Download presentation

Presentation is loading. Please wait.

Published byGloria Warriner Modified about 1 year ago

1
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2 LSI-TEC, PKI Certification department

2
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Summary The CAST-128 and CAST-256 Block Ciphers Linear Cryptanalysis: brief overview Linear Analysis of CAST-128 and CAST-256 Attack Details Conclusions and Open Problems

3
SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 64-bit iterated block cipher key: 40 bits up to 128 bits (increments of 8 bits) 12 up to 16 rounds Feistel Network structure designed by C. Adams and S.Tavares (1996) S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

4
SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5) CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S 1, S 2, S 3, S 4 ) and for the key schedule (S 5, S 6, S 7, S 8 ) round operations: +, -, <<<, three round functions: f 1, f 2 and f 3 An official algorithm for use with the Canadian Government: http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html

5
SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 f1f1 f2f2 f3f3 Round functions

6
SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 a former candidate to the Advanced Encryption Standard (AES) Development Process (1997) 128-bit iterated block cipher 128-, 192- and 256-bit key 48 rounds for all key sizes generalized Feistel Network structure S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

7
SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 one quad-round f1f1 f1f1 f2f2 f3f3

8
SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 full CAST-256: six quad-rounds + six inverse quad-rounds one inverse quad-round = one quad-round upside down f1f1 f2f2 f1f1 f3f3

9
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis developed by Mitsuru Matsui (Mitsubishi Corp) first ideas: Adi Shamir (DES S-boxes’ parity), 1994 applied to FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8, DES (Matsui, 1991-1993) known-plaintext (KP) attack (sometimes, can also work in a ciphertext-only setting) general cryptanalytic technique: used against block ciphers, stream ciphers, and other crypto algorithms

10
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis basic tool: (some notions) linear relation, a linear combination of bits of plaintext, ciphertext and key linear approximation: Boolean function holding with non-uniform parity (away from ½) bias: difference between 0-parity and ½ the higher the bias, the more effective the linear approximation number of KP for a high success attack: bias -2

11
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis strategy: derive linear approximations for each individual cipher components non-linear components are the main targets combine linear approximations of consecutive components, until reach a full round for multiple rounds, use Matsui’s Piling-Up Lemma this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)

12
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 8x32-bit S-boxes are always non-surjective mappings Modular addition and substraction in round function F motivation for linear approximations of the form 0 8 32, across the S-box, where 32 is a nonzero bit mask bias for all S-boxes S 1,...,S 4 with mask 32 =1 is 2 -5 we use 32 =1 (least significant bit) to bypass the modular addition and subtraction after the S- boxes in the round function

13
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 f1f1

14
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 iterative linear relations: input and output bit masks are identical, so that it can be concatenated to itself, with a fixed decrease in the bias for CAST-128: 2-round iterative linear relations w 1 active F

15
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 iterative linear relations: input and output bit masks are identical, so that it can be concatenated to itself, with a fixed decrease in the bias for CAST-128: 2-round iterative linear relations w 1 active F

16
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 CAST-256 S-boxes are the same as for CAST- 128 thus, the same bit masks are used: 0 1 similarly, we look for iterative linear relations result: 4-round iterative linear relations, or one quad-round iterative linear relations.

17
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256

18
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 1 active F per quad-round

19
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 Other combinations

20
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 Bit mask controls active F

21
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Attack Results on reduced-round CAST-128 #RoundsData/MemoryTimeComments 22 37 distinguishing attack 32 37 distinguishing attack 42 37 2 72.5 key-recovery attack

22
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Attack Results on reduced-round CAST-256 #RoundsData/MemoryTimeComments 42 37 distinguishing attack 52 37 2 71.7 key-recovery attack 82 69 distinguishing attack 92 69 2 103 key-recovery attack 122 101 distinguishing attack

23
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Conclusions first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256 attacks exploit non-surjectivity of 8x32-bit S- boxes (happens for any such mappings)

24
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Open Problems we found quadratic equations for all four S- boxes S 1,...,S 4 of CAST-128/CAST-256. The question is: can we use them in a (pure) algebraic attack? what about combining linear and quadratic equations??

25
SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2 LSI-TEC, PKI Certification department

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google