Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For."— Presentation transcript:

1 CMEA 1 CMEA

2 CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For “control channel”, not the “data channel” o Data channel encrypted with ORYX  Part of a standard developed by TIA o Flaw in cipher discovered in 1997  Cipher design process not open o In violation of Kerckoffs Principle

3 CMEA 3 CMEA  Block cipher o 64 bit key o Variable block size, typically 2 to 6 bytes  CMEA is its own inverse o Recall that Enigma is its own inverse o Not clear that this is useful for CMEA  CMEA uses “Cave Table” o A fixed 256-byte lookup table o Not a permutation

4 CMEA 4 Cave Table  Table has 256 bytes: o 164 distinct values o 97 appear just once o 44 occur twice o 21 occur three times o 2 occur four times o Highly non-uniform!  For example C[0x6a] = 0xf3

5 CMEA 5 CMEA  Let K 0,K 1,…,K 7 be bytes of 64-bit key  Let C be Cave Table  For byte x, define (all “ + ” are mod 256) Q(x) = C[(x  K 0 ) + K 1 ] + x R(x) = C[(Q(x)  K 2 ) + K 3 ] + x S(x) = C[(R(x)  K 4 ) + K 5 ] + x T(x) = C[(S(x)  K 6 ) + K 7 ] + x  Table defined by T(x) used in CMEA

6 CMEA 6 CMEA  We have Q(x) = C[(x  K 0 ) + K 1 ] + x R(x) = C[(Q(x)  K 2 ) + K 3 ] + x S(x) = C[(R(x)  K 4 ) + K 5 ] + x T(x) = C[(S(x)  K 6 ) + K 7 ] + x  Note that T(x)  x is in C o Same is true of S(x)  x, R(x)  x, and Q(x)  x  Implies these values are biased o These facts used heavily in attacks

7 CMEA 7 CMEA Algorithm  Encrypt block of n bytes  Uses T table o Which uses Cave Table  Cipher is its own inverse o Same algorithm used for decryption

8 CMEA 8 SCMEA  The “  1 ” in line 10 of CMEA complicates attack  We define Simplified CMEA (SCMEA) to be same as CMEA, without “  1 ”  That is, replace line 10 of CMEA with:

9 CMEA 9 SCMEA Chosen Plaintext Attack  Consider plaintext block of the form  Corresponding 1st ciphertext byte is  The plan of attack o Use chosen plaintext to find putative T(0) o With more chosen plaintext, can then find putative T(j) for j=1,2,…,255  Note: Recover T table, and key is “broken” ()()

10 CMEA 10 SCMEA Chosen Plaintext  Choose plaintext blocks of the form (p 0,p 1,p 2 ) = (1  x 0, 1  x 0, 0) where x 0 is in the Cave Table  Suppose we obtain  Setting l = j = 0 in (  ) and we see that such an x 0 is consistent with T(0) = x 0  Then we have found a candidate for T(0)

11 CMEA 11 SCMEA Chosen Plaintext  Given candidate x 0 = T(0), choose plaintext (p 0,p 1,p 2 ) = (1  x 0, (j  2)  x 0, 0) for each j = 1,2,…,255  Then from (  ) with l = 0, we have c 0 = (1  x j )  x 0 and we can solve for x j  If it is true that x 0 = T(0) then x j = T(j)

12 CMEA 12 SCMEA Chosen Plaintext  We can obtain putative T(0) and putative T(j), for j=0,1,…,255  How can we know whether this is correct T table?  Recall, T(j)  j is in Cave Table for all j  Check whether x j  j is in Cave Table o If it fails for any j, then T(0) incorrect

13 CMEA 13 SCMEA Chosen Plaintext Attack Algorithm  Use l = j = 0 in (  ) to find putative T(0)  Set l = 0 in (  ) and j = 1,2,…,255 to find putative T(j)  For each putative T(j), check if T(j)  j is in the Cave Table o If this fails for any j, then start over o If holds for all j, then have found T table

14 CMEA 14 SCMEA Chosen Plaintext  How much chosen plaintext needed?  Recall: 164 distinct elements in Cave Table  Ignoring false alarms… o Since T(0) is in Cave Table, need 82 chosen plaintext blocks to find T(0) o Then 255 more blocks to find T table o Total of 337 chosen plaintext blocks  Consider false alarms for CMEA attack…

15 CMEA 15 CMEA Chosen Plaintext Attack  Similar to SCMEA, if then and  A more complex expression for c 2 o Homework problem  As in SCMEA attack, let l = j = 0 (  )

