![Page 1: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/1.jpg)
CNS2010 lecture 5 :: attacks on DES 1
ELEC5616computer and network
securitymatt barrie
![Page 2: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/2.jpg)
CNS2010 lecture 5 :: attacks on DES 2
DES keys
• Given one plaintext/cyphertext (m,c) pair, there is a very high probability that only one key will satisfy
c = DES(m,k)
• Consider DES as a collection of permutations π(1) … π(256).
• If πi are independent permutations then (m, k) :
Pr [ k1 ≠ k : DES(m, k1) = DES(m, k) ]
= 256 . 2-64
= 2-8 = 0.39%
• Thus given one (m, c) pair the key is uniquely determined. The problem is to find k.
![Page 3: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/3.jpg)
CNS2010 lecture 5 :: attacks on DES 3
attacks on DES
• Exhaustive key search– For a strong n-bit block cypher with a j-bit key, the key can be
recovered on average in 2j-1 operations given a small number (< (j+4)/n) of plaintext-cyphertext pairs
– For DES, j = 56 bits, n = 64 bits so exhaustive search is expected to yield the key in 255 operations
• Cyphertext-only DES key search– Suppose DES is used to encrypt 8 x 8 ASCII characters (=64 bits)
per block, with one bit being a parity bit.– Trial decryption yields all 8 parity bits valid with probability 2-8
• and thus for t blocks 2-8t
– Over 256 keys, this leads to probability of correct key being 2-56 / 2-
8t
• thus only t ~ 10 blocks are enough
![Page 4: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/4.jpg)
CNS2010 lecture 5 :: attacks on DES 4
reducing effort in attacks on DES
• DES is a Feistel network, thus:
DES(m, k) = DES(m, k)
• This is called the “Complementation Property”• So for a CPA:
if c1 = DES(m, k) and c2 = DES(m, k) then if
DES(m, k1) ≠ c1 nor c2 then k ≠ k1 nor k1
• Search space is reduced by half
![Page 5: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/5.jpg)
CNS2010 lecture 5 :: attacks on DES 5
2DES
• Double encryption with DES (2DES) is bad
2DESk1k2(m) = Ek1(Ek2(m))
• 2DES is vulnerable to “meet in the middle” attack– i.e. for a fixed message, m, create a table:
Ek(m) for all k є {0,1}56
• Then for c = Ek1k2(m) try all k until Dk1(c) is in the table
• Thus 2DES can be broken on average in 256 operations using 256 memory slots (a time-space tradeoff)- not good for 112 bits of key (56 + 56)
![Page 6: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/6.jpg)
CNS2010 lecture 5 :: attacks on DES 6
3DES
• Two-key Triple DES (3DES): DES three times, two keys (112 bits)
3DESk1k2(m) = Ek1(Dk2(Ek1(m)))
• The strength of DES (& 3DES) is that it does not form a group
DESk1(DESk2(m)) ≠ DESk3(m)
• Consider the time-space tradeoff on 2TDES: – for time 2(56+64)/s and space s, we can recover k1 and k2 in 2TDES
• If s > 28 then we can do better than exhaustive search.
![Page 7: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/7.jpg)
CNS2010 lecture 5 :: attacks on DES 7
DESX
• A modification of DES to avoid exhaustive key search is DESX
k1 = 56 bits (DES key)k2 = 64 bits (whitening key)k3 = h(k2, k3) = 64 bits
DESXk1k2k3(m) = k3 Ek1 (m k2)
• Whitening key gives greater resilience to brute force attacks
• Given j plaintext / cyphertext pairs, the effective key size is greater than or equal to
|k| + n -1 - log j = 56 + 64 - 1 - log j = 119 - log j
≥ 100 bits
![Page 8: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/8.jpg)
CNS2010 lecture 5 :: attacks on DES 8
DES round functions
• The function F(x,ki): {0,1}32 x {0,1}48 → {0,1}32
x (32 bits) ki (48 bits)
48 bits
48 bits
32 bits
P
6 bits x 8
4 bits x 8
s1 s8
8 x S-boxes (4x16)(substitution)nonlinearconfuse
P-box(permutation)diffuse
expansion
b
![Page 9: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/9.jpg)
CNS2010 lecture 5 :: attacks on DES 9
differential cryptanalysis
• This method is a better-than-brute-force approach to attacking DES with (plaintext, cyphertext) pairs (CPA).
