Generic Attacks on Symmetric Cipherspalash/talks/generic.pdf · Top 24 bits loaded by the computer....
Transcript of Generic Attacks on Symmetric Cipherspalash/talks/generic.pdf · Top 24 bits loaded by the computer....
Generic Attacks on SymmetricCiphers
Palash Sarkar
Indian Statistical Institute
email: [email protected]
IndocryptThe 7th International Conference on Cryptology in India
Kolkata, India10th December, 2006.
Indocrypt 2006 – p.1/73
Symmetric Key Encryption
message ciphertext ciphertext
secret key K secret key K
public channelEncrypt Decrypt
message
Adversary
Adversary’s goal: To obtain secret key .
Indocrypt 2006 – p.2/73
Generic Attacks
� Most basic of all attacks.
� Treats the algorithm as a black box.
� The same attack idea can be used for manyalgorithms.
� One can utilise a large amount of parallelism.
� Most feasible implementation in special purposehardware.
� There are some reported implementations.
Indocrypt 2006 – p.3/73
Non-Generic Attacks
� Exploits special properties of an algorithm or aclass of algorithms.
� Examples: Linear and differential cryptanalysis,correlation attacks, algebraic attacks, etcetra.
� The literature abounds in such attacks and ideas.
� Very little (or no) work on
� hardware implementation of non-genericattacks;
� exploiting parallelism.
Indocrypt 2006 – p.4/73
Presentation Outline
� Exhaustive search attacks.
� Exhaustive search on DES.
� DES Cracker by Electronics FrontierFoundation (EFF).
� Time/Memory trade-off (TMTO) attacks.
� Hellman’s algorithm.
� Rivest’s distinguished point method.
� Biryukov-Shamir multiple data method.
� Other variants.
Indocrypt 2006 – p.5/73
Presentation Outline (contd.)
� A Cost Analysis of TMTO Attack.
� Strength of different key sizes.
� Non-Conventional Techniques for ExhaustiveSearch.
� Based on DNA computing.
� Based on photographic techniques.
� Rejewski’s Attack on Enigma.
� Unearthing some modern ideas in the oldattack.
Indocrypt 2006 – p.6/73
Exhaustive SearchKnown Plaintext:
� A pair
�
�
�
is available.
� Attack: Decrypt by the possible keysone-by-one until is obtained.
Ciphertext Only:
� Only is available.
� Attack: Decrypt by the possible keysone-by-one until a “meaningful” message isobtained.
Parallelism:
� Decryptions by separate keys are unrelated.
� Efficiently parallelizable, subject to resourcerestrictions.
Indocrypt 2006 – p.7/73
Exhaustive Search on DESDiffie-Hellman (1977):
Special purpose hardware;Estimated time 12-hours at a cost of USD
� �
M.
Wiener (1993):Special purpose hardware;Estimated time 3.5 hours at a cost of USD
�
.
Goldberg-Wagner (1996):FPGA based hardware;Estimated time one year at a cost of USD
���
� � �
.
Indocrypt 2006 – p.8/73
Exhaustive Search on DESResponse to challenges announced at RSACryptographic Trade Shows.
1997:Software – using computers distributed on theinternet;Time required five months.
1998:Software – using computers distributed on theinternet;Time required 39 days.
Indocrypt 2006 – p.9/73
Exhaustive Attacks on DESElectronic Frontier Foundation (EFF) (July 17,
1998): DES CrackerSpecial purpose hardware;Time required: Solved “DES Challenge II” inless than 3 days.Cost: USD
� � ��
� � �
(hardware + development)
Quisquater-Standaert (2005):Time/Memory Trade-Off;Estimated cost of USD
� ��
� � �
and online timehalf an hour.
Contrast: 100,000 British pounds to build onecryptanalytic machines to attack Engima ( � 1941).(“The Code Book” by Simon Singh, Page 174).
Indocrypt 2006 – p.10/73
DES Cracker – Basic Design
� DES key space size =
� � �
.
� Ciphertext only attack.
� Hierarchical design.
� Parallel search units controlled by a singlecomputer.