16 CMEA 16 CMEA Chosen Plaintext  Letting l = j = 0, we have that plaintext (p 0,p 1,p 2 ) = (1  T(0), 1  T(0), 0) yields ciphertext  Again, choose plaintext of the form (p 0,p 1,p 2 ) = (1  x 0, 1  x 0, 0)

17 CMEA 17 CMEA Chosen Plaintext  Choose plaintext of the form (p 0,p 1,p 2 ) = (1  x 0, 1  x 0, 0)  Any of these that satisfy are consistent with x 0 = T(0)  Can reduce false alarms by using Cave Table conditions on both c 1 and c 2

18 CMEA 18 CMEA Chosen Plaintext  Given candidate x 0 = T(0), choose (p 0,p 1,p 2 ) = (1  x 0, (j  2)  x 0, 0) for each j = 1,2,…,255  Then from (  ), with l = 0, we have c 0 = (1  (T(j)  1))  T(0) and we can solve for T(j)  1  Note: low-order bit of T(j) is unknown

19 CMEA 19 CMEA Chosen Plaintext  Attack algorithm  Use l = j = 0 in (  ) to find x 0, putative T(0)  Set l = 0 in (  ) and j = 1,2,…,255 to find x j which is putative T(j)  1  For each x j, check if x j  j is in the Cave Table and/or ( x j  1)  j is in the Cave Table o If both fail for any j, then x 0 incorrect o If one fails,, then have unique putative T(j) o If neither fails, then 2 choices for T(j)

20 CMEA 20 CMEA Chosen Plaintext  How to resolve ambiguous x j = T(j) ? o Both x j  j and (x j  1)  j in Cave Table  Create array A of size 256  Set A i = 0 if low-order bit of x i is known o And A i = 1 if low-order bit of x i is ambiguous  We can use this array to resolve ambiguous low-order bits

21 CMEA 21 CMEA Chosen Plaintext  Suppose putative T(k) is ambiguous  Find t and j with k = t  (T(j)  1) where A t = 0  Let (p 0,p 1,p 2 ) = ((t  1)  T(0), (j  2)  (t  1)  T(t), 0)  Encrypting this chosen plaintext yields T(t  (T(j)  1)) = (j  2)  (t  1)  c 1  Which implies T(k) = (j  2)  (t  1)  c 1  We have resolved ambiguity in T(k)

22 CMEA 22 CMEA Chosen Plaintext  How much chosen plaintext is required?  82 blocks to find T(0), on average  255 more to recover T table  0.6  255 = 153 to resolve ambiguous o 0.6 probability that both are in Cave Table  0.258  9 = 2.3 for incorrect T(0) s o 0.258 prob, each takes 9 blocks to resolve  Total chosen plaintext blocks: 492.3

23 CMEA 23 CMEA Chosen Plaintext  Analytically, have shown that 492.3 chosen plaintexts required  Empirical results from 10 6 trials very close to predicted results:

24 CMEA 24 CMEA Chosen Plaintext Attack: Bottom Line  Recover T table, not the actual key  Relies on relationship between plaintext and ciphertext o And the special role of T(0)  Generally not practical o Since requires chosen plaintext  Attack clearly shows CMEA is weak  Next, known plaintext attack

25 CMEA 25 SCMEA Known Plaintext Attack  Similar to chosen plaintext attack  Relatively complex attack, 2 phases  Primary phase o Find T(0) or small number of candidates  Secondary phase o Determine key o Backtracking and meet-in-the-middle

26 CMEA 26 SCMEA Known Plaintext Attack: Primary Phase  Since T(0) in Cave Table, 164 choices o Let v 0,v 1,…,v 163 be Cave Table elements  For each vi, make 256 x 256 table A o Initialize A i,j = 1 for all i and j  Assuming T(0) = v i, set A i,j = 0 if T(i) = j is “impossible”  Since T(j)  j is in Cave Table, T(j)  {v 0 + j, v 1 + j, …, v 163 + j}  This gives 92 zeros in each row of A i,j

27 CMEA 27 SCMEA Known Plaintext Attack: Primary Phase  Each each putative T(0) has A table with 92 zeros and 164 ones per row  Use known plaintext to insert more 0s  If T(0) is incorrect, given enough known plaintext, get a contradiction o For example, a row of A is all 0  Ideally, one T(0) survives

28 CMEA 28 SCMEA Known Plaintext Attack: Primary Phase  How to use known plaintext to insert more 0s into A tables?  Consider plaintext P = (p 0,p 1,p 2 )  SCMEA, ciphertext yields equation ((c 0 + T(0))  (p 0 + T(0)))  p 2 = T((p 0 + p 1 + T(0) + T((p 0 + T(0))  1))  2)  Given P, c 0, and putative T(0), we can add 0s to corresponding A table as follows…

