How to Launch a Birthday Attack Against DES

download How to Launch a Birthday Attack Against DES

of 32

Transcript of How to Launch a Birthday Attack Against DES

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    1/32

    1

    How to Launch A Birthday Attack

    Against DES

    Zhengjun Cao

    Computer Sciences Department,

    Universite Libre de Bruxelles, Belgium.

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    2/32

    2

    Outline

    Introduction

    Description of DES

    Basic ideaDescription of the birthday attack against

    DES

    ComplexityConclusion

    References

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    3/32

    3

    Introduction

    The DES is a cipher selected as an officialFIPS for US in 1976.

    Other theoretical attacks are possible

    require an unrealistic amount of known orchosen plaintext to carry out.Differential cryptanalysis requires chosen plaintexts

    Linear cryptanalysis needs known plaintexts

    Davies attack requires known plaintexts, has acomputational complexity of , and has a 51%success rate.

    472

    412502

    502

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    4/32

    4

    Introduction

    Birthday attack is given a function , the goal of

    the attack is to find two inputs , such that

    Function yields any of H different outputswith equal probability and H is sufficiently large

    A pair of different arguments and with

    after evaluating the function forabout different arguments on average

    )()( 21 xfxf 2

    x1x

    f

    )(xf

    1x

    H25.1)()( 21 xfxf

    2x

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    5/32

    5

    Description of DES

    Important componentInner function

    Computation path

    S-boxKey schedule

    Process of calculating consists of 4 steps

    1.E expansion2.XOR with a subkey

    3.S box transformation

    4.P permutation

    f

    f

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    6/32

    6

    Description of DES

    DES processes plaintext blocks of ,

    producing ciphertext blocks. The

    effective size of the secret key is

    The input key specified as a key 8

    bits of which (bits 8, 16,,64) may be

    used as parity bits.

    K

    bitsK 56

    bit64

    bitsn 64

    bit64

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    7/32

    7

    Description of DES

    Computation path

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    8/32

    8

    Description of DES

    Inner function f

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    9/32

    9

    Description of DES

    Expansion permutation (E): 32 bits->48bits

    32 1 2 3 4 5

    4 5 6 7 8 9

    8 9 10 11 12 13

    12 13 14 15 16 17

    16 17 18 19 20 21

    20 21 22 23 24 25

    24 25 26 27 28 29

    28 29 30 31 32 1

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    10/32

    10

    Description of DES

    28 28

    110100100

    100100110

    Key schedule of DES

    Left rotation

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    11/32

    11

    Description of DES

    S-box for DES

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    12/32

    12

    Description of DES

    58 50 42 34 26 18 10 2

    60 52 44 36 28 20 12 4

    62 54 46 38 30 22 14 6

    64 56 48 40 32 24 16 8

    57 49 41 33 25 17 9 1

    59 51 43 35 27 19 11 3

    61 53 45 37 29 21 13 5

    63 55 47 39 31 23 15 7

    IP

    40 8 48 16 56 24 64 3239 7 47 15 55 23 63 31

    38 6 46 14 54 22 62 3037 5 45 13 53 21 61 29

    36 4 44 12 52 20 60 2835 3 43 11 51 19 59 27

    34 2 42 10 50 18 58 26

    33 1 41 9 49 17 57 25

    IP-1

    Initial & final Permutations IP and IP-1

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    13/32

    13

    Basic idea

    By the last round in DES, we have

    Hence

    Note that both , are not accessible

    Collision assumption

    Suppose that there is a pair of ciphertexts

    (c,c) generated by the same key and

    satisfying

    By the collision-assumption, we have

    16K15L

    151616,151516 ),( RLKRfLR

    16K

    15161616 ),( LRKLf

    ),(),'( 16161616 KLfKLf

    15151616,1616 ','' LLLLRR

    (1)