• Involves looking at the XOR of two texts.
• We consider any s-box function F(x, ki) :
• Define the difference measure (on input) as Δ = b1 b2
= (x1 ki) (x2 ki)
= x1 x2
• The input XOR (b1 b2) does not depend on the key but the output XOR (e1 e2) does.
S box
b1, b2 (2x6 bits)
e1, e2 (2x4 bits)
![Page 10: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/10.jpg)
CNS2010 lecture 5 :: attacks on DES 10
differential cryptanalysis
• Now define the set Δ(b) consisting of ordered pairs (b1 , b2) having input XOR b:
Δ(b) = {(b1, b2) є {0,1}6 | b1 b2 = b}
where
| Δ(b) | = 26 = 64
• Take the example where b = 110100, then if we consider the first S-box the pairs might be
Δ(b) = {(000000,110100), (000001,110101), … (111111,001011)}
110100 110100 110100
![Page 11: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/11.jpg)
CNS2010 lecture 5 :: attacks on DES 11
differential cryptanalysis
• If this is done for all 64 pairs in Δ(b) then the following distribution of output XORs (e1 e2) is obtained:
(e1 e2) 0000 0001 0010 0011 … 1111
0 8 16 6 6
• Now suppose that (b1 b2) = 110100 and (e1 e2) = 0001, then (b1 , b2) must be one of eight possible pairs, hence b1 is one of 16 possible values.
• Since x1 is known (this is a KPA), the 6 bits of the key XORed with x1 to give b1 are one of 16 possible values.
• This procedure is repeated for different Δs to make deductions about the key bits and eventually recover the key.
![Page 12: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/12.jpg)
CNS2010 lecture 5 :: attacks on DES 12
linear cryptanalysis
• Consider the cyphertext derived by combining certain bits from the plaintext and key:
• The cypher can easily be broken, for example, if
c[1] = p[4] p[17] k[5] k[3]i.e. k[3] k[5] = c[1] p[4] p[17]
• This is because the cypher is linear.
plaintext key
cyphertext
![Page 13: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/13.jpg)
CNS2010 lecture 5 :: attacks on DES 13
linear cryptanalysis
• If we use the following notation:
p[i1, …, iu] = p[i1] p[i2] … p[iu]
(the xor bits of the plaintext)
• Also define
ρ = Pr [ p[i1, …, iu] c[j1, …, jv] = k [s1, …, sw] ]
• Now if |ρ - 0.5| is large, then we can guess k [s1, … , sw]
• Optimally for a break|ρ - 0.5|= 0.5 (ρ = 0 or 1)(perfect cipher would have ρ = 0.5)
![Page 14: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/14.jpg)
CNS2010 lecture 5 :: attacks on DES 14
algorithm to recover key bits
• Given R plaintext, cyphertext pairs (R is large):
if ρ > 0.5 then
k[s1, …, sw] = majority{p[i1, …, iu]} c[j1, …, jv]}
over all plaintext cyphertext pairs
if ρ < 0.5 then
k[s1, …, sw] = minority = 1 majority
• (*) Fact: if given R ≥ (ρ - 0.5)-2 then the correct value of k[s1, … , sw] is obtained with probability > 97.7%
![Page 15: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/15.jpg)
CNS2010 lecture 5 :: attacks on DES 15
linear cryptanalysis of DES
• In 1993, Matsui made the following observation about DES which approximates the 5th S-box as a linear function:
ρ5 = Pr[ x[4] = S5(x)[0,1,2,3] ] = 12/64 = 0.19
(Note x є {0,1}6)
• For the ith DES round
Pri [ri[15] F(ri , ki)[7,18,24,29] = ki[22]] = ρ5 = 0.19
(ri is the ith round right hand part)
where the bits have been chosen to undo the permutation.