� 24 search units fit inside a chip.
� 64 chips are mounted on a large board.
� 12 boards are mounted onto a chassis.
� 2 chassis are used.
� Total of 36,000 search units.
Indocrypt 2006 – p.11/73
One Search Unit
� Includes a 32-bit counter to generate candidatekeys.
� Top 24 bits loaded by the computer.
� Total key size is 56 bits.
� A direct implementation of a 56-bit counterwas considered to be too costly.
� Interrupts the computer after searching
� ��
keys.
� Reports “interesting” plaintext to the computer.
� Final decision taken by the computer.
Indocrypt 2006 – p.12/73
Suggested Improvement
� Use of 56-bit LFSR to generate candidate keys.
� Easy to partition total key space into disjoint sets.
� Parallel generation of the subsets is easy.
� Each search unit has a separate implementationof the LFSR.
� Advantages:
� Next key in one clock cycle.
� Avoids the
� � �
interrupts made by the searchunits to the computer.
� Leads to a simpler, smaller and faster design.
Recent: Mukhopadhyay-Sarkar, 2006.Earlier: Wiener, 1993; Goldberg-Wagner 1996.
Indocrypt 2006 – p.13/73
Time/Memory Trade-Off
� Introduced by Hellman in 1980.
� Basic idea:
� Perform an exhaustive search (or a little morecomputation) once.
� Store some of the results of intermediatecomputations.
� At a later stage use the stored results to obtainsecrets significantly faster than exhaustivesearch.
� In its general form, a TMTO inverts a one-wayfunction.
Indocrypt 2006 – p.14/73
Basic Hellman Method
� Define
� � � �� �
for a fixed . Inverting
� �
on � �� �
yields .
� Pre-Computation:
� Compute � tables of size � � �each.
� For each table, store only the first and the lastcolumn, sorted on the last column.
� Online Search:
� Given �, we have to find � such that
� � � � �.
� Perform some computations and look-ups onthe stored tables to find �.
� Success depends on proper choice of theparameters �
�
�
and �.
Indocrypt 2006 – p.15/73
Single Table ComputationThe domain and range of are same and of size .
� Chain: Given �, the chain starting at � is
��
� � �
�
�� � �
�
�� � �
�� � � �
� � � �
� Choose � points � ���
��� � � �
� ��� randomly.
� Construct chains (rows of the table) starting atthese points.
� The start points and the end points are stored,sorted on the end points.
Indocrypt 2006 – p.16/73
A Hellman Tablex1,0 x x x xf f f f f
1,1 1,2 1,t−1 1,t......
x x x x xf f f f f......
x x x x xf f f f f......
x x x x xf f f f f......
2,0 2,1 2,2 2,t−1 2,t
3,0 3,1 3,2 3,t−1 3,t
m,0 m,1 m,2 m,t−1 m,t
.................
.................
.................
.................
.................
Start Points End Points
Indocrypt 2006 – p.17/73
Set of Tables
� One table cannot have too many rows, as thenrepetition will occur.
� Let ��� � � � � be very simple functions.
� Define � � � � .
� We assume that the � ’s behave as independentrandom functions.
� Construct � tables using the functions ��� � � � � .
� We wish to have � � � � .
Indocrypt 2006 – p.18/73
Online SearchSearch for � in the
�
th table. Repeat for each table.
� Let � � �� � �
.
� If � is in the
�
th table, then its predecessor in thechain (row) is a pre-image of �.
� Compute
� � � ��
� � � ��
��
�
�� ��
�
�
��
�� � � �
� � �
��
�
��
� Look-up each ��� among the end-points of the
�
thtable.
� If found, then from the corresponding start-point,generate the chain upto � �.
� The predecessor of � � is a pre-image of �.Indocrypt 2006 – p.19/73
Coverage and Analysis
� Constants are ignored.
� � ��
(birthday paradox).
� � � � � (total coverage).
� Pre-Computation: Number of invocations =(exhaustive search).
� Memory: � � � �.
� Online search: � � �;
Max number of invocations = � �
;Max number of table look-ups = � �
.
