Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.

Published byJamil Ludgate Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh

2 Dan Boneh Exhaustive Search for block cipher key Goal: given a few input output pairs ( m i, c i = E(k, m i ) ) i=1,..,3 find key k. Lemma: Suppose DES is an ideal cipher ( 2 56 random invertible functions ) Then ∀ m, c there is at most one key k s.t. c = DES(k, m) Proof: with prob. ≥ 1 – 1/256 ≈ 99.5%

3 Dan Boneh Exhaustive Search for block cipher key For two DES pairs ( m 1, c 1 =DES(k, m 1 ) ), ( m 2, c 2 =DES(k, m 2 ) ) unicity prob. ≈ 1 - 1/2 71 For AES-128: given two inp/out pairs, unicity prob. ≈ 1 - 1/2 128 ⇒ two input/output pairs are enough for exhaustive key search.

4 Dan Boneh DES challenge msg = “The unknown messages is: XXXX … “ CT = c 1 c 2 c 3 c 4 Goal: find k ∈ {0,1} 56 s.t. DES(k, m i ) = c i for i=1,2,3 1997: Internet search -- 3 months 1998: EFF machine (deep crack) -- 3 days (250K $) 1999: combined search -- 22 hours 2006: COPACOBANA (120 FPGAs) -- 7 days (10K $) ⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 2 72 days)

5 Dan Boneh Strengthening DES against ex. search Method 1: Triple-DES Let E : K × M M be a block cipher Define 3E: K 3 × M M as For 3DES: key-size = 3×56 = 168 bits. 3×slower than DES. (simple attack in time ≈2 118 ) 3E ( (k 1,k 2,k 3 ), m ) =

6 Dan Boneh Why not double DES? Define 2E ( (k 1,k 2 ), m ) = E ( k 1, E(k 2, m) ) Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ). step 1: build table. sort on 2 nd column key-len = 112 bits for DES m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) 2 56 entries

7 Dan Boneh Meet in the middle attack Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ) step 1: build table. Step 2: for all k ∈ {0,1} 56 do: test if D(k, C) is in 2 nd column. if so then E(k i,M) = D(k,C) ⇒ (k i,k) = (k 2,k 1 ) m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M)

8 Dan Boneh Meet in the middle attack Time = 2 56 log(2 56 ) + 2 56 log(2 56 ) < 2 63 << 2 112, space ≈ 2 56 Same attack on 3DES: Time = 2 118, space ≈ 2 56 m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c E(k 3, ⋅ )

9 Dan Boneh Method 2: DESX E : K × {0,1} n {0,1} n a block cipher Define EX as EX ( (k 1,k 2,k 3 ), m ) = k 1 E(k 2, mk 3 ) For DESX: key-len = 64+56+64 = 184 bits … but easy attack in time 2 64+56 = 2 120 (homework) Note: k 1 E(k 2, m) and E(k 2, mk 1 ) does nothing !!

10 Dan Boneh End of Segment

Download ppt "Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh."

Similar presentations

CLASSICAL ENCRYPTION TECHNIQUES

CLASSICAL ENCRYPTION TECHNIQUES
6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
AES Advanced Encryption Standard

AES Advanced Encryption Standard
Symmetric Encryption Prof. Ravi Sandhu.

Symmetric Encryption Prof. Ravi Sandhu.
Encryption.

Encryption.
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Lect. 8 : Advanced Encryption Standard

Lect. 8 : Advanced Encryption Standard
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Computer Security Set of slides 3 Dr Alexei Vernitski.

Computer Security Set of slides 3 Dr Alexei Vernitski.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Avalanche Effect in DES key desirable property of encryption algo where a change of one input or key bit results in changing approx half output bits making.

Avalanche Effect in DES key desirable property of encryption algo where a change of one input or key bit results in changing approx half output bits making.
DATA ENCRYPTION STANDARD (DES). Outline History Encryption Key Generation Decryption Strength of DES Ultimate.

DATA ENCRYPTION STANDARD (DES). Outline History Encryption Key Generation Decryption Strength of DES Ultimate.
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Cryptography: Block Ciphers

Cryptography: Block Ciphers
Conventional Encryption: Algorithms

Conventional Encryption: Algorithms
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

Similar presentations

Ads by Google