Presentation is loading. Please wait.

Presentation is loading. Please wait.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations."— Presentation transcript:

1

2 Akelarre 1 Akelarre

3 Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations  Goal is a more efficient strong cipher  Proposed in 1996, broken within a year o “Two rights sometimes make a wrong”

4 Akelarre 3 Akelarre Cipher  Variable number of rounds o Authors conjecture 4 rounds is secure o Actually, insecure for any number of rounds!  Block length is 128 bits  Key length can be any multiple of 64 bits o We assume 128-bit key o No more secure for larger key  Algorithm based on 32-bit words

5 Akelarre 4 Akelarre Cipher  To encrypt o Input transformation o Round 0,1,2,…,R  1 o Output transformation  Lots of subkey blocks: 13R + 8 o Each is a 32-bit word  Employs addition mod 2 32 and XOR  Addition-rotation (AR) structure

6 Akelarre 5 Akelarre A0A0 A1A1 A2A2 A3A3 B0B0 B1B1 B2B2 B3B3 T0T0 T1T1 D0D0 D1D1 D2D2 D3D3

7 Akelarre 6 Akelarre Round  Let (A 0,A 1,A 2,A 3 ) be input to round r  And (B 0,B 1,B 2,B 3 ) is the output  Then (B 0,B 1,B 2,B 3 ) = (A 0,A 1,A 2,A 3 ) <<<  K 13r+4  25…31  Where “ <<< ” is left rotation and  X  i…j means bits i thru j (inclusive) of X o Recall, bits numbered left-to-right, from 0

8 Akelarre 7 Akelarre Round  Let (T 0,T 1 ) be output of AR structure  Then (T 0,T 1 ) = AR(B 0  B 2, B 1  B 3 ) o We ignore dependence of AR on subkey  Let (D 0,D 1,D 2,D 3 ) be output of round r  Then (D 0,D 1,D 2,D 3 ) = (B 0  T 1,B 1  T 0,B 2  T 1,B 3  T 0 )  Block (D 0,D 1,D 2,D 3 ) is input to next round o Except for final round

9 Akelarre 8 AR Structure  Note: W 1 processed first  Rotate 31 bits, with 1 bit fixed

10 Akelarre 9 AR Structure  For example, first step is ((  W 1  0…30 <<<  W 0  27…31 ),  W 1  31…31 )  One pass thru AR is 14 half-rounds o Like 7 rounds of typical block cipher o But each Akalarre “round” is very simple  AR structure is heart of Akelarre  How to attack AR structure?

11 Akelarre 10 Key Schedule  Assuming 128-bit key  See textbook for details

12 Akelarre 11 Subkeys  Encryption and decryption subkeys

13 Akelarre 12 Akelarre Attack  AR structure is heart of Akelarre  Incredibly, can “bypass” AR structure  Idea of attack is simple  Details not quite so simple  Recovering plaintext is not easy o But it can be done

14 Akelarre 13 Akelarre  Consider round r of Akelarre

15 Akelarre 14 Akelarre Attack  Let A = (A 0,A 1,A 2,A 3 ) be input to round r U = (U 0,U 1,U 2,U 3 ) be result of rotation T = (T 0,T 1 ) be output of AR structure B = (B 0,B 1,B 2,B 3 ) be output of round r  Denote A = (a 0,a 1,…,a 127 ) o And similarly for U,T,B

16 Akelarre 15 Akelarre Attack  Let l be size of keyed rotation  Then U = (A <<< l ) and (B 0,B 1,B 2,B 3 ) = (U 0  T 1,U 1  T 0,U 2  T 1,U 3  T 0 )  It follows that B 0  B 2 = U 0  U 2 and B 1  B 3 = U 1  U 3  AR structure has vanished! o The crucial observation for attack

17 Akelarre 16 Akalarre Attack  We have (U 0  U 2,U 1  U 3 ) = (A 0  A 2,A 1  A 3 ) <<< l (mod 64) where subscripts are taken mod 128  Then input to round related to output: (B 0  B 2,B 1  B 3 ) = (A 0  A 2,A 1  A 3 ) <<< l (mod 64)  Neither key nor AR structure appears!

18 Akelarre 17 Akalarre Attack  But this is only one round  Must extend thru multiple rounds o Only changes the rotation amount  And input/output transformations o Rotation and addition/XOR of subkey  Let (X 0,X 1,X 2,X 3 ) be plaintext and (Y 0,Y 1,Y 2,Y 3 ) corresponding ciphertext

19 Akelarre 18 Akelarre Attack  Not difficult to show that ((Y 0  K 13R+5 )  Y 2  K 13R+7, Y 1 + K 13R+6  (Y 2  K 13R+8 )) = ((X 0 + K 0 )  X 2  K 2, X 1  K 1  (X 3 + K 3 )) <<< L (mod 64) where L is sum of all rotations  See textbook for details…

20 Akelarre 19 Akelarre Attack  Assuming known plaintext, we have ((Y 0  K 13R+5 )  Y 2  K 13R+7, Y 1 + K 13R+6  (Y 2  K 13R+8 )) = ((X 0 + K 0 )  X 2  K 2, X 1  K 1  (X 3 + K 3 )) <<< L (mod 64) with unknown L and 8 unknown subkeys  Provided sufficient known plaintext o We can then solve for all of the unknowns o Just 5 known plaintext blocks is enough

21 Akelarre 20 Akelarre Attack  After solving, we obtain equations ((Y 0  K 13R+5 )  Y 2  K 13R+7, Y 1 + K 13R+6  (Y 2  K 13R+8 )) = ((X 0 + K 0 )  X 2  K 2, X 1  K 1  (X 3 + K 3 )) <<< L (mod 64) where plaintext X is the only unknown  Reduces number of possible plaintexts  Can then solve for plaintext X in many cases o For example, if X is known to be English o Or if X is known to be (random) ASCII

22 Akelarre 21 Akelarre Attack  Only a small part of key is recovered  But we can recover plaintext directly from ciphertext  Recovering plaintext in this way is not trivial o Homework problems give simplified examples  But, much better than exhaustive key search  Attack is practical in many cases!

23 Akelarre 22 Improved Akelarre  Attack bypasses virtually all of the complexity of the algorithm o That is, the AR structure  Must force attacker to deal with the AR structure  There is an “improved” Akelarre o Ake98 — also weak

24 Akelarre 23 Akelarre Conclusions  A seriously bad cipher!  Conceptually easy attack o Details not quite so straightforward  Akelarre shows cipher design is tricky  Aside: Knuth analyzed a “super-random” number generator and found it was bad o Concluded that “random number should not be generated with a method chosen at random” o Similar rule applies to ciphers!

Download ppt "Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations."

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
FEAL FEAL 1.

FEAL FEAL 1.
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.

Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.

Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google