multiple encryption new cryptanalytic algorithms and
play

Multiple Encryption New Cryptanalytic Algorithms and Applications - PowerPoint PPT Presentation

Dec 30, 2023 •384 likes •1.49k views

Multiple NewMITM Dissection Summary Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer Science Department University of Haifa 4th July, 2013 Orr Dunkelman Multiple Encryption 1/ 35 Multiple

  1. MitM PCS 2K3Enc Multiple NewMITM Dissection Summary Analysis ◮ The attack exploits a chosen plaintext scenario. ◮ The data complexity is 2 n chosen plaintexts (worst case). ◮ The time/memory complexities are 2 n . Orr Dunkelman Multiple Encryption 10/ 35

  2. MitM PCS 2K3Enc Multiple NewMITM Dissection Summary Analysis ◮ The attack exploits a chosen plaintext scenario. ◮ The data complexity is 2 n chosen plaintexts (worst case). ◮ The time/memory complexities are 2 n . ◮ The data complexity can be reduced in exchange for an increase in time complexity [BC12]. Orr Dunkelman Multiple Encryption 10/ 35

  3. MitM PCS 2K3Enc Multiple NewMITM Dissection Summary Analysis ◮ The attack exploits a chosen plaintext scenario. ◮ The data complexity is 2 n chosen plaintexts (worst case). ◮ The time/memory complexities are 2 n . ◮ The data complexity can be reduced in exchange for an increase in time complexity [BC12]. ◮ The splice-and-cut technique is very related to this attack (as well as all techniques built on top of splice-and-cut). Orr Dunkelman Multiple Encryption 10/ 35

  4. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption P 1 , P 2 , P 3 , P 4 Consider the case of 4-Encryption: E K 1 C = E K 4 ( E K 3 ( E K 2 ( E K 1 ( P )))) E K 2 X 2 1 E K 3 E K 4 C 1 , C 2 , C 3 , C 4 Orr Dunkelman Multiple Encryption 11/ 35

  5. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption P 1 , P 2 , P 3 , P 4 Standard MitM attack can take 2 3 n time with 2 n memory, or 2 2 n time with 2 2 n E K 1 memory. E K 2 X 2 1 E K 3 E K 4 Can we do better? C 1 , C 2 , C 3 , C 4 Orr Dunkelman Multiple Encryption 11/ 35

  6. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption 1 For any guess of X 2 1 , perform a MitM attack on E 2 ◦ E 1 . P 1 E K 1 E K 2 X 2 1 E K 3 E K 4 C 1 Orr Dunkelman Multiple Encryption 11/ 35

  7. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption 1 For any guess of X 2 1 , perform a MitM attack on E 2 ◦ E 1 . P 1 2 Obtain a list of 2 n possible pairs of keys ( K 1 , K 2 ). E K 1 E K 2 X 2 1 E K 3 E K 4 C 1 Orr Dunkelman Multiple Encryption 11/ 35

  8. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption 1 For any guess of X 2 1 , perform a MitM attack on E 2 ◦ E 1 . P 1 P 2 2 Obtain a list of 2 n possible pairs of keys ( K 1 , K 2 ). E E K 1 3 Encrypt P 2 under the obtained E E K 2 ( K 1 , K 2 ), and store in a table the X 2 X 2 values of ( X 2 2 , ( K 1 , K 2 )) in a table. 1 2 E K 3 E K 4 C 1 Orr Dunkelman Multiple Encryption 11/ 35

  9. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption 1 For any guess of X 2 1 , perform a MitM attack on E 2 ◦ E 1 . P 1 P 2 2 Obtain a list of 2 n possible pairs of keys ( K 1 , K 2 ). E E K 1 3 Encrypt P 2 under the obtained E E K 2 ( K 1 , K 2 ), and store in a table the X 2 X 2 values of ( X 2 2 , ( K 1 , K 2 )) in a table. 1 2 E K 3 4 Perform another MitM on E 4 ◦ E 3 , obtain the 2 n candidates for ( K 3 , K 4 ), E K 4 and compute the value of X 2 2 from C 2 . C 1 Orr Dunkelman Multiple Encryption 11/ 35

