Exhaustive Key Search for DES:
Updates and refinements
Jean-Jacques Quisquater, UCL Crypto Group, Louvain-la-Neuve, Belgium
François-Xavier Standaert (UCL, Columbia, MIT)
[email protected]
http://uclcrypto.org
keylength.com announcement
• cryptosavvy.com is down
• A new active web site run by UCL Crypto Group
• Gives length of keys for the future (till 2050) based on (adjustable by you) criteria
• Secret key, public key (RSA, ECC), hash functions
• Based on papers by Lenstra and Verheul
• Approved and reviewed by Arjen Lenstra
• Your comments?
The beginning of the story
• Brute force attack: try all keys (possibilities)
• Brute force people: Yahoo (see Jonathan Swift)
• What is possible today?
Introduction
- Brute-force attacks : often the most realistic
- Basic scenarios : exhaustive search or precomputation tables
- Hellman (1980) : trade time for memory
  (time $O(N^{2/3})$, memory $O(N^{2/3})$, precomputation $O(N)$)
- Rivest (1982) : use of distinguished points (Denning’s book)
More realistic attacks
Exhaustive search: Basic algorithm
• Given m and c, try all keys k in K
  – Test if E(m, k) = c
• If yes, output k
• k is the key with high probability
Basic algorithm (in //)
• Split K in K1, K2, K3, …
• Distribute m, c and Ki to node i
• Each node i does:
  – Given m and c, try all keys k in Ki
  – Test if E(m, k) = c
  – If yes, output k
• k is the key with high probability
RFC 3607 (Network Working Group, M. Leech, Nortel Networks, Category: Informational, September 2003)
Chinese Lottery Cryptanalysis Revisited: The Internet as a Codebreaking Tool
Status of this Memo: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice: Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract: This document revisits the so-called Chinese Lottery massively-parallel cryptanalytic attack. It explores Internet-based analogues to the Chinese Lottery, and their potentially-serious consequences.
1. Introduction: In 1991, Quisquater and Desmedt proposed an esoteric, but technically sound, attack against DES or similar ciphers. They termed this attack the Chinese Lottery. It was based on a …
Other paradigm (Chinese Lotto)
• Broadcast (download) m and c
• Each computing node does, whenever it can:
  – Choose a random key r in K
  – Given m and c, test if E(m, r) = c
  – If yes, output r (low communication)
• r is the key with high probability
Other Paradigm(the Chinese Lotto)
• Advantages (Daniel Bernstein :-):
  – Low cost
  – No control
  – No communication
  – No wire
  – Efficient (the price of anarchy – see Papadimitriou – is only 2)
  – Automatic redundancy at low cost
  – Trade-offs are possible
  – Not used?
  – See also book by Tanenbaum
DES and exhaustive key search machines
- 1977 : Diffie & Hellman, US$ 20M, (predicted DES totally
insecure by the 1990s)
- 1987 : 512 000 DES / second in one chip
- 1993 : Wiener, US$ 1M, success in 3.5 hours (prediction)
- 1997, 1998, RSA : DES cryptograms broken by computer
consortiums in resp. 5 months and 39 days
- 1998 : EFF DES cracker hardware, US$ 200 000, 3 days
- Recent FPGAs ???
- Spartan 3S1000 : US$ 12
- Optimized FPGA implementations of the DES :
  XC2V8000 : 93184 LUT (22 DES in //) : $2^{33}$ DES/sec/chip
  3S1000 : 15360 LUT (4 DES in //) : $2^{29}$ DES/sec/chip
- US$ 12 000 to crack a DES key in about 3 days
First conclusions
• Pure exhaustive search: $2^{55}$ keys
• Using existing implementations (UCL) with today's technology (Xilinx):
  – Simplest attack: one chip in $2^{22}$ sec (2 months)
Long keys today?
• One year ($2^{25}$ seconds)
• One million Xilinx 8000 chips (better?)
• That is: $2^{25}$ sec x $2^{20}$ chips x $2^{33}$ DES/sec = $2^{78}$ keys
• Conclusion: 80 bits is NOT enough at all for long term security (112-128-256 bits?).
Hellman’s time-memory tradeoff
- Let P be a fixed chosen plaintext
- Let g be a function that maps ciphertexts to keys
- We define $f(K) = g(E_K(P))$
  (=> ~ encryption, <= cryptanalysis)
a) Precomputation :
- r tables of chains, each chain obtained by iterating f from a start point
- store extreme points (the start point and the end point of every chain)
b) Online attack :
- Let C be the intercepted ciphertext, $C = E_K(P)$ : compute $Y = g(C) = f(K)$
- Start chaining ($Y \leftarrow f(Y)$) and check for every point if it is in the table; when Y hits the end point of chain i, recompute that chain from its start point: the key is the point just before the match (in the figure, $K = X_{i,t-1}$ for a hit at the last step)
Time-memory tradeoffs using distinguished points
- Variable chain length but detectable extreme points
- Distinguished points have d bits fixed to zero
a) Precomputation :
[figure: SP → DES → DES → ... → DES → EP; each DES box encrypts the chosen plaintext under the current point as key, and the chain stops at the first distinguished point, which becomes EP]
b) Online attack :
=> Table lookups reduced from t to 1
[figure: intercepted ciphertext → DES → DES → ... until a distinguished point; one lookup in the precomputation table; then re-walk SP → DES → DES → ... on the chosen plaintext: "here is the secret key"]
Problems:
- Chains can merge (=> use different g functions)
- Chains can collide
The probability of success depends on how well the computed chains cover the key space
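As an added example (not the authors' or the paper's code), both phases of the distinguished-point tradeoff described above: chains that stop at a DP, merged chains detected by their common end point, and an online phase that chains to the next DP and does a single lookup per mask function. It assumes a constructed 18-bit toy cipher (truncated SHA-256) in place of DES, a per-table XOR mask as the g function, and DPs with the d low bits zero.

```python
"""Toy distinguished-point (DP) time-memory tradeoff: an added, constructed example, not the authors' code."""
import hashlib, random
K_BITS = 18                                   # 2^k keys; an 18-bit toy stands in for DES (k = 56)
KEY_MASK = (1 << K_BITS) - 1
P = b"chosen-plaintext"                       # the fixed chosen plaintext
def encrypt(key):                             # stand-in for E_K(P): SHA-256(key || P) cut to k bits
    return int.from_bytes(hashlib.sha256(key.to_bytes(4, "big") + P).digest()[:4], "big") & KEY_MASK
def g(c, tid):                                # reduction g_i: ciphertext -> key, one XOR mask per table
    return c ^ ((tid * 0x9E3779B1) & KEY_MASK)
def f(key, tid):                              # f_i(K) = g_i(E_K(P))
    return g(encrypt(key), tid)
def is_dp(x, d):                              # DP of order d: the d low bits are zero
    return x & ((1 << d) - 1) == 0

def precompute(m, r, d, t_min, t_max, seed=1):
    """r tables of m chains, stored as EP -> (SP, length); chains with the same EP have merged."""
    rng, tables = random.Random(seed), []
    for tid in range(r):
        table = {}
        for _ in range(m):
            sp = x = rng.getrandbits(K_BITS)
            for length in range(1, t_max + 1):
                x = f(x, tid)
                if is_dp(x, d):
                    break
            else:
                continue                      # no DP within t_max: chain discarded
            if length >= t_min and (x not in table or table[x][1] < length):
                table[x] = (sp, length)       # keep the longer merged chain: s(m) = len(table) <= m
        tables.append(table)
    return tables

def attack(c, tables, d, t_max):              # online phase: one table lookup per mask, then re-walk
    for tid, table in enumerate(tables):
        y, steps = g(c, tid), 0               # y = f_i(K) for the unknown key K
        while not is_dp(y, d) and steps < t_max:
            y, steps = f(y, tid), steps + 1   # chain forward to the next DP
        if y not in table:
            continue
        x, length = table[y]
        for _ in range(length):               # re-walk the stored chain from its start point
            if encrypt(x) == c:               # verification rejects false alarms
                return x                      # K is the point just before g_i(C) in its chain
            x = f(x, tid)
    return None

def success_rate(tables, d, t_max, trials=200, seed=7):   # empirical PS over random keys
    rng = random.Random(seed)
    return sum(attack(encrypt(rng.getrandbits(K_BITS)), tables, d, t_max) is not None
               for _ in range(trials)) / trials
```

With precompute(2048, 8, 4, 2, 128), len(table) plays the role of s(m) in the slides' tables and success_rate() of the measured PS; choosing m so that mt² exceeds 2^k shows how mergers cap s(m) well below m.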
FPGA Designs
- Nearly as simple as exhaustive key search
- If n pipeline stages, deal with n start points in parallel
[figure: a DES pipeline fed with the chosen plaintext, its p stages holding the keys $K_p, K_{p-1}, \dots, K_1$ of p chains; each output goes through the MASK function and a "test DP?" check that either emits an EP or feeds the point back as the next key, and a new SP is loaded when a chain ends]
Theoretical analysis
• $2^k$ keys
• DP condition of order d
• m start points
• r mask functions
• $t_{min}$ : the minimum chain length
• $t_{max}$ : the maximum chain length

a) Average chain length : $\bar t = \sum_{l=t_{min}}^{t_{max}} l \cdot \big(P(l) - P(l-1)\big)$
b) Cover g : percentage of chains included in the region $[t_{min}; t_{max}]$ $= P(t_{max}) - P(t_{min}-1)$.

1. Probability to reach a DP in less than l iterations:
$P(l) = \sum_{i=0}^{l-1} \frac{2^{k-d}}{2^{k}} \left(1 - \frac{2^{k-d}}{2^{k}}\right)^{i} = 1 - \left(1 - \frac{2^{k-d}}{2^{k}}\right)^{l}$

2. Previous proposals for the success rate SR:
$P(K_{i,j} \text{ is new}) = \left(1 - \frac{i\,t}{2^k}\right)^{j+1}$, $\qquad SR \geq \frac{1}{2^k} \sum_{i=1}^{m} \sum_{j=0}^{t-1} \left(1 - \frac{i\,t}{2^k}\right)^{j+1}$
• OK for Hellman’s tradeoff
• Suggest to stop precomputations at $mt^2 = 2^k$ (m : number of chains, t : mean length of a chain)
• Not for the DP variant: we store chains, not keys.

3. A prediction of the mergers using a storage function s(j) and the probability to find a new chain after storage s(j): p(j).
• $j = g\,m$ = number of chains in region $[t_{min}; t_{max}]$
• $s(j) = s(j-1) + p(j-1)$
• p(j) : probability that the next chain (of length l, weighted by $P(l) - P(l-1)$) does not merge with the $s(j)\,\bar t$ keys already covered: $p(j) \approx \sum_{l=t_{min}}^{t_{max}} \frac{P(l) - P(l-1)}{g} \left(1 - \frac{s(j)\,\bar t}{2^k}\right)^{l}$
• Linear approximation (Euler method) : $s(j+1) = s(j) + s'(j)$ with $s'(j) = 1 - \frac{s(j)\,\bar t^{\,2}}{2^k}$

Conclusions:
• Previous evaluations of the success rate are not directly applicable to the DP variant. We propose: $SR = \frac{s(m) \cdot \bar t}{2^k}$ (keys covered by the stored chains, per mask function)
• Linear approximation: too conservative ($s(m) \to 2^k / \bar t^{\,2}$, i.e. similar to $mt^2 = 2^k$).
• The condition $mt^2 = 2^k$ is not always optimal.

4. Average chain length after sort :
Let $n_l$ be the number of chains of length l, evaluated using the storage function with non-zero initial conditions:
$\bar t_{mod} = \frac{\sum_{l=t_{min}}^{t_{max}} l \cdot n_l}{\sum_{l=t_{min}}^{t_{max}} n_l}$
Practically evaluated with length intervals.
Practical experiments
• Against DES-40: $mt^2 = 2^k$ is not optimal and we optimize the online attack.
• Against DES-56: critical precomputation.
Both confirmed our theoretical predictions.
DES-40 : precomputation task (all values are log2)

          m      s(m)   s(m)·t_mod   t_mod     t
EXP     23.42   19.44     30.41      10.97   11.21
THEORY  24      19.64     30.44      10.80   11.21
        23      19.38     30.27      10.88   11.21
        22      19.08     30.05      10.97   11.21
        21      18.72     29.76      11.04   11.21

Note that $mt^2 = 2^k$ would mean to stop precomputations at $m = 2^{17.57}$.
DES-40 : online attack
- Presented at the rump session of CRYPTO 2001
- Performed on a single PC (256 MB RAM, 350 MHz)
- Breaks a 40-bit key in ~10 sec
- An exhaustive key search on the same PC would have
taken ~50 days.
- PS = 72% (theory predicted 73.7%).
- HW useful for larger keys.
DES-56 : precomputation task (all values are log2)

          m     s(m)   s(m)·t_mod   t_mod    t
EXP      23    21.64     38.94      17.30    18
         22    20.99     38.61      17.62    18
         21    20.30     38.13      17.82    18
         20    19.55     37.38      17.83    18
THEORY   23    21.14     38.55      17.41    18
         22    20.69     38.27      17.58    18
         21    20.14     37.86      17.72    18
         20    19.47     37.30      17.83    18
DES-56 : online attack predictions

   r     C_mem (CDROMs)   Nbr chains/mask   56 − log2(r · chains/mask)
  2^24         64              2^8                    24
  2^22        256              2^12                   22
  2^20       1024              2^16                   20
  2^18       4096              2^20                   18

=> With a reasonable encryption rate ($2^{28}$ enc/sec) and 4096 CDROM’s, we could break DES-56 in about $2^{8}$ seconds = 4.2 min with PS = 75%.
A lot of other parameters are possible…
Other example (in the paper):
Hellman’s parameters: $r = 2^{19}$, $t = 2^{19}$
~ 2048 CDROMS of memory
Attack in ~ 20 minutes (< half an hour)
Prospects
- Practical attacks against « real » systems:
- Bond 2002, attack against IBM 4758 CCA (used in retail
banking to protect the ATM infrastructure)
- Oechslin 2003, MS-Windows instant crack
- KULeuven paper of this morning
Both based on time-memory tradeoff techniques
- Rainbow tables (better for the precomputations), see Philippe Oechslin
Conclusions
- Time-memory tradeoff using distinguished points revisited
- Practical consequences (by far) more dramatic than
exhaustive key search
- Practical implementations are possible up to 56 bits
- Rainbow tables are simpler to build and analyze
- Distinguished points have a more theoretical interest
and can be used to detect collisions (e.g. hash functions)
(see Q. and Delescaille, at Eurocrypt and Crypto).