
Impossible plaintext cryptanalysis and probable-plaintext collision - PowerPoint PPT Presentation



  1. Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes
     David McGrew, mcgrew@cisco.com
     Fast Software Encryption Workshop 2013, March 11-13, 2013
     Sections: Background; Collision attack on CBC and CFB; Impossible plaintext cryptanalysis of CTR; Conclusions

  2. Outline
     1 Background
     2 Collision attack on CBC and CFB: How it works; Recovering plaintext; Efficacy; Rekeying
     3 Impossible plaintext cryptanalysis of CTR: Algorithms
     4 Conclusions

  3. Block ciphers
     A $w$-bit block cipher with a $\kappa$-bit key:
     $E : \{0,1\}^w \times \{0,1\}^\kappa \to \{0,1\}^w$, $E^{-1} : \{0,1\}^w \times \{0,1\}^\kappa \to \{0,1\}^w$
     such that $E(E^{-1}(x)) = E^{-1}(E(x)) = x$ for all $x \in \{0,1\}^w$.

  4. Block ciphers (continued)
     Examples:
       MISTY          $w = 64$    $\kappa = 128$
       KASUMI         $w = 64$    $\kappa = 128$
       Triple-DES     $w = 64$    $\kappa = 168$
       GOST 28147-89  $w = 64$    $\kappa = 256$
       AES            $w = 128$   $\kappa = 128, 192, 256$

  5. Modes of operation

  6. Modes of operation: Modes
     $$P_i = \begin{cases} E^{-1}(C_i) \oplus C_{i-1} & \text{in CBC mode} \\ E(C_{i-1}) \oplus C_i & \text{in CFB mode} \\ E(i) \oplus C_i & \text{in CTR mode.} \end{cases}$$

  7. How it works: Plaintext model

  8. How it works: Indicator
     $$I_i = \begin{cases} C_i & \text{in CBC mode} \\ C_{i-1} & \text{in CFB mode.} \end{cases}$$

  9. How it works: Indicator collisions reveal information
     When $I_i = I_j$ for some $i \neq j$ then $P_i \oplus P_j = \Delta_{ij}$, where
     $$\Delta_{ij} = \begin{cases} C_{j-1} \oplus C_{i-1} & \text{in CBC mode} \\ C_j \oplus C_i & \text{in CFB mode.} \end{cases}$$

  10. Recovering plaintext: Exploiting collisions in theory
      Attacker's knowledge about $P_j$ → knowledge about $P_i$

  11. Recovering plaintext: Exploiting collisions in theory (continued)
      $$P[P_i = x \mid P_i \oplus P_j = \Delta] = \frac{P[P_j = x \oplus \Delta] \, P[P_i = x]}{\sum_y P[P_j = y \oplus \Delta] \, P[P_i = y]}$$

  12. Recovering plaintext: Exploiting collisions in practice
      $P_i$:
        10.0.*.*      0000101000000000
        172.16.*.*    1010110000010000
        192.168.*.*   1100000010101000

  13. Recovering plaintext: Exploiting collisions in practice (continued)
      $P_j$:
        ASCII         1*******1*******

  14. Recovering plaintext: Exploiting collisions in practice (continued)
      $\Delta_{ij}$:
        $P_i$ = 10.0.*.*      1*******1*******
        $P_i$ = 172.16.*.*    0*******1*******
        $P_i$ = 192.168.*.*   0*******0*******

  15. Efficacy: Birthday bound for indicator collisions
      $O(n)$ work and storage

  16. Efficacy: Lemma
      The expected number of bits of unknown plaintext that are revealed in a collision attack with $k$ blocks of known plaintext and $u$ blocks of unknown plaintext is
      $$\frac{wku}{2^w} \le \frac{n^2 w}{2^{w+2}},$$
      where $n = k + u$.

  17. Efficacy: expected number of bits leaked due to collisions

  18. Efficacy: expected number of bits leaked due to collisions

  19. Efficacy: Network traffic with one-day rekeying
      Bits leaked per day:
        $w$    1 Mbit/s                      1 Gbit/s                      1 Tbit/s
        64     6.3 bits                      $6.3 \times 10^{6}$ bits      $6.3 \times 10^{12}$ bits
        128    $1.7 \times 10^{-19}$ bits    $1.7 \times 10^{-13}$ bits    $1.7 \times 10^{-7}$ bits

  20. Rekeying: Rekeying to limit leakage
      Idea: limit the number of blocks encrypted under each distinct key.
      Corollary: The expected number of bits of unknown plaintext that are leaked when a total of $t$ blocks are encrypted, changing keys every $c$ blocks, is less than or equal to $t c w \, 2^{-w-2}$.

  21. Rekeying: Rekeying to limit leakage (continued)
      Example: $n = 2^{20}$, $t \le 2^{w - 18 - \lg(w)} = 2^{40}$

  22. Plaintext inferences
      Given $P_i = E(i) \oplus C_i$

  23. Plaintext inferences (continued)
      $P_j = E(j) \oplus C_j$

  24. Plaintext inferences (continued)
      $E(i) \neq E(j)$ for $i \neq j$

  25. Plaintext inferences (continued)
      We know $P_i \neq P_j \oplus C_i \oplus C_j$

  26. Extending across multiple known plaintexts

  27. Extending across multiple known plaintexts: Lemma part 1
      For any ciphertext block $C_i : i \notin \mathcal{K}$ the corresponding plaintext block $P_i \notin (\mathcal{E} \oplus C_i)$, where $\mathcal{E} = \{E(j) : j \in \mathcal{K}\} = \{P_j \oplus C_j : j \in \mathcal{K}\}$.

  28. Plaintext model

  29. Plaintext model

  30. Plaintext model

  31. Plaintext model

  32. Extending across repeated target values: Lemma part 2
      An unknown repeated target value $p$ corresponding to the set $\mathcal{R}$ satisfies $\phi \notin \mathcal{E} \oplus \mathcal{G}$, where $\mathcal{G} = \{C_j : j \in \mathcal{R}\}$.

  33. Efficacy: Estimate
      An impossible plaintext attack against an unknown repeated value with repetition $r$, a possible plaintext set of size $\#\Phi = s$, and $k = \#\mathcal{E}$ known plaintext blocks succeeds when
      $$kr \ge (\ln(s) + 1) \, 2^w \ge (w + 1) \, 2^w$$

  34. Efficacy: Estimate (continued)
      Heuristic: $\#(\mathcal{E} \oplus \mathcal{G}) = kr$

  35. Efficacy: Estimate (continued)
      Collecting $s$ coupons

  36. Algorithms: Algorithms for finding $p$
      Sieving
        for $\epsilon \in \mathcal{E}$ do
          for $i \in \mathcal{R}$ do
            remove $C_i \oplus \epsilon$ from $\Phi$
          end for
        end for
        return $\Phi$

  37. Algorithms: Algorithms for finding $p$ (continued)
      $O(kr)$ operations, $O(s)$ storage
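
The indicator-collision relation from slides 8 to 11, as an added example that is not code from the talk: it encrypts constructed traffic in CBC mode, finds $C_i = C_j$ in one pass, and carries known plaintext across each collision, which is the leak that the rekeying corollary bounds. The 16-bit random permutation, the function names and the known/unknown split are assumptions made so collisions appear quickly; the slides analyse $w = 64$.

```python
import random

W = 16  # toy block width in bits (assumption; the slides analyse w = 64)

def toy_block_cipher(seed):
    """Random permutation on W-bit blocks standing in for E under one key (not a real cipher)."""
    table = list(range(1 << W))
    random.Random(seed).shuffle(table)
    return table

def cbc_encrypt(E, iv, plaintext):
    """C_i = E(P_i xor C_{i-1}) with C_0 = iv; returns the chain [C_0, C_1, ..., C_n]."""
    chain = [iv]
    for p in plaintext:
        chain.append(E[p ^ chain[-1]])
    return chain

def indicator_collisions(chain):
    """Pairs i < j with C_i = C_j, plus delta_ij = C_{i-1} xor C_{j-1} (= P_i xor P_j)."""
    first_seen, hits = {}, []
    for j in range(1, len(chain)):
        i = first_seen.setdefault(chain[j], j)   # O(n) work and storage
        if i != j:
            hits.append((i, j, chain[i - 1] ^ chain[j - 1]))
    return hits

def recover_unknown(hits, known):
    """Carry known plaintext across a collision: P_i = P_j xor delta_ij."""
    learned = {}
    for i, j, delta in hits:
        if i in known and j not in known:
            learned[j] = known[i] ^ delta
        elif j in known and i not in known:
            learned[i] = known[j] ^ delta
    return learned

def demo(n=4000, seed=1):
    rng = random.Random(seed + 1)
    plaintext = [rng.randrange(1 << W) for _ in range(n)]        # constructed sample traffic
    chain = cbc_encrypt(toy_block_cipher(seed), rng.randrange(1 << W), plaintext)
    hits = indicator_collisions(chain)
    known = {i: plaintext[i - 1] for i in range(1, n // 2 + 1)}  # first half known to the observer
    learned = recover_unknown(hits, known)
    correct = all(plaintext[i - 1] == p for i, p in learned.items())
    return len(hits), len(learned), correct
```
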
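
The sieving algorithm of slides 36 and 37 applied to CTR mode, as an added example that is not code from the talk: it builds $\mathcal{E}$ from known plaintext, $\mathcal{G}$ from repeated encryptions of one secret block, and removes every impossible value from $\Phi$, so the effect of staying below or above the $kr \ge (\ln(s) + 1) 2^w$ estimate can be observed. The 12-bit random permutation, the secret value and the function names are assumptions for a fast run; the slides analyse $w = 64$.

```python
import math
import random

W = 12  # toy block width in bits (assumption; the slides analyse w = 64)

def ctr_keystream(seed, n):
    """First n outputs E(0), ..., E(n-1) of a random W-bit permutation: all distinct, as in CTR."""
    table = list(range(1 << W))
    random.Random(seed).shuffle(table)
    return table[:n]

def sieve(known_keystream, target_ciphertexts, candidates):
    """Sieving from the slides: for eps in E, for i in R, remove C_i xor eps from Phi."""
    phi = set(candidates)
    for eps in known_keystream:
        for c in target_ciphertexts:
            phi.discard(c ^ eps)   # eps != E(i), so c xor eps can never be the secret
    return phi

def threshold(s):
    """kr required by the Efficacy estimate: (ln(s) + 1) * 2^w."""
    return (math.log(s) + 1) * 2 ** W

def run(k, r, secret=0xABC, seed=7):
    """k known-plaintext blocks, then the same secret block encrypted r times under one key."""
    ks = ctr_keystream(seed, k + r)
    rng = random.Random(seed + 1)
    known_pt = [rng.randrange(1 << W) for _ in range(k)]    # constructed known traffic
    known_ct = [p ^ e for p, e in zip(known_pt, ks[:k])]
    E_set = [p ^ c for p, c in zip(known_pt, known_ct)]     # E = {P_j xor C_j : j in K}
    G = [secret ^ e for e in ks[k:]]                        # G = {C_j : j in R}
    return sieve(E_set, G, range(1 << W))                   # Phi starts as all 2^W values
```

With `run(1024, 128)` the product $kr$ exceeds `threshold(2 ** W)` and only the secret survives; with `run(64, 8)` it does not, and most of $\Phi$ remains.
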
