Download presentation

Presentation is loading. Please wait.

Published byIsaiah Reaney Modified over 2 years ago

1
Lee Jae-song 1

2
How to cryptanalysis DES? C = E K (P) E is DES encryption funtion K is a key, 56-bit. P is a plaintext, C is a ciphertext, both 64-bit Chosen-plaintext attack: For a chosen plaintext P and a related ciphertext C, find the value of K among N=2 56 possible values. 2

3
Method 1. Exhaustive search Calculates C for all possible keys Requires 2 56 time, small memory Method 2. Table lookup Find C from prepared table Requires 2 56 memory, small time Both requires huge cost How to use reasonable time and memory? For example, N 2/3 time and N 2/3 space? 3

4
Idea: make “chains” of key K and ciphertext C. K 0 → K 1 → K 2 → … → K t C 0 → C 1 → C 2 → … → C t where C i = E Ki (P) and K i+1 = f(K i ). Save only both ends of chain (K 0, K t ) We can “recover” keys and ciphertexts again, if f is well-designed. Actually what is f? Hash function related to encryption function 4

5
P is 64-bit, so E K (P) is also 64-bit K is 56-bit Some reduction function R: 64-bit to 56-bit Ex) drop lower 8 bits of input, or higher 8 bits,... f(K) = R(E K (P)) K 1 = R(E K0 (P)), K 2 = R(E K1 (P)),... 5

6
Once we get some ciphertext C = E K (P) We remember K 0, K t Y 1 = R(C) = R(E K (P)) = f(K) ∴ K → Y 1 Check: Y 1 = K t ? If true, f(K) = f(K t-1 ) so maybe K = K t-1, or just a false alarm. ▪ Compute K t-1 from K 0, and check if E Kt-1 (P) = C. If false, always K ≠ K t-1. 6 K →K → Y1Y1 K 0 → … → K t-1 → KtKt

7
If failed, compute Y 2 = f(Y 1 ) = f(f(K)), Check: Y 2 = K t ? If true, f(f(K)) = f(f(K t-2 )) so maybe K = K t-2. Compute Y 1, Y 2, Y 3,..., Y t until we find the key. O(t) time, with 2 memory space. 7 K →K → Y1 →Y1 → Y2Y2 K t-2 → K t-1 → KtKt

8
Extend: make m chains! Choose some initial values randomly (SP i ) (1<=i<=m) X i0 = SP i, X ij = f(X i,j-1 ) = f j (SP i ), EP i = X it Save (SP i, EP i ) only X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2... X m0 = SP m X m1 X m2 X m3 X m4...X mt = EP m 8

9
But, what if X ij = X i’j’ for some values? X 11 = X 23, f(X 11 ) = f(X 23 ), X 12 = X 24, X 13 = X 25,... “collide and merge” We may ignore the defect for small overlaps 9 X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2... X m0 = SP m X m1 X m2 X m3 X m4...X mt = EP m

10
Extend more! Generate many tables, with different hashes 10 SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m

11
It is a probabilistic method! Probability of success for each table is If mt 2 << N, it is approximized to P(S) >= mt/N P >= 1 – (1 – mt/N) l, l is the number of tables So we need to generate l = (N/mt) tables to achieve P ≒ 1. 11

12
Pf) Since P(S) = E(# of keys)/N, P(S) = sum P( X ij is newly appeared ) ▪ “new”: not appeared in previous rows or in this row yet P(X ij is new) >= P(X i0, X i1,..., X ij are new) = P(X i0 is new) * P(X i1 is new | X i0 is new) *... * P(X ij is new | X i0, X i1,..., X i,j-1 are new) P(X ik is new|...) = (N - # of keys until now )/N >= (N-it)/N ∴ P(Xij is new) >= 12

13
The expected value of false alarm per table is not so high: If mt 2 = N, E(F) <= ½ One false alarm: at most t operations required the computation is increased at most 50% 13

14
DES: 2 56 ( ≒ 7*10 16 ) keys Let N = 10 17, ignoring overlap What values for m, t and l? [1] chooses m = 10 5, t = 10 6 after some trial&error P(S) = 10 -6, so l=10 6 tables are needed ml = 10 13 memory required Compared to table lookup: 7*10 16 memory tl = 10 12 computation required Compared to exhaustive search: 7*10 16 time 14

15
Performance graph of RainbowCrack [4] 15

16
It is basically for chosen-plaintext attack, but also applicable to: Synchronous stream cipher (known-plaintext) ▪ C[t] = P[t] ⊕ E K [t], no need to choose plaintext Partially known-plaintext attack ▪ Generate each table for possible plaintext hash functions Further improvements? 16

17
Rainbow Table: P. Oechslin. [2] Avoids collide-merge problems Different hash function per each iteration, not per each table. May collide with same probability, but not merge ▪ X 11 = X 23, f 2 (X 11 ) ≠ f 3 (X 23 ) 17 X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2 f1f2f3f4

18
[1] M. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, vol. 26, no. 4, 1980. [2] P. Oechslin. Making a faster cryptanalytic time-memory trade-off. CRYPTO 03.Making a faster cryptanalytic time-memory trade-off [3] Rainbow table, Wikipedia. (last visited Feb. 21, 2010)Rainbow table [4] Project RainbowCrack. (last visited Feb. 21, 2010)Project RainbowCrack 18

19
Q? 19

Similar presentations

OK

Look-up problem IP address did we see the IP address before?

Look-up problem IP address did we see the IP address before?

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on hr practices of wipro Ppt on australian continent Ppt on dispersal by water Ppt on weapons of mass destruction iraq Ppt on water pollution in india Dentist appt on saturday Ppt on natural resources of earth Ppt on db2 introduction to statistics Ppt on history and sport the story of cricket Ppt on object-oriented programming for dummies