Cryptanalysis of Ladder-DES


Eli Biham
Computer Science Department, Technion - Israel Institute of Technology, Haifa 32000, Israel
Email: biham@cs.technion.ac.il
WWW: http://www.cs.technion.ac.il/~biham/

Abstract. Feistel ciphers are very common and very important in the design and analysis of block ciphers, especially due to four reasons: (1) Many (DES-like) ciphers are based on Feistel's construction. (2) Luby and Rackoff proved the security of a four-round Feistel construction when the round functions are random. (3) Recently several provably secure ciphers were suggested, which use other (assumed secure) ciphers as the round function. (4) Other such ciphers use this construction in attempts to improve the security of other ciphers (e.g., to improve the security of DES). In this paper we cryptanalyze Ladder-DES, a four-round Feistel cipher using DES in the round function, and show that its security is smaller than expected.

1 Introduction

Feistel ciphers are very common and well known. In particular, Feistel's construction is used in the Data Encryption Standard [8], Lucifer [12] and their many successors (such as FEAL [11,7], GDES [10], and many others). This construction was studied from the theoretical point of view by Luby and Rackoff [4], who concluded that four rounds suffice to prove its security when the round function is random. Many suggested cryptosystems were designed with this construction, using another cipher as the round function: some examples are Bear and Lion [2], Beast [6], and Ladder-DES [9]. Many other works have generalized or adapted the Feistel/Luby-Rackoff construction (some of them are [5,1]). In this paper we cryptanalyze Ladder-DES, a four-round Feistel cipher, whose aim is to increase the security of DES, using DES in the round function. We describe the attack on Ladder-DES, and show that the security of Ladder-DES is smaller than expected.
This attack can be generalized to many similar Feistel ciphers whose two parts (halves) are of the same size and whose round functions are permutations. This attack uses a novel application of the birthday paradox.

2 Description of Ladder-DES

First we describe Ladder-DES. It consists of four Feistel rounds, each applying DES as the round function. The four keys of the four DES applications serve as the key of Ladder-DES. The following figure describes Ladder-DES:

[Figure: the Ladder-DES structure. A = L_0 and B = L_1 are the two plaintext halves; round i (i = 1, ..., 4) computes F_i = DES_{k_i}(L_i) and L_{i+1} = L_{i-1} XOR F_i; C = L_4 and D = L_5 are the ciphertext halves.]

The rounds are numbered from 1 to 4, L_i is the 64-bit input of DES in round i, and F_i is the output of DES in round i. L_0 and L_5 are the left halves of the plaintext and the ciphertext, respectively.

3 A Chosen Plaintext Attack

The main tool of the attack is the birthday paradox, which is used in a very unusual way. Usually the birthday paradox is used to find a collision (two equal values) in a set of sqrt(n) random values. Our attack uses the birthday paradox to identify whether given values are calculated by a pseudo-random function or a pseudo-random permutation. In the first case, the birthday paradox predicts the existence of a collision given sqrt(n) values. In the latter case, a collision cannot occur even given all the n values. In our attack the key is found only when we identify that there is no collision. This is the only use of the birthday paradox in this way of which we are aware.

In the attack we choose 2^36 plaintexts of the form (A, B) where B is your favorite (or random) 64-bit fixed constant, and A gets 2^36 different 64-bit values. In this context, L_1 is fixed in all the 2^36 encryption runs, and L_0 gets 2^36 different values in the 2^36 encryption runs. For simplicity, we will call this property of L_0 a permutation (i.e., there is no collision; this property holds even in all the 2^64 possible plaintexts with a fixed B). F_1 is L_1 encrypted under a fixed (but unknown) key, thus it is fixed in all the runs. A permutation XORed with a fixed value is also a permutation, and thus L_2 is a permutation, and F_2 is also a permutation. L_1 is fixed, and thus L_3 and F_3 are permutations as well. L_4 is not a permutation: it is a mix of two permutations, which behaves like a pseudo-random function. Our aim is to find the permutation in L_3, given the ciphertext (C, D) = (L_4, L_5).

When the 2^36 ciphertexts are given, we try all the 2^56 possible keys k_4, one by one, using the following algorithm:

  for each possible key k4 (in range 0 to 2^56 - 1)
    for each ciphertext (C_i, D_i) (i = 1, ..., 2^36)
      compute L3_i^{k4} = DES_{k4}(C_i) XOR D_i
      if a collision occurs (i.e., L3_i^{k4} = L3_j^{k4} for some j < i)
        conclude that k4 is wrong, and try next k4
    end for
    -- We reach here only when k4 is the right key!!
    conclude that k4 is the key
  end for

When we decrypt the ciphertext with a wrong candidate for k_4, the one-round decryption function (that computes L_3) is expected to behave like a random function. For each candidate key we decrypt the fourth round of all the 2^36 ciphertexts, or until we get two equal values of L_3. If two equal values of L_3 are found, L_3 is not a permutation, and thus the candidate for k_4 is not the key. On average about 2^32 decrypted values are required to discard a wrong candidate. The real value of k_4 does not imply any collision of L_3 even if all the 2^64 possible ciphertexts are decrypted by one round, and thus it can be identified.
Later, the value of k_3 can be found with the same data, because L_2 is a permutation, but if a wrong value of k_3 is used during decryption, the resultant values of L_2 would not form a permutation. A simpler method to find k_3 takes two of the plaintexts and computes the difference of the output of F_3 as the XOR of the differences of L_0 and of L_4. Then it searches exhaustively for the key k_3 which satisfies this difference. False alarms can be identified and discarded using a third plaintext.
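The chosen-plaintext attack of this section, carried through on a toy-scale Ladder construction. This is an added example and not code from the paper: DES is replaced by a constructed 16-bit keyed permutation with a 10-bit key (so the 2^56 key search becomes 2^10 and the 2^36 chosen plaintexts with a fixed B become 2^11), while the no-collision test for k_4, the difference search for k_3 and the closing exhaustive search for k_1 and k_2 proceed as the text describes. The toy cipher, the key and block sizes and the sample count are assumptions chosen so that the whole attack runs in seconds.

```python
# Added example (not the paper's code): Ladder construction with a constructed
# 16-bit keyed permutation in place of DES, and the Section 3 attack against it.
# Structure follows the paper: A = L_0, B = L_1, F_i = E_{k_i}(L_i),
# L_{i+1} = L_{i-1} xor F_i for i = 1..4, C = L_4, D = L_5.
import random

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1
KEY_BITS = 10                    # assumption: stand-in for DES's 56-bit key
KEYSPACE = 1 << KEY_BITS


def toy_cipher(key, x):
    """Constructed keyed 16-bit bijection standing in for DES_k (not a real cipher).
    Every step (xor, multiply by an odd constant mod 2^16, rotate, xorshift) is
    invertible, so for each fixed key x -> toy_cipher(key, x) is a permutation."""
    k = (key * 0x9E37 + 0x1234) & MASK
    for r in range(3):
        x ^= (k + r * 0x3C6E) & MASK
        x = (x * 0x4D21) & MASK
        x = ((x << 7) | (x >> 9)) & MASK
        x ^= x >> 5
    return x


def ladder_encrypt(keys, a, b):
    """Four Feistel rounds with the toy cipher as round function; returns (C, D)."""
    l = [a, b]                                   # L_0 = A, L_1 = B
    for i in range(1, 5):                        # rounds 1..4
        l.append(l[i - 1] ^ toy_cipher(keys[i - 1], l[i]))
    return l[4], l[5]


def recover_k4(samples):
    """Birthday test of Section 3: for each guess of k4 peel the last round
    (L_3 = D xor E_k4(C)) sample by sample and reject the guess at the first
    repeated L_3.  Only the true k4 makes L_3 a permutation of A, so it alone
    survives.  Returns (surviving keys, number of toy-cipher evaluations)."""
    survivors, work = [], 0
    for k4 in range(KEYSPACE):
        seen = set()
        for _a, _b, c, d in samples:
            work += 1
            l3 = d ^ toy_cipher(k4, c)
            if l3 in seen:
                break                            # collision: k4 is wrong
            seen.add(l3)
        else:
            survivors.append(k4)                 # no collision: k4 is the key
    return survivors, work


def recover_k3(samples, k4):
    """The paper's simpler k3 method: for two samples the F_3 difference equals
    dA xor dC (F_1 is constant so dL_2 = dA, and L_4 = L_2 xor F_3).  Exhaust k3
    against that difference; a third sample weeds out false alarms."""
    (a1, _, c1, d1), (a2, _, c2, d2), (a3, _, c3, d3) = samples[:3]
    l3 = [d ^ toy_cipher(k4, c) for c, d in ((c1, d1), (c2, d2), (c3, d3))]
    return [k3 for k3 in range(KEYSPACE)
            if toy_cipher(k3, l3[0]) ^ toy_cipher(k3, l3[1]) == a1 ^ c1 ^ a2 ^ c2
            and toy_cipher(k3, l3[0]) ^ toy_cipher(k3, l3[2]) == a1 ^ c1 ^ a3 ^ c3]


def recover_k1_k2(samples, k3, k4):
    """Exhaustive search for k1 and k2 once k3, k4 are known: E_k1(B) = L_2 xor L_0
    and E_k2(L_2) = L_3 xor L_1.  A second sample rules out false alarms."""
    rounds = []
    for a, b, c, d in samples[:2]:
        l3 = d ^ toy_cipher(k4, c)
        l2 = c ^ toy_cipher(k3, l3)              # L_4 = L_2 xor F_3
        rounds.append((a, b, l2, l3))
    k1s = [k for k in range(KEYSPACE)
           if all(toy_cipher(k, b) == l2 ^ a for a, b, l2, _ in rounds)]
    k2s = [k for k in range(KEYSPACE)
           if all(toy_cipher(k, l2) == l3 ^ b for _, b, l2, l3 in rounds)]
    return k1s, k2s


def run_attack(seed=1, count=2048):
    """Pick a random 4-key Ladder key, collect `count` chosen plaintexts with a fixed
    B and distinct A (the paper's structure), and recover k4, k3, k1, k2 in turn.
    Returns (true keys, recovered keys or None, toy-cipher work spent on k4)."""
    rng = random.Random(seed)
    keys = [rng.randrange(KEYSPACE) for _ in range(4)]
    b = rng.randrange(MASK + 1)
    samples = [(a, b, *ladder_encrypt(keys, a, b))
               for a in rng.sample(range(MASK + 1), count)]
    k4s, work = recover_k4(samples)
    k3s = recover_k3(samples, k4s[0]) if len(k4s) == 1 else []
    k1s, k2s = recover_k1_k2(samples, k3s[0], k4s[0]) if len(k3s) == 1 else ([], [])
    found = [k1s[0], k2s[0], k3s[0], k4s[0]] if len(k1s) == len(k2s) == 1 else None
    return keys, found, work


if __name__ == "__main__":
    true_keys, recovered, work = run_attack()
    print("true keys:", true_keys, "recovered:", recovered)
    print("toy-cipher evaluations for k4:", work, "(naive: %d)" % (KEYSPACE * 2048))
```

At this scale a wrong k_4 guess dies after roughly sqrt(2^16) ≈ 2^8 peeled ciphertexts, mirroring the paper's 2^32 per wrong key on 64-bit blocks, so the k_4 search costs about 2^10 · 2^8 toy-cipher calls instead of the 2^10 · 2^11 of a full scan; the 2^11 samples keep the chance that a wrong key survives by accident near e^-32, the toy analogue of the paper's e^-128.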

The remaining keys k_1 and k_2 can then be found by exhaustive search, which requires only one plaintext/ciphertext sample, taken from the data we already have. Each of k_1 and k_2 would be found with complexity 2^56, after k_3 and k_4 are known.

Some notes on the birthday paradox: About sqrt(2 · ln 2 · 2^64) = 1.177 · 2^32 ≈ 2^32 random values are required to find two equal 64-bit values with probability 1/2, and sqrt(2 · ln 2 · 2^64 · m) = sqrt(m) · 1.177 · 2^32 random values are required to find such a pair with probability 1 - 2^-m. In particular, in the interesting case when m = 56, and we have an error probability of 2^-56, we need only sqrt(56) · 1.177 · 2^32 ≈ 8.8 · 2^32 ≈ 2^35 values to identify whether they are the result of a random function or a permutation. Thus given 2^35 ciphertexts we can identify the key almost without mistakes, and with 2^36 ciphertexts we can be almost ensured to have no mistakes (error probability about e^-128 = 2^-185, which causes probability 2^-129 for a false alarm). On average we need only 2^32 tries, and only in a few cases we need more than 2^34 tries for a key (except for the real key).

Complexity: We try 2^56 keys, and for each we calculate on average 2^32 single DES encryptions before we discard it. Thus our complexity is about 2^88 to find k_4. The complexity to find k_3 is 2^57. k_1 and k_2 can then be found with complexity 2^56 each. Thus, the total complexity is about 2^88. Only 2^35-2^36 chosen plaintexts are required. This complexity is much less than the expected 2^112 complexity of a meet-in-the-middle attack [3], which was claimed for this cryptosystem.

4 A Known Plaintext Attack

The complexity and number of required plaintexts of this known plaintext attack are about the same as those of the chosen plaintext attack (2^90 complexity, 2^36 known plaintexts). The amount of required memory is, however, much larger than the chosen plaintext attack requires. When the plaintexts/ciphertexts are given, we try all the 2^56 possible keys k_4 one by one. For each k_4 we search for collisions in L_3 as in the chosen plaintext attack, but this time collisions should occur for all the keys. We keep the first two collisions we find (in lexicographic order of the indices of the plaintexts) in a table (of size 2 · 2^56; each entry keeps only the indices of the pair). Similarly, we try all the values of k_1 and search for collisions in F_3 (F_3 = A XOR C XOR DES_{k1}(B)). Clearly, a pair collides in L_3 iff it collides in F_3. We then search for pairs in the first table which have the same indices as pairs in the second table: only such pairs can suggest the right k_1 and k_4. It is expected that only the right k_1 and k_4 will collide in the same two pairs (an average of 2^-16 false alarms; additional safety margins can be added by keeping three colliding pairs in the tables, which reduces the rate of false alarms to 2^-80). The remaining k_2 and k_3 are easily found later with complexity 2^57. This attack requires 2^36 known plaintexts, 2^90 work (on average, to find the first two colliding pairs for each key) and 2^57 space (about 2^60-2^61 bytes).

5 Acknowledgements

We are very grateful to Don Coppersmith for his various comments which improved the results of this paper. This research was supported by the fund for the promotion of research at the Technion.

References

1. William Aiello, Ramarathnam Venkatesan, Foiling Birthday Attacks in Length-Doubling Transformations, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'96, pp. 307-320, 1996.
2. Ross Anderson, Eli Biham, Two Practical and Provably Secure Block Ciphers: BEAR and LION, proceedings of Fast Software Encryption, Cambridge, Lecture Notes in Computer Science, pp. 113-120, 1996.
3. W. Diffie, M. E. Hellman, Exhaustive Cryptanalysis of the NBS Data Encryption Standard, Computer, Vol. 10, No. 6, pp. 74-84, June 1977.
4. M. Luby, C. Rackoff, How to Construct Pseudorandom Permutations from Pseudorandom Functions, SIAM Journal on Computing, Vol. 17, No. 2, pp. 373-386, 1988.
5. Stefan Lucks, Faster Luby-Rackoff Ciphers, proceedings of Fast Software Encryption, Cambridge, Lecture Notes in Computer Science, pp. 189-203, 1996.
6. Stefan Lucks, BEAST: A Fast Block Cipher for Arbitrary Blocksizes, 1996.
7. Shoji Miyaguchi, Akira Shiraishi, Akihiro Shimizu, Fast Data Encryption Algorithm FEAL-8, Review of Electrical Communications Laboratories, Vol. 36, No. 4, pp. 433-437, 1988.
8. National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS pub. 46, January 1977.
9. Terry Ritter, Ladder-DES: A Proposed Candidate to Replace DES, appeared in the Usenet newsgroup sci.crypt, February 1994.
10. Ingrid Schaumuller-Bichl, On the Design and Analysis of New Cipher Systems Related to the DES, technical report, Linz University, 1983.
11. Akihiro Shimizu, Shoji Miyaguchi, Fast Data Encryption Algorithm FEAL, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'87, pp. 267-278, 1987.
12. Arthur Sorkin, Lucifer, a Cryptographic Algorithm, Cryptologia, Vol. 8, No. 1, pp. 22-41, January 1984.