Download presentation

Presentation is loading. Please wait.

Published byIsaiah Reaney Modified about 1 year ago

1
Lee Jae-song 1

2
How to cryptanalysis DES? C = E K (P) E is DES encryption funtion K is a key, 56-bit. P is a plaintext, C is a ciphertext, both 64-bit Chosen-plaintext attack: For a chosen plaintext P and a related ciphertext C, find the value of K among N=2 56 possible values. 2

3
Method 1. Exhaustive search Calculates C for all possible keys Requires 2 56 time, small memory Method 2. Table lookup Find C from prepared table Requires 2 56 memory, small time Both requires huge cost How to use reasonable time and memory? For example, N 2/3 time and N 2/3 space? 3

4
Idea: make “chains” of key K and ciphertext C. K 0 → K 1 → K 2 → … → K t C 0 → C 1 → C 2 → … → C t where C i = E Ki (P) and K i+1 = f(K i ). Save only both ends of chain (K 0, K t ) We can “recover” keys and ciphertexts again, if f is well-designed. Actually what is f? Hash function related to encryption function 4

5
P is 64-bit, so E K (P) is also 64-bit K is 56-bit Some reduction function R: 64-bit to 56-bit Ex) drop lower 8 bits of input, or higher 8 bits,... f(K) = R(E K (P)) K 1 = R(E K0 (P)), K 2 = R(E K1 (P)),... 5

6
Once we get some ciphertext C = E K (P) We remember K 0, K t Y 1 = R(C) = R(E K (P)) = f(K) ∴ K → Y 1 Check: Y 1 = K t ? If true, f(K) = f(K t-1 ) so maybe K = K t-1, or just a false alarm. ▪ Compute K t-1 from K 0, and check if E Kt-1 (P) = C. If false, always K ≠ K t-1. 6 K →K → Y1Y1 K 0 → … → K t-1 → KtKt

7
If failed, compute Y 2 = f(Y 1 ) = f(f(K)), Check: Y 2 = K t ? If true, f(f(K)) = f(f(K t-2 )) so maybe K = K t-2. Compute Y 1, Y 2, Y 3,..., Y t until we find the key. O(t) time, with 2 memory space. 7 K →K → Y1 →Y1 → Y2Y2 K t-2 → K t-1 → KtKt

8
Extend: make m chains! Choose some initial values randomly (SP i ) (1<=i<=m) X i0 = SP i, X ij = f(X i,j-1 ) = f j (SP i ), EP i = X it Save (SP i, EP i ) only X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2... X m0 = SP m X m1 X m2 X m3 X m4...X mt = EP m 8

9
But, what if X ij = X i’j’ for some values? X 11 = X 23, f(X 11 ) = f(X 23 ), X 12 = X 24, X 13 = X 25,... “collide and merge” We may ignore the defect for small overlaps 9 X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2... X m0 = SP m X m1 X m2 X m3 X m4...X mt = EP m

10
Extend more! Generate many tables, with different hashes 10 SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m

11
It is a probabilistic method! Probability of success for each table is If mt 2 << N, it is approximized to P(S) >= mt/N P >= 1 – (1 – mt/N) l, l is the number of tables So we need to generate l = (N/mt) tables to achieve P ≒ 1. 11

12
Pf) Since P(S) = E(# of keys)/N, P(S) = sum P( X ij is newly appeared ) ▪ “new”: not appeared in previous rows or in this row yet P(X ij is new) >= P(X i0, X i1,..., X ij are new) = P(X i0 is new) * P(X i1 is new | X i0 is new) *... * P(X ij is new | X i0, X i1,..., X i,j-1 are new) P(X ik is new|...) = (N - # of keys until now )/N >= (N-it)/N ∴ P(Xij is new) >= 12

13
The expected value of false alarm per table is not so high: If mt 2 = N, E(F) <= ½ One false alarm: at most t operations required the computation is increased at most 50% 13

14
DES: 2 56 ( ≒ 7*10 16 ) keys Let N = 10 17, ignoring overlap What values for m, t and l? [1] chooses m = 10 5, t = 10 6 after some trial&error P(S) = 10 -6, so l=10 6 tables are needed ml = memory required Compared to table lookup: 7*10 16 memory tl = computation required Compared to exhaustive search: 7*10 16 time 14

15
Performance graph of RainbowCrack [4] 15

16
It is basically for chosen-plaintext attack, but also applicable to: Synchronous stream cipher (known-plaintext) ▪ C[t] = P[t] ⊕ E K [t], no need to choose plaintext Partially known-plaintext attack ▪ Generate each table for possible plaintext hash functions Further improvements? 16

17
Rainbow Table: P. Oechslin. [2] Avoids collide-merge problems Different hash function per each iteration, not per each table. May collide with same probability, but not merge ▪ X 11 = X 23, f 2 (X 11 ) ≠ f 3 (X 23 ) 17 X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2 f1f2f3f4

18
[1] M. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, vol. 26, no. 4, [2] P. Oechslin. Making a faster cryptanalytic time-memory trade-off. CRYPTO 03.Making a faster cryptanalytic time-memory trade-off [3] Rainbow table, Wikipedia. (last visited Feb. 21, 2010)Rainbow table [4] Project RainbowCrack. (last visited Feb. 21, 2010)Project RainbowCrack 18

19
Q? 19

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google