Cryptographic Attacks on Scrambled LZ-Compression and Arithmetic Coding By: RAJBIR SINGH BIKRAM KAHLON

Outline LZ Compression Arithmetic Coding Scrambled Input LZ Compression Scrambled Input Arithmetic Coding Attacks Conclusions References

LZ Compression Algorithm 1. Find the longest substring in the codebook. 2. Output its code. 3. Append the very next character from the input and create a new codebook entry for the resulting string. 4. Advance past the end of the substring just encoded. Until no more character.

LZ Compression Example abbaabbaababbaaaabaabba Dictionary IndexEntryIndexEntry a b ab bb ba aa abb baa aba abba aaa aab baab bba

Scrambled LZ Compression Algorithm Initialize the pseudo random number generator with encryption key. Add null characters in dictionary. Shuffle the initial values of dictionary. Perform LZ Compression

Arithmetic Coding It takes a stream of input symbols and replaces it with a single floating point output number greater than 0 & less than 1. Algorithm Set low to 0.0 Set high to 1.0 While there are still input symbols do Get an Input symbol Code_range = high - low. high = low + range*high_range(symbol) low = low + range*low_range(symbol) End of While Output low

Scrambled Arithmetic Coding Algorithm Initialize the pseudo random number with encryption key Shuffle the probability table Perform Arithmetic Coding

Ciphertext-Only Attack Attack model, in which access to a set of different ciphertexts is provided. Success If: Plaintext corresponding to the ciphertext being analyzed. The encryption key is revealed. Any information about the plaintext pattern.

Chosen-Ciphertext Attack In this case, cryptanalyst chooses ciphertext of his choice. One of the ciphertext(LZ) taken for analysis: ↕ Ö ↕ r ↕ æ ↕ ☼ ↕ Ç ↕ ↕ ↕ ↕ ↕ ¥ ↕ m ↕ O ↕ ≡ ↕ ∙ ↕ ═ ↕ & ↕ ► ↕ ▒ ↕ ⌡ ↕ ▲ ↕ x ‼

ADAPTIVE-CHOSEN-CIPHERTEXT ATTACK Attacker sends a number of cipher texts to be decrypted and use these decrypted cipher texts to select subsequent cipher texts. Most advanced version of cipher text attacks.

Linear Cryptanalysis A linear relation between bits of plaintext, the ciphertext and the bits of key is determined. The basic idea is to approximate the operation of the cipher with an expression that is linear. Xi1 + Xi2 +..Xiu + Yj1 + Yj2 +..Yjv = 0 where Xi represents the i-th bit of the input and Yj represents the j-th bit of the output and ‘+’ represents the exclusive-OR

Conclusions On LZ-Compression Null characters are part of cipher text, so its hard to distinguish between messages and null strings for traffic flow security. The same encoded strings even within same message bear no resemblance to each other i.e. output is completely random. A part of message can not be treated as separate and every part of message is completely dependant on what came prior to it.

Conclusions On LZ-Compression In case of linear attack on LZ compression, it involves big numbers for computation. For 1076 bytes or possible sequences will generate possible enciphering permutations. The number of possible permutations is huge and hides the plaintext.

Conclusions on Arithmetic Coding No two messages M & M` produce same ciphertext file. Arithmetic Coding does not use fixed codewords to represent symbols. A large keyspace i.e. around 2048 bit encryption key makes it difficult to attack the algorithms introduced by Dr. Wang. In case of linear attack, it requires 2 47 known- plaintext blocks and will result in one key bit.

Chosen-Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding cipher texts.

Adaptive Chosen-Plaintext Attacks This attack is similar to chosen-plaintext attack except that in this case, the cryptanalyst makes an nth query based on output of last (n-1) queries.

Differential Attacks In this kind of cryptanalysis, certain fixed differences between the plaintext and the cipher text are exploited till the last round of the cipher. Certain differences, called "characteristics," in plaintext pairs have a high probability of causing certain differences in the resulting cipher text pairs. To find the correct round key, simply collect enough guesses so that one sub key is suggested more often than all the others.

Conclusions Unicity Distance n = H(K)/[|M| - H(M)] H (K) = entropy of keys used in encryption |M| = maximum possible entropy for the plaintext H (M) = entropy of message

Conclusions Case1: Plaintext is ASCII characters Unicity Distance comes out to be characters (very large). Case2: Plaintext is English Language Unicity Distance is characters. H|M| is only value that changes.

Conclusions Large Keyspace – 2048 bit encryption key. Cipher text Randomness. Regularities Reduction. Increased Entropy. Differential Attacks Impractical. For m chosen-plaintext pairs, the corresponding known-plaintext will need about 2 w/2 (2m 1/2 ) known plaintexts (w is the block size (in bits)). With 64-bit block using only eight chosen-plaintext pairs (very small number practically),the corresponding known-plaintext attack will require 2 34 plaintext-cipher text pairs, a large number. On DES,1.5MB/Sec. data stream of plaintexts for three years to get the data. Less efficient than brute force in DES(2 55 v/s )

Conclusions According to sci.crypt FAQ strong encryption should have following characterstics: Large keyspace. Reasonably Large unicity distance. Randomness in cipher text. Resistant to all known attacks. Dr. Wang’s Algorithm is very strong and resistant to above defined attacks.

References Wang, Chung-E Research paper { Arithmetic Coding Source Code { accessed } Dr. Dobb’s Journal { accessed } Handbook of Applied Cryptography { RSA Laboratories { accessed } Sci.Crypt FAQ { accessed }

ANY QUESTIONS???