Session 6: Introduction to cryptanalysis part 1

Provided by: slobodan4

1
Session 6: Introduction to cryptanalysis part 1
2

Contents

  • Problem definition
  • Symmetric systems cryptanalysis
  • Particularities of block ciphers cryptanalysis
  • Asymmetric systems cryptanalysis

3


Problem definition

4
Problem definition
  • The problem of cryptanalysis:
    • Given some information related to the
      cryptosystem (at least the ciphertext), determine
      the plaintext and/or the key.
  • The goal of the designer is to make this problem
    as difficult as possible for the cryptanalyst.

5
Problem definition
  • General assumption: all the details of the
    cryptosystem are known to the cryptanalyst.
  • The only unknown is the key.

6

Problem definition
  • Types of attack:
    • Ciphertext-only attack
    • Known plaintext attack
    • Chosen plaintext attack
    • Chosen ciphertext attack
  • The ciphertext-only attack is the most difficult
    one for the cryptanalyst (in general).
  • The more information known to the cryptanalyst,
    the easier the attack.

7

Problem definition
  • The brute force attack:
    • Elementary attack: no knowledge about
      cryptanalysis is necessary.
  • Assumptions:
    • The cryptosystem is known.
    • The ciphertext is known.
  • The goal:
    • Determine the key/plaintext.
  • The means:
    • Trying all the possible keys.

8

Problem definition
  • Complexity of the brute force attack:
    • Extremely high if there are many possible keys:
      impractical.
  • Key space: the total number of keys possible in
    a cryptosystem.

9

Problem definition: examples of key space size
  • Key space, 40 bits: 1×10^12
  • Key space, 56 bits (DES): 7×10^16
  • Key space, 128 bits: 3×10^38
  • Key space, 256 bits: 1×10^77
  • Number of 256-bit primes: 1×10^72
  • Age of the Sun in seconds: 1×10^16
  • Number of clock pulses of a 3 GHz computer clock through the Sun's age: 5.4×10^26

10
Problem definition
  • A cryptosystem's security is ultimately
    determined by the size of its key space.
  • However, this is the upper limit of this security
    measure.
  • There may be a problem in the system design that
    may cause a significant reduction of the
    effective key space.
  • The task of the cryptanalyst: to find this
    pitfall and to use it to attack the system.

11

Symmetric systems
  • Basic attack methods against stream and block
    ciphers:
    • Algebraic
    • Statistical
  • Algebraic attack:
    • The key symbols (e.g. bits) are the unknowns in
      the system of equations assigned to the PRNG.

12

Symmetric systems
  • Algebraic attack (cont.):
    • Given all the details of the PRNG to be
      cryptanalyzed (except the key bits), determine
      the system of equations that relates the bits of
      the output sequence with the bits of the key.
  • The designer's goal:
    • To make this system as non-linear as possible.
    • The reason: non-linear systems are difficult to
      solve; there is no general method other than
      trying all the possible values of the variables
      (2^n possibilities for a system with n variables).

13

Symmetric systems
  • The problem of solving a non-linear system in
    GF(2): the satisfiability problem (SAT).
  • Cook's theorem (1971):
    • SAT is NP-complete.
  • However, some instances of the SAT problem may be
    easier to solve.
  • The designer should check the system assigned to
    the PRNG.

14
Symmetric systems
  • Example: consider the PRNG below

15
Symmetric systems
  • The system of equations:
    • (1) y1 = (x1 ⊕ x4)(x5 ⊕ x7)
             = x1x5 ⊕ x1x7 ⊕ x4x5 ⊕ x4x7
    • (2) y2 = (x1 ⊕ x4 ⊕ x3)(x5 ⊕ x7 ⊕ x6)
             = x1x5 ⊕ x1x7 ⊕ x1x6 ⊕ x4x5 ⊕ x4x7 ⊕ x4x6
               ⊕ x3x5 ⊕ x3x7 ⊕ x3x6
    • (we need 7 independent equations)

16
Symmetric systems
  • Methods of solving the system:
    • The brute force method: try all the possible 2^7 − 1
      solutions (all zeros are not permitted).
    • The linearization method:
      • Replace all the products by new variables.
      • Solve the obtained linear system (e.g. by
        Gaussian algorithm).
      • Try to guess the variables that were included in
        the products, given the values of the new
        variables, in such a way that the overall system
        is consistent.

17
Symmetric systems
  • Example (cont.):
    • y1 = z1 ⊕ z2 ⊕ z3 ⊕ z4
    • y2 = z1 ⊕ z2 ⊕ z5 ⊕ z3 ⊕ z4 ⊕ z6 ⊕ z7 ⊕ z8 ⊕ z9
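
The linearization method from the previous two slides, run end to end as an added example (not code from the presentation). The PRNG figure is not on this page, so the generator here is a constructed toy: two LFSRs of lengths 3 and 4 whose outputs are ANDed; all names and recurrences are assumptions.

```python
from itertools import product

# Constructed toy generator (an assumption, not the PRNG from the slides):
# a[t+3] = a[t]^a[t+1], b[t+4] = b[t]^b[t+1], keystream y[t] = a[t] & b[t].
def lfsr(state, n):
    """Clock an LFSR n times; state holds bits or GF(2) coefficient masks."""
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [s[0] ^ s[1]]
    return out

def keystream(a, b, n):
    return [x & y for x, y in zip(lfsr(a, n), lfsr(b, n))]

def linearized_rows(n):
    """Row t has bit 4*i+j set when the product z_ij = a_i*b_j appears in y[t]."""
    A = lfsr([1 << i for i in range(3)], n)   # a[t] as a mask over a_0..a_2
    B = lfsr([1 << j for j in range(4)], n)   # b[t] as a mask over b_0..b_3
    return [sum(1 << (4 * i + j) for i, j in product(range(3), range(4))
                if ma >> i & 1 and mb >> j & 1) for ma, mb in zip(A, B)]

def solve_gf2(rows, rhs, nvars):
    """Gauss-Jordan elimination over GF(2); the right-hand side sits in bit nvars."""
    eqs = [r | (y << nvars) for r, y in zip(rows, rhs)]
    pivots = []
    for col in range(nvars):
        p = next((e for e in eqs if e >> col & 1), None)
        if p is None:
            raise ValueError("not enough independent equations")
        eqs.remove(p)
        eqs = [e ^ p if e >> col & 1 else e for e in eqs]
        pivots = [q ^ p if q >> col & 1 else q for q in pivots] + [p]
    return [q >> nvars & 1 for q in pivots]

def recover_states(z):
    """Z[i][j] = a_i*b_j has rank 1: every nonzero row equals b, and a_i = 1
    exactly for the nonzero rows (both registers assumed nonzero)."""
    Z = [z[4 * i:4 * i + 4] for i in range(3)]
    b = next(row for row in Z if any(row))
    return [int(any(row)) for row in Z], b

def attack(ks):
    return recover_states(solve_gf2(linearized_rows(len(ks)), ks, 12))

if __name__ == "__main__":
    print(attack(keystream([1, 0, 1], [0, 1, 1, 0], 12)))
```

The 7 key bits become 12 product variables, so 12 keystream bits are needed instead of 7: linearization trades non-linearity for a larger linear system.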

18
Symmetric systems
  • There are many other methods of solving systems
    assigned to PRNGs:
    • Linear consistency test (LCT)
    • Methods of computational commutative algebra
      (Groebner bases etc.)
    • etc.
  • Cryptanalysis of a seriously designed system
    always includes search.

19
Symmetric systems
  • Statistical methods
  • In the previous example, the majority of the
    output symbols will be zero, due to the AND
    combining function.
  • The non-linearity of the assigned system of
    equations is the highest possible.
  • However, it is possible to make use of bad
    statistical properties of the output sequence to
    determine the plaintext sequence.

20
Symmetric systems
  • Example
  • With the AND output combiner, the probability of
    zero in the output sequence will be ¾.
  • This means that, upon enciphering with this
    sequence as the keystream, the probability that
    the plaintext bit is equal to the ciphertext bit
    is ¾.
  • Consequence: easy reconstruction of the
    plaintext.

21
Symmetric systems
  • Correlation: the output sequence coincides too
    much with one or more internal sequences; this
    enables correlation attacks, a kind of
    statistical attack.
  • Correlation attacks:
    • It is possible to divide the task of the
      cryptanalyst into several less difficult tasks:
      divide and conquer.

22
Symmetric systems
  • Typical example: Geffe's generator

F balanced: good statistical properties
23
Symmetric systems
  • Problem: correlation!

24
Symmetric systems
  • Since the output sequence is correlated with both
    input sequences, we can independently guess the
    input sequences' bits with high probability if
    the output sequence is known.
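
The correlation weakness of Geffe's generator and the resulting divide-and-conquer search, as an added example (not code from the presentation). The generator figure is not on this page, so the standard Geffe combiner is assumed, and the three registers (lengths 5, 6 and 7) are constructed for the demonstration.

```python
from itertools import product

def lfsr(state, tap, n):
    """n bits of the recurrence s[t+L] = s[t] ^ s[t+tap], L = len(state)."""
    s = list(state)
    for _ in range(n):
        s.append(s[-len(state)] ^ s[tap - len(state)])
    return s[:n]

def geffe(x1, x2, x3):
    # Standard Geffe combiner (assumed; the slide's figure is not on the page):
    # x2 selects x1 when it is 1 and x3 when it is 0.
    return (x1 & x2) ^ ((1 ^ x2) & x3)

def agreement(i):
    """Exact P(F == x_i) over the 8-row truth table, i in {0, 1, 2}."""
    return sum(geffe(*x) == x[i] for x in product((0, 1), repeat=3)) / 8

# Constructed registers: (length, tap) for x^5+x^2+1, x^6+x+1, x^7+x+1.
REGS = [(5, 2), (6, 1), (7, 1)]

def keystream(states, n):
    seqs = [lfsr(s, tap, n) for s, (_, tap) in zip(states, REGS)]
    return [geffe(*bits) for bits in zip(*seqs)]

def best_state(ks, reg):
    """Score every initial state of ONE register against the keystream and
    return the one that agrees most often (about 3/4 for the right state)."""
    length, tap = REGS[reg]
    def score(s):
        return sum(a == b for a, b in zip(lfsr(s, tap, len(ks)), ks))
    return list(max(product((0, 1), repeat=length), key=score))

def attack(ks):
    s1, s3 = best_state(ks, 0), best_state(ks, 2)     # 2^5 + 2^7 trials
    for s2 in product((0, 1), repeat=REGS[1][0]):     # then 2^6 trials
        if keystream([s1, list(s2), s3], len(ks)) == ks:
            return s1, list(s2), s3
    return None

if __name__ == "__main__":
    secret = ([1, 0, 0, 1, 1], [0, 1, 1, 0, 1, 0], [1, 1, 0, 1, 0, 0, 1])
    print([agreement(i) for i in range(3)])           # balanced F, biased inputs
    print(attack(keystream(secret, 600)) == secret)
```

The search costs 2^5 + 2^7 + 2^6 trials instead of the 2^18 of a joint brute force, which is the reduction of the effective key space that a correlation-immune combining function is meant to prevent.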

25


Symmetric systems
  • Two most important attacks against block ciphers
  • Linear cryptanalysis
  • Differential cryptanalysis
  • Modern block ciphers are designed in such a way
    that these attacks have no chance of success
    (Rijndael, Kasumi, etc.)

26


Symmetric systems
  • Linear cryptanalysis:
    • Known plaintext attack:
      • The cryptanalyst has a set of plaintexts and the
        corresponding ciphertexts.
      • The cryptanalyst has no way of guessing which
        plaintext and the corresponding ciphertext were
        used.


27
Symmetric systems
  • Linear cryptanalysis tries to take advantage of
    high probability occurrences of linear
    expressions involving plaintext bits, ciphertext
    bits (or round output bits) and subkey bits.
  • The basic idea is to approximate the operation of
    a portion of the cipher with a linear expression.
  • The approach is to determine such expressions
    with high or low probability of occurrence.

28
Symmetric systems
  • Example
  • Here, i and j are the numbers of the rounds from
    which the bits of the input vector X and the
    output vector Y are taken, respectively.
  • u bits from the vector X and v bits from the
    vector Y are taken.

29
Symmetric systems
  • If a block cipher displays a tendency for such
    linear equations to hold with a probability much
    higher (or much lower) than ½, this is evidence
    of the cipher's poor randomization abilities.
  • The deviation (bias) from the probability of ½
    for such an expression to hold is exploited in
    linear cryptanalysis.
  • This deviation is called the linear probability
    bias.

30
Symmetric systems
  • Denote by pL the probability that the equation
    holds.
  • The higher the magnitude of the probability bias
    |pL − 1/2|, the better the applicability of linear
    cryptanalysis with fewer known plaintexts
    required in the attack.
  • pL = 1: catastrophic weakness; there is always a
    linear relation in the cipher.
  • pL = 0: catastrophic weakness; there is an affine
    relationship in the cipher (a complement of a
    linear relationship).

31
Symmetric systems
  • Consider two random variables, X1 and X2.
  • X1 ⊕ X2 = 0: a linear expression, equivalent to
    X1 = X2.
  • X1 ⊕ X2 = 1: an affine expression, equivalent to
    X1 ≠ X2.
  • Assume the following probability distributions

32
Symmetric systems
  • If X1 and X2 are independent, then

33


Symmetric systems

  • It can be shown that

34

Symmetric systems
  • With probability bias introduced:
    • p1 = 1/2 + ε1
    • p2 = 1/2 + ε2
    • −1/2 ≤ ε1, ε2 ≤ 1/2
  • we have


35

Symmetric systems
  • Extension to n random binary variables: the
    piling-up lemma (Matsui, 1993)
  • For n independent random binary variables, X1,
    X2, …, Xn
  • or equivalently


36
Symmetric systems
  • If pi = 0 or 1 for all i, then
    or 1.
  • If only one pi = 1/2, then
  • In developing the linear approximation of a
    cipher, the Xi values actually represent linear
    approximations of the S-boxes.

37
Symmetric systems
  • Example
  • Four random binary variables, X1, X2, X3 and X4.
  • Let and
  • Let us derive the expression for the sum of X1
    and X3 by adding

38
Symmetric ciphers
  • Since we may consider X1 ⊕ X2 and X2 ⊕ X3 to be
    independent, we can use the piling-up lemma to
    determine
  • and consequently

39
Symmetric systems
  • The expressions X1 ⊕ X2 = 0 and X2 ⊕ X3 = 0 are analogous
    to linear approximations of S-boxes.
  • The expression X1 ⊕ X3 = 0 is analogous to a cipher
    approximation where the intermediate bit X2 is
    eliminated.
  • A real analysis is much more complex, involving
    many S-box approximations.
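
The piling-up lemma and the X1 ⊕ X3 example from the preceding slides, checked numerically as an added example (not code from the presentation). It uses the standard statement of the lemma, bias of X1 ⊕ … ⊕ Xn = 2^(n−1)·ε1·…·εn with P(Xi = 0) = 1/2 + εi, and also shows what happens when the independence assumption fails; function names are assumptions.

```python
from fractions import Fraction as Fr
from itertools import product

HALF = Fr(1, 2)

def piling_up(biases):
    """Piling-up lemma: bias of X1^...^Xn is 2^(n-1) * eps_1 * ... * eps_n."""
    out = Fr(2) ** (len(biases) - 1)
    for e in biases:
        out *= e
    return out

def exact_bias(eps):
    """Bias of X1^...^Xn by summing all 2^n outcomes of independent bits
    with P(Xi = 0) = 1/2 + eps[i]."""
    p0 = Fr(0)
    for bits in product((0, 1), repeat=len(eps)):
        if sum(bits) % 2 == 0:
            p = Fr(1)
            for b, e in zip(bits, eps):
                p *= HALF + e if b == 0 else HALF - e
            p0 += p
    return p0 - HALF

def chain_bias(e12, e23, independent=True):
    """Bias of X1^X3 when X1^X2 has bias e12 and X2^X3 has bias e23.
    independent=False makes both approximations share one noise bit (it then
    needs e12 == e23), which is where the lemma stops applying."""
    p0 = Fr(0)
    for a, b in product((0, 1), repeat=2):       # a = X1^X2, b = X2^X3
        pa = HALF + e12 if a == 0 else HALF - e12
        pb = HALF + e23 if b == 0 else HALF - e23
        joint = pa * pb if independent else (pa if a == b else Fr(0))
        if a ^ b == 0:                           # X1^X3 = a^b
            p0 += joint
    return p0 - HALF

if __name__ == "__main__":
    eps = [Fr(1, 4), Fr(-1, 8), Fr(3, 8)]
    print(exact_bias(eps), piling_up(eps))                 # equal
    print(chain_bias(Fr(1, 4), Fr(1, 4)))                  # 2 * e12 * e23
    print(chain_bias(Fr(1, 4), Fr(1, 4), independent=False))
```

With dependent approximations the true bias of X1 ⊕ X3 is 1/2 while the lemma predicts 1/8, which is why the independence of the combined S-box approximations has to be argued and not assumed.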