Related-Mode Attacks on CTR Encryption Mode


International Journal of Network Security, Vol.4, No.3, PP.282-287, May 2007

Dayin Wang, Dongdai Lin, and Wenling Wu (Corresponding author: Dayin Wang)
Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, China. (Email: {wdy, ddlin, wwl}@is.iscas.ac.cn)
(Received Dec. 9, 2005; revised and accepted Jan. 3, 2006)

Abstract

In this paper, we discuss using CTR mode, another standard encryption mode, to attack other standard encryption modes, and using other standard encryption modes to attack CTR mode, under the related-mode attack model. In particular, we point out that when the adversary has access to an oracle under one proper mode, then almost all other related-cipher modes, whether they are encryption modes, authentication modes or authenticated encryption modes, can be attacked with ease under the related-mode attack model.

Keywords: Block cipher, modes of operation, related-cipher attack, related-mode attack

1 Introduction

Block ciphers are often proposed with several variants, in terms of a different secret key size and corresponding number of rounds. Wu [9] presented the related-cipher attack model, applicable to related ciphers in the sense that they are exactly identical to each other, differing only in the key size and most often also in the total number of rounds. In [7], the authors generalize the related-cipher attack model to a larger class of related ciphers, in particular encryptions with different block cipher modes of operation but with the underlying block cipher being identical. They called it the related-mode attack and further showed that when the adversary has access to an oracle for any one mode of operation among ECB, CBC, OFB and CFB, then almost all other related-cipher modes can be easily attacked. But they did not study another standard encryption mode, CTR. In this paper, we discuss how to use CTR mode to attack other modes and how to use other modes to attack CTR mode under the related-mode attack model.

In Section 2, we briefly describe the standard block cipher modes of operation. In Sections 3 and 4, we discuss how to use CTR mode to attack other modes and how to use other modes to attack CTR mode under the related-mode attack model. We conclude in Section 5.

Figure 1: ECB mode encryption

2 Standard Block Cipher Encryption Modes

When encrypting a plaintext P which is longer than the block size n of the underlying block cipher, the plaintext is divided into m n-bit blocks, and each one is encrypted in turn using a block cipher mode of operation; the standard modes include the Electronic Code Book (ECB), the Cipher Block Chaining (CBC), the Cipher FeedBack (CFB), the Output FeedBack (OFB) [4, 5] and Counter Mode (CTR) [1]. The ECB mode is the simplest, where each plaintext block $P_i$ is independently encrypted to a corresponding ciphertext block $C_i$ via the underlying block cipher $E$ keyed by the secret key K: $C_i = E_K(P_i)$. Figure 1 illustrates the ECB mode encryption on two consecutive plaintext blocks $P_{i-1}$ and $P_i$. Meanwhile, the CBC mode uses the previous ciphertext block as the feedback component that is exclusive-ORed (XORed) to the current plaintext block, before the resulting XOR is encrypted to obtain the current ciphertext block. In particular: $C_i = E_K(P_i \oplus C_{i-1})$, where $C_0$ = initialization vector (IV). Figure 2 illustrates the CBC mode encryption on two consecutive plaintext blocks $P_{i-1}$ and $P_i$.

Figure 2: CBC mode encryption
Figure 3: CFB mode encryption
Figure 4: OFB mode encryption
Figure 5: CTR mode encryption

The CFB mode also uses the previous ciphertext block as feedback, which is first encrypted and then XORed to the current plaintext block to obtain the current ciphertext block: $C_i = E_K(C_{i-1}) \oplus P_i$, where $C_0$ = initialisation vector (IV). The CFB mode can also be viewed as a stream cipher mode by treating $X_i = E_K(C_{i-1})$ as a keystream that is XORed to the plaintext to obtain the ciphertext. Figure 3 shows the CFB mode.

The OFB mode is similar to the CFB in that a keystream is also generated to be XORed to the current plaintext block to obtain the current ciphertext block. The difference is that the keystream is not a function of the previous ciphertext block, but is the previously encrypted feedback component $X_i$: $X_i = E_K(X_{i-1})$, $C_i = P_i \oplus X_i$, where $X_0$ = initialisation vector (IV). Note that the keystream is independent of previous plaintext and ciphertext blocks. Figure 4 illustrates the OFB mode.

The CTR mode is similar to the CFB in that a keystream is also generated to be XORed to the current plaintext block to obtain the current ciphertext block. The difference is that the keystream is a function of a counter, ctr, which can also be looked on as an initialisation vector: $C_i = P_i \oplus E_K(ctr + i)$. Figure 5 illustrates the CTR mode. There are two variants of the mode, one random and the other stateful. No matter which variant is used, the initialisation vector, ctr, is included in the ciphertext as the first block $C_0$ in order to enable decryption. The counter is not allowed to wrap around. Thus the decryption algorithm first chops off the first n bits $C_0$ and uses them as ctr, then divides the rest of the string into n-bit blocks and decrypts the ciphertext using the same method as encryption.

3 Using other Standard Modes to Attack CTR

Throughout this paper, we consider the case where the adversary has access to an oracle that is able to perform either encryption or decryption for some fixed mode. This is similar to having access to known or chosen plaintext/ciphertext queries under that mode. We show that this oracle allows the adversary to attack other related-cipher modes, where the underlying block cipher is the same. $P'_i$ and $C'_i$ respectively denote the current plaintext and ciphertext block used in the interaction with the oracle being exploited, while $P_i$ and $C_i$ respectively denote the current plaintext and ciphertext blocks of the related-cipher mode being attacked. For the mode being attacked, only the corresponding ciphertext blocks $C_i$ ($i = 0, 1, \dots, m$) are known, where $C_0 = IV$ is the initialization vector. It is the adversary's objective to directly recover the unknown plaintext blocks $P_i$ ($i = 0, 1, \dots, m$), i.e. we assume a ciphertext-only scenario for the mode being attacked. For the mode being exploited, access to its oracle allows the adversary to obtain known or chosen plaintext/ciphertext queries, and as necessary known or chosen IV queries, though we assume for more concrete and interesting results that he can only access either a mode encryption or a mode decryption oracle, and not both at the same time. Having said this, note that a standard mode of operation is expected to be secure against attacks where both encryption and decryption oracles are possible [2].

Figure 6: Exploiting ECB to attack CTR
Figure 7: Exploiting CBC to attack CTR

3.1 Exploiting an ECB Oracle

Consider that the adversary has access to either an encryption or a decryption oracle under ECB mode. We will show how this oracle can be exploited to obtain the unknown plaintext blocks encrypted under the CTR mode. In our current case, the adversary has access to the ECB encryption oracle, and is exploiting it to attack another related cipher in the CTR mode. In particular, given that he desires to know the unknown plaintext block $P_i$ corresponding to an intercepted ciphertext block $C_i$ of the CTR mode, he chooses $P'_i = C_0 + i$ to feed to the ECB encryption oracle and hence obtains the corresponding ciphertext $C'_i$. Since $C'_i = E_K(C_0 + i)$, we get $P_i = C_i \oplus C'_i$. This is illustrated in Figure 6, where the exploited oracle and the mode being attacked are on the left and right, respectively, and where the rectangular boxes delimit the parts inaccessible to the adversary. In summary, we require just one chosen plaintext (CP) query encrypted under ECB to obtain the plaintext block corresponding to any ciphertext block encrypted under CTR.

3.2 Exploiting a CBC Oracle

When the adversary has access to a CBC oracle, he can similarly use this to attack CTR mode. Attacking this requires a CBC encryption oracle. First the adversary queries the encryption oracle and gets the ciphertext $C'_{i-1}$ of a plaintext $P'_{i-1}$; then he chooses $P'_i = C'_{i-1} \oplus (C_0 + i)$ and queries the oracle to obtain the corresponding ciphertext $C'_i$. Since $C'_i = E_K(P'_i \oplus C'_{i-1}) = E_K(C_0 + i)$, it is directly related to an intermediate state in CTR, namely the keystream block $E_K(C_0 + i) = C'_i$ that masks $P_i$. Therefore, we can compute $P_i = C_i \oplus C'_i$. This is illustrated in Figure 7. In summary, we require two chosen plaintext (CP) queries encrypted under CBC to obtain the plaintext block corresponding to any ciphertext block encrypted under CTR.

3.3 Exploiting a CFB Oracle

The adversary accesses a CFB decryption oracle and chooses $C'_{i-1} = C_0 + i$, and hence $E_K(C'_{i-1}) = E_K(C_0 + i) = X_i$ can be directly related to a similar intermediate state within CTR, namely $X_i = P'_i \oplus C'_i$. He then computes $P_i = C_i \oplus X_i$. See Figure 8. Repeating this attack will allow him to obtain the other plaintext blocks of the CTR. In summary, we require just one chosen ciphertext (CC) query encrypted under CFB to obtain the plaintext block corresponding to any ciphertext block encrypted under CTR.

3.4 Exploiting an OFB Oracle

In this section, we discuss how to exploit an OFB oracle to attack the CTR mode.

Figure 8: Exploiting CFB to attack CTR
Figure 9: Exploiting OFB to attack CTR

This is so far the hardest attack to mount, and requires a chosen-IV (CIV) scenario [8]. In particular, the adversary chooses $IV = C_0 + i$, and hence $E_K(IV) = E_K(C_0 + i) = X_1$. This intermediate state relates the two modes, OFB and CTR, namely $X_1 = P'_1 \oplus C'_1$, and so he can compute $P_i = C_i \oplus X_1 = C_i \oplus P'_1 \oplus C'_1$. This is shown in Figure 9. Note that in this case the plaintext and ciphertext blocks of the exploited oracle do not need to be chosen but are merely known.

4 Exploiting a CTR Oracle

In this case, the adversary has access to a CTR oracle, and uses this to attack other related-cipher modes. The CTR, CFB and OFB modes are sometimes called stream-cipher modes since, despite starting with an underlying block cipher $E_K$, using it in these modes essentially results in a stream cipher. A stream-cipher mode uses the underlying $E_K$ in both its mode encryption and decryption, in contrast to other non-stream-cipher modes such as the ECB and CBC that use $E_K$ for mode encryption and correspondingly $E_K^{-1}$ for mode decryption. Because of this, it appears that stream-cipher mode oracles can only be used to construct encryption oracles for other non-stream-cipher modes. This means that it will not be possible to exploit a stream-cipher mode oracle (such as CTR, CFB and OFB) to attack non-stream-cipher modes (such as ECB and CBC). Instead, we consider only how stream-cipher modes can be exploited to attack other stream-cipher modes.

Attacking CFB: The adversary accesses a CTR decryption oracle and chooses $C'_0 = C_{i-1} - 1$; since $C'_1 = E_K(C'_0 + 1) \oplus P'_1 = E_K(C_{i-1}) \oplus P'_1$, the value $E_K(C_{i-1}) = C'_1 \oplus P'_1 = X_i$ can be directly related to a similar intermediate state within CFB, namely $X_i = P'_1 \oplus C'_1 = E_K(C_{i-1})$. He then computes $P_i = C_i \oplus X_i$. See Figure 10. Repeating this attack will allow him to obtain the other plaintext blocks of the CFB.
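The four Section 3 attacks and the CFB attack of Section 4, as an added Python example that is not part of the paper: every mode shares one key K, the block cipher is a constructed SHA-256 Feistel stand-in for $E_K$, and the key, counter, IV and plaintext blocks are constructed values. Each attack function receives only the oracle closure and the target ciphertext, never K, and recovers the plaintext block with exactly the text complexity the paper states, which is why a single key must never serve two modes.

```python
import hashlib
from functools import partial

BLOCK = 16  # n = 128-bit blocks; every oracle below shares ONE key K with the session under attack
ZERO = bytes(BLOCK)  # arbitrary block used wherever the paper lets the adversary choose freely

def E(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_K: a 4-round Feistel network over SHA-256 (constructed stand-in, not AES)."""
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, bytes(a ^ b for a, b in zip(L, hashlib.sha256(key + bytes([r]) + R).digest()))
    return L + R

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_plus(ctr: bytes, i: int) -> bytes:
    """ctr + i as an n-bit big-endian integer (the paper assumes the counter never wraps)."""
    return (int.from_bytes(ctr, "big") + i).to_bytes(BLOCK, "big")

# Modes of operation. Ciphertexts are block lists [C_0 = IV or ctr, C_1, ..., C_m].
def ctr_encrypt(key, ctr, P):   # C_i = P_i xor E_K(ctr + i)
    return [ctr] + [xor(p, E(key, ctr_plus(ctr, i))) for i, p in enumerate(P, 1)]
def ctr_decrypt(key, C):        # P_i = C_i xor E_K(C_0 + i)
    return [xor(C[i], E(key, ctr_plus(C[0], i))) for i in range(1, len(C))]
def ecb_encrypt(key, p):        # C = E_K(P), single block
    return E(key, p)
def cbc_encrypt(key, iv, P):    # C_i = E_K(P_i xor C_{i-1})
    C = [iv]
    for p in P: C.append(E(key, xor(p, C[-1])))
    return C
def cfb_encrypt(key, iv, P):    # C_i = P_i xor E_K(C_{i-1})
    C = [iv]
    for p in P: C.append(xor(p, E(key, C[-1])))
    return C
def cfb_decrypt(key, C):        # P_i = C_i xor E_K(C_{i-1})
    return [xor(C[i], E(key, C[i - 1])) for i in range(1, len(C))]
def ofb_encrypt(key, iv, P):    # X_i = E_K(X_{i-1}), C_i = P_i xor X_i, X_0 = IV
    C, x = [iv], iv
    for p in P: x = E(key, x); C.append(xor(p, x))
    return C

# Section 3: recover plaintext block P_i of CTR ciphertext C from an oracle for another mode.
def ctr_via_ecb(ecb_enc, C, i):   # 1 CP query: ECB returns E_K(C_0 + i) directly
    return xor(C[i], ecb_enc(ctr_plus(C[0], i)))
def ctr_via_cbc(cbc_enc, C, i):   # 2 CP blocks: P'_2 = C'_1 xor (C_0 + i) gives C'_2 = E_K(C_0 + i)
    c1 = cbc_enc(ZERO, [ZERO])[1]
    return xor(C[i], cbc_enc(ZERO, [ZERO, xor(c1, ctr_plus(C[0], i))])[2])
def ctr_via_cfb(cfb_dec, C, i):   # 1 CC query with C'_0 = C_0 + i: P'_1 = C'_1 xor E_K(C_0 + i)
    return xor(C[i], cfb_dec([ctr_plus(C[0], i), ZERO])[0])
def ctr_via_ofb(ofb_enc, C, i):   # chosen IV = C_0 + i, known P'_1 = 0: C'_1 = X_1 = E_K(C_0 + i)
    return xor(C[i], ofb_enc(ctr_plus(C[0], i), [ZERO])[1])
# Section 4: recover P_i of a CFB ciphertext from a CTR decryption oracle, 1 CC query.
def cfb_via_ctr(ctr_dec, C, i):   # C'_0 = C_{i-1} - 1, so P'_1 = C'_1 xor E_K(C_{i-1}) with C'_1 = 0
    return xor(C[i], ctr_dec([ctr_plus(C[i - 1], -1), ZERO])[0])

def demo() -> bool:
    key = b"constructed-shared-key"  # reusing K across modes is the entire problem
    msg = [b"block one.......", b"block two......."]
    ctr_ct = ctr_encrypt(key, bytes(15) + b"\x07", msg)
    cfb_ct = cfb_encrypt(key, bytes(range(16)), msg)
    got = [ctr_via_ecb(partial(ecb_encrypt, key), ctr_ct, 2),
           ctr_via_cbc(partial(cbc_encrypt, key), ctr_ct, 2),
           ctr_via_cfb(partial(cfb_decrypt, key), ctr_ct, 2),
           ctr_via_ofb(partial(ofb_encrypt, key), ctr_ct, 2),
           cfb_via_ctr(partial(ctr_decrypt, key), cfb_ct, 2)]
    return all(g == msg[1] for g in got)
```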
Attacking OFB: The adversary accesses a CTR decryption oracle and chooses $C'_0 = IV - 1$; since $C'_1 = E_K(C'_0 + 1) \oplus P'_1 = E_K(IV) \oplus P'_1$, the value $E_K(IV) = X_1$ can be directly related to a similar intermediate state within OFB, namely $X_1 = P'_1 \oplus C'_1 = P_1 \oplus C_1$. He then computes $P_1 = X_1 \oplus C_1$. This is illustrated in Figure 11. Repeating this attack will allow him to iteratively obtain the next plaintext blocks of the OFB.

Figure 10: Exploiting CTR to attack CFB
Figure 11: Exploiting CTR to attack OFB

5 Conclusions

In this paper we discuss how access to chosen plaintexts/ciphertexts in other standard encryption modes allows the related-cipher CTR mode to be attacked, and how access to chosen ciphertexts in the CTR mode allows almost all other related-cipher standard encryption modes to be attacked. In Table 1, we list our attacks and the corresponding text complexities, while the computational complexity is negligible. The five modes discussed above are all standard encryption modes. There are many standard authentication modes and authenticated encryption modes using block ciphers, such as the authentication mode CMAC [6] and the authenticated encryption mode GCM [3]. We further studied the security of those modes of operation under the related-mode attack model and found that they are all insecure if the adversary can access an oracle under one proper mode. So when the same cipher is used as the underlying component in different block cipher modes of operation, we should avoid using the same key in those modes in practical applications.

Table 1: Related-mode attacks on standard encryption modes

Oracle Exploited   Cipher Mode Attacked   Text Complexity
ECB                CTR                    1 CP
CBC                CTR                    2 CP
CFB                CTR                    1 CC
OFB                CTR                    1 CP, 1 CIV
CTR                CFB                    1 CC
CTR                OFB                    1 CC

Acknowledgement

This research is supported by the National Natural Science Foundation of China under Grant No.60373047 and No.90204016, and the National Basic Research 973 Program of China under Grant No.2004CB318004.

References

[1] http://csrc.nist.gov/encryption/modes/proposedmodes/ctr/
[2] A. Joux, Cryptanalysis of the EMD mode of operation, Advances in Cryptology - Eurocrypt '03, LNCS 2656, pp. 1-16, Springer-Verlag, 2003.
[3] D. McGrew and J. Viega, The Galois/Counter Mode of Operation (GCM), Submission to NIST Modes of Operation Process, 2004. Available at http://csrc.nist.gov/cryptotoolkit/modes/proposedmodes/
[4] National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication 81 (FIPS PUB 81): DES Modes of Operation, Dec. 1980.
[5] National Institute of Standards and Technology (NIST), NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, Dec. 2001.
[6] National Institute of Standards and Technology (NIST), NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005.
[7] R. C. W. Phan and M. U. Siddiqi, Related-mode attacks on block cipher modes of operation, ICCSA 2005, LNCS 3482, pp. 661-671, Springer-Verlag, 2005.
[8] D. Wagner, Cryptanalysis of some recently-proposed multiple modes of operation, FSE '98, LNCS 1372, pp. 254-269, Springer-Verlag, 1998.
[9] H. Wu, Related-cipher attacks, ICICS '02, LNCS 2513, pp. 447-455, Springer-Verlag, 2002.

Dayin Wang is now a Ph.D. candidate at the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences. His research interests include message authentication codes and modes of operation. E-mail address: wdy@is.iscas.ac.cn.

Dongdai Lin is now a full-time research professor and deputy director of the State Key Laboratory of Information Security, Institute of Software of the Chinese Academy of Sciences. He received his B.S. degree in mathematics from Shandong University in 1984, and the M.S. degree and Ph.D. degree in coding theory and cryptology at the Institute of Systems Science of the Chinese Academy of Sciences in 1987 and 1990 respectively. His current research interests include cryptology, information security, grid computing, mathematics mechanization and symbolic computations.

Wenling Wu is now a professor at the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences. She received her B.S. degree and M.S. degree in maths from Northwest University in 1987 and 1990, respectively. She received her Ph.D. degree in Cryptography from Xidian University in 1997. From 1998 to 1999 she was a postdoctoral fellow in the Institute of Software, Chinese Academy of Sciences. Her current research interests include theory of cryptography, modes of operation, block ciphers, stream ciphers and hash functions.