CRYPTANALYSIS OF A MODIFIED ROTOR MACHINE

Similar documents
On Correlation Between the Order of S-boxes and the Strength of DES

A block cipher enciphers each block with the same key.

Improved Cascaded Stream Ciphers Using Feedback

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Towards Provable Security of Substitution-Permutation Encryption Networks

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Chapter 2 Classical Cryptosystems

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Differential-Linear Cryptanalysis of Serpent

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Cryptanalysis of a Multistage Encryption System

Linear and Differential Cryptanalysis of SHA-256

Algebraic Attack Against Trivium

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Linear Cryptanalysis

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

A Five-Round Algebraic Property of the Advanced Encryption Standard

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

AES side channel attacks protection using random isomorphisms

Analysis of SHA-1 in Encryption Mode

The Security of Abreast-DM in the Ideal Cipher Model

LOOKING INSIDE AES AND BES

Introduction to Cryptology. Lecture 2

Public Key Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Lecture 12: Block ciphers

How to Find Short RC4 Colliding Key.

Cryptanalysis of the Bluetooth Stream Cipher

Structural Cryptanalysis of SASAS

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Week 7 An Application to Cryptography

All-Or-Nothing Transforms Using Quasigroups

FFT-Based Key Recovery for the Integral Attack

its weaknesses. The ASG consists of three subgenerators K,fl,

Cryptanalysis of the Stream Cipher ABC v2

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

CRYPTOGRAPHY AND NUMBER THEORY

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

EME : extending EME to handle arbitrary-length messages with associated data

Differential Fault Analysis of Trivium

The Pseudorandomness of Elastic Block Ciphers

PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Analysis of Some Quasigroup Transformations as Boolean Functions

Division Property: a New Attack Against Block Ciphers

Attacks on the RC4 stream cipher

Cryptanalysis of a public-key cryptosystem based on approximations by rational numbers *

Cryptanalyses of Some Multimedia Encryption Schemes

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Statistical and Algebraic Properties of DES

Lecture 4: DES and block ciphers

arxiv:cs/ v1 [cs.cr] 2 Feb 2004

Lecture Notes. Advanced Discrete Structures COT S

Specification on a Block Cipher : Hierocrypt L1

Classical Cryptography

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Differential properties of power functions

Algebraic Analysis of the Simon Block Cipher Family

Homework 4 for Modular Arithmetic: The RSA Cipher

Ideals over a Non-Commutative Ring and their Application in Cryptology

COMM1003. Information Theory. Dr. Wassim Alexan Spring Lecture 5

Linear Cryptanalysis of RC5 and RC6

A UNIVERSAL ALGORITHM FOR HOMOPHONIC CODING

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

MasterMath Cryptology /2 - Cryptanalysis

A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Linear Approximations for 2-round Trivium

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268

Cryptanalysis of the Stream Cipher DECIM

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Algebraic Attacks and Stream Ciphers

Nonlinear Equivalence of Stream Ciphers

Optimum Binary-Constrained Homophonic Coding

Cryptanalysis of Achterbahn

Fast Correlation Attacks: an Algorithmic Point of View

Cryptanalysis of Hiji-bij-bij (HBB)

Cryptography Lecture 4 Block ciphers, DES, breaking DES

A Block Cipher using an Iterative Method involving a Permutation

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Linear Ciphers. Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D Mainz

Simple Codes MTH 440

CPSC 467b: Cryptography and Computer Security

Transcription:

CRYPTANALYSIS OF A MODIFIED ROTOR MACHINE Peer Wichmann Institut Universitgt Karlsruhe fiir Algorithmen u. kognitive Systeme 1 Introduction In some operating systems one can find a modified rotor machine as a file crypt. The difference to a normal rotor machine can be characterized in two points: - First difference : A different rotor model. In general we have: output := permutation(input+position)-position here we have: output := permutation(input+position) We guess the main purpose of this modification is to speed up the encryption. - Second difference: An input based step function (new position) := (old position) + (output of previous rotor) Because of this two modifications the input to the permutation and the new position are equal and do not have be computed separately. In our description we use the following name conventions: u[i] plaintext at time i (i = 1,2,3,...), c[i] ciphertext at time i (i = 1,2,3,...), n is the number of rotors, J.J. Quisquater and J. Vandewalle (Eds.): Advances in Cryptology - EUROCRYPT 89, LNCS 434, pp. 395-402, 1990. 0 Springer-Verlag Berlin Heidelberg 1990

