Download presentation

Presentation is loading. Please wait.

Published byMohammed Waugh Modified over 2 years ago

1
LOKI LOKI block ciphers family (LOKI89.LOKI91) Similar to DES(except : F function, initial and final permutation, key scheduling algorithm ) K1=K L,K2=K R K3~K16: K i = ROL12(K J ), where J=i-2 K 3 = ROL(K 1 ) ROL12 代表 Rotate to Left 12 bits

2

3

4
Chosen key attack Chosen key chosen plaintext Knows only the relationship between two key,not the keys themselves Independent of number of rounds LOKI89, LOKI91

5
LOKI89 Original 64bit key K=(K L, K R ) K 1 = K L, K 2 = K R K 3 ~K 16, K i = ROL12(K J ), where J=i-2 ex: K 3 =ROL12(K 1 ), K 4 =ROL12(K 2 ) ….. New key K* = (K 2, K 3 ) = ( K R, ROL12(K L ) ) K 1 *= K L * = K 2, K 2 * = K R * = K 3 K 3 * ~K 16 * K i * of K* = K(i+1) of K ex: K 3 *= ROL12(K 1 *) = ROL12(K 2 ) = K 4 K 4 * = K 5

6
LOKI89 Original 64bit key K=(K L, K R ) K 1 = K L, K 2 = K R K 3 ~K 16, K i = ROL12(K J ), where J=i-2 ex: K 3 =ROL12(K 1 ), K 4 =ROL12(K 2 ) ….. New key K* = (K 2, K 3 ) = ( K R, ROL12(K L ) ) K 1 *= K L * = K 2, K 2 * = K R * = K 3 K 3 * ~K 16 * K i * of K* = K(i+1) of K ex: K 3 *= ROL12(K 1 *) = ROL12(K 2 ) = K 4 K 4 * = K 5

7
KRKR KLKL KRKR ROL12(K L)

8

9
使用 related key K and K* If the data are the same in both executions shifted by one round EX: data before 2nd round (under key K) = data before 1st round (under key K*):

10

11
plaintext P encrypted under key K data before 2nd round (under key K): ( P R ⊕ K R, P L ⊕ K L ⊕ F ( P R ⊕ K R, K L ) ) -----(1) data before 1st round (under key K*): P* ⊕ K* = ( P L * ⊕ K L *, P R * ⊕ K R * ) = ( P L * ⊕ K R, P R * ⊕ ROL12 (K L ) )------(2)

12
P L ⊕ K L P R ⊕ K R F( P R ⊕ K R, K L )

13
由 (1) = (2) P R ⊕ K R = P L * ⊕ K R ∴ P R = P L * ---(3) P L ⊕ K L ⊕ F( P R ⊕ K R, K L ) = P R * ⊕ ROL12(K L ) ∴ P L ⊕ K L ⊕ F( P R ⊕ K R, K L ) ⊕ ROL12(K L ) = P R *---(4) P* = (P R, P L ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L )) (a) C* = (C R ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L ), C L ) (b)

14
chosen key chosen plaintext P* = (P R, P L ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L )) (a) C* = (C R ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L ), C L ) (b) 已知 2 16 個 chosen key P, 2 16 個 P *, P R = P L * 2 unknown related key K, K*, K* = (K2,K3) Exist two plaintext P i, P j* such that P R * = P L ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L ) By checking C R * = C L

15
chosen key chosen plaintext PRPR Randomly chosen 32 bits 2 16 個 P 0 ~ P P * 0 ~ P * Chosen 32 bits value

16
由 equation (a),(b) 相作 XOR 再搬移 F( P R ⊕ K R, K L )) ⊕ F(C L ⊕ K R ⊕ K L ) = P R* ⊕ P L ⊕ C L* ⊕ C R only unknown part : K R ⊕ K L 帶回 (a),(b) 可求出 K L ⊕ ROL12(K L ), 可以推出 K 和 K*

17
LOKI91 A random plaintext P C=LOKI91(P,K) and C*=LOKI91(P*,K*) K* = ( K R,ROL25(K L ) ) K1,K2 share the same 32 bits 2 32 possible values of K1,K2 calculate 2 32 data before 3rd round, P* 找出 real K1,K2 by verifying the relationship between cipher texts

18
32bit K R 32bit K L

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google