Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exhaustive Key Search for DES: Updates and refinements Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve Belgium François-Xavier Standaert (UCL,

Published byElissa Simper Modified over 9 years ago

Similar presentations

Presentation on theme: "Exhaustive Key Search for DES: Updates and refinements Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve Belgium François-Xavier Standaert (UCL,"— Presentation transcript:

1 Exhaustive Key Search for DES: Updates and refinements Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve Belgium François-Xavier Standaert (UCL, Columbia, MIT) jjq@dice.ucl.ac.be http://uclcrypto.org

2 keylength.com announcement cryptosavvy.com is down A new active web site run by UCL Crypto Group Gives length of keys for the future (till 2050) based on (adjustable by you) criteria Secret key, public key (RSA, ECC), hash functions Based on papers by Lenstra and Verheul Approved and reviewed by Arjen Lenstra Your comments?

3 The beginning of the story Brute force attack: try all keys (possibilities) Brute force people: Yahoo (see Jonathan Swift) What is it possible today?

4 Jonathan Swift (Gulliver’s travels) Power and Sieving By Monks (Monkeys?)

5 Introduction -Brute-force attacks : often the most realistic -Basic scenarios : exhaustive search or precomputation tables -Hellman (1980) : trade time for memory  time, memory, precomputation -Rivest (1982) : use of distinguished points (Denning’s book)  More realistic attacks

6 Exhaustive search: Basic algorithm Given m and c, try all keys k in K, –Test if E(m, k) = c If yes, output k k is the key with high probability

7 Basic algorithm (in //) Split K in K1, K2, K3, … Distribute m, c and Ki to node i Each node i do –Given m and c, try all keys k in Ki, –Test if E(m, k) = c –If yes, output k k is the key with high probability

8 Key search: Bombe

9 IEEE Computer - November 1991 Crypto 87 - rump session

10 RFC 3607 Network Working Group M. Leech Request for Comments: 3607 Nortel Networks Category: Informational September 2003 Chinese Lottery Cryptanalysis Revisited: The Internet as a Codebreaking Tool Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract This document revisits the so-called Chinese Lottery massively-parallel cryptanalytic attack. It explores Internet-based analogues to the Chinese Lottery, and their potentially-serious consequences. 1. Introduction In 1991, Quisquater and Desmedt proposed an esoteric, but technically sound, attack against DES or similar ciphers. They termed this attack the Chinese Lottery. It was based on a …

11 Other paradigm (Chinese Lotto) Broadcast (download) m and c Each computing node is doing when possible: –Choose a random key r in K –Given m and c, try r, Test if E(m, r) = c –If yes, output k (low communication) k is the key with high probability

12 Other Paradigm (the Chinese Lotto) Advantages (Daniel Bernstein :-): –Low cost –No control –No communication –No wire –Efficient (the price of anarchy – see Papadimitriou – is only 2) –Automatic redundancy at low cost –Trade-offs are possible –Not used? –See also book by Tanenbaum

13 DES and exhaustive key search machines -1977 : Diffie & Hellman, US$ 20M, (predicted DES totally insecure by the 1990s) -1987 : 512 000 DES / second in one chip -1993 : Wiener, US$ 1M, success in 3.5 hours (prediction) -1997, 1998, RSA : DES cryptograms broken by computer consortiums in resp. 5 months and 39 days -1998 : EFF DES cracker hardware, US$ 200 000, 3 days -Recent FPGAs ???

14 EFF DES Cracker:Paul Kocher

15 TODAY?

16 -Spartan 3S1000 : US$ 12 -Optimized FPGA implementations of the DES :  XC2V8000: 93184 LUT (22 DES in //): 2 33 DES/sec/chip  3S1000: 15360 LUT (4 DES in //): 2 29 DES/sec/chip US$ 12 000 to crack a DES key in about 3 days

17 First conclusions Pure exhaustive search: 2 55 keys Using existing implementations (UCL) with today technology (Xilinx): –Simplest attack: one chip in 2 22 sec (2 months)

18 NSA?

19 Long keys today? One year (2 25 seconds) One million of Xilinx8000 (better?) That is –2 25 sec x 2 20 chips x 2 33 DES/sec = 2 78 keys Conclusion: 80 bits is NOT enough at all for long term security (112-128-256 bits?).

