
Lee Jae-song

How to cryptanalyze DES?
- $C = E_K(P)$
- $E$ is the DES encryption function
- $K$ is a key, 56-bit.
- $P$ is a plaintext, $C$ is a ciphertext, both 64-bit
Chosen-plaintext attack:
- For a chosen plaintext $P$ and the corresponding ciphertext $C$, find the value of $K$ among $N = 2^{56}$ possible values.

Method 1. Exhaustive search
- Calculates $C$ for all possible keys
- Requires $2^{56}$ time, small memory
Method 2. Table lookup
- Find $C$ in a prepared table
- Requires $2^{56}$ memory, small time
Both require huge cost
- How to use reasonable time and memory?
- For example, $N^{2/3}$ time and $N^{2/3}$ space?

Idea: make “chains” of key $K$ and ciphertext $C$.
  $K_0 \to K_1 \to K_2 \to \dots \to K_t$
  $C_0 \to C_1 \to C_2 \to \dots \to C_t$
  where $C_i = E_{K_i}(P)$ and $K_{i+1} = f(K_i)$.
- Save only both ends of the chain, $(K_0, K_t)$
- We can “recover” keys and ciphertexts again, if $f$ is well-designed.
- Actually, what is $f$?
  - Hash function related to the encryption function

- $P$ is 64-bit, so $E_K(P)$ is also 64-bit
- $K$ is 56-bit
- Some reduction function $R$: 64-bit to 56-bit
  - Ex) drop lower 8 bits of input, or higher 8 bits, ...
- $f(K) = R(E_K(P))$
- $K_1 = R(E_{K_0}(P))$, $K_2 = R(E_{K_1}(P))$, ...

- Once we get some ciphertext $C = E_K(P)$
- We remember $K_0$, $K_t$
- $Y_1 = R(C) = R(E_K(P)) = f(K)$ ∴ $K \to Y_1$
- Check: $Y_1 = K_t$?
  - If true, $f(K) = f(K_{t-1})$ so maybe $K = K_{t-1}$, or just a false alarm.
    ▪ Compute $K_{t-1}$ from $K_0$, and check if $E_{K_{t-1}}(P) = C$.
  - If false, always $K \ne K_{t-1}$.

  $K \to Y_1$
  $K_0 \to \dots \to K_{t-1} \to K_t$

- If failed, compute $Y_2 = f(Y_1) = f(f(K))$,
- Check: $Y_2 = K_t$?
  - If true, $f(f(K)) = f(f(K_{t-2}))$ so maybe $K = K_{t-2}$.
- Compute $Y_1, Y_2, Y_3, \dots, Y_t$ until we find the key.
- $O(t)$ time, with 2 memory space.

  $K \to Y_1 \to Y_2$
  $K_{t-2} \to K_{t-1} \to K_t$

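Extend: make $m$ chains!
- Choose some initial values randomly ($SP_i$) ($1 \le i \le m$)
- $X_{i0} = SP_i$, $X_{ij} = f(X_{i,j-1}) = f^j(SP_i)$, $EP_i = X_{it}$
- Save $(SP_i, EP_i)$ only

  $X_{10} = SP_1 \quad X_{11} \quad X_{12} \quad X_{13} \quad X_{14} \quad \dots \quad X_{1t} = EP_1$
  $X_{20} = SP_2 \quad X_{21} \quad X_{22} \quad X_{23} \quad X_{24} \quad \dots \quad X_{2t} = EP_2$
  ...
  $X_{m0} = SP_m \quad X_{m1} \quad X_{m2} \quad X_{m3} \quad X_{m4} \quad \dots \quad X_{mt} = EP_m$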

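- But, what if $X_{ij} = X_{i'j'}$ for some values?
  - $X_{11} = X_{23}$, $f(X_{11}) = f(X_{23})$, $X_{12} = X_{24}$, $X_{13} = X_{25}$, ...
  - “collide and merge”
- We may ignore the defect for small overlaps

  $X_{10} = SP_1 \quad X_{11} \quad X_{12} \quad X_{13} \quad X_{14} \quad \dots \quad X_{1t} = EP_1$
  $X_{20} = SP_2 \quad X_{21} \quad X_{22} \quad X_{23} \quad X_{24} \quad \dots \quad X_{2t} = EP_2$
  ...
  $X_{m0} = SP_m \quad X_{m1} \quad X_{m2} \quad X_{m3} \quad X_{m4} \quad \dots \quad X_{mt} = EP_m$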

Extend more! Generate many tables, with different hashes

(Figure: several tables, each of the following form)
  $SP_1 \quad X_{11} \quad X_{12} \quad X_{13} \quad X_{14} \quad \dots \quad EP_1$
  $SP_2 \quad X_{21} \quad X_{22} \quad X_{23} \quad X_{24} \quad \dots \quad EP_2$
  ...
  $SP_m \quad X_{m1} \quad X_{m2} \quad X_{m3} \quad X_{m4} \quad \dots \quad EP_m$

- It is a probabilistic method!
- Probability of success for each table is
- If $mt^2 \ll N$, it is approximated to
  - $P(S) \ge mt/N$
- $P \ge 1 - (1 - mt/N)^l$, where $l$ is the number of tables
- So we need to generate $l = N/(mt)$ tables to achieve $P \approx 1$.

Pf) Since $P(S) = E(\text{\# of keys})/N$,
- $P(S) = \sum P(X_{ij} \text{ is newly appeared})$
  ▪ “new”: not appeared in previous rows or in this row yet
- $P(X_{ij} \text{ is new}) \ge P(X_{i0}, X_{i1}, \dots, X_{ij} \text{ are new})$
- $= P(X_{i0} \text{ is new}) \cdot P(X_{i1} \text{ is new} \mid X_{i0} \text{ is new}) \cdots P(X_{ij} \text{ is new} \mid X_{i0}, X_{i1}, \dots, X_{i,j-1} \text{ are new})$
- $P(X_{ik} \text{ is new} \mid \dots) = (N - \text{\# of keys until now})/N \ge (N - it)/N$
- ∴ $P(X_{ij} \text{ is new}) \ge$

- The expected number of false alarms per table is not so high:
- If $mt^2 = N$, $E(F) \le 1/2$
- One false alarm: at most $t$ operations required
  - the computation is increased by at most 50%

- DES: $2^{56}$ ($\approx 7 \times 10^{16}$) keys
- Let $N = 10^{17}$, ignoring overlap
- What values for $m$, $t$ and $l$?
  - [1] chooses $m = 10^5$, $t = 10^6$ after some trial and error
  - $P(S) = 10^{-6}$, so $l = 10^6$ tables are needed
- $ml$ = memory required
  - Compared to table lookup: $7 \times 10^{16}$ memory
- $tl$ = computation required
  - Compared to exhaustive search: $7 \times 10^{16}$ time
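The chain construction and lookup from the preceding slides, as an added Python example that is not part of the original presentation. The 16-bit toy key space, the SHA-256 based stand-in for $E_K(P)$, the XOR-by-table-index reduction and the choice m = t = l = 40 (about $N^{1/3}$) are assumptions made for the example.

```python
import hashlib
import random

N = 1 << 16                  # toy key space; DES has N = 2**56
P = b"chosen-P"              # constructed fixed plaintext

def E(k):                    # stand-in for E_K(P): 24-bit output, not DES
    d = hashlib.sha256(k.to_bytes(2, "big") + P).digest()
    return int.from_bytes(d[:3], "big")

def R(c, tb):                # reduction: drop low 8 bits; XOR with table index
    return ((c >> 8) ^ tb) & (N - 1)   # (assumed) makes f differ per table

def f(k, tb):                # f(K) = R(E_K(P))
    return R(E(k), tb)

def build_tables(m, t, l, seed=1):
    rng, tables = random.Random(seed), []
    for tb in range(l):
        ends = {}            # EP -> [SP, ...]; merged chains share an EP
        for _ in range(m):
            sp = x = rng.randrange(N)
            for _ in range(t):
                x = f(x, tb)
            ends.setdefault(x, []).append(sp)
        tables.append(ends)
    return tables

def recover(c, tables, t):
    """Return (key or None, false alarms) for ciphertext c = E_K(P)."""
    alarms = 0
    for tb, ends in enumerate(tables):
        y = R(c, tb)                     # Y_1 = R(C) = f(K)
        for s in range(1, t + 1):        # Y_s == EP: K may be X_{t-s}
            for sp in ends.get(y, ()):
                x = sp
                for _ in range(t - s):   # rebuild the chain from SP
                    x = f(x, tb)
                if E(x) == c:            # verify, otherwise a false alarm
                    return x, alarms
                alarms += 1
            y = f(y, tb)                 # Y_{s+1} = f(Y_s)
    return None, alarms

def demo(m=40, t=40, l=40, trials=200):
    tables, rng, hits, alarms = build_tables(m, t, l), random.Random(2), 0, 0
    for _ in range(trials):
        found, a = recover(E(rng.randrange(N)), tables, t)
        hits, alarms = hits + (found is not None), alarms + a
    return hits / trials, alarms / trials
```

Calling `demo()` returns the measured success rate and the average number of false alarms per lookup; storage is m·l start/end pairs instead of one entry per key.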

Performance graph of RainbowCrack [4]

- It is basically for chosen-plaintext attack, but also applicable to:
  - Synchronous stream cipher (known-plaintext)
    ▪ $C[t] = P[t] \oplus E_K[t]$, no need to choose plaintext
  - Partially known-plaintext attack
    ▪ Generate each table for possible plaintext  hash functions
- Further improvements?

Rainbow Table: P. Oechslin. [2]
- Avoids collide-merge problems
- Different hash function per each iteration, not per each table.
- May collide with same probability, but not merge
  ▪ $X_{11} = X_{23}$, $f_2(X_{11}) \ne f_3(X_{23})$

  $X_{10} = SP_1 \quad X_{11} \quad X_{12} \quad X_{13} \quad X_{14} \quad \dots \quad X_{1t} = EP_1$
  $X_{20} = SP_2 \quad X_{21} \quad X_{22} \quad X_{23} \quad X_{24} \quad \dots \quad X_{2t} = EP_2$
  (columns are linked by $f_1$, $f_2$, $f_3$, $f_4$, ...)

[1] M. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, vol. 26, no. 4,
[2] P. Oechslin. Making a faster cryptanalytic time-memory trade-off. CRYPTO 03.
[3] Rainbow table, Wikipedia. (last visited Feb. 21, 2010)
[4] Project RainbowCrack. (last visited Feb. 21, 2010)

Q?