A New Class Of Weak Keys for Blowfish Orhun KARA and Cevat MANAP T¨ UB˙ ITAK - UEKAE (National Research Institute of Electronics and Cryptology) 1
Redefining Blowfish Key XORs in Blowfish can be moved around to generate two building blocks K 2 and U 2 . x y x y P i 1 F F P i 2 P i 3 F F P i 4 x ′ y ′ x ′ y ′ K 2 U 2 U 2 is an involution and has 2 32 fixed points of the form ( x, F ( x ) ⊕ x ). K − 1 is same as K 2 with a different ordering of the subkeys. 2 2
P 1 P 1 P 1 P 2 F F P 3 K 2 F P 2 P 2 F F P 4 0 F P 3 P 4 F F K 2 P 3 U 2 F P 4 P 5 F F F U 2 F P 13 F P 15 K 2 P 14 P 14 P 14 F F F P 16 P 16 K 2 P 15 P 15 F F F 0 U 2 P 16 F F F P 18 P 17 P 18 P 17 P 18 P 17 Standard Description Type II Type III
Weak Keys Type III definition can be summarised as: plaintext → initW → F → S → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → F → finalW → ciphertext 4
Weak Keys Type III definition can be summarised as: plaintext → initW → F → S X 0 X 0 → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → F → finalW → ciphertext X 0 is a fixed point of U 2 . 5
Weak Keys Type III definition can be summarised as: plaintext → initW → F → S X 2 X 1 X 0 X 0 X 1 X 2 → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → F → finalW → ciphertext X 0 is a fixed point of U 2 . Conditions on subkeys used in K 2 . 6
Weak Keys Type III definition can be summarised as: X 8 X 7 plaintext → initW → F → S X 6 X 5 X 4 X 3 X 2 X 1 X 0 X 0 X 1 X 2 X 3 X 4 X 5 X 6 → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → S → U 2 → S → K 2 → X 7 X 8 → finalW → ciphertext S → F X 0 is a fixed point of U 2 . Conditions on subkeys used in K 2 . Definition: A key is called weak if the encryption function has 2 32 fixed points in the middle step. 7
Detecting Weak Keys • Fixed points occur with probability 2 32 2 64 = 2 − 32 . • For a fixed point plaintext ⊕ initW = X 8 = ciphertext ⊕ finalW initW ⊕ finalW = plaintext ⊕ ciphertext • For 2 34 known plaintexts, calculate plaintext ⊕ ciphertext. – on average 4 fixed points occur, giving initW ⊕ finalW. – random 64 bit values for non-fixed points. Detect weak keys by looking at “plaintext ⊕ ciphertext.” 8
First Attack • Detecting a weak key gives P 1 ⊕ P 18 and P 2 ⊕ P 17 for free. • Conditions on subkeys of K 2 dictate P 3 = P 16 , P 4 = P 15 , P 5 = P 14 , P 6 = P 13 , P 7 = P 12 , P 8 = P 11 and P 9 = P 10 . (Hence, expected number of weak keys : 2 k − 7 ∗ 32 = 2 k − 224 ) • 9 equations in 18 variables. • Guess 9 variables, determine remaining 9 variables. 2 9 ∗ 32 = 2 288 guesses total. • Check if a guess is valid by 9 encryptions. 9 ∗ 2 288 encryptions ≈ 2 282 . 1 exhaustive search steps. (1 Exhaustive search step is 512+9 encryptions.) 9
Second Attack • Exhaustively search and store all weak keys, sorting them w.r.t. ( P 1 ⊕ P 18 , P 2 ⊕ P 17 ). • Pre-computation costs ≈ 2 k − 7 exhaustive search steps. • Weak keys occupy 2 k − 224 spaces in memory. k − 224 • Online phase costs 2 exhaustive search steps. 64 10
Attacks On Weak Keys For some attack working on weak keys, • W workload of identification, w total number of weak keys. • Given a set of 2 k w keys, expect one weak key on average, • Run identification on the set, with complexity W 2 k w . • Successful attack requires W 2 k w < 2 k ,i.e. W < w. 11
Thanks. 12
Recommend
More recommend