Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.

Published byIsaiah Reaney Modified over 9 years ago

Similar presentations

Presentation on theme: "Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both."— Presentation transcript:

1 Lee Jae-song 1

2  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both 64-bit  Chosen-plaintext attack:  For a chosen plaintext P and a related ciphertext C, find the value of K among N=2 56 possible values. 2

3  Method 1. Exhaustive search  Calculates C for all possible keys  Requires 2 56 time, small memory  Method 2. Table lookup  Find C from prepared table  Requires 2 56 memory, small time  Both requires huge cost  How to use reasonable time and memory?  For example, N 2/3 time and N 2/3 space? 3

4  Idea: make “chains” of key K and ciphertext C.  K 0 → K 1 → K 2 → … → K t C 0 → C 1 → C 2 → … → C t where C i = E Ki (P) and K i+1 = f(K i ).  Save only both ends of chain (K 0, K t )  We can “recover” keys and ciphertexts again, if f is well-designed.  Actually what is f?  Hash function related to encryption function 4

5  P is 64-bit, so E K (P) is also 64-bit  K is 56-bit  Some reduction function R: 64-bit to 56-bit  Ex) drop lower 8 bits of input, or higher 8 bits,...  f(K) = R(E K (P))  K 1 = R(E K0 (P)), K 2 = R(E K1 (P)),... 5

6  Once we get some ciphertext C = E K (P)  We remember K 0, K t  Y 1 = R(C) = R(E K (P)) = f(K) ∴ K → Y 1  Check: Y 1 = K t ?  If true, f(K) = f(K t-1 ) so maybe K = K t-1, or just a false alarm. ▪ Compute K t-1 from K 0, and check if E Kt-1 (P) = C.  If false, always K ≠ K t-1. 6 K →K → Y1Y1 K 0 → … → K t-1 → KtKt

7  If failed, compute Y 2 = f(Y 1 ) = f(f(K)),  Check: Y 2 = K t ?  If true, f(f(K)) = f(f(K t-2 )) so maybe K = K t-2.  Compute Y 1, Y 2, Y 3,..., Y t until we find the key.  O(t) time, with 2 memory space. 7 K →K → Y1 →Y1 → Y2Y2 K t-2 → K t-1 → KtKt

8  Extend: make m chains!  Choose some initial values randomly (SP i ) (1<=i<=m)  X i0 = SP i, X ij = f(X i,j-1 ) = f j (SP i ), EP i = X it  Save (SP i, EP i ) only X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2... X m0 = SP m X m1 X m2 X m3 X m4...X mt = EP m 8

9  But, what if X ij = X i’j’ for some values?  X 11 = X 23, f(X 11 ) = f(X 23 ), X 12 = X 24, X 13 = X 25,...  “collide and merge”  We may ignore the defect for small overlaps 9 X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2... X m0 = SP m X m1 X m2 X m3 X m4...X mt = EP m

10  Extend more! Generate many tables, with different hashes 10 SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m SP 1 X 11 X 12 X 13 X 14...EP 1 SP 2 X 21 X 22 X 23 X 24...EP 2... SP m X m1 X m2 X m3 X m4...EP m

11  It is a probabilistic method!  Probability of success for each table is  If mt 2 << N, it is approximized to  P(S) >= mt/N  P >= 1 – (1 – mt/N) l, l is the number of tables  So we need to generate l = (N/mt) tables to achieve P ≒ 1. 11

12  Pf) Since P(S) = E(# of keys)/N,  P(S) = sum P( X ij is newly appeared ) ▪ “new”: not appeared in previous rows or in this row yet  P(X ij is new) >= P(X i0, X i1,..., X ij are new)  = P(X i0 is new) * P(X i1 is new | X i0 is new) *... * P(X ij is new | X i0, X i1,..., X i,j-1 are new)  P(X ik is new|...) = (N - # of keys until now )/N >= (N-it)/N  ∴ P(Xij is new) >= 12

13  The expected value of false alarm per table is not so high:  If mt 2 = N, E(F) <= ½  One false alarm: at most t operations required the computation is increased at most 50% 13

14  DES: 2 56 ( ≒ 7*10 16 ) keys  Let N = 10 17, ignoring overlap  What values for m, t and l?  [1] chooses m = 10 5, t = 10 6 after some trial&error  P(S) = 10 -6, so l=10 6 tables are needed  ml = 10 13 memory required  Compared to table lookup: 7*10 16 memory  tl = 10 12 computation required  Compared to exhaustive search: 7*10 16 time 14

15  Performance graph of RainbowCrack [4] 15

16  It is basically for chosen-plaintext attack, but also applicable to:  Synchronous stream cipher (known-plaintext) ▪ C[t] = P[t] ⊕ E K [t], no need to choose plaintext  Partially known-plaintext attack ▪ Generate each table for possible plaintext  hash functions  Further improvements? 16

17  Rainbow Table: P. Oechslin. [2]  Avoids collide-merge problems  Different hash function per each iteration, not per each table.  May collide with same probability, but not merge ▪ X 11 = X 23, f 2 (X 11 ) ≠ f 3 (X 23 ) 17 X 10 = SP 1 X 11 X 12 X 13 X 14...X 1t = EP 1 X 20 = SP 2 X 21 X 22 X 23 X 24...X 2t = EP 2 f1f2f3f4

18  [1] M. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, vol. 26, no. 4, 1980.  [2] P. Oechslin. Making a faster cryptanalytic time-memory trade-off. CRYPTO 03.Making a faster cryptanalytic time-memory trade-off  [3] Rainbow table, Wikipedia. (last visited Feb. 21, 2010)Rainbow table  [4] Project RainbowCrack. (last visited Feb. 21, 2010)Project RainbowCrack 18

19  Q? 19

Download ppt "Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both."

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Password Cracking With Rainbow Tables

Password Cracking With Rainbow Tables
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Stream Ciphers.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
FEAL FEAL 1.

FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption.

Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption.
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Similar presentations

Ads by Google