
Slide 1: Linear Analysis of reduced-round CAST-128 and CAST-256
SBSeg 2007, NCE/UFRJ, Rio de Janeiro
Jorge Nakahara Jr (1), Mads Rasmussen (2)
(1) UNISANTOS, Brazil
(2) LSI-TEC, PKI Certification department

Slide 2: Summary
- The CAST-128 and CAST-256 block ciphers
- Linear cryptanalysis: brief overview
- Linear analysis of CAST-128 and CAST-256
- Attack details
- Conclusions and open problems

Slide 3: CAST-128
- 64-bit iterated block cipher
- key: 40 bits up to 128 bits (in increments of 8 bits)
- 12 up to 16 rounds
- Feistel Network structure
- designed by C. Adams and S. Tavares (1996)
- S-box design procedure patented by Entrust Technologies Inc.: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

Slide 4: CAST-128
- CAST-128 is part of the GnuPG suite of cryptographic algorithms (nicknamed CAST5)
- CAST-128 uses fixed 8x32-bit S-boxes: S1, S2, S3, S4 for encryption and decryption, and S5, S6, S7, S8 for the key schedule
- round operations: +, -, <<<
- three round functions: f1, f2 and f3
- an official algorithm for use with the Canadian Government: http://www.cse-cst.gc.ca/services/crypto-services/crypto-algorithms-e.html

Slide 5: CAST-128 round functions (figure: f1, f2, f3)

Slide 6: CAST-256
- a former candidate in the Advanced Encryption Standard (AES) development process (1997)
- 128-bit iterated block cipher
- 128-, 192- and 256-bit keys
- 48 rounds for all key sizes
- generalized Feistel Network structure
- S-box design procedure patented by Entrust Technologies Inc.: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

Slide 7: CAST-256, one quad-round (figure: round functions f1, f1, f2, f3)

Slide 8: CAST-256
- full CAST-256: six quad-rounds + six inverse quad-rounds
- one inverse quad-round = one quad-round upside down
(figure: round functions f1, f2, f1, f3)

Slide 9: Linear Cryptanalysis
- developed by Mitsuru Matsui (Mitsubishi Corp.)
- first ideas: Adi Shamir (parity of the DES S-boxes), 1994
- applied to the FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8 and DES (Matsui, 1991-1993)
- known-plaintext (KP) attack (sometimes it also works in a ciphertext-only setting)
- general cryptanalytic technique: used against block ciphers, stream ciphers and other crypto algorithms

Slide 10: Linear Cryptanalysis (some basic notions)
- basic tool: the linear relation, a linear combination of bits of plaintext, ciphertext and key
- linear approximation: a Boolean function holding with non-uniform parity (probability away from 1/2)
- bias: the difference between the probability of 0-parity and 1/2
- the higher the bias, the more effective the linear approximation
- number of KP for a high-success attack: proportional to bias^-2

Slide 11: Linear Cryptanalysis
- strategy: derive linear approximations for each individual cipher component; the non-linear components are the main targets
- combine the linear approximations of consecutive components until a full round is covered
- for multiple rounds, use Matsui's Piling-Up Lemma
- this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)

Slide 12: Linear Analysis of CAST-128
- 8x32-bit S-boxes are always non-surjective mappings
- modular addition and subtraction in the round function F
- motivation for linear approximations across the S-box with an all-zero 8-bit input mask and a nonzero 32-bit output mask
- the bias of all S-boxes S1,...,S4 with output mask 1 is 2^-5
- we use output mask 1 (least significant bit) to bypass the modular addition and subtraction after the S-boxes in the round function

Slide 13: Linear Analysis of CAST-128 (figure: linear approximation across round function f1)

Slide 14: Linear Analysis of CAST-128
- iterative linear relations: input and output bit masks are identical, so the relation can be concatenated to itself, with a fixed decrease in the bias per concatenation
- for CAST-128: 2-round iterative linear relations with 1 active F (figure)


Slide 16: Linear Analysis of CAST-256
- the CAST-256 S-boxes are the same as for CAST-128
- thus, the same bit masks are used: input mask 0 and output mask 1
- similarly, we look for iterative linear relations
- result: 4-round iterative linear relations, i.e. one-quad-round iterative linear relations

Slide 17: Linear Analysis of CAST-256 (figure)

Slide 18: Linear Analysis of CAST-256: 1 active F per quad-round (figure)

Slide 19: Linear Analysis of CAST-256: other combinations (figure)

Slide 20: Linear Analysis of CAST-256: the bit mask controls which F is active (figure)

Slide 21: Attack Results on reduced-round CAST-128

#Rounds | Data/Memory | Time    | Comments
2       | 2^37        | -       | distinguishing attack
3       | 2^37        | -       | distinguishing attack
4       | 2^37        | 2^72.5  | key-recovery attack

Slide 22: Attack Results on reduced-round CAST-256

#Rounds | Data/Memory | Time    | Comments
4       | 2^37        | -       | distinguishing attack
5       | 2^37        | 2^71.7  | key-recovery attack
8       | 2^69        | -       | distinguishing attack
9       | 2^69        | 2^103   | key-recovery attack
12      | 2^101       | -       | distinguishing attack
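Added worked example (not from the slides): it measures the bias of a zero-input-mask approximation across an 8x32-bit S-box, checks why output mask 1 crosses modular +/- for free, and chains the slides' per-S-box bias of 2^-5 with the Piling-Up Lemma to reproduce the data complexities in the two tables above. It assumes the CAST-128 specification's round-function structure (each F combines four S-box outputs with +, - and XOR), the usual rule of thumb of 8 * bias^-2 known plaintexts, and a constructed random S-box in place of the real CAST tables.

```python
import random
from math import log2

def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1

def sbox_bias(sbox, out_mask: int) -> float:
    """Bias of (input mask 0 -> output mask out_mask) across an 8x32-bit S-box:
    P[out_mask . S(x) = 0] - 1/2 over all 256 inputs. With a zero input mask,
    the key material mixed into the S-box input is irrelevant."""
    zeros = sum(1 for x in range(256) if parity(sbox[x] & out_mask) == 0)
    return zeros / 256 - 0.5

def best_single_bit_mask(sbox):
    """Scan the 32 single-bit output masks; return (mask, bias) with largest |bias|."""
    return max(((1 << i, sbox_bias(sbox, 1 << i)) for i in range(32)),
               key=lambda t: abs(t[1]))

def lsb_survives_add_sub(a: int, b: int) -> bool:
    """Bit 0 of a+b and of a-b (mod 2^32) equals a0 XOR b0: no carry or borrow
    enters bit 0, so mask 1 crosses modular +/- with probability 1."""
    lsb_xor = (a ^ b) & 1
    return ((a + b) & 1) == lsb_xor and (((a - b) % 2**32) & 1) == lsb_xor

def piling_up(biases):
    """Matsui's Piling-Up Lemma: 2^(n-1) * prod(bias_i) for n independent approximations."""
    combined = 2 ** (len(biases) - 1)
    for e in biases:
        combined *= e
    return combined

def known_plaintexts_log2(bias: float, c: int = 8) -> float:
    """log2 of c * bias^-2 known plaintexts (c = 8 is an assumed rule of thumb)."""
    return log2(c) - 2 * log2(abs(bias))

def cast_attack_data_log2(active_f: int, sbox_bias_each: float = 2 ** -5) -> float:
    """One active F combines four S-boxes with +, - and XOR, so its output LSB is the
    XOR of four S-box LSBs: bias 2^3 * (2^-5)^4 = 2^-17. Chaining active_f such F's
    gives 2^37, 2^69 and 2^101 KP for 1, 2 and 3 active F, as in the tables."""
    f_bias = piling_up([sbox_bias_each] * 4)
    return known_plaintexts_log2(piling_up([f_bias] * active_f))

# Constructed random 8x32-bit S-box for the bias scan (NOT the real CAST S-boxes).
_rng = random.Random(2007)
DEMO_SBOX = [_rng.getrandbits(32) for _ in range(256)]

if __name__ == "__main__":
    print("best single-bit mask on demo S-box:", best_single_bit_mask(DEMO_SBOX))
    for k in (1, 2, 3):
        print(f"{k} active F -> 2^{cast_attack_data_log2(k):.1f} known plaintexts")
```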

Slide 23: Conclusions
- first known-plaintext attack reported on (reduced-round) CAST-128 and CAST-256
- the attacks exploit the non-surjectivity of the 8x32-bit S-boxes (true for any such mapping, since 256 inputs cannot cover 2^32 outputs)

Slide 24: Open Problems
- we found quadratic equations for all four S-boxes S1,...,S4 of CAST-128/CAST-256
- the question is: can we use them in a (pure) algebraic attack?
- what about combining linear and quadratic equations?