�
�
�
�
(the trade-off curve).( � �
� � �
.)
Indocrypt 2006 – p.20/73
Distinguished PointsIntroduced by Rivest.
Distinguished point (DP): A string with a fixednumber of bits 0.
Pre-Computation: Generate a chain only upto a DP,or of length
�
whichever occurs earlier.
Online Search: Perform a look-up only afterencountering a DP.
� Only one look-up for each table required.
� Total number of look-up comes down to �.
Chains are of variable length.
Trade-off curve does not change.
Indocrypt 2006 – p.21/73
TMTO With Multiple DataBiryukov-Shamir, 2000.
� Given: � ��� � � �
� � .Requirement: Invert any of the � � ’s.
� Choose � � � �
.
� Coverage � � � � �
. Birthday paradox assuresa constant success probability.
� Trade-off curve:� �
�
�
.
Biryukov-Mukhopadhyay-Sarkar (2005) presents adetailed analysis.
Indocrypt 2006 – p.22/73
Rainbow MethodOechslin, 2003.
� It is a variant of the Hellman method.
� Rainbow chain: � � � �.
� � � �� � ��
�
� � � �� � ��
�� � � �
� � � �� � ��� ���
Recall: �� �
is obtained from
� �
by a simpleoutput modification.
� A single rainbow table of size � � � �
is used.
� Online search time is one-half of Hellman’smethod.
� Trade-off curve:
�
�
��
Biryukov-Mukhopadhyay-Sarkar (2005).Indocrypt 2006 – p.23/73
Rainbow Crack
� A software implementation of the rainbowmethod.
� Pre-computed tables available on the net.
� Using these, the program can crack Windowspasswords in a few seconds of online time.
� A vindication of the TMTO method.
The following website provides a real-life demo.
http://lasecwww.epfl.ch/
�
oechslin/projects/ophcrack/
Indocrypt 2006 – p.24/73
Theoretical Issues
� Hellman’s assumption:
� is a random function.
� ��� � � �
� are independently chosen randomfunctions.
� Fiat-Naor (1991) counter-example :
� �
� � �
points induce a permutation.
� Other keys map to zero.
� Hellman’s method on such results in a lot ofzeros in the tables.
� Success probability drops.
Indocrypt 2006 – p.25/73
Inverting Any FunctionFiat-Naor 1991.
� Store high in-degree images in a single table.
� For the other points use a variant of Hellman’sstrategy.
� Can provably invert any function.
� Trade-off Curve:
�
�
�
.
� Worse trade-off compared to Hellman’s method.
Indocrypt 2006 – p.26/73
An Easy Solution
� Output modifications.
� Hellman: Permute output bits.
� Oechslin: �� � � � � � � �
.
� For both methods, it is possible to constructFiat-Naor type examples.
� A new output modifier (Mukhopadhyay-Sarkar2005).
� Randomly choose a maximal length LFSR.
� Suppose LFSR states are ��
��� � � .
� Define �� � � � � � �
� .
� Difficult to construct a Fiat-Naor typeexample for this construction.
Indocrypt 2006 – p.27/73
Applying TMTOIdentifying one-way functions in cryptographicalgorithms.
� Hellman: Block ciphers. For a fixed
� � � �� ��
� Babbage, Golic, Biryukov-Shamir: Streamciphers.
internal state � keystream-segment map.
� Biryukov-Shamir-Wagner: A5/1 stream cipher.
� A variant of distinguished point method.
� Introduces a new technique called BSWsampling.
Indocrypt 2006 – p.28/73
Applying TMTO
� Hong-Sarkar:
� Stream ciphers.
(Key, IV) � keystream-segment map.
� Several modes of operations of block ciphers.
� A general method of applying TMTO.
� Biryukov-Mukhopadhyay-Sarkar:
� Unix password.
� Other applications are known.
Indocrypt 2006 – p.29/73
Parallelism
� DES Cracker uses a large amount of parallelism.
� Hardware designs for TMTO are parallel.
� Bernstein 2005.
