How to Launch a Birthday Attack Against DES

7/30/2019 How to Launch a Birthday Attack Against DES

1/32

1

How to Launch A Birthday Attack

Against DES

Zhengjun Cao

Computer Sciences Department,

Universite Libre de Bruxelles, Belgium.


2/32

2

Outline

Introduction

Description of DES

Basic ideaDescription of the birthday attack against

DES

ComplexityConclusion

References


3/32

3

Introduction

The DES is a cipher selected as an officialFIPS for US in 1976.

Other theoretical attacks are possible

require an unrealistic amount of known orchosen plaintext to carry out.Differential cryptanalysis requires chosen plaintexts

Linear cryptanalysis needs known plaintexts

Davies attack requires known plaintexts, has acomputational complexity of , and has a 51%success rate.

472

412502

502


4/32

4

Introduction

Birthday attack is given a function , the goal of

the attack is to find two inputs , such that

Function yields any of H different outputswith equal probability and H is sufficiently large

A pair of different arguments and with

after evaluating the function forabout different arguments on average

)()( 21 xfxf 2

x1x

f

)(xf

1x

H25.1)()( 21 xfxf

2x


5/32

5

Description of DES

Important componentInner function

Computation path

S-boxKey schedule

Process of calculating consists of 4 steps

1.E expansion2.XOR with a subkey

3.S box transformation

4.P permutation

f

f


6/32

6

Description of DES

DES processes plaintext blocks of ,

producing ciphertext blocks. The

effective size of the secret key is

The input key specified as a key 8

bits of which (bits 8, 16,,64) may be

used as parity bits.

K

bitsK 56

bit64

bitsn 64

bit64


7/32

7

Description of DES

Computation path


8/32

8

Description of DES

Inner function f


9/32

9

Description of DES

Expansion permutation (E): 32 bits->48bits

32 1 2 3 4 5

4 5 6 7 8 9

8 9 10 11 12 13

12 13 14 15 16 17

16 17 18 19 20 21

20 21 22 23 24 25

24 25 26 27 28 29

28 29 30 31 32 1


10/32

10

Description of DES

28 28

110100100

100100110

Key schedule of DES

Left rotation


11/32

11

Description of DES

S-box for DES


12/32

12

Description of DES

58 50 42 34 26 18 10 2

60 52 44 36 28 20 12 4

62 54 46 38 30 22 14 6

64 56 48 40 32 24 16 8

57 49 41 33 25 17 9 1

59 51 43 35 27 19 11 3

61 53 45 37 29 21 13 5

63 55 47 39 31 23 15 7

IP

40 8 48 16 56 24 64 3239 7 47 15 55 23 63 31

38 6 46 14 54 22 62 3037 5 45 13 53 21 61 29

36 4 44 12 52 20 60 2835 3 43 11 51 19 59 27

34 2 42 10 50 18 58 26

33 1 41 9 49 17 57 25

IP-1

Initial & final Permutations IP and IP-1


13/32

13

Basic idea

By the last round in DES, we have

Hence

Note that both , are not accessible

Collision assumption

Suppose that there is a pair of ciphertexts

(c,c) generated by the same key and

satisfying

By the collision-assumption, we have

16K15L

151616,151516 ),( RLKRfLR

16K

15161616 ),( LRKLf

),(),'( 16161616 KLfKLf

15151616,1616 ','' LLLLRR

(1)


14/32

14

Basic idea

Denote by where E is expansion

transformation in function

Express as

Each is length 6-bit denotes the concatenation of the two

strings

16EL)( 16LE

1616 ,KEL

f

,8,...,1],[],[ 1616

jjKjEL

]8[||]7[||]6[||]5[||]4[||]3[||]2[||]1[

]8[||]7[||]6[||]5[||]4[||]3[||]2[||]1[

161616161616161616

161616161616161616

KKKKKKKKK

ELELELELELELELELEL

,

||

15L


15/32

15

Basic idea

Thus for each S-box the input

of is

By the structure of and Eq(1), we have

][ jS

,8,...,1],[ jjS

f

][][ 1616 jKjEL

])[][']([])[][]([ 16161616 jKjELjSjKjELjS


16/32

16

Basic idea

Collision for

PossiblejELjEL

PossiblejELjEL

2

1616

6

1616

2]['][

2]['][

boxjS ][


17/32

17

Description of the birthday attack

against DES

1.Collecting proper ciphertexts

2.Computing the candidates for each

3.Local checking

4.Determining the candidates for


6.Distinguishing K from the candidates

7.Outputting

8,...,1],[16 jjK

16K

K

K


18/32

18


against DES

1.Collecting proper ciphertexts

Choose ciphertexts(64bit) generated by

the same key K. Collect the ciphertexts

with the same and denote the set by

Denote by ,where is the

expansion transformation in function

Express as

16RC

KRC ,16

)( 16LE 16EL E

f

16EL

]8[||]7[||]6[||]5[||]4[||]3[||]2[||]1[ 161616161616161616 ELELELELELELELELEL


19/32

19


against DES

2.Computing the candidates for each

Randomly pick two ciphertexts .Integrate each string of 6-bit with

Determine the candidates for bycheck

8,...,1],[16 jjK

)][']([)][]([ 1616 ajELjSajELjS ? ][

16 jK

]['],[ 1616 jELjEL

KRCcc ,16',

a


20/32

20


against DES

3.Local checking

If there does not exist any candidate for

some then goto step 2.}8,...,1{],[16 iiK


21/32

21


against DES


Derive the candidates for from the

candidates for

16K

16K

]8[],...,1[ 1616 KK


22/32

22


against DES


Derive the candidates for from by

the key schedule of DES

K

K

16K


23/32

23


against DES

6.Distinguishing K from the candidates

Given a plaintext and its corresponding

ciphertext, the key (or its equivalent) can

be distinguished from its candidates by

evaluations.