20 Hellman’s time-memory tradeoff -Let P be a fixed chosen plaintext -Let g be a function that maps ciphertexts to keys  we define => ~ encryption, <= cryptanalysis a)Precomputation : (r tables) (store extreme points)

21 b) Online attack : - Let C be the intercepted ciphertext :  Compute g(C)=f(K)  Start chaining and check for every point if it is the table ?

22  Lots of memory accesses (t for each table)  Fixed chain length  Simple analysis

23 Time-memory tradeoffs using distinguished points -Variable chain length but detectable extreme points -Distinguished points have d bits fixed to zero a) Precomputation :

24 b) Online attack : => Table lookups reduced from t to 1

25 Problems: -Chains can merge (=> use different g functions) -Chains can collide  The probability of success depends of how well the computed chains cover the key space

26 FPGA Designs - Nearly as simple as exhaustive key search - If n pipeline stages, deal with n start points in parallel

27 Theoretical analysis keys DP condition of order d. m start points. r mask functions. : the minimum chain length. : the maximum chain length.

28 a) Average chain length: b) Cover g : percentage of chains included in the region [ ; ] = P( ) – P( -1). 1. Probability to reach a DP in less than l iterations:

29 2. Previous proposals for the success rate SR: OK for Hellman’s tradeoff Suggest to stop precomputations at mt²= number of chains – mean length of a chain Not for the DP variant: we store chains, not keys.

30 3. A prediction of the mergers using a storage function s(j) and the probability to find a new chain after storage s(j): p(j). j = g m = number of chains in region [ ; ]

31 Linear approximation Euler methods Conclusions: Precedent evaluations of the success rate are not directly applicable to the DP variant. We propose:

32 Linear approximation: too conservative. The condition mt²= is not always optimal linear approximation (too conservative) similar to mt² = p(j)

33 4. Average chain length after sort : Let be the number of chains of length l, evaluated using the storage function with non-zero initial conditions:  Practically evaluated with length intervals.

34 5. Final probability of success and complexities:

35 Practical experiments Against DES-40: mt²= is not optimal and we optimize the online attack. Against DES-56: critical precomputation.  Both confirmed our theoretical predictions

36 DES-40 : precomputation task Note that mt²= would mean to stop precomputations at m=.

37 DES-40 : online attack -Presented at the rump session of CRYPTO 2001 -Performed on a single PC (256MbRAM, 350Mhz) -Breaks a 40-bit key in ~10 sec -An exhaustive key search on the same PC would have taken ~50 days. -PS = 72% (theory predicted 73.7%). -HW useful for larger keys.

38 DES-56 : precomputation task

39 DES-56 : online attack predictions => With a reasonable encryption rate ( enc/sec) and 4096 CDROM’s, we could break DES-56 in about: seconds = 4.2 min. with PS = 75%. A lot of other parameters are possible…

40 Other example (in the paper): Hellman’s parameters:  ~ 2048 CDROMS of memory  Attack in ~ 20 minutes (< half an hour)

41 Prospects -Practical attacks against « real » systems: - Bond 2002, attack against IBM 4758 CCA (used in retail banking to protect the ATM infrastructure) - Oechslin 2003, MS-Windows instant crack - KULeuven paper of this morning  Both based on time-memory tradeoff techniques - Rainbow tables (better for the precomputations), see Philippe Oechslin

42 Conclusions -Time-memory tradeoff using distinguished points revisited -Practical consequences (by far) more dramatic than exhaustive key search -Practical implementations are possible up to 56 bits -Rainbow tables are simpler to build and analyze -Distinguished points have a more theoretical interest and can be used to detect collisions (e.g. hash functions) (see Q. and Delescaille, at Eurocrypt and Crypto).

Download ppt "Exhaustive Key Search for DES: Updates and refinements Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve Belgium François-Xavier Standaert (UCL,"

Similar presentations

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
IP Routing Lookups Scalable High Speed IP Routing Lookups.

IP Routing Lookups Scalable High Speed IP Routing Lookups.
Cryptology  Terminology  plaintext - text that is not encrypted.  ciphertext - the output of the encryption process.  key - the information required.

Cryptology  Terminology  plaintext - text that is not encrypted.  ciphertext - the output of the encryption process.  key - the information required.
Cryptanalysis on FPGA Based Hardware

Cryptanalysis on FPGA Based Hardware
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.

Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.

Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.
CS 682 - Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.

CS Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University.

Once Upon a Time-Memory Tradeoff Mark Stamp Department of Computer Science San Jose State University.

Similar presentations

Ads by Google