� Points out that a clever but sequential attackcan be inferior to brute force but parallelsearch.
� Writes Hellman+DP and rainbow methods asexhaustive search attacks.
Indocrypt 2006 – p.30/73
Processors and Bounds
� Amirazizi-Hellman 1988: Introducedtime/memory/processor trade-offs.
� Uses a number of processors.
� Uses a large shared memory.
� Uses a switching/sorting network.
� Wiener 2004: Notion of full cost (Lenstra et al2002, Bernstein 2001).
number of components � duration of their use
� A bound of� �
�� � � �
on the interconnectioncost for connecting � processors to � memoryblocks.
Indocrypt 2006 – p.31/73
TMTO Architecture
� FPGA implementations:
� Standaert et al (2002): 40-bit DES keys.
� Mentens et al (2006): 48-bit UNIXpasswords.
� Use of counters for start point generation.
� Special purpose hardware: (Top-level design.)Mukhopadhyay-Sarkar 2006.
� A different architecture for avoiding lowerbound on interconnection cost.
� Use of LFSRs for start point generation andfunction masking.
� Store one table on a DVD.
Indocrypt 2006 – p.32/73
Pre-Computation: Basic BlocksFreshMemory
Completed Table
SortingChain
Computation
UnsortedTable
Sorted Table
SCC
sgc1 sgc2
startsignal
And
Assembly line processing.
Indocrypt 2006 – p.33/73
Chain Computation
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .PMS1
PMSn
WB1WBn
P1
Pn
LR
SC
CTtag
2s 2sr1
22s r2
s
r1
r2s
. . . . .
(O , O )1 sg1O3
sg2
sg3
sg4
5sg
2
startsignal
sgc1
Memory
Indocrypt 2006 – p.34/73
Architecture of each �
O3
SPG
s
PUnit
Out2
Out3
In2In1
C2
TSC2
r2
sg1
sg2
Output to R
Input from L
Out4O1Out1
O2
Indocrypt 2006 – p.35/73
Architecture of Punit
MUXMUX MUXMUXMUXMUX
0 0
RF1
SPC1s
SPR 1
R21s
r1
DP?
p s
R3 R4
R5
s s
s
SPRq
sSPR2
RF
s
RF
s
RFqs
R
Rs
22 s
s
...
s
2
q−1
2q
SPC2
r
s
s
. . .
. . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
C1
r1
SC1
SPC
+1
1
r1
r1
r1
. . .
. . .
. . .
.
q
Out1
Out4
Out
Out2
3
s
In1 In2
SPRq+1
ss
Architecture when is an iterated round function.Indocrypt 2006 – p.36/73
Online Search
SC
SCHEDULER
DB1
DBn
RB 1
RBn
P1
Pn
R
. . .
. .
. . .
. .
. . .
. .
. . .
. .
. . .
. .
L
s
s
s
s
new table
Table. . .
. .
3s 3s
. . . . . . . .
. . .
. . .
. .
B
move table
n
Q 1
1(mask, y’ , DP)
(mask, y’, SP)
(mask, y’, SP)
Q k
SCHEDULER 2
Output memory block (OMB)
Search in a single table for multiple data points.
Indocrypt 2006 – p.37/73
Online Search P-processor
from DBInput
y/
MR
DR PUnit
Out 3
Out2
TSC2
r
PC
3
1
Input from L
signal to RB
Output to R
new table
Out4Out1
DPpsig
mask
Indocrypt 2006 – p.38/73
Finding the Key
SCHEDULER
STOP. .
. . .
. . .
.
. . .
. . .
. . .
. . .
. . .
. . .
RB1
RBn
P1
Pn
OMB
false alarm
false alarm
Key
Key
(mask, y’, SP)
Indocrypt 2006 – p.39/73
Approximate Cost Analysis
� Assumption: For an �-bit cipher, with �
� � �
,the throughput and area will be the same as thatof the best AES-128 implementation.
� AES-128 implementation.
� Good and Benaissa (CHES 2005) proposed anew FPGA design using Xilink Spartan III(XC3S2000).
