Cryptography Team Presentation 2


1 Cryptography Team Presentation 2
“Implementation of a RC5 block cipher algorithm and implementing an attack on it” Agarwal, Kshitij Rao, Prashant Project Mentor – Prof. Alan Kaminsky

2 About RC5 Fast symmetric block cipher
Same key for encryption and decryption Plaintext and ciphertext are fixed-length bit sequences (blocks)

3 Parameters of RC5 RC5 – w/r/b E.g. RC5 – 32/16/10 w = 32 bits
r = 16 rounds b = 10-byte (80-bit) secret key variable t = 2 (r + 1) = 2 (16 + 1) = 34 rounds

4 Important parameters in details
“w”(bits) – variable word size Allowable choice for “w” in RC5– 16,32 and 64 Suggested 32 “Two” word input (plaintext) block size – 64-bit plaintext “Two” word output (ciphertext) block size – 64-bit ciphertext Design accepts all w > 0 Variable word size can exploit longer word length of processors like 64 – bit processors.

5 Important parameters in details
“r” – variable number of rounds Tradeoff between high speed and high security. Allowed values 0-255 Suggested – 12 A higher number of rounds provides an increased level of security. “S” – Expanded key table – derived from user’s secret key. “t” – The size of table “S” (depends on “r”) t = 2 ( r + 1 ) words.

6 Important parameters in details
“b” – variable length secret cryptographic key The number of bytes in the secret key K. 16 bytes suggested with allowed values from 0 – 255 “K” – The b-byte secret key : K[0], K[1], ..., K[b-1].

7 Notation and RC5 Primitive Ops
Three primitive operations (and their inverses): Two’s complement addition of words, modulo 2^w, denoted ‘+’; the inverse operation is subtraction, ‘-’. Bit-wise exclusive OR of words, denoted by ⊕. A left-rotation of words, x <<< y: cyclic rotation of word x left by y bits. One word of the intermediate results is cyclically rotated by an amount determined by bits of another intermediate result. The inverse operation is right-rotation, x >>> y.

8 RC5 Algorithm Three parts:- Key Expansion Encryption Algorithm
Decryption Algorithm

9 RC5 Algorithm – Key Expansion
Requirements of key expansion Filling the expanded key table array S[0…t – 1] with random binary words “t” – Size of table “S” => 2 ( r+1 ) S table is not an “S-box” like DES. Entries in S sequentially, one at a time. Random binary words are derived from the K.

10 RC5 Algorithm – Key Expansion
Starting with two magic constants
Two word-sized binary constants
Pw = Odd((e - 2) 2^w)
Qw = Odd((φ – 1) 2^w)
e = … (base of natural logarithms)
φ = … (golden ratio)
where Odd(x) is the odd integer nearest to x
For w = 16 and 32, in hexadecimal form:
P16 = b7e1, Q16 = 9e37
P32 = b7e15163, Q32 = 9e3779b9

11 RC5 Algorithm – Key Expansion
Converting the Secret Key from Bytes to Words c = ceiling(b/u) words Pseudo code for conversion:-

12 RC5 Algorithm – Key Expansion
Initializing the S Array Initialization to a particular fixed (key-independent)

13 RC5 Algorithm – Key Expansion
Mixing in the Secret Key Pseudo code:-

14 RC5 Algorithm Encryption Algorithm
Two w-bit words are denoted as A and B
A = A + S[0];
B = B + S[1];
for i = 1 to r do
    A = (( A ⊕ B ) <<< B ) + S[ 2 * i ];
    B = (( B ⊕ A ) <<< A ) + S[ 2 * i + 1 ];
The output is in the registers A and B. Work is done on both A and B, unlike DES where only half of the input is updated.

15 RC5 Algorithm Decryption Algorithm (easily derived from encryption)
Two w-bit words are denoted as A and B
for i = r downto 1 do
    B = (( B – S[ 2 * i + 1 ]) >>> A) ⊕ A;
    A = (( A – S[ 2 * i ]) >>> B) ⊕ B;
B = B - S[1];
A = A - S[0];
The output is in the registers A and B.

