Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Transcription

1 Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information about the key. To understand how it works, we ll confine ourselves to a toy DES which uses four Feistel rounds to encrypt. Suppose we have access to the system, but not to the key K. We now describe a chosen plaintext attack. We begin by encrypting two messages P = L 0 R 0 and P = L 0 R 0. Let s assume for the time being that we know the two outputs L 1 R 1 and L 1 R 1, of the first Feistel round, and that R 1 = R 1. We then compare the two outputs by computing their differences L 1 = L 1 L 1 and R 1 = R 1 R 1. But since R 2 = L 1 f (R 1, K 2 L 3 = R 2 = L 1 f ( R 1, K 2 R 4 = L 3 f (R 3 = L 1 f (R 1, K 2 f ( R 3 it follows that the differences in the right halves of the outputs of the fourth round is

2 Attacks on DES 2 R 4 = R 4 R 4 [ ] = L 1 f ( R 1, K 2 f (R 3 [ L 1 f (R 1, K 2 f (R 3 ] = L f (R 3 f (R 3 = L 1 f (R 3 f ( R 3 = L 1 f ( L 4 f ( L 4 From this we deduce that R 4 L 1 = f ( L 4 f ( L 4. In particular, since we know the ciphertexts L 4 R 4 and L 4 R 4, we can determine the differences L 4 and R 4 as well, so we know all the ingredients of the last formula above, except K 4. In fact, to calculate f ( L 4 and f ( L 4 we must apply the expander function to L 4 and L 4 then XOR each with K 4. These become inputs for the S-boxes. The difference between these two expressions (their XOR will then cancel the double contribution of K 4, leaving

3 Attacks on DES 3 E( L 4 E( L 4 = l 1 l 2 l 4 l 3 l 4 l 3 l 5 l 6 l 1 l 2 l 4 l 3 l 4 l 3 l 5 l 6 = E( L 4 L 4 = E( L 4 So before the two inputs enter the S-boxes, their difference is E( L 4, whereas after they leave the S- boxes, their difference is R 4 L 1. The first of these is a known 8-bit word and the second a known 6-bit word. Since we know the workings of the S-boxes, we can use this information to reconstruct bits of the key K. Consider the leftmost 4-bit half of E( L 4, which is the XOR of our two inputs E( L 4,E(L 4 to S 1. If this difference equals, say, 1011, while the leftmost 3-bit half of R 4 L 1 the XOR of the two outputs f ( L 4, f ( L 4 from S 1 equals, say, 100, then the following analysis can be performed. Run through the 16 possible 4-bit pairs whose difference equals 1011: these are candidates for E( L 4 and E (L 4. The pairs of their outputs from S 1 must give f ( L 4 and f ( L 4, but their difference must equal 100. This restricts the possibilities considerably. In this case, because

4 Attacks on DES 4 S 1 : , there are only two 4-bit pairs, (1010, 0001 and (0001, 1010 with difference 1011 whose outputs from S 1 namely, (110, 010 and (010, 110 have the required difference 100. So if E( L 4 = and E( L 4 = (notice that the difference of their left halves must equal 1011 and if K L 4 denotes the left half of K 4, then the inputs to S 1 form the set {1011 K 4 L,0000 K 4 L } = {1010,0001}. From this we see that K 4 L must equal 1010 or A similar analysis for some other plaintext blocks should eventually determine the exact value of K 4 L. Repeat this analysis with the inputs and outputs for S 2 to determine K 4 R, the right half of K 4, and we can then reconstruct K 4 entirely. Since K 4 consists of all but one bit of K, we are left with two possibilities for K. But we know L 1 R 1 and L 4 R 4, so we can try both possibilities for K to see which one correctly transforms L 1 R 1 into L 4 R 4.

5 Attacks on DES 5 The main flaw in the analysis above was the unwarranted assumption that we could know L 1 R 1, the output of the first Feistel round. We can produce a ciphertext L 4 R 4 from a plaintext L 0 R 0, but without the key in hand, there is no easy way to gain access to the intermediate output L 1 R 1. There is, nonetheless, a way to remove this flaw, which is based on a weakness in the S-boxes. Of the 16 4-bit input pairs to S 1 with XOR 0011, fully 12 of them have an output pair with XOR 011. S 1 : inputs w/ outputs output XOR 0011 XOR 0000, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

