Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1

Contents: Problem definition; Symmetric systems cryptanalysis; Particularities of block ciphers cryptanalysis; Asymmetric systems cryptanalysis

Problem definition [Figure: A enciphers the plaintext under the KEY into ciphertext; B deciphers it with the same KEY; the cryptanalyst, observing the channel, sees the ciphertext and tries to decrypt it without the key.]

Problem definition The problem of cryptanalysis: given some information related to the cryptosystem (at least the ciphertext), determine the plaintext and/or the key. The goal of the designer is to make this problem as difficult as possible for the cryptanalyst.

Problem definition General assumption (Kerckhoffs's principle): all the details of the cryptosystem are known to the cryptanalyst. The only unknown is the key.

Problem definition Types of attack: ciphertext-only attack, known-plaintext attack, chosen-plaintext attack, chosen-ciphertext attack. The ciphertext-only attack is, in general, the most difficult one for the cryptanalyst; the more information the cryptanalyst has, the easier the attack.

Problem definition The "brute force attack" is the elementary attack: no knowledge of cryptanalysis is necessary. Assumptions: the cryptosystem is known and the ciphertext is known. The goal: determine the key/plaintext. The means: trying all the possible keys.

Problem definition Complexity of the brute force attack: extremely high, hence impractical, if there are many possible keys. Key space: the total number of keys possible in a cryptosystem.

Problem definition Examples of key space size ($2^k$ keys for a $k$-bit key): 40-bit key space, $2^{40} \approx 1 \times 10^{12}$; 56-bit key space (DES), $2^{56} \approx 7 \times 10^{16}$; 128-bit key space, $2^{128} \approx 3 \times 10^{38}$; 256-bit key space, $2^{256} \approx 1 \times 10^{77}$. For comparison the slide also lists the number of 256-bit primes (of the form $1 \times 10^{n}$; the exponent is not reproduced), the age of the Sun in seconds ($\approx 1 \times 10^{17}$), and the number of clock pulses of a 3 GHz computer clock through the Sun's age, $\approx 5.4 \times 10^{26}$.

Problem definition A cryptosystem's security is bounded above by the size of its key space: the key space is the best case, not a guarantee. A problem in the system design may cause a significant reduction of the effective key space (the number of keys that actually have to be tried). The task of the cryptanalyst is to find this pitfall and to use it to attack the system.
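As an added illustration of the effective key space (this example is not from the slides; the toy cipher, its key schedule and the 16-bit key `0xBEEF` are constructed for it), the block below has a nominal 16-bit key but a key schedule that only feeds the XOR of the two key bytes into the cipher. A brute-force attacker who reads the design therefore searches $2^8$ subkeys instead of $2^{16}$ keys, and the nominal search returns 256 equivalent keys for every consistent subkey.

```python
"""Brute force against a nominal vs. an effective key space (constructed toy cipher)."""


def subkey(key16):
    """Weak key schedule (the design pitfall): only hi XOR lo reaches the
    cipher, so every subkey is shared by 256 of the 65536 keys."""
    return ((key16 >> 8) ^ key16) & 0xFF


def encrypt_with_subkey(sk, block):
    """Toy 8-bit cipher: XOR the subkey in, then an affine byte permutation
    (a bijection on 0..255 because 167 is odd, hence invertible mod 256)."""
    return ((block ^ sk) * 167 + 89) & 0xFF


def encrypt(key16, block):
    return encrypt_with_subkey(subkey(key16), block)


def brute_force_nominal(pairs):
    """Known-plaintext brute force over all 2^16 keys. Returns every key
    consistent with the (plaintext, ciphertext) pairs and the trial count."""
    hits, trials = [], 0
    for k in range(1 << 16):
        consistent = True
        for p, c in pairs:
            trials += 1
            if encrypt(k, p) != c:
                consistent = False
                break
        if consistent:
            hits.append(k)
    return hits, trials


def brute_force_effective(pairs):
    """Same attack after reading the key schedule: search the 2^8 subkeys."""
    hits, trials = [], 0
    for sk in range(1 << 8):
        consistent = True
        for p, c in pairs:
            trials += 1
            if encrypt_with_subkey(sk, p) != c:
                consistent = False
                break
        if consistent:
            hits.append(sk)
    return hits, trials


if __name__ == "__main__":
    key = 0xBEEF                                   # constructed secret key
    pairs = [(0x41, encrypt(key, 0x41)), (0x42, encrypt(key, 0x42))]
    nominal, n_trials = brute_force_nominal(pairs)
    effective, e_trials = brute_force_effective(pairs)
    print("nominal search: %d consistent keys after %d trials" % (len(nominal), n_trials))
    print("effective search: subkeys %s after %d trials" % ([hex(s) for s in effective], e_trials))
```

Because the affine byte map is a bijection, a single known pair already pins the subkey down, so the effective search ends with exactly one subkey and the nominal search with the 256 keys that share it.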

Symmetric systems Basic attack methods against stream and block ciphers: algebraic and statistical. Algebraic attack: the key symbols (e.g. bits) are the unknowns in the system of equations assigned to the PRNG (the keystream generator).

Symmetric systems Algebraic attack (cont.): given all the details of the PRNG to be cryptanalyzed (except the key bits), determine the system of equations that relates the bits of the output sequence to the bits of the key. The designer's goal: to make this system as non-linear as possible. The reason: non-linear systems are difficult to solve; there is no general method other than trying all the possible values of the variables, i.e. $2^n$ possibilities for a system with $n$ binary variables.

Symmetric systems The problem of solving a non-linear system over GF(2) is the Boolean satisfiability problem (SAT). Cook's theorem (1971): SAT is NP-complete. However, particular instances of SAT may be easy to solve, so the designer should check the system assigned to the PRNG.

Symmetric systems Example: consider the PRNG below:

Symmetric systems The system of equations (sums and products over GF(2)):
(1) $y_1 = (x_1 + x_4)(x_5 + x_7) = x_1x_5 + x_1x_7 + x_4x_5 + x_4x_7$
(2) $y_2 = (x_1 + x_4 + x_3)(x_5 + x_7 + x_6) = x_1x_5 + x_1x_7 + x_1x_6 + x_4x_5 + x_4x_7 + x_4x_6 + x_3x_5 + x_3x_7 + x_3x_6$
… (we need 7 independent equations, one per unknown key bit $x_1, \dots, x_7$)

Symmetric systems Methods of solving the system: The brute force method: try all the possible solutions (the all-zero initial state is excluded, since it produces a constant output). The linearization method: replace every product by a new variable; solve the resulting linear system (e.g. by Gaussian elimination); then recover the original variables contained in the products from the values of the new variables, so that the overall system is consistent.

Symmetric systems Example (cont.): with the products renamed in the order they appear in (1) and (2), $z_1 = x_1x_5$, $z_2 = x_1x_7$, $z_3 = x_4x_5$, $z_4 = x_4x_7$, $z_5 = x_1x_6$, $z_6 = x_4x_6$, $z_7 = x_3x_5$, $z_8 = x_3x_7$, $z_9 = x_3x_6$, the system becomes linear in the $z_i$:
$y_1 = z_1 + z_2 + z_3 + z_4$
$y_2 = z_1 + z_2 + z_5 + z_3 + z_4 + z_6 + z_7 + z_8 + z_9$
…

Symmetric systems There are many other methods of solving the systems assigned to PRNGs: the linear consistency test (LCT), methods of computational commutative algebra (Gröbner bases etc.), and so on. Cryptanalysis of a seriously designed system always includes search.

Symmetric systems Statistical methods In the previous example the majority of the output symbols will be zero, due to the AND combining function. The non-linearity of the assigned system of equations is the highest possible, yet it is possible to exploit the bad statistical properties of the output sequence to determine the plaintext sequence.

Symmetric systems Example: with the AND output combiner (two balanced, independent inputs), the probability of a zero in the output sequence is 3/4. Upon enciphering with this sequence as the keystream, the probability that a plaintext bit is equal to the corresponding ciphertext bit is therefore 3/4. Consequence: easy reconstruction of the plaintext.
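The following block is an added example serving both the linearization method and the statistical weakness of the AND combiner; it is not from the slides, and the generator is an assumption of the example (the slides' own PRNG figure is not reproduced on the page): two LFSRs of 3 and 4 cells whose outputs are ANDed, 7 key bits in all, so every output bit is a quadratic equation in the key bits just like (1) and (2). The attack rewrites each output bit as a linear equation in the 12 products $z_{ij} = a_i b_j$, solves over GF(2) by Gaussian elimination, and reads $a$ and $b$ back from the $z_{ij}$; a brute-force search over the 105 non-zero key pairs is kept as the reference, and `zero_fraction` shows the 3/4 bias.

```python
"""Linearization attack on a constructed AND-combiner keystream generator."""

# Register A: 3 cells, feedback x^3 + x + 1 (new cell = s[0] ^ s[1]), period 7.
# Register B: 4 cells, feedback x^4 + x + 1 (new cell = s[0] ^ s[1]), period 15.
A_LEN, B_LEN = 3, 4
A_TAPS, B_TAPS = (0, 1), (0, 1)
N_MONOMIALS = A_LEN * B_LEN      # linearization variables z_ij = a_i * b_j


def parity(x):
    return bin(x).count("1") & 1


def lfsr_forms(length, taps, nbits):
    """Run the register symbolically: yield, for t = 0..nbits-1, the linear
    form (a bitmask over the initial cells) the register outputs at time t."""
    state = [1 << i for i in range(length)]
    for _ in range(nbits):
        yield state[0]
        new = 0
        for tp in taps:
            new ^= state[tp]
        state = state[1:] + [new]


def keystream(a_key, b_key, nbits):
    """Numeric keystream for integer keys (bit i of the key = initial cell i)."""
    return [parity(fa & a_key) & parity(fb & b_key)
            for fa, fb in zip(lfsr_forms(A_LEN, A_TAPS, nbits),
                              lfsr_forms(B_LEN, B_TAPS, nbits))]


def solve_gf2(rows, nvars):
    """Gaussian elimination over GF(2); rows are (coefficient mask, rhs bit).
    Returns the unique solution as a bitmask, or raises if the system is
    inconsistent or leaves some variable undetermined."""
    pivots = {}                              # leading column -> (mask, rhs)
    for mask, rhs in rows:
        while mask:
            lead = mask.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (mask, rhs)
                break
            pmask, prhs = pivots[lead]
            mask ^= pmask
            rhs ^= prhs
        else:                                # row reduced to 0 = rhs
            if rhs:
                raise ValueError("inconsistent system")
    if len(pivots) < nvars:
        raise ValueError("underdetermined: rank %d < %d" % (len(pivots), nvars))
    solution = 0
    for col in range(nvars):                 # back-substitute, low columns first
        pmask, prhs = pivots[col]
        lower = pmask & ((1 << col) - 1)
        solution |= (prhs ^ parity(lower & solution)) << col
    return solution


def linearization_attack(stream):
    """Each output bit y_t = (c_t . a)(d_t . b) becomes a linear equation in
    the products z_ij; solve, then recover a and b from the z_ij."""
    rows = []
    for y, fa, fb in zip(stream, lfsr_forms(A_LEN, A_TAPS, len(stream)),
                         lfsr_forms(B_LEN, B_TAPS, len(stream))):
        row = 0
        for i in range(A_LEN):
            for j in range(B_LEN):
                if (fa >> i) & 1 and (fb >> j) & 1:
                    row |= 1 << (i * B_LEN + j)
        rows.append((row, y))
    z = solve_gf2(rows, N_MONOMIALS)
    # z_ij = a_i b_j: when neither register is all-zero, a_i is 1 exactly
    # when row i of z is non-zero, and that row is then b itself.
    a_key = b_key = 0
    for i in range(A_LEN):
        row = (z >> (i * B_LEN)) & ((1 << B_LEN) - 1)
        if row:
            a_key |= 1 << i
            b_key = row
    if a_key == 0:
        raise ValueError("a register was all-zero; the products carry no information")
    return a_key, b_key


def brute_force(stream):
    """Reference search over the 7 x 15 = 105 non-zero key pairs."""
    return [(a, b) for a in range(1, 1 << A_LEN) for b in range(1, 1 << B_LEN)
            if keystream(a, b, len(stream)) == stream]


def zero_fraction(stream):
    """Statistical weakness: the AND of two near-balanced sequences is 0
    about 3/4 of the time, so ciphertext bit = plaintext bit that often."""
    return stream.count(0) / len(stream)
```

With one full period (105 bits) of keystream the 105 linearized equations have rank 12, so the solution is unique and the 7 key bits are recovered without touching the $2^7$ search. The zero fraction is 73/105 rather than exactly 3/4 because each m-sequence carries one more 1 than 0 per period.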

Symmetric systems Correlation: the output sequence coincides too often with one or more internal sequences. This enables correlation attacks, a kind of statistical attack. Correlation attacks make it possible to divide the task of the cryptanalyst into several less difficult tasks: "divide and conquer".

Symmetric systems [Figure: several internal sequences feeding a combining function F.] F balanced: good statistical properties of the output. Typical example: the Geffe generator.

Symmetric systems Problem: Correlation!

Symmetric systems Since the output sequence is correlated with the input sequences, each correlated input sequence can be guessed independently of the others, with high probability, once the output sequence is known.
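An added worked example of the divide-and-conquer correlation attack on a Geffe generator (not code from the slides; the register lengths 5, 7 and 6, their feedback polynomials and the test key are assumptions of the example). The Geffe combiner $F(a, b, c) = ab \oplus \bar{b}c$ is balanced, yet $F = a$ and $F = c$ each hold with probability 3/4. So registers A and C are searched one at a time, keeping the initial state whose sequence agrees with the keystream about 75% of the time (a wrong state agrees about 50%), and only the middle register B is left for an exact search: roughly $2^5 + 2^6 + 2^7$ trials instead of $2^{18}$.

```python
"""Correlation attack on a constructed Geffe generator."""

# (length, taps): Fibonacci LFSR, output is cell 0, new cell = XOR of the taps.
REGS = {
    "a": (5, (0, 2)),   # x^5 + x^2 + 1
    "b": (7, (0, 1)),   # x^7 + x + 1
    "c": (6, (0, 1)),   # x^6 + x + 1
}


def lfsr(length, taps, state, nbits):
    """Sequence of an LFSR started from integer state (bit i = cell i)."""
    cells = [(state >> i) & 1 for i in range(length)]
    out = []
    for _ in range(nbits):
        out.append(cells[0])
        new = 0
        for tp in taps:
            new ^= cells[tp]
        cells = cells[1:] + [new]
    return out


def geffe(a, b, c):
    """F(a, b, c) = a*b XOR (NOT b)*c: b selects a or c, so the output equals
    a with probability 3/4 and c with probability 3/4."""
    return [(ai & bi) ^ ((bi ^ 1) & ci) for ai, bi, ci in zip(a, b, c)]


def keystream(ka, kb, kc, nbits):
    return geffe(lfsr(*REGS["a"], ka, nbits),
                 lfsr(*REGS["b"], kb, nbits),
                 lfsr(*REGS["c"], kc, nbits))


def agreement(x, y):
    """Fraction of positions where two bit sequences coincide."""
    return sum(xi == yi for xi, yi in zip(x, y)) / len(x)


def recover_correlated(name, stream):
    """Divide and conquer: search one register alone and keep the state whose
    sequence agrees most with the keystream (expected ~0.75 vs ~0.5)."""
    length, taps = REGS[name]
    n = len(stream)
    best = max(range(1, 1 << length),
               key=lambda s: agreement(lfsr(length, taps, s, n), stream))
    return best, agreement(lfsr(length, taps, best, n), stream)


def recover_middle(ka, kc, stream):
    """With a and c known, b is the only unknown: exact search over 2^7 - 1."""
    n = len(stream)
    a = lfsr(*REGS["a"], ka, n)
    c = lfsr(*REGS["c"], kc, n)
    length, taps = REGS["b"]
    for s in range(1, 1 << length):
        if geffe(a, lfsr(length, taps, s, n), c) == stream:
            return s
    return None


def attack(stream):
    """Full key recovery from keystream alone."""
    ka, _ = recover_correlated("a", stream)
    kc, _ = recover_correlated("c", stream)
    return ka, recover_middle(ka, kc, stream), kc


if __name__ == "__main__":
    secret = (0b01101, 0b1010011, 0b101101)       # constructed key
    ks = keystream(*secret, 512)
    print("recovered:", attack(ks), "true:", secret)
```

512 keystream bits are far more than needed: the true state's agreement count sits about 128 above that of every wrong candidate, with a standard deviation near 10, so the maximum is never in doubt; a few dozen bits per register already suffice in practice.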

Symmetric systems The two most important attacks against block ciphers: linear cryptanalysis and differential cryptanalysis. Modern block ciphers (Rijndael, KASUMI, etc.) are designed so that these attacks have no practical chance of success against the full cipher.

Linear cryptanalysis is a known-plaintext attack: the cryptanalyst has a set of plaintexts and the corresponding ciphertexts, but has no way of choosing which plaintexts (and hence which ciphertexts) are available, unlike in a chosen-plaintext attack.

Symmetric systems Linear cryptanalysis takes advantage of high-probability occurrences of linear expressions involving plaintext bits, ciphertext bits (or round output bits) and subkey bits. The basic idea is to approximate the operation of a portion of the cipher by a linear expression; the approach is to find such expressions that hold with a probability far from 1/2 (much higher or much lower).

Symmetric systems Example: $X_{i,1} \oplus X_{i,2} \oplus \dots \oplus X_{i,u} \oplus Y_{j,1} \oplus Y_{j,2} \oplus \dots \oplus Y_{j,v} = 0$. Here $i$ and $j$ are the numbers of the rounds from which the bits of the input vector $X$ and the output vector $Y$ are taken, respectively; $u$ bits of the vector $X$ and $v$ bits of the vector $Y$ enter the expression.

Symmetric systems If a block cipher displays a tendency for such linear equations to hold with a probability much higher (or much lower) than 1/2, this is evidence of the cipher's poor randomization. The deviation (bias) from the probability 1/2 of such an expression holding is what linear cryptanalysis exploits; it is called the linear probability bias.

Symmetric systems Denote the probability that the equation holds by $p_L$. The larger the magnitude of the probability bias $|p_L - 1/2|$, the better linear cryptanalysis applies, with fewer known plaintexts required in the attack. $p_L = 1$: catastrophic weakness, there is always a linear relation in the cipher. $p_L = 0$: catastrophic weakness, there is an affine relation in the cipher (the complement of a linear relation).

Symmetric systems Consider two random binary variables $X_1$ and $X_2$. $X_1 \oplus X_2 = 0$ is a linear expression, equivalent to $X_1 = X_2$. $X_1 \oplus X_2 = 1$ is an affine expression, equivalent to $X_1 \neq X_2$. Assume the following probability distributions: $P(X_1 = 0) = p_1$, $P(X_1 = 1) = 1 - p_1$; $P(X_2 = 0) = p_2$, $P(X_2 = 1) = 1 - p_2$.

Symmetric systems If $X_1$ and $X_2$ are independent, then $P(X_1 = 0, X_2 = 0) = p_1 p_2$, $P(X_1 = 0, X_2 = 1) = p_1(1 - p_2)$, $P(X_1 = 1, X_2 = 0) = (1 - p_1)p_2$, $P(X_1 = 1, X_2 = 1) = (1 - p_1)(1 - p_2)$.

Symmetric systems It can be shown that $P(X_1 \oplus X_2 = 0) = P(X_1 = 0, X_2 = 0) + P(X_1 = 1, X_2 = 1) = p_1 p_2 + (1 - p_1)(1 - p_2)$.

Symmetric systems With the probability bias introduced, $p_1 = 1/2 + \varepsilon_1$, $p_2 = 1/2 + \varepsilon_2$, $-1/2 \le \varepsilon_1, \varepsilon_2 \le 1/2$, we have $P(X_1 \oplus X_2 = 0) = 1/2 + 2\varepsilon_1\varepsilon_2$, i.e. the bias of the sum is $\varepsilon_{1,2} = 2\varepsilon_1\varepsilon_2$.

Symmetric systems Extension to $n$ random binary variables: the piling-up lemma (Matsui, 1993). For $n$ independent random binary variables $X_1, X_2, \dots, X_n$ with $P(X_i = 0) = 1/2 + \varepsilon_i$, $P(X_1 \oplus X_2 \oplus \dots \oplus X_n = 0) = 1/2 + 2^{n-1}\prod_{i=1}^{n} \varepsilon_i$, or equivalently $\varepsilon_{1,2,\dots,n} = 2^{n-1}\prod_{i=1}^{n} \varepsilon_i$.

If $p_i = 0$ or $1$ for all $i$, then $P(X_1 \oplus \dots \oplus X_n = 0) = 0$ or $1$. If only one $p_i = 1/2$, then $P(X_1 \oplus \dots \oplus X_n = 0) = 1/2$ (a single unbiased variable kills the bias of the whole sum). In developing the linear approximation of a cipher, the $X_i$ values actually represent linear approximations of the S-boxes.

Symmetric systems Example: four random binary variables $X_1, X_2, X_3$ and $X_4$. Let $P(X_1 \oplus X_2 = 0) = p_{1,2} = 1/2 + \varepsilon_{1,2}$ and $P(X_2 \oplus X_3 = 0) = p_{2,3} = 1/2 + \varepsilon_{2,3}$. Let us derive the expression for the sum of $X_1$ and $X_3$ by adding the two expressions: $X_1 \oplus X_2 \oplus X_2 \oplus X_3 = X_1 \oplus X_3$.

Symmetric systems Since we may consider $X_1 \oplus X_2$ and $X_2 \oplus X_3$ to be independent, we can use the piling-up lemma to determine $P(X_1 \oplus X_3 = 0) = P(X_1 \oplus X_2 \oplus X_2 \oplus X_3 = 0) = 1/2 + 2\varepsilon_{1,2}\varepsilon_{2,3}$, and consequently $\varepsilon_{1,3} = 2\varepsilon_{1,2}\varepsilon_{2,3}$.

Symmetric systems The expressions $X_1 \oplus X_2 = 0$ and $X_2 \oplus X_3 = 0$ are analogous to linear approximations of S-boxes. The expression $X_1 \oplus X_3 = 0$ is analogous to a cipher approximation in which the intermediate bit $X_2$ is eliminated. A real analysis is much more complex, involving many S-box approximations.