29 CMEA 29 SCMEA Known Plaintext Attack: Primary Phase  We have ((c 0 + T(0))  (p 0 + T(0)))  p 2 = T((p 0 + p 1 + T(0) + T((p 0 + T(0))  1))  2)  Suppose P = (a1,95,71) and c 0 = 04, in hex  Consider A table for T(0) = 34  Equation becomes 7c = T((6a + T(d4))  2) o Guess x = T(d4) and let y = (6a + x)  2 o If A y,7c = 0, then x impossible, set A d4,x = 0 o Repeat for all choices of T(d4)  Repeat for all known plaintext and iterate

30 CMEA 30 SCMEA Known Plaintext Attack: Primary Phase  Known plaintext requirement is large o About 300 blocks  But we are not using all available info  Possible to also use c 1 and c 2 o See homework problems!

31 CMEA 31 SCMEA Known Plaintext Attack: Primary Phase  With enough known plaintext, primary phase yields one (correct) T(0) o Also uniquely determine some T(j) o Can use this in secondary phase  Secondary phase recovers the key o Use backtracking or meet-in-the-middle

32 CMEA 32 SCMEA Known Plaintext Attack: Secondary Phase  Assume we have correct T(0)  Want to determine the key o Recall, 64-bits key K 0,K 1,…,K 7 where Q(x) = C[(x  K 0 ) + K 1 ] + x R(x) = C[(Q(x)  K 2 ) + K 3 ] + x S(x) = C[(R(x)  K 4 ) + K 5 ] + x T(x) = C[(S(x)  K 6 ) + K 7 ] + x o Here, C is the Cave Table

33 CMEA 33 SCMEA Secondary Phase: Backtracking  Have T(x) = C[(S(x)  K 6 ) + K 7 ] + x  Since S(x)  x is in Cave Table, T(x) = C[((v + x)  K 6 ) + K 7 ] + x for some v in Cave Table  Guess (K 6,K 7 ) and choose some x  For each v  C, compute y = C[((v + x)  K 6 ) + K 7 ] + x

34 CMEA 34 SCMEA Secondary Phase: Backtracking  Guess (K 6,K 7 ) and choose x  For each v  C, compute y = C[((v + x)  K 6 ) + K 7 ] + x  If every choice of v gives A x,y = 0, then putative key (K 6,K 7 ) is incorrect o Putative key is not consistent with T(0)  Repeat for each choice of x

35 CMEA 35 SCMEA Secondary Phase: Backtracking  Repeat for each choice of x  Reduces number of possible (K 6,K 7 ) o Number of survivors depends on A table o The A table depends on known plaintext  Empirical results:

36 CMEA 36 SCMEA Secondary Phase: Backtracking  For each putative (K 6,K 7 ) consider S(x) = C[(R(x)  K 4 ) + K 5 ] + x  For each candidate (K 4,K 5 ), compute z = C[((v + x)  K 4 ) + K 5 ] + x and y = C[(z  K 6 ) + K 7 ] + x  Then use A table as in (K 6,K 7 ) case  Same idea extends to K 3,K 2,K 1,K 0

37 CMEA 37 SCMEA Secondary Phase: Backtracking  Let n be number of (K 6,K 7 ) expected  Then expect about n 4 putative keys  From previous slide, about 150 known plaintexts yields 2 4 = 16 putative keys o However, with 75 known plaintexts, number of keys is about 2 44 o Exhaustive key search is 2 63 work

38 CMEA 38 SCMEA Secondary Phase: Meet-in-the-Middle  Can do much better than backtracking  Practical if 4 or more unique T(j) in A o At least 4 rows of A each with a single 1 o May be practical if at least 4 rows with small number of 1s  Meet-in-the-middle empirical results:

39 CMEA 39 SCMEA Secondary Phase: Meet-in-the-Middle  Spse T(a),T(b),T(c),T(d) known from A  For each (K 0,K 1,K 2,K 3 ) compute Q(a) = C[(a  K 0 ) + K 1 ] + a R(a) = C[(Q(a)  K 2 ) + K 3 ] + a  And similarly for b,c,d  Store (R(a),R(b),R(c),R(d)) and (K 0,K 1,K 2,K 3 ) in a row of matrix M  Then M has 2 32 rows—sort on R