![Page 16: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/16.jpg)
CNS2010 lecture 5 :: attacks on DES 16
attack on 3 round DES
From the first round we can writePr[r1[7,18,24,29] xor l0[7,18,24,29] xor r0[15] = k0[22]] = ρ5
From the last round we can writePr[r1[7,18,24,29] xor cr[7,18,24,29] xor cl[15] = k2[22]] = ρ5
XORing together givesPr[l0[7,18,24,29] xor cr[7,18,24,29] xor cl[15] xor r0[15] = k0[22] xor k2[22]]
= ρ5 . ρ5 + (1- ρ5)2 = 0.7
Using the fact (*) we can find k0[22] xor k2[22] using R = (0.7 - 0.5)-2 = 25 plaintext/cyphertext pairs
l0 r0
r1
r2
r3
l1
l2
l3
left half of plaintext right half of plaintext
F(r0,k0)
F(r1,k1)
F(r2,k2)
left half of cyphertext right half of cyphertext
![Page 17: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/17.jpg)
CNS2010 lecture 5 :: attacks on DES 17
DES strengths against attacks
Attack Complexity # messages requirements
known chosen storage processing
exhaustive precomputation - 1 256 1 (lookup)
exhaustive search 1 - neg. 255
linear cryptanalysis 243 (85%) - for texts 243
238 (10%) - for texts 250
differential cryptanalysis - 247 for texts 247
255 - for texts 255
![Page 18: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/18.jpg)
CNS2010 lecture 5 :: attacks on DES 18
advanced encryption standard (AES)
• NIST Requirements:– Block cypher– 128 bit blocks– 128/192/256 bit keys– Strength equal to or better than 3DES at greatly improved
efficiency• smartcard, hardware, software• flexibility• simplicity and elegance
– Royalty-free worldwide– security for over 30 years– may protect sensitive data for over 100 years– public confidence in the cypher
![Page 19: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/19.jpg)
CNS2010 lecture 5 :: attacks on DES 19
AES candidates
• 15 submissions from international field• Some strong candidates:
Name Type Rounds Rel. Speed Gates(cycles)
Twofish Feistel 16 125423k
Serpent SP-network 32 1800 70kMars Ext. Feistel 32 1600 70k
cellsRijndael Square 10, 12, 14 1276
???RC6 Feistel 20 1436
???
![Page 20: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/20.jpg)
CNS2010 lecture 5 :: attacks on DES 20
AES
• Rijndael (pronounced “rain-dahl”) announced Oct 2000• Operates on 128 bit blocks• Key length is variable: 128, 192 or 256 bits• An SP-network
• Uses a single S-box which acts on a byte input to give a byte output (think of as a 256 byte lookup table):
S(x) = M(1/x) + b over the field GF(28)(M is a matrix, b is a constant)
• Construction gives tight differential and linear bounds.
![Page 21: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/21.jpg)
CNS2010 lecture 5 :: attacks on DES 21
AES overview
• Linear transformation arranging 16 bytes of the value being encoded in a square and doing bytewise shuffling and mixing.
• Step 1: Add Round Key– simply XORs in the subkey for the current round
• Step 2: Byte-sub– S-box substitution
• Step 3: Shuffle (ShiftRows)– top row of four bytes in unchanged– second row is shifted one place left– third row is shifted two places left– fourth row is shifted three places left
• Step 4: Mix Column– four bytes in a column are mixed using a matrix multiplication
• Result: Change in the input effects all of output in 2 rounds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
![Page 22: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/22.jpg)
CNS2010 lecture 5 :: attacks on DES 22
AES
![Page 23: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/23.jpg)
CNS2010 lecture 5 :: attacks on DES 23
AES overview
• Number of rounds variable:– 10 for 128-bit keys– 12 for 192-bit keys– 14 for 256-bit keys
• Gives 50% margin of safety based on current known attacks– attack for 6 round 128 bit keys– attack for 7 round 192 bit keys– attack for 9 round 256 bit keys– however require enormous amount of texts (certificational)
• Safety against feasible attacks believed to currently be ~100%
![Page 24: CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie mattb@ee.usyd.edu.au](https://reader036.vdocuments.mx/reader036/viewer/2022081501/56649d635503460f94a466a2/html5/thumbnails/24.jpg)
CNS2010 lecture 5 :: attacks on DES 24
references
• Towards the 128-bit Era: AES Candidates (interest only)http://home.ecn.ab.ca/~jsavard/crypto/co0408.htm
• Stallings (3rd Ed)– §4
• Handbook of Applied Cryptography– §7.1 - §7.4