Exhaustive Key Search for DES: Updates and refinements Jean-Jacques Quisquater UCL Crypto Group Louvain-la-Neuve Belgium François-Xavier Standaert (UCL, Columbia, MIT)
keylength.com announcement
- cryptosavvy.com is down
- A new active web site run by UCL Crypto Group
- Gives length of keys for the future (till 2050) based on (adjustable by you) criteria
- Secret key, public key (RSA, ECC), hash functions
- Based on papers by Lenstra and Verheul
- Approved and reviewed by Arjen Lenstra
Your comments?
The beginning of the story
- Brute force attack: try all keys (possibilities)
- Brute force people: Yahoo (see Jonathan Swift)
What is possible today?
Jonathan Swift (Gulliver’s travels) Power and Sieving By Monks (Monkeys?)
Introduction
- Brute-force attacks: often the most realistic
- Basic scenarios: exhaustive search or precomputation tables
- Hellman (1980): trade time for memory (time, memory, precomputation)
- Rivest (1982): use of distinguished points (Denning's book)
More realistic attacks
Exhaustive search: basic algorithm
Given m and c, try all keys k in K:
- Test if E(m, k) = c
- If yes, output k
k is the key with high probability
Basic algorithm (in parallel)
- Split K into K1, K2, K3, ...
- Distribute m, c and Ki to node i
- Each node i does: given m and c, try all keys k in Ki; test if E(m, k) = c; if yes, output k
k is the key with high probability
RFC 3607 Network Working Group M. Leech Request for Comments: 3607 Nortel Networks Category: Informational September 2003 Chinese Lottery Cryptanalysis Revisited: The Internet as a Codebreaking Tool Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract This document revisits the so-called Chinese Lottery massively-parallel cryptanalytic attack. It explores Internet-based analogues to the Chinese Lottery, and their potentially-serious consequences. 1. Introduction In 1991, Quisquater and Desmedt proposed an esoteric, but technically sound, attack against DES or similar ciphers. They termed this attack the Chinese Lottery. It was based on a …
Other paradigm (Chinese Lotto)
- Broadcast (download) m and c
- Each computing node, whenever it can:
  - chooses a random key r in K
  - given m and c, tries r: test if E(m, r) = c
  - if yes, outputs r (low communication)
r is the key with high probability
Other paradigm (the Chinese Lotto)
Advantages (Daniel Bernstein :-):
- Low cost
- No control
- No communication
- No wire
- Efficient (the price of anarchy, see Papadimitriou, is only 2)
- Automatic redundancy at low cost
- Trade-offs are possible
- Not used?
- See also the book by Tanenbaum
DES and exhaustive key search machines
- Diffie & Hellman, US$ 20M (predicted DES totally insecure by the 1990s)
- DES / second in one chip
- Wiener, US$ 1M, success in 3.5 hours (prediction)
- 1997, 1998, RSA: DES cryptograms broken by computer consortiums in resp. 5 months and 39 days
- EFF DES cracker hardware, US$ , 3 days
- Recent FPGAs ???
EFF DES Cracker: Paul Kocher
- Spartan 3S1000: US$ 12
- Optimized FPGA implementations of the DES:
  - XC2V8000: LUT (22 DES in parallel): 2^33 DES/sec/chip
  - 3S1000: LUT (4 DES in parallel): 2^29 DES/sec/chip
US$ to crack a DES key in about 3 days
First conclusions
Pure exhaustive search: 2^55 keys
Using existing implementations (UCL) with today's technology (Xilinx):
- Simplest attack: one chip in 2^22 sec (2 months)
Long keys today?
One year (2^25 seconds), one million Xilinx 8000 chips (better?). That is:
- 2^25 sec x 2^20 chips x 2^33 DES/sec = 2^78 keys
Conclusion: 80 bits is NOT enough at all for long-term security ( bits?).
Hellman's time-memory tradeoff
- Let P be a fixed chosen plaintext
- Let g be a function that maps ciphertexts to keys; we define (=> ~ encryption, <= cryptanalysis)
a) Precomputation: (r tables) (store extreme points)
b) Online attack:
- Let C be the intercepted ciphertext: compute g(C) = f(K)
- Start chaining and check for every point whether it is in the table
- Lots of memory accesses (t for each table)
- Fixed chain length
- Simple analysis
Time-memory tradeoffs using distinguished points
- Variable chain length but detectable extreme points
- Distinguished points have d bits fixed to zero
a) Precomputation:
b) Online attack:
=> Table lookups reduced from t to 1
Problems:
- Chains can merge (=> use different g functions)
- Chains can collide
The probability of success depends on how well the computed chains cover the key space
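The distinguished-point tradeoff of the two slides above, as an added worked example (not code from the talk or from the UCL implementation): chains are built from random start points until a point whose d low bits are zero, only the extreme points are stored, and the online attack walks from g(C) to a distinguished point, does a single table lookup, and replays the stored chain, so that a merged chain shows up as a false alarm rather than a wrong key. The toy 16-bit cipher (a truncated keyed hash in place of DES), the plaintext P and the parameters m, d and tmax are assumptions made for the example.

```python
import hashlib
import random

P = b"chosen plaintext"      # the fixed chosen plaintext P (constructed value)
KEY_BITS = 16                # toy key space of 2^16 keys instead of DES-56
MASK = (1 << KEY_BITS) - 1

def encrypt(m: bytes, k: int) -> int:
    """Toy 16-bit block cipher E(m, k): a keyed hash truncated to 16 bits."""
    h = hashlib.sha256(k.to_bytes(2, "big") + m).digest()
    return int.from_bytes(h[:2], "big")

def g(c: int) -> int:
    return c & MASK   # reduce a ciphertext into the key space (identity here)

def f(k: int) -> int:
    return g(encrypt(P, k))  # one chain step: key -> ciphertext -> next key

def is_dp(x: int, d: int) -> bool:
    return x & ((1 << d) - 1) == 0  # distinguished point: d low bits are zero

def precompute(m, d, tmax, seed=1):
    """Chain m random start points with f until a DP (<= tmax steps); store only end DP -> start."""
    rng, table = random.Random(seed), {}
    for _ in range(m):
        start = x = rng.getrandbits(KEY_BITS)
        for _ in range(tmax):
            x = f(x)
            if is_dp(x, d):
                table.setdefault(x, start)  # merged chains: keep the first
                break
    return table

def online_attack(table, c, d, tmax):
    """Walk from g(C) to a DP, one table lookup, replay the stored chain; None on failure."""
    y = g(c)
    for _ in range(tmax + 1):
        if is_dp(y, d):
            x = table.get(y)
            if x is None:             # DP not in the table: key not covered
                return None
            for _ in range(tmax):     # a merged chain may give a false alarm
                if encrypt(P, x) == c:
                    return x
                x = f(x)
            return None
        y = f(y)
    return None                       # walk looped without reaching a DP
```

A chain whose start point is stored always recovers its own keys; a key whose chain merged into another one is exactly the case where the replay ends without a match, which is why the success rate depends on coverage rather than on the number of chains alone.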
FPGA designs
- Nearly as simple as exhaustive key search
- If n pipeline stages, deal with n start points in parallel
Theoretical analysis keys DP condition of order d. m start points. r mask functions. : the minimum chain length. : the maximum chain length.
a) Average chain length: b) Cover g : percentage of chains included in the region [ ; ] = P( ) – P( -1). 1. Probability to reach a DP in less than l iterations:
2. Previous proposals for the success rate SR: OK for Hellman's tradeoff. Suggest to stop precomputations at mt² = (m: number of chains, t: mean length of a chain). Not for the DP variant: we store chains, not keys.
3. A prediction of the mergers using a storage function s(j) and the probability to find a new chain after storage s(j): p(j). j = g m = number of chains in region [ ; ]
Linear approximation, Euler methods
Conclusions: previous evaluations of the success rate are not directly applicable to the DP variant. We propose:
- Linear approximation (too conservative), similar to mt² = p(j)
- The condition mt² = is not always optimal
4. Average chain length after sort : Let be the number of chains of length l, evaluated using the storage function with non-zero initial conditions: Practically evaluated with length intervals.
5. Final probability of success and complexities:
Practical experiments
- Against DES-40: mt² = is not optimal and we optimize the online attack.
- Against DES-56: critical precomputation.
Both confirmed our theoretical predictions.
DES-40: precomputation task. Note that mt² = would mean stopping precomputations at m = .
DES-40: online attack
- Presented at the rump session of CRYPTO
- Performed on a single PC (256 MB RAM, 350 MHz)
- Breaks a 40-bit key in ~10 sec
- An exhaustive key search on the same PC would have taken ~50 days
- PS = 72% (theory predicted 73.7%)
- HW useful for larger keys
DES-56: precomputation task
DES-56: online attack predictions
=> With a reasonable encryption rate ( enc/sec) and 4096 CDROMs, we could break DES-56 in about seconds = 4.2 min. with PS = 75%. A lot of other parameters are possible...
Other example (in the paper): Hellman's parameters: ~2048 CDROMs of memory, attack in ~20 minutes (< half an hour)
Prospects
- Practical attacks against "real" systems:
  - Bond 2002, attack against IBM 4758 CCA (used in retail banking to protect the ATM infrastructure)
  - Oechslin 2003, MS-Windows instant crack
  - KULeuven paper of this morning
  Both based on time-memory tradeoff techniques
- Rainbow tables (better for the precomputations), see Philippe Oechslin
Conclusions
- Time-memory tradeoff using distinguished points revisited
- Practical consequences (by far) more dramatic than exhaustive key search
- Practical implementations are possible up to 56 bits
- Rainbow tables are simpler to build and analyze
- Distinguished points have a more theoretical interest and can be used to detect collisions (e.g. hash functions) (see Q. and Delescaille, at Eurocrypt and Crypto).