.

The sets of possibilities for K1 and K2 intersect on 40 bits, as there are 40 key bits which are common to both round keys K1 and K2. Thus, we get that the average number of possible 56-bit keys is slightly above 1.
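The per-S-box count behind the $4^8 = 2^{16}$ figure can be checked directly on S1. The following is an added example, not part of the original slides: it uses the standard DES S1 table, and the expanded-input bits and key chunk passed to `simulate` are constructed sample values.

```python
# Added illustration (not from the slides): why a known S-box output leaves
# exactly 4 candidates for each 6-bit chunk of the round key.

# Standard DES S-box S1: 4 rows x 16 columns, each row a permutation of 0..15.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """Apply S1 to a 6-bit input: outer bits select the row, inner four the column."""
    row = ((x >> 5) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def preimages(y):
    """All 6-bit inputs that S1 maps to the 4-bit output y."""
    return [x for x in range(64) if s1(x) == y]

def key_chunk_candidates(e_bits, y):
    """Candidates for the 6 key bits entering S1.

    e_bits: the 6 bits of the expanded right half fed to S1 (known plaintext).
    y:      the observed 4-bit output of S1 (known, since the output of F is known).
    The S-box input is e_bits XOR key chunk, so each preimage gives one candidate.
    """
    return sorted(x ^ e_bits for x in preimages(y))

def simulate(true_chunk, e_bits):
    """Constructed experiment: hide a key chunk, observe S1's output, list candidates."""
    y = s1(e_bits ^ true_chunk)
    return key_chunk_candidates(e_bits, y)

if __name__ == "__main__":
    cands = simulate(true_chunk=0b101101, e_bits=0b011010)  # constructed values
    print("candidates for the S1 key chunk:", cands)
    print("candidates for all 8 S-boxes:", len(cands) ** 8)
```

Every 4-bit output has one preimage in each of the four rows, which is why the count is 4 regardless of the observed value.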

A Known Plaintext Attack on 4-Round DES

After 4 rounds there are still bits which are unaffected by some key bits. For example:

- Original key bit 46 is not used in round 1.
- It is used in round 2 (in K2) for the creation of the input to S5, thus it affects the 4 bits at the output of S5. These 4 bits become bits 8, 14, 25 and 3 after the permutation P.
- Key bit 46 is not used in round 3.
- Bits 8, 14, 25, 3 affect the output of S1, S2, S3, S4, S6, S7 in round 3, thus leaving the output bits of S5 and S8 unaffected by key bit 46.
- There are 8 bits in the left -bit output of round 3 unaffected by key bit 46.
- There are 8 bits in the right -bit output of round 4 unaffected by key bit 46 (but they are affected by the other key bits and by the plaintext).

A Known Plaintext Attack on 4-Round DES (cont.)

This property can be used for a known plaintext attack:

1. Fix key bit 46 to be zero.
2. For every key K1 with key bit 46 set to zero (there are $2^{55}$ such keys):
   (a) Encrypt the plaintext: C = $E_{K1}(P)$.
   (b) Compare the 8 bits which are unaffected by key bit 46 in C to the same 8 bits in the given ciphertext C.
   (c) If those bits are the same: denote K1 with the 46th bit set to one by K2.
       - If $E_{K1}(P)$ = C then K1 is probably the key.
       - If $E_{K2}(P)$ = C then K2 is probably the key.
       - If neither, continue to the next key.

A Known Plaintext Attack on 4-Round DES (cont.)

Analysis: We encrypt the plaintext with all $2^{55}$ possibilities for the key K1. $2^{47}$ keys on average agree with the ciphertext on the 8 bits. Therefore, we encrypt $2^{47}$ possible K2 values in order to find the original key. The resulting time complexity is $2^{55} + 2^{47}$ encryptions instead of $2^{56}$.

Remark: When using the complementation property with this attack we get $2^{54} + 2^{46}$ encryptions in the worst case, and $2^{53} + 2^{45}$ encryptions in the average case.

A Known Plaintext Attack On 5-Round DES

Key bit 52 can also be used for an attack on 4 rounds:

- Original key bit 52 is not used in round 1.
- It is used in round 2 (in K2) for the creation of the input to S1, thus it affects the 4 bits at the output of S1. These 4 bits become bits 9, 17, 23 and 31 after the permutation P.
- Key bit 52 is not used in round 3.
- Bits 9, 17, 23, 31 affect the output of S2, S3, S4, S5, S6, S8 in round 3, thus leaving the output bits of S1 and S7 unaffected by key bit 52.
- There are 8 bits in the left bit output of round 3 unaffected by key bit 52.
- There are 8 bits in the right bit output of round 4 unaffected by key bit 52.
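The bit tracing in the two walk-throughs above (key bit 46 through S5, key bit 52 through S1) can be reproduced from the standard DES tables P and E. This is an added example, not part of the original slides; it takes from the slides which S-box each key bit enters in round 2 and does not model the key schedule.

```python
# Added illustration (not from the slides): follow one S-box's output through
# P and the next round's expansion E to see which S-boxes stay unaffected.

# Standard DES permutation P: output bit i (1-based) takes input bit P[i-1].
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]

def e_inputs(sbox):
    """Bits (1..32) of the 32-bit half that expansion E routes into S-box 1..8."""
    start = 4 * (sbox - 1)  # E feeds bits start..start+5, wrapping 32 -> 1
    return [(start + k - 1) % 32 + 1 for k in range(6)]

def after_p(sbox):
    """Positions (1..32) where the 4 output bits of an S-box land after P."""
    outs = range(4 * (sbox - 1) + 1, 4 * sbox + 1)
    return [P.index(b) + 1 for b in outs]

def next_round_sboxes(bits):
    """S-boxes of the next round whose 6-bit input contains any of the given bits."""
    return sorted(s for s in range(1, 9) if set(e_inputs(s)) & set(bits))

def trace(sbox):
    """Trace a key bit that enters `sbox` in round 2 and is unused in round 3.

    Returns (bits touched after P in round 2, S-boxes affected in round 3,
             S-boxes unaffected in round 3, their 8 output positions after P).
    """
    touched = after_p(sbox)
    hit = next_round_sboxes(touched)
    clean = [s for s in range(1, 9) if s not in hit]
    clean_bits = sorted(b for s in clean for b in after_p(s))
    return touched, hit, clean, clean_bits

if __name__ == "__main__":
    # S-box numbers are the ones the slides give for each key bit.
    for key_bit, sbox in ((46, 5), (52, 1)):
        touched, hit, clean, clean_bits = trace(sbox)
        print(f"key bit {key_bit}: after P -> {touched}; round 3 hits {hit}; "
              f"unaffected S-boxes {clean}, bits {clean_bits}")
```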

A Known Plaintext Attack On 5-Round DES (cont.)

Key bit 52 has another property: it is not used in the 5th round.

A Known Plaintext Attack On 5-Round DES (cont.)

Thus, we can use it for the following known plaintext attack:

1. Fix key bit 52 to be zero.
2. For every key K1 with key bit 52 set to zero (there are $2^{55}$ such keys):
   (a) Encrypt the plaintext up to round 4: $E^4_{K1}(P)$.
   (b) Decrypt the ciphertext one round: $D^1_{K1}(C)$.
   (c) Compare the 8 bits which are unaffected by key bit 52 in $E^4_{K1}(P)$ to the same 8 bits in $D^1_{K1}(C)$.
   (d) If those bits are the same: denote K1 with the 52nd bit set to one by K2.
       - If $E_{K1}(P)$ = C then K1 is probably the key.
       - If $E_{K2}(P)$ = C then K2 is probably the key.

A Known Plaintext Attack On 5-Round DES (cont.)

Analysis: We encrypt the plaintext with all $2^{55}$ possibilities for the key K1 with key bit 52 set to zero. We are left with $2^{47}$ keys on average. We also encrypt these $2^{47}$ possible K2 in order to find the original key. Thus, we perform $2^{55} + 2^{47}$ encryptions instead of $2^{56}$.

Remark: As in the attack on 4 rounds, when using the complementation property we get $2^{54} + 2^{46}$ encryptions in the worst case, and $2^{53} + 2^{45}$ encryptions in the average case.