6 Attacks on DES 6 Similarly, there is an asymmetry in S 2 in that half of the input pairs whose XOR equals 1100 have outputs whose XOR is 010. These asymmetries can be exploited in a clever way. Suppose we choose two plaintexts P = L 0 R 0 and P = L 0 R 0 so that R 0 = R 0 R 0 = These enter the expander on their way to the S-boxes, so the inputs to the S-boxes have an XOR equal to E( = (remember that the contribution of the key is doubled away. Therefore, the input XOR for S 1 is 0011 and the input XOR for S 2 is So if the plaintexts were chosen at random with R 0 = R 0 R 0 = , there is a probability of 12 / 16 = 75% that the output XOR from S 1 will be 011, and a 50% probability that the output XOR from S 2 will be 010. Assuming independence of these inputs, there will be a = probability that the combined outputs, f (R 0, K 1 and f (R 0, K 1, have an XOR equal to (Actually, the inputs are not independent since bits 3 and 4 are part of both, but the approximation is not too bad.

7 Attacks on DES 7 If now we further choose our plaintext so that L 0 and L 0 so that L 0 = L 0 L 0 = , then since R 1 = L 0 f (R 0, K 1 (and similarly for R 0, we will have R 1 = R 1 R 1 = [L 0 L 0 ] [f (R 0, K 1 f (R 0, K 1 ] = = showing that R 1 = R 1. That is, if we choose two random plaintexts whose XOR equals L 0 R 0 = , then there should be roughly a 37.5% chance that L 1 R 1 = By our earlier discussion, a three-round differential cryptanalysis should provide us with a small set of possible keys K 4, while the remaining 62.5% of the time, we should get other random values for K 4. That is, the correct key for K 4 should recur much more often than other choices. Once we have amassed enough data, we can discover the correct key. (The full key K can be found as discussed above.

8 Attacks on DES 8 For real DES, an elaboration of this method was used by Biham to recover the key, as long as there are no more than 15 Feistel rounds employed. Since actual DES uses 16 rounds, it is thought that the designers of the system expected the development of differential cryptanalysis and worked this extra security into the design! From the time that DES was instituted as an industry standard in the mid-1970s, the tremendous speed in which computing hardware improved began to compromise the security of the system: it became more and more likely that even brute-force attacks on faster and faster machines could render the system obsolete as a reliable cryptographic standard. By the early 1990s, special-purpose machines were being designed to do just that. Simultaneously, advances in distributed computing and the design of programmable logic arrays produced new tools to attack DES. Five months after announcing a challenge to crack a DES message in 1997, a distributed computing network managed to find the key, and in 1998 a second challege succumbed in just 39 days! The same year, a specially designed machine called DES Cracker succeeded in finding DES keys in about 4.5 days, and this on chips running at only 40 MHz. The time had come to strengthen the security of DES.

9 Attacks on DES 9 Triple DES and the Meet-in-the-Middle Attack One idea for strengthening DES is to use it multiple times with different keys, since running a plaintext twice through DES using two different 56-bit keys ought to be equivalent to squaring the size of the keyspace. But in fact, this is not the case; it merely doubles the size of the keyspace! However, triple DES (running DES three times with different keys is equivalent to squaring the size of the original keyspace. There are three common implementations of triple DES. One way is to employ three different keys, K 1, K 2, K 3. Another is to use only two, K 1, K 2, but to proceed as follows: first encrypt using K 1, then decrypt with K 2, then encrypt again with K 1. A third method, called DESX, instructs the user to XOR the message with the first key, then encrypt via DES with the second, and finally, XOR the result with the third. Only the third of these methods turns out to be secure; the first two methods succumb to the meetin-the-middle attack, which we now describe.

10 Attacks on DES 10 We describe the method first for double DES. Suppose Alice encrypts plaintexts P using two keys K 1, K 2 to obtain ciphertexts C = E K1 (E K2 (P. If Eve intercepts a plaintext-ciphertext pair (P,C, then for all possible keys K she can compute and store all 2 56 values of E K (P and all 2 56 values of E K (C (which are the same as the values of D K (C, but for some complementary key. Then she can compare the entries in the first list against the entries of the second, knowing that a match must exist (since D K2 (C = E K1 (P. In fact, it is likely that many matches may occur, so it may be necessary to perform this trick to multiple plaintext-ciphertext pairs to discover the correct pair of keys. In the case of the triple DES implementation in which C = E K1 (D K2 (E K1 (P, Eve uses the fact that D K1 (C = D K2 (E K1 (P. So she computes and stores the values of D K2 (E K1 (P and, simultaneously, the 2 56 values of D K (C, then searches for matches. This attack shows that triple DES has the security of a system whose keyspace has size