40 CMEA 40 SCMEA Secondary Phase: Meet-in-the-Middle  Again, T(a),T(b),T(c),T(d) known from A  For each (K 4,K 5,K 6,K 7 ) work backwards from (known) T(a) to find S(a),R(a) satisfying S(a) = C[(R(a)  K 4 ) + K 5 ] + a T(a) = C[(S(a)  K 6 ) + K 7 ] + a  And similarly for b,c,d  Note that must “invert” Cave Table  Search for (R(a),R(b),R(c),R(d)) in M

41 CMEA 41 SCMEA Secondary Phase: Meet-in-the-Middle  If match, have met-in-the-middle  Then we have (K 0,K 1,K 2,K 3,K 4,K 5,K 6,K 7 ) for which T(a),T(b),T(c),T(d) all match their known values  With 4 known T s, expect few solutions o Work and storage on order of 2 32  It is possible to do better (again)!

42 CMEA 42 SCMEA Secondary Phase: Meet-in-the-Middle  Improved version o Work of 2 32 but storage of only 2 24  Somewhat tricky…  Again, T(a),T(b),T(c),T(d) known from A  For each (K 0,K 1,K 2 ) compute a = (C[(a  K 0 ) + K 1 ] + a)  K 2  And similarly for b,c,d

43 CMEA 43 SCMEA Secondary Phase: Meet-in-the-Middle  For each (K 0,K 1,K 2 ) compute a = Q(a)  K 2 = (C[(a  K 0 ) + K 1 ] + a)  K 2  And similarly for b,c,d  Create a table M with each row (a,b,c,d,K 0,K 1,K 2 )  Indexed by ( a  d,b  d,c  d)  Note that M has 2 24 rows

44 CMEA 44 SCMEA Secondary Phase: Meet-in-the-Middle  Given the table M  For each (K 4,K 5,K 6,K 7 ) find a  such that R(a) = C[a  ] + a S(a) = C[(R(a)  K 4 ) + K 5 ] + a T(a) = C[(S(a)  K 6 ) + K 7 ] + a  And similarly for b ,c ,d 

45 CMEA 45 SCMEA Secondary Phase: Meet-in-the-Middle  Recall R(a) = C[(Q(a)  K 2 ) + K 3 ] + a  Since a = Q(a)  K 2 and R(a) = C[a  ] + a  We have a  = a + K 3  Then a  d  = (a + K 3 )  (d + K 3 ) = a  d  And (a  d ,b  d ,c  d  ) = (a  d,b  d,c  d)

46 CMEA 46 SCMEA Secondary Phase: Meet-in-the-Middle  Bottom line: (a  d ,b  d ,c  d  ) forms index into table M  If such an entry exists, it matches some (a  d,b  d,c  d)  We have met-in-the-middle!  Know putative (K 0,K 1,K 2,K 4,K 5,K 6,K 7 )  Compute K 3 = a  a

47 CMEA 47 SCMEA Secondary Phase: Meet-in-the-Middle  Note: Some chance of false alarm o Must test each putative key by trial decryption  Note: backtracking and meet-in-the- middle can be combined o Use backtracking to find putative keys o Use meet-in-the-middle to on the resulting putative keys

48 CMEA 48 CMEA Known Plaintext Attack  Almost the same as SCMEA attack  More known plaintext required to mark impossible entries in A tables o Due to ambiguity on low-order bit  Once the A tables have been found, attack is exactly the same as SCMEA

49 CMEA 49 More Secure CMEA?  Skewed Cave Table is crucial for attack  What if we make Cave Table a perm? o Make Cave Table is a key-dependent permutation?  Eliminate attacks discussed here  But are there other attacks?

50 CMEA 50 CMEA Conclusions  Designed to be highly efficient o At the expense of some security  Cave Table is unusual  Attacks use combinatorial algorithms  CMEA is a weak block cipher o But interesting

Download ppt "CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For."

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.

Lee Jae-song 1.  How to cryptanalysis DES?  C = E K (P)  E is DES encryption funtion  K is a key, 56-bit.  P is a plaintext, C is a ciphertext, both.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
Algebra Problems… Solutions Algebra Problems… Solutions © 2007 Herbert I. Gross Set 22 By Herbert I. Gross and Richard A. Medeiros next.

Algebra Problems… Solutions Algebra Problems… Solutions © 2007 Herbert I. Gross Set 22 By Herbert I. Gross and Richard A. Medeiros next.
1.2 Row Reduction and Echelon Forms

1.2 Row Reduction and Echelon Forms
Linear Equations in Linear Algebra

Linear Equations in Linear Algebra
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
FEAL FEAL 1.

FEAL FEAL 1.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Similar presentations

Ads by Google