396 Pk stands for the permutation on the k-th rotor, A := {0,1,..., M - 1) is the enciphered alphabet (normally one would think of M = 256 for byte encryption), uj[i] and bj[i] are intermediate sequences used to define the position and the output of each rotor. ( j = 0,1,2,..., n ) Using this conventions we can describe the encryption as follows: - Interface to the recursion scheme: bj[o] := 0 j = 1)2)..., n ~[i] := ~[i] i = 1,2,3,... ~[i] := ur[i] i = 1,2,3,... - Recursion scheme: bj[i] uj[i] := := ~ j - ~ ( i ] + bj[i - 11 mod M j = 1,2,..., R i = 1,2,3,... Pj (bj[ill j = 1,2,..., 7~ i = 1,2,3,... Perhaps, the following picture is more convenient: The key is formed by the n permutations P1,.., P,. The number of keys is limited by isomorphisms: Let h : A -+ A be a group isomorphism on (A,+) and h-' the inverse isomor- phism. If P, is substituted by h(p,) and P,+l is substituted by Pi+l(h-') (z E {1,2,...,n - l}), the same encryption is realized (because h-l(h(z) + h(y)) = h-'(h(z + y)) = z + y).

397 h is bijective on A and thus h is a permutation on A. Because of this h(p;) and Pi+l(h-l) are permutations too. There are +(M) different isomorphisms and n - 1 possible positions where an isomorphism can be inserted. Thus the key space is reduced by the factor f$( My-? The remaining keys are truly different. This is proved by the fact that the key can be deduced within a chosen ciphertext attack (discussed below) with the 'exception of the isomorphisms mentioned above. The number of usable keys is again reduced because the machine is self synchronizing when operating in deci- phering mode. It is useful to consider permutations as not significantly different if they can be reached by cyclic shifts. Thus the number of keys is reduced by the factor M,. The total number is: (Mn14(M)n-1 M!n (where C$ is the Euler phi-function) To characterize the deciphering mechanism we define a set of recursive functions as follows: fn(i) := c[i] fl(i) := PF1(f2(i)) - P2-l(fZ(i - 1)) f&) := P?(fl(i)) - PT1(fl(i - 1)) fp(i) deciphers the last n - T rotors and calculates the value a,[i]. There is one thing that should be mentioned: fr(i) dependson thelast n+l-r ciphertext bytes: c[i],c[i-11,..., ~[in + TI. The flowchart for the deciphering mechanism looks somewhat different because the feedback loops are substituted by delay elements:

398 It is easy to see, that the machine is self-synchronizing when operating in deci- phering mode. In the deciphering scheme one can also see what seems to be the main problem of the cipher: Constant ciphertext effect If the machine is fed with a constant ciphertext we have after n characters bj[i] = PT'(0) (j = 1,2,...,n - 1). Thus the machine can be forced into a well defined &ate only by a given ciphertext and without knowing the key (the per- mutations). Later we will show that this fact makes it possible to easily break the cipher with a chosen-ciphertext-attack. Proof of constant ciphertext effect: Because of the constant ciphertext for each j = 2,..., n the input to fi(i) is equal to the input of f,(i - 1). So we have: f,(i) = f3(i - 1) q-l(fj(i)) = y(f,(i - 1)) U Py1(fJ(i)) - P;'(f,(z - I)) = o = f3-1(z) = aj-l[z] = P;l(b,_,[z]) + f,w = 0 J = 1,2... n- 1 b,[i] = PJ-l(o) j = 1,2.....72-1. *

399 2 Attacks 2.1 Ciphertext-only-attack We suppose it is very difficult to break the cipher under this conditions. The easiest way we found is to make a statistical analysis over hp'*l different elements. Generally M"+l is very large and thus this attack will usually be impossible. 2.2 Given-plaintext-attack A solution using backtracking may be possible but we found that even for small M's and n's the searching tree is much too deep and too wide. Another possibility is a solution using equations. With a given plaintext au bl(i] are given too. We have: With bl[i] = b,ej] we get: WI = P;l(fl(i)) (1) Pc'(fl(i)) = PF1(fl(j)) e (Pc'is bijective) (2) fl(i> = fl(j) (3) with a little luck it is possible to find a position j with c[j] = c[j + 11 =... = cb + n - 11 (n constant ciphertext chars). Because of the constant ciphertext effect we have fi(j) = 0 and get: It can be easily shown that the above trick does not work a second time. We found no further way to simplify the equations. Thus (treating Pc1(f3(i)) as an unknown) a linear system with Mn-' unknowns has to be solved. It will usually be impossible to do this within an appropriate amount of time. This attack does not use the the internal structure of these 'unkowns'. Thus it may be possible to solve the equations much faster and much easier.

