Published by Mohammed Waugh. Modified over 10 years ago.
LOKI
LOKI block cipher family (LOKI89, LOKI91)
Similar to DES (except: F function, initial and final permutation, key scheduling algorithm)
$K_1 = K_L$, $K_2 = K_R$
$K_3 \sim K_{16}$: $K_i = \mathrm{ROL12}(K_J)$, where $J = i-2$
$K_3 = \mathrm{ROL}(K_1)$
ROL12 denotes rotate left by 12 bits
Chosen key attack
Chosen key chosen plaintext
Knows only the relationship between the two keys, not the keys themselves
Independent of the number of rounds
LOKI89, LOKI91
LOKI89
Original 64-bit key $K = (K_L, K_R)$
$K_1 = K_L$, $K_2 = K_R$
$K_3 \sim K_{16}$: $K_i = \mathrm{ROL12}(K_J)$, where $J = i-2$
ex: $K_3 = \mathrm{ROL12}(K_1)$, $K_4 = \mathrm{ROL12}(K_2)$, ...
New key $K^* = (K_2, K_3) = (K_R, \mathrm{ROL12}(K_L))$
$K_1^* = K_L^* = K_2$, $K_2^* = K_R^* = K_3$
$K_3^* \sim K_{16}^*$: $K_i^*$ of $K^*$ = $K_{i+1}$ of $K$
ex: $K_3^* = \mathrm{ROL12}(K_1^*) = \mathrm{ROL12}(K_2) = K_4$, $K_4^* = K_5$
[Figure labels: $K_R$, $K_L$, $K_R$, $\mathrm{ROL12}(K_L)$]
Using related keys $K$ and $K^*$
If the data are the same in both executions, shifted by one round
EX: data before 2nd round (under key $K$) = data before 1st round (under key $K^*$):
Plaintext $P$ encrypted under key $K$
Data before 2nd round (under key $K$):
$(P_R \oplus K_R,\ P_L \oplus K_L \oplus F(P_R \oplus K_R, K_L))$ ---(1)
Data before 1st round (under key $K^*$):
$P^* \oplus K^* = (P_L^* \oplus K_L^*,\ P_R^* \oplus K_R^*) = (P_L^* \oplus K_R,\ P_R^* \oplus \mathrm{ROL12}(K_L))$ ---(2)
[Figure labels: $P_L \oplus K_L$, $P_R \oplus K_R$, $F(P_R \oplus K_R, K_L)$]
From (1) = (2):
$P_R \oplus K_R = P_L^* \oplus K_R \ \therefore\ P_R = P_L^*$ ---(3)
$P_L \oplus K_L \oplus F(P_R \oplus K_R, K_L) = P_R^* \oplus \mathrm{ROL12}(K_L)$
$\therefore\ P_L \oplus K_L \oplus F(P_R \oplus K_R, K_L) \oplus \mathrm{ROL12}(K_L) = P_R^*$ ---(4)
$P^* = (P_R,\ P_L \oplus K_L \oplus \mathrm{ROL12}(K_L) \oplus F(P_R \oplus K_R, K_L))$ ---(a)
$C^* = (C_R \oplus K_L \oplus \mathrm{ROL12}(K_L) \oplus F(P_R \oplus K_R, K_L),\ C_L)$ ---(b)
Chosen key chosen plaintext
$P^* = (P_R,\ P_L \oplus K_L \oplus \mathrm{ROL12}(K_L) \oplus F(P_R \oplus K_R, K_L))$ ---(a)
$C^* = (C_R \oplus K_L \oplus \mathrm{ROL12}(K_L) \oplus F(P_R \oplus K_R, K_L),\ C_L)$ ---(b)
Given: $2^{16}$ chosen key $P$, $2^{16}$ $P^*$, with $P_R = P_L^*$
2 unknown related keys $K$, $K^*$, with $K^* = (K_2, K_3)$
There exist two plaintexts $P_i$, $P_j^*$ such that $P_R^* = P_L \oplus K_L \oplus \mathrm{ROL12}(K_L) \oplus F(P_R \oplus K_R, K_L)$
By checking $C_R^* = C_L$
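The one-round shift and the $C_R^* = C_L$ check above, as an added example that is not part of the original slides. It uses the key schedule and equation (a) exactly as stated; the round function `f` is a stand-in (not LOKI's S-boxes), the final swap and key XOR layout in `encrypt` is an assumed toy model, and the key and plaintext values are constructed samples.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def rol12(x):
    """ROL12 from the slides: rotate a 32-bit word left by 12 bits."""
    return ((x << 12) | (x >> 20)) & MASK32

def subkeys(key, n=16):
    """K_1 = K_L, K_2 = K_R, K_i = ROL12(K_{i-2}) for i >= 3."""
    ks = list(key)
    while len(ks) < n:
        ks.append(rol12(ks[-2]))
    return ks

def related_key(key):
    """K* = (K_R, ROL12(K_L)), which makes K*_i = K_{i+1}."""
    kl, kr = key
    return kr, rol12(kl)

def f(x, k):
    """Stand-in round function (assumption, not LOKI's S-boxes)."""
    digest = hashlib.sha256((x ^ k).to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def encrypt(p, key):
    """Toy model: key XOR, 16 Feistel rounds, swap, key XOR (assumed layout)."""
    (pl, pr), (kl, kr) = p, key
    l, r = pl ^ kl, pr ^ kr
    for k in subkeys(key):
        l, r = r, l ^ f(r, k)
    return r ^ kr, l ^ kl

def slid_plaintext(p, key):
    """Equation (a): P* whose round-1 input under K* is P's round-2 input under K."""
    (pl, pr), (kl, kr) = p, key
    return pr, pl ^ kl ^ rol12(kl) ^ f(pr ^ kr, kl)

def is_slid_pair(c, c_star):
    """The slides' filter: a matching pair satisfies C*_R = C_L."""
    return c_star[1] == c[0]

def demo():
    key = (0x01234567, 0x89ABCDEF)   # constructed sample key (K_L, K_R)
    p = (0xDEADBEEF, 0x0BADF00D)     # constructed sample plaintext (P_L, P_R)
    c = encrypt(p, key)
    c_star = encrypt(slid_plaintext(p, key), related_key(key))
    return is_slid_pair(c, c_star)

if __name__ == "__main__":
    print("C*_R == C_L:", demo())
```

The check holds for any `f`, which is why the slides call the attack independent of the number of rounds: the weakness is in the key schedule, where every subkey is a fixed rotation of one of the two key halves.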
Chosen key chosen plaintext
[Figure labels: $P_R$; "Randomly chosen 32 bits"; $2^{16}$ plaintexts $P_0 \sim P_{65535}$ and $P^*_0 \sim P^*_{65535}$; "Chosen 32 bits value"]
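XOR equations (a) and (b), then rearrange:
$F(P_R \oplus K_R, K_L) \oplus F(C_L \oplus K_R \oplus K_L) = P_R^* \oplus P_L \oplus C_L^* \oplus C_R$
Only unknown part: $K_R \oplus K_L$
Substituting back into (a), (b) gives $K_L \oplus \mathrm{ROL12}(K_L)$, from which $K$ and $K^*$ can be derived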
LOKI91
A random plaintext $P$
$C = \mathrm{LOKI91}(P, K)$ and $C^* = \mathrm{LOKI91}(P^*, K^*)$
$K^* = (K_R, \mathrm{ROL25}(K_L))$
$K_1$, $K_2$ share the same 32 bits
$2^{32}$ possible values of $K_1$, $K_2$
Calculate $2^{32}$ data before 3rd round, $P^*$
Find the real $K_1$, $K_2$ by verifying the relationship between ciphertexts
[Figure labels: 32-bit $K_R$, 32-bit $K_L$]