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    14/32

    14

    Basic idea

    Denote by where E is expansion

    transformation in function

    Express as

    Each is length 6-bit denotes the concatenation of the two

    strings

    16EL)( 16LE

    1616 ,KEL

    f

    ,8,...,1],[],[ 1616

    jjKjEL

    ]8[||]7[||]6[||]5[||]4[||]3[||]2[||]1[

    ]8[||]7[||]6[||]5[||]4[||]3[||]2[||]1[

    161616161616161616

    161616161616161616

    KKKKKKKKK

    ELELELELELELELELEL

    ,

    ||

    15L

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    15/32

    15

    Basic idea

    Thus for each S-box the input

    of is

    By the structure of and Eq(1), we have

    ][ jS

    ,8,...,1],[ jjS

    f

    ][][ 1616 jKjEL

    ])[][']([])[][]([ 16161616 jKjELjSjKjELjS

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    16/32

    16

    Basic idea

    Collision for

    PossiblejELjEL

    PossiblejELjEL

    2

    1616

    6

    1616

    2]['][

    2]['][

    boxjS ][

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    17/32

    17

    Description of the birthday attack

    against DES

    1.Collecting proper ciphertexts

    2.Computing the candidates for each

    3.Local checking

    4.Determining the candidates for

    5.Determining the candidates for

    6.Distinguishing K from the candidates

    7.Outputting

    8,...,1],[16 jjK

    16K

    K

    K

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    18/32

    18

    Description of the birthday attack

    against DES

    1.Collecting proper ciphertexts

    Choose ciphertexts(64bit) generated by

    the same key K. Collect the ciphertexts

    with the same and denote the set by

    Denote by ,where is the

    expansion transformation in function

    Express as

    16RC

    KRC ,16

    )( 16LE 16EL E

    f

    16EL

    ]8[||]7[||]6[||]5[||]4[||]3[||]2[||]1[ 161616161616161616 ELELELELELELELELEL

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    19/32

    19

    Description of the birthday attack

    against DES

    2.Computing the candidates for each

    Randomly pick two ciphertexts .Integrate each string of 6-bit with

    Determine the candidates for bycheck

    8,...,1],[16 jjK

    )][']([)][]([ 1616 ajELjSajELjS ? ][

    16 jK

    ]['],[ 1616 jELjEL

    KRCcc ,16',

    a

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    20/32

    20

    Description of the birthday attack

    against DES

    3.Local checking

    If there does not exist any candidate for

    some then goto step 2.}8,...,1{],[16 iiK

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    21/32

    21

    Description of the birthday attack

    against DES

    4.Determining the candidates for

    Derive the candidates for from the

    candidates for

    16K

    16K

    ]8[],...,1[ 1616 KK

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    22/32

    22

    Description of the birthday attack

    against DES

    5.Determining the candidates for

    Derive the candidates for from by

    the key schedule of DES

    K

    K

    16K

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    23/32

    23

    Description of the birthday attack

    against DES

    6.Distinguishing K from the candidates

    Given a plaintext and its corresponding

    ciphertext, the key (or its equivalent) can

    be distinguished from its candidates by

    evaluations.

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    24/32

    24

    Description of the birthday attack

    against DES

    7.Outputting

    If the key cannot be derived from the pair

    goto step 2. Otherwise, output the key.

    Remark In the above attack, we aim at

    finding a collision ,which is achieved

    by evaluating possible values for

    This is the reason for calling it a birthday

    attack.

    )',( cc

    K

    )',(1515

    LL

    .8,...,1],[16 jjK

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    25/32

    25

    Complexity

    On the complexity of evaluations

    To derive the candidates for

    We should evaluate all 6-bit values, which

    are integrated with separately.

    But all evaluations can be run in

    parallel and be separately restricted in

    eight boxes. In this case, the time for one

    evaluation is less than that for an

    evaluation using one round in DES.

    8,...,1],[16 jjK

    ]['],[ 1616 jELjEL

    628

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    26/32

    26

    Complexity

    On the amount of rounds

    The birthday attack against DES does not

    relate to the amount of rounds.

    It is entirely based on the inner function

    and the key schedule in DES

    This is a peculiar property of the birthdayattack.

    f

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    27/32

    27

    Complexity

    On the amount of ciphertexts

    By and the definition

    of ,we define

    To find a collision for it, i.e.,

    about

    arguments should be evaluated.

    where is the cardinal number

    of , because each ciphertext is of only

    64-bit.

