Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption.

Presentation on theme: "Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption."— Presentation transcript:

Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption Standard (DES) Today: Differential Cryptanalysis on EDEN HW 4 (assigned Thurs) is to implement DES HW 4 (assigned Thurs) is to implement DES Friday: Computer quiz on breaking ciphers in ch 2 Friday: Computer quiz on breaking ciphers in ch 2 Next week: Rijndael, start RSA Rijndael, start RSAQuestions? DTTF/NB479: DszquphsbqizDay 14

Recall EDEN Input (12 bits) L 0 (6)R 0 (6) f L 1 (6)R 1 (6) K 1 (8) f L 2 (6)R 2 (6) K 2 (8) Round 1 Round 2 Repeat for 8 rounds … The key, K i for round i is derived from a 9-bit key K.

Differential Cryptanalysis A chosen plaintext attack to find the key We’ll work the process together for 3 rounds. Assume we can input L 1 R 1 and view output L 4 R 4. This can be extended to 4 rounds

Lots of calculations done on whiteboard…

Extension to 4 Rounds Exploits weaknesses in S-boxes. S 1 : 12/16 of input pairs with XOR = 0011 have output XOR 011 S 2 : 8/16 of input pairs with XOR = 1100 have output XOR 010 But we expect only 2/16 pairs in each case We choose R 0, R 0 * such that R 0 ’ = 001100 P(XOR of outputs = 011010) ~ 3/8. P(XOR of outputs = 011010) ~ 3/8. If we also choose L 0, L 0 * such that L 0 ’ = 011010, then 3/8 of time, L 1 ’R 1 ’ = 001100 000000. So we choose lots of pairs like this, and do the 3-round method with L 1 ’ = 001100 and the known outputs. We’ll get lots of garbage (random keys), since we aren’t sure that L 1 ’ = 001100, but since it shows up so often, K 4 will show up much more frequently than other keys! Example on p. 122 gives key frequencies using an attack with 100 such inputs. K 4 shows up ~50% more than others.

Extensions What about more than 4 rounds? What about stronger S-boxes? Can do both, just require more inputs to gather statistics to find key. Is this more efficient than brute forcing?

Summary Number of rounds # inputs needed for diffy crypt. # inputs required for brute force EDEN 3~2*(2-3) 29292929 4~2*100 29292929 DES <=15 < 2 56 2 56 16 > 2 56 (no longer efficient to use) 2 56 Could the DES designers have anticipated diffy crypt attacks?

HW4: DES Implementation I implemented EDEN in Java fairly quickly DES is obviously more complicated You’ll implement encryption and decryption. Correctness: Can use one to test the other. Can use one to test the other.Efficiency: In addition, it’d be nice to use a language that closer to the hardware for efficiency, like C. In addition, it’d be nice to use a language that closer to the hardware for efficiency, like C. I’m planning a competition to see whose implementation is quickest! I’m planning a competition to see whose implementation is quickest!

Download ppt "Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption."

Similar presentations