� Cost: USD 12.00 per Xilink Spartan IIIFPGA device.
� 25 Gbps =��
� � � ��
AES-128 encryptions/sec
Indocrypt 2006 – p.40/73
How Accurate is the Analysis?
� It is an initial study based on one particulararchitecture.
� Under estimates?
� Time for DVD load/unload.
� Time for parallel sorting.
� Power consumption, circuit failures, ...
� Over estimates?
� Cost of processor, memory and othercomponents.
� Speed of encryption.
� Development cost: Very difficult to estimate.
Indocrypt 2006 – p.41/73
Is the Analysis Meaningful?
� It provides some idea about the relative strengthof different key sizes.
� Costs should scale only by small factors.
� Provides an outline of how to perform a costanalysis.
� A more detailed cost analysis will be welcome.
� Different architectures are welcome.
Indocrypt 2006 – p.42/73
Parameters
� � �� : Pre-computation time in seconds.
� � � �� : Online time in seconds.
� �: cost of processors in USD.
�
�: cost of memory in USD.
�
�
: number of DVD readers.
� � : cost of DVD readers in USD.
Note: Estimates based on Mukhopadhyay-Sarkar(2006).
Indocrypt 2006 – p.43/73
Table 1: Trade-off for different values of � with � �
.
� � � � ���� � � ��� �� ��� � �� �
56
� � � � � � � ��� � � � � � � � � � � �� � � � � �
64
� � � � � � � ��� � � � � � � � � � � � � �� � � �
80
� � � � � � � � � � � � � � � � � �� � � � � � � � �� � � �
86
� �� � �� � �� � � � � � � � �� � � �� � � � ��� � � �
96
� � � � � � � � � � � �� � � � � � � � � � �
1
� �� �
80
128
� � � � � � � � � � �� � � � � � � � � � � �
1
� �� �
80
Indocrypt 2006 – p.44/73
Analysis
� 56-bit and 64-bit keys are completely insecure.
� 80-bit keys: One-year of pre-computation time;cost of USD 500M; online time less than asecond.
� 96-bit keys: Pre-computation time is more than4000 years and cost around USD 1 billion.
Indocrypt 2006 – p.45/73
Table 2: Trade-off for different values of � and� � �
� .
� � � � � � �� � � �� � �� � �� �
80
� �� � � ��� � � ��� � � � � �� � � �� �
1
� ��� �
845
86
� �� � � � �� � � ��� � � � � � � � � �� �1
� ��� �
776
96
� � � � � � ��� � � �� � ���� � � �1
� ��� �
320
96
� � � � � � � � � � � ���� � � �
1
� ��� � � �� �
128
� � �� � � � � � � � �� � �
1
� ��� � � �� �
128
� � � � � � � � � � � � � �� � � � � � � � � � � � � �� �
128
� � � � � � � � � � � � � � � � � �
1
� ��� � � � �� �
Indocrypt 2006 – p.46/73
Analysis for �
�� �
� 80-bit: Attack becomes much easier.
� 96-bit: Attack becomes reasonable.
� 128-bit: At least one of the parameters among
�
� �� �
�� �
�
become infeasible.
Currently 128-bit seems to be secure, until a newtechnological revolution invalidates the analysisperformed here.
Indocrypt 2006 – p.47/73
Desirable Goals
� Exhaustive search.
� 80-bit keys: Borderline of feasibility.
� 96-bit keys: Does not look possible.
� TMTO.
� 56-bit, 64-bit: Methodology validation.
� 80-bit: With � � � ��
� � �. Feasible.
� 96-bit: With � � � ��
� � ��
� � �
. Ambitious.
� A5/3: 64-bit key, 22-bit IV:
� Used in practice.
� TMTO or exhaustive search? Both are doable.
Indocrypt 2006 – p.48/73
Breaking in the Future“Today’s crypto systems must resist
attack by tomorrow’s computers.Nanotechnology explores the limits of whatwe can make.”
Ralph Merkle, 15 August 2005(IACR Distinguished Lecture, CRYPTO).