    ),( 16161615 KLfRL

    1516, :16

    LLC KR

    KRC ,16

    D162D

    KRC ,16

    162)'(')( 16,151516, 16161616 LPLLLP KRKR

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    28/32

    28

    Complexity

    On the amount of candidates for K in

    each iteration

    Define the block-distance between

    as

    Best case block-distance is the MAX, 8

    Worst case block-distance is the Min, 1

    On average, a leads to candidates for

    K. We conjecture the amount of

    candidates for in each iteration is

    16K

    ]}['][:{# 1616 ELELd

    K

    6

    7

    182

    KRCcc ,16',

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    29/32

    29

    Complexity

    On the amount of iterations

    In the worst case is ,the average

    amount of iterations is .

    Hence, the birthday should evaluate

    candidates for .

    3022

    )1( DD

    K

    482

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    30/32

    30

    Complexity

    On the amount of plaintexts

    In the proposed attack, we need a

    plaintext and the corresponding ciphertext

    to distinguish the key (or its equivalents)

    from its candidates.

    Note that the resulting amount of the key

    or its equivalents will be sharply

    decreased as the increase of plaintexts.

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    31/32

    31

    Conclusion

    We believe the simple derivation of

    candidates for from and the

    relationship can be a serious

    problem in DES. it is due to historicalconsiderations instead of a contrived

    process.

    K 16K

    ii RL 1

  • 7/30/2019 How to Launch a Birthday Attack Against DES

    32/32

    32

    References

    [1] http://en.wikipedia.org/wiki/Data_Encryption_Standard [2] http://en.wikipedia.org/wiki/Birthday_attack

    [3] http://dhost.info/pasjagor/des/start.php?id=0

    [4] E.Biham, A.Biryukov. An Improvement of Davies' Attack on DES, Journal of Cryptology. 1997, 10(3), 195-206

    [5] E.Biham, O.Dunkelman, N.Keller. Enhancing Dierential-Linear Cryptanalysis. Advances in

    Cryptology-ASIACRYPT'2002. LNCS 2501, Springer-Verlag, 1990, 254-266

    [6] E.Biham, A.Shamir. Dierential Cryptanalysis of DES-like Cryptosystems, Advances in Cryptology-

    CRYPTO'1990. LNCS 537, Springer-Verlag, 1990. 2-21

    [7] A.Biryukov, C.Canniere, M.Quisquater. On Multiple Linear Approximations, Advances in

    Cryptology-CRYPTO'2004. LNCS 3152, Springer-Verlag, 2004. 1-22

    [8] S.Burton, J.Kaliski, R.Matthew. Linear Cryptanalysis Using Multiple Approximations, Advances in

    Cryptology-CRYPTO'1994. LNCS 839, Springer-Verlag, 1994, 26-39

    [9] D.Coppersmith. The data encryption standard (DES) and its strength against attacks. IBM Journal

    of Research and Development. 1994, 38 (3), 243-250

    [10] K.Campbell, M.Wiener. DES is not a Group. Advances in Cryptology-CRYPTO'1992. LNCS 740,

    Springer-Verlag, 1992, 512-520

    [11] W.Die, M.Hellman. Exhaustive Cryptanalysis of the NBS Data Encryption Standard, IEEE Com-

    puter 10(6), June 1977, 74C84

    [12] J.Gilmore. Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design. O'Reilly, 1998[13] P.Junod. On the Complexity of Matsui's Attack. Selected Areas in Cryptography'2001, LNCS 2259,

    Springer-Verlag, 2001, 199C211.

    [14] L.Knudsen, J.Mathiassen. A Chosen-Plaintext Linear Attack on DES, Fast Software Encryption-

    FSE'2000. LNCS 1978, Springer-Verlag, 2000, 262-272

    [15] M.Matsui. Linear Cryptanalysis Method for DES Cipher, Advances in Cryptology-

    EUROCRYPT'1993. LNCS 765, Springer-Verlag, 1993, 386-397

    [16] M.Matsui. The First Experimental Cryptanalysis of the Data Encryption Standard, Advances in

    Cryptology-CRYPTO'1994. LNCS 839, Springer-Verlag, 1994, 1-11