SBSeg 2007, NCE/UFRJ, Rio de Janeiro
Linear Analysis of reduced-round CAST-128 and CAST-256
Jorge Nakahara Jr (1), Mads Rasmussen (2)
(1) UNISANTOS, Brazil
(2) LSI-TEC, PKI Certification department

Summary
- The CAST-128 and CAST-256 block ciphers
- Linear cryptanalysis: brief overview
- Linear analysis of CAST-128 and CAST-256
- Attack details
- Conclusions and open problems

CAST-128
- 64-bit iterated block cipher
- key: 40 bits up to 128 bits (in increments of 8 bits)
- 12 up to 16 rounds
- Feistel Network structure
- designed by C. Adams and S. Tavares (1996)
- S-box design procedure patented by Entrust Technologies Inc.: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

CAST-128
- CAST-128 is part of the GnuPG suite of cryptographic algorithms (there nicknamed CAST5)
- CAST-128 uses fixed 8x32-bit S-boxes: four for encryption and decryption (S1, S2, S3, S4) and four for the key schedule (S5, S6, S7, S8)
- round operations: + and - (modulo 2^32), <<< (rotation), and XOR
- three round functions: f1, f2 and f3
- an official algorithm for use by the Canadian Government

CAST-128
[Figure: the three round functions f1, f2 and f3]

CAST-256
- a former candidate in the Advanced Encryption Standard (AES) development process (1997)
- 128-bit iterated block cipher
- 128-, 192- and 256-bit keys
- 48 rounds for all key sizes
- generalized Feistel Network structure
- S-box design procedure patented by Entrust Technologies Inc.: U.S. patent 5,511,123, filed Aug. 4, 1994, issued Apr. 3, 1996

CAST-256
[Figure: one quad-round, built from the round functions f1, f2 and f3]

CAST-256
- full CAST-256: six quad-rounds followed by six inverse quad-rounds
- one inverse quad-round = one quad-round upside down
[Figure: a quad-round and an inverse quad-round, with round functions f1, f2 and f3]

Linear Cryptanalysis
- developed by Mitsuru Matsui (Mitsubishi Corp.)
- first ideas: Adi Shamir (parity of the DES S-boxes), 1994
- applied to the FEAL-4 cipher (Sean Murphy, 1989), then to FEAL-8 and DES (Matsui)
- known-plaintext (KP) attack (sometimes it can also work in a ciphertext-only setting)
- a general cryptanalytic technique: used against block ciphers, stream ciphers and other cryptographic algorithms

Linear Cryptanalysis
basic tool (some notions):
- linear relation: a linear combination of bits of plaintext, ciphertext and key
- linear approximation: a Boolean function whose parity is non-uniform (probability away from 1/2)
- bias: the difference between the probability of parity 0 and 1/2
- the higher the bias, the more effective the linear approximation
- number of KP for a high-success attack: about bias^-2

Linear Cryptanalysis
strategy:
- derive linear approximations for each individual cipher component; the non-linear components are the main targets
- combine the linear approximations of consecutive components until a full round is reached
- for multiple rounds, use Matsui's Piling-Up Lemma
- this Lemma assumes all round approximations are independent, which is not always true (but is usually good enough for practical purposes, e.g. DES)

Linear Analysis of CAST-128
- 8x32-bit S-boxes are always non-surjective mappings (256 inputs cannot cover 2^32 outputs)
- modular addition and subtraction in the round function F
- motivation for linear approximations of the form 0_8 -> alpha_32 across the S-box, where alpha_32 is a nonzero bit mask
- the bias for all S-boxes S1, ..., S4 with mask alpha_32 = 1 is 2^-5
- we use alpha_32 = 1 (the least significant bit) to bypass the modular addition and subtraction after the S-boxes in the round function
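The three notions just introduced (bias, piling-up, bias^-2 data complexity) and the least-significant-bit argument for the 8x32 S-boxes can be checked numerically. The Python below is an added worked example, not code from the slides or from the authors. It uses the PRESENT 4-bit S-box (a real, bijective S-box) as the contrasting case, and a constructed SHA-256-derived 8x32 table as a stand-in for the CAST S-boxes; that table, the function names and the sample bias values are assumptions for illustration, not CAST's S1, ..., S4.

```python
"""Bias, piling-up and the LSB trick for CAST-style 8x32 S-boxes.

Added example; not code from the SBSeg 2007 slides or their authors.
The 8x32 table below is a constructed stand-in, NOT the real CAST S-boxes.
"""
import hashlib
import random

MASK32 = 0xFFFFFFFF

# The PRESENT S-box: a real, bijective 4x4 S-box, used here only as the
# contrasting case (every approximation 0 -> out_mask has zero bias).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """XOR of all bits of a non-negative integer."""
    return bin(v).count("1") & 1


def linear_bias(sbox, in_mask, out_mask, n_in):
    """Bias of <in_mask, x> XOR <out_mask, S(x)> = 0 over all 2^n_in inputs:
    P[parity is 0] - 1/2, a value in [-1/2, 1/2]."""
    zeros = sum(1 for x in range(1 << n_in)
                if parity(x & in_mask) ^ parity(sbox[x] & out_mask) == 0)
    return zeros / (1 << n_in) - 0.5


def zero_input_biases(sbox, n_in, out_masks):
    """Biases of the approximations 0 -> out_mask (no input bits involved),
    the shape the slides use across the 8x32 S-boxes."""
    return {m: linear_bias(sbox, 0, m, n_in) for m in out_masks}


def is_surjective(sbox, n_out):
    """True iff every n_out-bit value appears; impossible when the table
    has fewer entries than 2^n_out (256 inputs vs 2^32 outputs)."""
    return len(set(sbox)) == (1 << n_out)


def constructed_8x32_sbox():
    """Deterministic 8x32 table from SHA-256 (constructed; not CAST's S1..S4)."""
    return [int.from_bytes(hashlib.sha256(bytes([x])).digest()[:4], "big")
            for x in range(256)]


def lsb_passes_add_sub(trials=20000, seed=1):
    """Check lsb(((s1 ^ s2) - s3) + s4 mod 2^32) == lsb(s1 ^ s2 ^ s3 ^ s4).
    Carries and borrows never reach bit 0, so output mask 1 crosses the
    modular + and - after the S-boxes with probability 1 (bias 1/2)."""
    rng = random.Random(seed)  # constructed stand-in for S-box outputs
    for _ in range(trials):
        s1, s2, s3, s4 = (rng.getrandbits(32) for _ in range(4))
        out = (((s1 ^ s2) - s3) + s4) & MASK32
        if (out & 1) != ((s1 ^ s2 ^ s3 ^ s4) & 1):
            return False
    return True


def piling_up(biases):
    """Matsui's piling-up lemma for k independent approximations:
    combined bias = 2^(k-1) * product of the biases."""
    prod = 1.0
    for b in biases:
        prod *= b
    return 2 ** (len(biases) - 1) * prod


def known_plaintexts(bias):
    """Rule of thumb from the slides: about bias^-2 known plaintexts."""
    return bias ** -2


if __name__ == "__main__":
    print("PRESENT, 0 -> b biases:",
          zero_input_biases(PRESENT_SBOX, 4, range(1, 16)))
    s = constructed_8x32_sbox()
    print("8x32 table surjective?", is_surjective(s, 32))
    print("8x32 bias for 0 -> 1 (LSB):", linear_bias(s, 0, 1, 8))
    print("LSB linear through + and -:", lsb_passes_add_sub())
    # Each active F contributes bias 2^-5 (the slides' value for mask 1);
    # chaining several via the piling-up lemma:
    for active in (1, 2, 4):
        b = piling_up([2 ** -5] * active)
        print(f"{active} active F: bias {b:.3g}, ~{known_plaintexts(b):.3g} KP")
```

The bijective S-box gives bias exactly 0 for every 0 -> out_mask approximation (each output value occurs once, so any output-bit parity is balanced), whereas a table with 256 entries and 32-bit outputs has no such guarantee; that is the non-surjectivity the slides exploit. The add/sub check is what lets the LSB mask pass the round function's + and - for free, so only the S-box approximation costs bias.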

Linear Analysis of CAST-128
[Figure: linear approximation across the round function f1]

Linear Analysis of CAST-128
- iterative linear relations: the input and output bit masks are identical, so the relation can be concatenated to itself, with a fixed decrease in the bias per iteration
- for CAST-128: 2-round iterative linear relations with 1 active F

Linear Analysis of CAST-256
- the CAST-256 S-boxes are the same as those of CAST-128
- thus, the same bit masks are used: 0_8 -> 1
- similarly, we look for iterative linear relations
- result: 4-round iterative linear relations, i.e. one-quad-round iterative linear relations

Linear Analysis of CAST-256
[Figure: iterative linear relation over one quad-round]

Linear Analysis of CAST-256
[Figure: active F per quad-round]

Linear Analysis of CAST-256
[Figure: other combinations of bit masks over a quad-round]

Linear Analysis of CAST-256
[Figure: the bit mask controls which F are active]

Attack Results on reduced-round CAST-128
(numeric entries of the table are not present in the transcript)
#Rounds | Data/Memory | Time | Comments
        |             |      | distinguishing attack
        |             |      | distinguishing attack
        |             |      | key-recovery attack

Attack Results on reduced-round CAST-256
(numeric entries of the table are not present in the transcript)
#Rounds | Data/Memory | Time | Comments
        |             |      | distinguishing attack
        |             |      | key-recovery attack
        |             |      | distinguishing attack
        |             |      | key-recovery attack
        |             |      | distinguishing attack

Conclusions
- first known-plaintext attacks reported on (reduced-round) CAST-128 and CAST-256
- the attacks exploit the non-surjectivity of the 8x32-bit S-boxes (which holds for any such mapping, since 256 inputs cannot cover 2^32 outputs)

Open Problems
- we found quadratic equations for all four S-boxes S1, ..., S4 of CAST-128/CAST-256. The question is: can they be used in a (pure) algebraic attack?
- what about combining linear and quadratic equations?