Download presentation

Presentation is loading. Please wait.

Published byJamil Ludgate Modified over 3 years ago

1
Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh

2
Dan Boneh Exhaustive Search for block cipher key Goal: given a few input output pairs ( m i, c i = E(k, m i ) ) i=1,..,3 find key k. Lemma: Suppose DES is an ideal cipher ( 2 56 random invertible functions ) Then ∀ m, c there is at most one key k s.t. c = DES(k, m) Proof: with prob. ≥ 1 – 1/256 ≈ 99.5%

3
Dan Boneh Exhaustive Search for block cipher key For two DES pairs ( m 1, c 1 =DES(k, m 1 ) ), ( m 2, c 2 =DES(k, m 2 ) ) unicity prob. ≈ 1 - 1/2 71 For AES-128: given two inp/out pairs, unicity prob. ≈ 1 - 1/2 128 ⇒ two input/output pairs are enough for exhaustive key search.

4
Dan Boneh DES challenge msg = “The unknown messages is: XXXX … “ CT = c 1 c 2 c 3 c 4 Goal: find k ∈ {0,1} 56 s.t. DES(k, m i ) = c i for i=1,2,3 1997: Internet search -- 3 months 1998: EFF machine (deep crack) -- 3 days (250K $) 1999: combined search -- 22 hours 2006: COPACOBANA (120 FPGAs) -- 7 days (10K $) ⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 2 72 days)

5
Dan Boneh Strengthening DES against ex. search Method 1: Triple-DES Let E : K × M M be a block cipher Define 3E: K 3 × M M as For 3DES: key-size = 3×56 = 168 bits. 3×slower than DES. (simple attack in time ≈2 118 ) 3E ( (k 1,k 2,k 3 ), m ) =

6
Dan Boneh Why not double DES? Define 2E ( (k 1,k 2 ), m ) = E ( k 1, E(k 2, m) ) Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ). step 1: build table. sort on 2 nd column key-len = 112 bits for DES m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) 2 56 entries

7
Dan Boneh Meet in the middle attack Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ) step 1: build table. Step 2: for all k ∈ {0,1} 56 do: test if D(k, C) is in 2 nd column. if so then E(k i,M) = D(k,C) ⇒ (k i,k) = (k 2,k 1 ) m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M)

8
Dan Boneh Meet in the middle attack Time = 2 56 log(2 56 ) + 2 56 log(2 56 ) < 2 63 << 2 112, space ≈ 2 56 Same attack on 3DES: Time = 2 118, space ≈ 2 56 m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c E(k 3, ⋅ )

9
Dan Boneh Method 2: DESX E : K × {0,1} n {0,1} n a block cipher Define EX as EX ( (k 1,k 2,k 3 ), m ) = k 1 E(k 2, mk 3 ) For DESX: key-len = 64+56+64 = 184 bits … but easy attack in time 2 64+56 = 2 120 (homework) Note: k 1 E(k 2, m) and E(k 2, mk 1 ) does nothing !!

10
Dan Boneh End of Segment

Similar presentations

OK

Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google