24/32

24


against DES

7.Outputting

If the key cannot be derived from the pair

goto step 2. Otherwise, output the key.

Remark In the above attack, we aim at

finding a collision ,which is achieved

by evaluating possible values for

This is the reason for calling it a birthday

attack.

)',( cc

K

)',(1515

LL

.8,...,1],[16 jjK


25/32

25

Complexity

On the complexity of evaluations

To derive the candidates for

We should evaluate all 6-bit values, which

are integrated with separately.

But all evaluations can be run in

parallel and be separately restricted in

eight boxes. In this case, the time for one

evaluation is less than that for an

evaluation using one round in DES.

8,...,1],[16 jjK

]['],[ 1616 jELjEL

628


26/32

26

Complexity

On the amount of rounds

The birthday attack against DES does not

relate to the amount of rounds.

It is entirely based on the inner function

and the key schedule in DES

This is a peculiar property of the birthdayattack.

f


27/32

27

Complexity

On the amount of ciphertexts

By and the definition

of ,we define

To find a collision for it, i.e.,

about

arguments should be evaluated.

where is the cardinal number

of , because each ciphertext is of only

64-bit.

),( 16161615 KLfRL

1516, :16

LLC KR

KRC ,16

D162D

KRC ,16

162)'(')( 16,151516, 16161616 LPLLLP KRKR


28/32

28

Complexity

On the amount of candidates for K in

each iteration

Define the block-distance between

as

Best case block-distance is the MAX, 8

Worst case block-distance is the Min, 1

On average, a leads to candidates for

K. We conjecture the amount of

candidates for in each iteration is

16K

]}['][:{# 1616 ELELd

K

6

7

182

KRCcc ,16',


29/32

29

Complexity

On the amount of iterations

In the worst case is ,the average

amount of iterations is .

Hence, the birthday should evaluate

candidates for .

3022

)1( DD

K

482


30/32

30

Complexity

On the amount of plaintexts

In the proposed attack, we need a

plaintext and the corresponding ciphertext

to distinguish the key (or its equivalents)

from its candidates.

Note that the resulting amount of the key

or its equivalents will be sharply

decreased as the increase of plaintexts.


31/32

31

Conclusion

We believe the simple derivation of

candidates for from and the

relationship can be a serious

problem in DES. it is due to historicalconsiderations instead of a contrived

process.

K 16K

ii RL 1


32/32

32

References

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard [2] http://en.wikipedia.org/wiki/Birthday_attack

[3] http://dhost.info/pasjagor/des/start.php?id=0

[4] E.Biham, A.Biryukov. An Improvement of Davies' Attack on DES, Journal of Cryptology. 1997, 10(3), 195-206

[5] E.Biham, O.Dunkelman, N.Keller. Enhancing Dierential-Linear Cryptanalysis. Advances in

Cryptology-ASIACRYPT'2002. LNCS 2501, Springer-Verlag, 1990, 254-266

[6] E.Biham, A.Shamir. Dierential Cryptanalysis of DES-like Cryptosystems, Advances in Cryptology-

CRYPTO'1990. LNCS 537, Springer-Verlag, 1990. 2-21

[7] A.Biryukov, C.Canniere, M.Quisquater. On Multiple Linear Approximations, Advances in

Cryptology-CRYPTO'2004. LNCS 3152, Springer-Verlag, 2004. 1-22

[8] S.Burton, J.Kaliski, R.Matthew. Linear Cryptanalysis Using Multiple Approximations, Advances in

Cryptology-CRYPTO'1994. LNCS 839, Springer-Verlag, 1994, 26-39

[9] D.Coppersmith. The data encryption standard (DES) and its strength against attacks. IBM Journal

of Research and Development. 1994, 38 (3), 243-250

[10] K.Campbell, M.Wiener. DES is not a Group. Advances in Cryptology-CRYPTO'1992. LNCS 740,

Springer-Verlag, 1992, 512-520

[11] W.Die, M.Hellman. Exhaustive Cryptanalysis of the NBS Data Encryption Standard, IEEE Com-

puter 10(6), June 1977, 74C84

[12] J.Gilmore. Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design. O'Reilly, 1998[13] P.Junod. On the Complexity of Matsui's Attack. Selected Areas in Cryptography'2001, LNCS 2259,

Springer-Verlag, 2001, 199C211.

[14] L.Knudsen, J.Mathiassen. A Chosen-Plaintext Linear Attack on DES, Fast Software Encryption-

FSE'2000. LNCS 1978, Springer-Verlag, 2000, 262-272

[15] M.Matsui. Linear Cryptanalysis Method for DES Cipher, Advances in Cryptology-

EUROCRYPT'1993. LNCS 765, Springer-Verlag, 1993, 386-397

[16] M.Matsui. The First Experimental Cryptanalysis of the Data Encryption Standard, Advances in

Cryptology-CRYPTO'1994. LNCS 839, Springer-Verlag, 1994, 1-11

How to Launch a Birthday Attack Against DES

Documents

Transcript of How to Launch a Birthday Attack Against DES