400 2.3 C hosen-plaint ext -att ack The idea is to feed the machine with a constant (zero) plaintext and to wait until the output becomes cyclic. To analyze the output we first consider the output of the first n - 1 rotors (~,-~[i]). Let m be the length of a cycle of un-l[i]. Let s be the sum over a cycle of ~,-~[i] : s := ~,-~[l] Suppose s and +... + ~,,-~[rn]. M are coprime. Then the length of a complete output cycle is s * M. We have c[i + j * m] = P,(b,-l[i] + j * s). Because s and M are coprime j * s covers whole A. Because of this c[i + j * rn] = Pn(b,-l[i] + j * s) covers A too. Now c[i + j * m] run through the same cycle for each i (except for the starting point). If we use s as the 1-element in A we get: Pn(0) = 411 Pn(l) = c[l f rn] P,(M - 1) = c[i + rn * (fir - 1)1 Now the last rotor is completely known (except for rotation identical rotors). This is only if s and M are coprime. If they are not coprime it is usually impossible to split the output into cycles covering A. Seeing a complete output cycle we can tell if it is possible to extract the last rotor. If it is impossible we have to restart the attack with a short random sequence before the zero plaintext to put the machine in an undefined state. The restart of the attack does not require the machine to be reset, because we simply want to put the machine into an undefined state. If the last rotor is known we can eliminate him from the equations and restart the whole attack to get the next rotor. After all rotors are known we need to compute the initial position b,[o] of each rotor. To do this we encipher a random sequence a[l],..., a[.] and get the ciphertext c[l],..., c[n]. Using the defining equations we now can compute the values in the following order:

40 1 bn [OI p,[ij = b,[i + 11 - an-l[i + i j) By applying cyclic shifts to the Permutations we can get to bk[o] = 0 to conform with the above definition. Unfortunately the period of the output will be about Mn-1. Hence, this attack will often not be realizable. There is still another possibility for a chosen plaintext attack: All previously discussed attacks tried to guess the last rotor. Piow we try to attack the first rotor at the beginning. We found that this attack has almost no chance to break the machine and so this will only be a short sketch of how the attack works. With a short random sequence we put the machine into an uadefined state. The w-e keep bl[i] = 2 constant and look for the length of an output cycle. After doing this several time we can try to classify Pi(.) and get gcd(m, Pl(z)). Having classified all numbers we can try to classify sums of two or more numbers. Continuing with these classifications u-e can compute the first rotor. The main problem of this attack is that we found no way to make any ciassifications if more than 4 rotors are used. Another problem is that the length of the output cycles is very big (about Mn-'). SO in most cases this attack will be useless.

402 2.4 Chosen-ciphertext-attack The basic idea for this attack is to turn the last rotor step by step. It is easy to see that it is sufficient to find a short plaintext sequence that does nothing but turn the last rotor. We will use the 'constant ciphertext effect' mentioned before to find such a sequence. It is sufficient to turn the last rotor for an amount of steps that is coprime to M, because every primitive element can be chosen as the '1' element. Method: We first decipher the ciphertext Onln and get a plaintext 411,..., d[2n]. The only difference in the state of the machine after deciphering 0" and O"1" is the position of the last rotor. Djow the newly constructed plaintext is: 411,..., d[n], (d[n + 11,..., d[2n])m-' After each n-character block the machine is in the same state with the exception that the last rotor has turned for a constant number of steps. The number of steps is s := P;'(O) -P;'(l). The output will be a sequence of the form: (Pn(z))"(P,(z +S))~(P~(Z + 2 ~ ) ).. ~ (Pn(i. + (M- l)s))", where z := P;'(O) If s is a unit in (ZM,+) the output will cover whole ZJ~ and give the last permutation (except for some isomorphisms as mentioned above). If s is not a unit in (ZM, +) the output will cover only a part of ZM. In this case we try an other ciphertext e.g. 0'2". After the last rotor is known we can attack the next rotor. Finally we compute the initial position of the rotors as shown above. This attack is very efficient and depends only polynomidy on the values of n and M. 3 Conclusion The implementation found in some operating systems uses n = 3 and A1 = 256; i.e. byte encryption with 3 rotors. It can be easily broken with a know-n plaintext using equations (256 unknowns). It seems that, if 3 ore more rotors are used, the only way to break the cipher is a choosen ciphertext attack. So this cipher is, in many environments, a tool to provide good (not optimal) security. il further advantage of this cipher is that it can be implemented very efficiently in both hardware and software.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback