Presentation is loading. Please wait.

Presentation is loading. Please wait.

SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2.

Published byGloria Warriner Modified over 9 years ago

Similar presentations

Presentation on theme: "SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2."— Presentation transcript:

1 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2 LSI-TEC, PKI Certification department

2 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Summary The CAST-128 and CAST-256 Block Ciphers Linear Cryptanalysis: brief overview Linear Analysis of CAST-128 and CAST-256 Attack Details Conclusions and Open Problems

3 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 64-bit iterated block cipher key: 40 bits up to 128 bits (increments of 8 bits) 12 up to 16 rounds Feistel Network structure designed by C. Adams and S.Tavares (1996) S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

4 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST-5) CAST-128 uses fixed 8x32-bit S-boxes: for encryption and decryption (S 1, S 2, S 3, S 4 ) and for the key schedule (S 5, S 6, S 7, S 8 ) round operations: +, -, <<<,  three round functions: f 1, f 2 and f 3 An official algorithm for use with the Canadian Government: http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html

5 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-128 f1f1 f2f2 f3f3 Round functions

6 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 a former candidate to the Advanced Encryption Standard (AES) Development Process (1997) 128-bit iterated block cipher 128-, 192- and 256-bit key 48 rounds for all key sizes generalized Feistel Network structure S-box design procedure patented by Entrust Technologies Inc: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

7 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 one quad-round f1f1 f1f1 f2f2 f3f3

8 SBSeg 2007, NCE/UFRJ, Rio de Janeiro CAST-256 full CAST-256: six quad-rounds + six inverse quad-rounds one inverse quad-round = one quad-round upside down f1f1 f2f2 f1f1 f3f3

9 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis developed by Mitsuru Matsui (Mitsubishi Corp) first ideas: Adi Shamir (DES S-boxes’ parity), 1994 applied to FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8, DES (Matsui, 1991-1993) known-plaintext (KP) attack (sometimes, can also work in a ciphertext-only setting) general cryptanalytic technique: used against block ciphers, stream ciphers, and other crypto algorithms

10 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis basic tool: (some notions) linear relation, a linear combination of bits of plaintext, ciphertext and key linear approximation: Boolean function holding with non-uniform parity (away from ½) bias: difference between 0-parity and ½ the higher the bias, the more effective the linear approximation number of KP for a high success attack:  bias -2

11 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Cryptanalysis strategy: derive linear approximations for each individual cipher components non-linear components are the main targets combine linear approximations of consecutive components, until reach a full round for multiple rounds, use Matsui’s Piling-Up Lemma this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)

12 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 8x32-bit S-boxes are always non-surjective mappings Modular addition and substraction in round function F motivation for linear approximations of the form 0 8   32, across the S-box, where  32 is a nonzero bit mask bias for all S-boxes S 1,...,S 4 with mask  32 =1 is 2 -5 we use  32 =1 (least significant bit) to bypass the modular addition and subtraction after the S- boxes in the round function

13 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 f1f1

14 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 iterative linear relations: input and output bit masks are identical, so that it can be concatenated to itself, with a fixed decrease in the bias for CAST-128: 2-round iterative linear relations w 1 active F

15 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-128 iterative linear relations: input and output bit masks are identical, so that it can be concatenated to itself, with a fixed decrease in the bias for CAST-128: 2-round iterative linear relations w 1 active F

16 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 CAST-256 S-boxes are the same as for CAST- 128 thus, the same bit masks are used: 0  1 similarly, we look for iterative linear relations result: 4-round iterative linear relations, or one quad-round iterative linear relations.

17 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256

18 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 1 active F per quad-round

19 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 Other combinations

20 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of CAST-256 Bit mask controls active F

21 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Attack Results on reduced-round CAST-128 #RoundsData/MemoryTimeComments 22 37 distinguishing attack 32 37 distinguishing attack 42 37 2 72.5 key-recovery attack

22 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Attack Results on reduced-round CAST-256 #RoundsData/MemoryTimeComments 42 37 distinguishing attack 52 37 2 71.7 key-recovery attack 82 69 distinguishing attack 92 69 2 103 key-recovery attack 122 101 distinguishing attack

23 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Conclusions first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256 attacks exploit non-surjectivity of 8x32-bit S- boxes (happens for any such mappings)

24 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Open Problems we found quadratic equations for all four S- boxes S 1,...,S 4 of CAST-128/CAST-256. The question is: can we use them in a (pure) algebraic attack? what about combining linear and quadratic equations??

25 SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2 LSI-TEC, PKI Certification department

Download ppt "SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2."

Similar presentations

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Web Security for Network and System Administrators1 Chapter 4 Encryption.

Web Security for Network and System Administrators1 Chapter 4 Encryption.
Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.

Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
ICS 454: Principles of Cryptography

ICS 454: Principles of Cryptography
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.

Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Network Security Chapter

Network Security Chapter
CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.

CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.
CSE 651: Introduction to Network Security

CSE 651: Introduction to Network Security

Similar presentations

Ads by Google