16 Description of the attack
The initially proposed attack was a differential attack.
Why switch to a Meet-in-the-Middle Attack?!
Why attack only RC5 reduced to one round?
For one round, we need to brute force S[3] and S[2]
S[1] will be calculated on the basis of S[3]
S[0] will be calculated on the basis of S[2]

17 Description of the attack(contd.)
For brute forcing S[2], we need to have the value of the register B. The value of register B is generated with the help of S[3], so S[3] has to be computed before starting the computation of S[2].
Decryption algorithm recap:
for i = r downto 1 do
    B = (( B – S[ 2 * i + 1 ]) >>> A) ⊕ A;
    A = (( A – S[ 2 * i ]) >>> B) ⊕ B;
B = B - S[1];
A = A - S[0];

18 Description of the attack(contd.)
Operations required for brute forcing S[2] and S[3] = 2 × 2^32 = 2^33

19 Description of the attack program
Usage of the attack program
java Attack <seed>
<seed> = the pseudo random number generator (PRNG) seed
The input to the attack program is the PRNG seed. Utilized for generating a random key of 16 bytes. Multiple plaintexts of (32+32) bits for 2w word input. Utilizing the two above, corresponding ciphertexts are also generated. Why we are generating these will come in a minute.

20 Description of the attack program
Working of the Attack Program The attack program is developed in Java. The 2^32 operations mentioned earlier for brute forcing the value of S[3] are independent of each other. The program exploits this by splitting the computations over all available processors. Similarly, the 2^32 operations for brute forcing the value of S[2], after correctly guessing the value for S[3], are split over the available processors. This is achieved by the use of RIT’s Parallel Java Library, developed by Prof. Alan Kaminsky.

21 Description of the attack program
Output of the Attack Program Printout of the randomly generated plaintexts and ciphertexts along with the key After this printout the four found subkey values are printed. The values are printed in the base 10 decimal format.

22 Results of the attack program
Input 1: java Attack 1234
Output 1:
Plaintext : 3eac66b63480cbdf
Key : 540d288d630efa40935e68393c24d53c
ciphertext : f40399a37aea39b4
Plaintext : cb22c3f8
ciphertext : 7edbef1c9bbf72e3
Plaintext : 622a3a0609d7cd42
ciphertext : a477bf7d18ee8f36
Plaintext : 476e1cd8d76a0bad
ciphertext : f2bbce3b49c55317
Plaintext : c c4c5bb2
ciphertext : 1968d2c31e601e58
Plaintext : 73bee f
Key : 540d288d630efa40935e68393c24d53c
ciphertext : cc03279bb26ff46e
Plaintext : fb69aebc0324d257
ciphertext : 8acecb7240f37473
Plaintext : 27dfe2cb4183de82
ciphertext : 58cc58cb90bc94b4
Plaintext : f5553a b4
ciphertext : e66d108254dc88bf
Plaintext : 8d05c8c5988d2017
ciphertext : e4228fbbff2e780e
s0 : s1 : s2 : s3 :

23 How many encryptions and how many known plaintexts and ciphertexts are required for the attack to succeed(contd.)
As we know, the subkey array is generated from the key. This array is dependent on the key provided. If the key is unique, then the generated subkey array should also be unique. Two plaintexts and ciphertexts are required for the attack to succeed. One plaintext and ciphertext are required for brute forcing the subkeys. Another one is required to make sure which brute forced values of subkeys are correct.

24 How many encryptions and how many known plaintexts and ciphertexts are required for the attack to succeed(contd.)
For RC5-32/1/16 – that is, 128 bits of key. The number of rounds being 1, t = 2( r + 1) = 4. Size of S array in bits: 4 x 32 = 128 bits. For a 128-bit input key, we generate 128 bits of subkey array. Just in case, we actually generated one key and 10 randomly generated plaintexts and their corresponding ciphertexts in order to attack the cipher.

25 Analysis of each item found in the literature search
The literature that we studied was focused upon differential attacks. The differential attacks in the examples are based on substitution boxes, and the S-boxes are available with the specification of the block cipher. The problem is that there is no concept of substitution boxes in the RC5 block cipher, so we found it difficult to translate the examples onto the RC5 algorithm to carry out the differential attack.

26 Analysis of each item found in the literature search
No literature was available for a successful meet-in-the-middle attack. Possible reasons:- One round of encryption is not used in practice. As explained earlier, going above one round is not a good idea. Instead the key can be brute forced.

27 Lessons Learned Implementation of RC5 block cipher
Usage of the bit shifting operators in Java Importance of Parallel Programming

28 Future Work Differential attack against the cipher was not performed due to the use of substitution boxes in all the examples and tutorials we read. Study of the differential attacks that can be performed on the RC5 block cipher.

29 References
1.) Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (pdf). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e. pp. 86–96.
2.) H. Heyes. A tutorial on linear and differential cryptanalysis.
3.)
4.)
5.) Alan Kaminsky. Building Parallel Programs: SMPs, Clusters, and Java. Cengage Course Technology, ISBN
6.) Parallel Java Library developed by Prof. Alan Kaminsky

30 THANK YOU Questions, if any.