Indocrypt 2006 – p.49/73
Processor Technology
� Current technology is CMOS based.
� Speed of light; clock speed; channel length(of MOSFET).
� 50 nanometers channel length can producearound 20GHz clock speed.
� This hits the physical barrier.
� Geobacter.
� Certain bacteria uses metal for respiration.
� Can be used to construct conductingnanowires.
� Quisquater at rump session of Crypto 2005.
Indocrypt 2006 – p.50/73
Memory Technology
� Blu-ray technology
� paper disc
� capability to store several hundred Gb on asingle disc.
� Holographic-memory discs:
� theoretical possibility of one terabyte datastorage at an access speed of 120megabits/sec.
� Non-volatile memory technology.
Indocrypt 2006 – p.51/73
Interconnection Network
� Connecting many processors to many memoryunits is a major problem.
� How to bypass the problem?
� Optical connections?
� Any other possibilities?
Indocrypt 2006 – p.52/73
Non-Conventional Technology
� Already proposed attacks on DES.
� DNA computing – Boneh-Dunworth-Lipton(1995).
� Photographic techniques – Shamir (1998).
� Other candidates.
� Quantum computing.
� Optical computing.
Indocrypt 2006 – p.53/73
General Idea
� Known plaintext attack. A pair
�
�
�
is known.
� Define
� � � �� �
.Goal: Find .
� Basic idea.
� For each key , generate all possible pairs
�
�
� � �
.
� Pick out the pairs�
�
� � �
such that
� � �
.
� Parallelism: Single instruction multiple data(SIMD) architecture.
� Exploit denseness of the medium to represent“all possible states”.
Indocrypt 2006 – p.54/73
General Idea
� Initial state: All possible keys.
� Intermediate state: All possible partial resultsobtained by encrypting with all possible keys.
� Final state: All possible ciphertexts obtained byencrypting with all possible keys.
� Change of state: Effected by performing one step(of DES).
� Total number of operations equals total numberof steps of DES.
� Execution of each operation is time consuming.
� Some operations can be executed in parallel, butthis kind of parallelism is restricted.
Indocrypt 2006 – p.55/73
General Idea
� Representation of bit strings in the medium.
� Applying binary operations on bit strings.
� Applying domain specific operations toimplement binary operations.
� DNA computing: Look-up tables can beimplemented.
� Photographic techniques: Converts look-uptables into Boolean functions.
Indocrypt 2006 – p.56/73
DNA Computing
� DNA strand: An “oriented” string over thealphabet
�
� � �
�
.
� Binary string representation.
� Let length of the string be �.
� Let �� � �
�
�� � �
be 30-mers used to representthe fact that the
�
th position is
�
or
�
respectively.
� Let
��
�� � � �
�� be 30-mers used as separators.
� Let � � � � � � � � �. Representation
�� �
� � �� �� �
� � �� �
� � � �
��� � �
� � �� ��
�
��
�
�� �
’s are distinct and have no longcommon substrings.
Indocrypt 2006 – p.57/73
DNA Operations
� Extract: From a solution, separate out strandswith a specific substring.
� Can be used to perform operations onconsecutive bits of a binary string.
� A DES step is either a XOR gate or a tablelook-up.
� Suitably defined extract can be used toperform both.
� Amplify: Create duplicates of all DNA strands inthe solution.
� Tag: Append a short new sequence onto allstrands in the solution.
Indocrypt 2006 – p.58/73
Analysis
� One litre of solution can contain
� � � �
DNAstrands.
� This can just about represent all
� � �
possible keysof DES.
� Each extract operation is time consuming.
� Estimates.
� About 10 extract operations in a day.
� Around 4 months to prepare a solutioncontaining all possible
�
�
� � �
pairs.
� Finding from such a solution can becompleted in a few hours.
� Assumes an error-free model.Indocrypt 2006 – p.59/73
Photographic Technique
� Each pixel represents a bit.
� Operations:
�
�
-film: Develop a unexposed film.
�
�
-film: Develop a film exposed under stronglight.
� Random film: Photograph a random pattern.
� NOT: Contact print to another film.
� NOR: Contact print two stacked films toanother film.
� NAND, XOR: Little more complicated.
Indocrypt 2006 – p.60/73
Representation of Keys
� Stack
� �
random films.
� A vertical line through the films represent aparticular key.
� All possible vertical lines represent a set of keys.
� Keys cannot be individually operated upon.
� Problem: Number of possible keys can greatlyexceed the number of pixels.
Indocrypt 2006 – p.61/73
Representation of States
� Initial state:
� Multiple copies of the message.
� Stack
� �
single colour (all 0 or all 1) films.
� Number of copies equals number of pixels.
� Intermediate state: Result of partial encryption ofunder the represented keys.
� Final state: Result of encryption of under therepresented keys.
Indocrypt 2006 – p.62/73
DES Operations
� Bit permutations and expansions:
� Easy to perform.
� Permute films and make copies of films.
� Bitwise XOR.
� Requires three photographic operations.
� S-box look-up:
� Can be defined as Boolean functions.
� Implemented using multi-input NAND, NORgates and two-input XOR gates.
Indocrypt 2006 – p.63/73
Can 128-bit Keys be Attacked?
� Storage.
� This will require the representation of all the
� � � �
keys.
� DNA Computing: The volume of solutionbecomes impractical.
� Photo film: The film area becomesimpractical.
� Operations.
� Each operation (DNA operation or photoprinting) is time consuming.
� Conclusion: It is unlikely that AES-128 is goingto be meaningfully attacked by such techniques.
Indocrypt 2006 – p.64/73
A Historical PerspectiveThis part of the talk is based on “The Code Book” bySimon Singh.
� Enigma: Mechanization of secrecy.
� Extensively used by the Germans during thesecond world war.
� Polish attack – Rejewski.
� Exploits double encryption of the messagekey.
� A ciphertext only attack.
� An attack on the mode of operation.
� British attack – Turing.
� A known plaintext attack.Indocrypt 2006 – p.65/73
Enigma Components
� Scramblers.
� Time varying permutations of the alphabet,i.e., the permutation changes as the encryptionproceeds.
� The order of the scramblers can be changed.
� Initial setting of the scramblers and their orderconstitutes the scrambler part of the key.
� Plugboard.
� A permutation introduced before thescramblers.
� Not time varying.
� Settings are part of the key.
� Other components: Reflector, ring.Indocrypt 2006 – p.66/73
Mode of Operation
� Day Key:
� Pre-distributed to all concerned parties.
� Specified the scrambler and plugboardsettings.
� Message Key:
� Choose a scrambler setting – three letters.
� Encrypt the message key twice with the daykey.
� Transmit the double encryption of themessage key.
� Encrypt the message with the message key.
Indocrypt 2006 – p.67/73
Rejewski’s Attack
� Weakness: Double encryption of a (unknown)message.
� Observation:
� This defines a permutation of the alphabetwhich can be constructed only from theciphertext.
� Change of plugboard settings gives rise to aconjugate permutation.
� The cycle structure is independent of theplugboard settings.
Indocrypt 2006 – p.68/73
Attack Techniques
� Divide and conquer.
� Time/Memory trade-off.
Indocrypt 2006 – p.69/73
Divide and Conquer
� First find the scrambler settings for the day key.
� Next find the plugboard settings for the day key.
� This is relatively easier.
� A trial and error method can be used.
Indocrypt 2006 – p.70/73
Time/Memory Trade-OffPre-computation:
� For each possible scrambler setting, compute thecorresponding permutation and its cycle structure.
� Store (scrambler setting, cycle structure) in atable.
� Initially required one year hand computation byexperts.
� Later mechanized (bombes).
Indocrypt 2006 – p.71/73
Time/Memory Trade-Off
� Online search:
� Construct the permutation from the ciphertext.
� Compute its cycle structure.
� Use table look-up to find the correspondingscrambler setting.
� Memory: Required to store the table.
Indocrypt 2006 – p.72/73
Thank you for your attention!
Indocrypt 2006 – p.73/73