  10. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption 1 For any guess of X 2 1 , perform a MitM attack on E 2 ◦ E 1 . P 1 P 2 2 Obtain a list of 2 n possible pairs of keys ( K 1 , K 2 ). E E K 1 3 Encrypt P 2 under the obtained E E K 2 ( K 1 , K 2 ), and store in a table the X 2 X 2 values of ( X 2 2 , ( K 1 , K 2 )) in a table. 1 2 E E K 3 4 Perform another MitM on E 4 ◦ E 3 , obtain the 2 n candidates for ( K 3 , K 4 ), E E K 4 and compute the value of X 2 2 from C 2 . C 1 C 2 Orr Dunkelman Multiple Encryption 11/ 35

  11. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analyzing 4-Encryption 1 For any guess of X 2 1 , perform a MitM attack on E 2 ◦ E 1 . P 1 P 2 2 Obtain a list of 2 n possible pairs of keys ( K 1 , K 2 ). E E K 1 3 Encrypt P 2 under the obtained E E K 2 ( K 1 , K 2 ), and store in a table the X 2 X 2 values of ( X 2 2 , ( K 1 , K 2 )) in a table. 1 2 E E K 3 4 Perform another MitM on E 4 ◦ E 3 , obtain the 2 n candidates for ( K 3 , K 4 ), E E K 4 and compute the value of X 2 2 from C 2 . 5 Verify the suggested key C 1 C 2 ( K 1 , K 2 , K 3 , K 4 ) using P 3 and P 4 . Orr Dunkelman Multiple Encryption 11/ 35

  12. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analysis 1 guess, we did two MitM attacks of 2 n time ◮ For each X 2 and memory. ◮ Then, we had another MitM of 2 n time and memory. ◮ So in total — time complexity is 2 2 n , and memory complexity is 2 n . Orr Dunkelman Multiple Encryption 12/ 35

  13. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Analysis 1 guess, we did two MitM attacks of 2 n time ◮ For each X 2 and memory. ◮ Then, we had another MitM of 2 n time and memory. ◮ So in total — time complexity is 2 2 n , and memory complexity is 2 n . Orr Dunkelman Multiple Encryption 12/ 35

  14. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Extending the Basic Attack ◮ Obviously, enjoying the 2 n gain when attacking r -encryption with r ≥ 4. Orr Dunkelman Multiple Encryption 13/ 35

  15. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Extending the Basic Attack ◮ Obviously, enjoying the 2 n gain when attacking r -encryption with r ≥ 4. ◮ Just guess the r − 4 last keys, and apply the 4-encryption attack. Orr Dunkelman Multiple Encryption 13/ 35

  16. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Extending the Basic Attack ◮ Obviously, enjoying the 2 n gain when attacking r -encryption with r ≥ 4. ◮ Just guess the r − 4 last keys, and apply the 4-encryption attack. ◮ Of course, the question is whether we can do better. . . Orr Dunkelman Multiple Encryption 13/ 35

  17. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Extending the Basic Attack ◮ Obviously, enjoying the 2 n gain when attacking r -encryption with r ≥ 4. ◮ Just guess the r − 4 last keys, and apply the 4-encryption attack. ◮ Of course, the question is whether we can do better. . . ◮ Namely, can we gain more given that we already gained something? Orr Dunkelman Multiple Encryption 13/ 35

  18. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. ◮ When attacking r -encryption, we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  19. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  20. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  21. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  22. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  23. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  24. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  25. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. 4 . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  26. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. 4 . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  27. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The LogLayer Algorithm ◮ A straightforward extension is . . . P 1 P 2 P 3 P 8 the LogLayer algorithm. 2 ◮ When attacking r -encryption, 4 we guess r / 2 − 1 internal states just after round r / 2, and attack each half independently. ◮ With 2 n memory, the running time is 2 n ( r − log( r )) . 4 ◮ The “gain” sequence is: 2,4,8,16,32,. . . . . . . C 1 C 2 C 3 C 8 Orr Dunkelman Multiple Encryption 14/ 35

  28. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 1 P 2 P 3 P 16 ◮ A different improvement that relies on symmetry. ◮ Consider 16-Encryption: . . . C 1 C 2 C 3 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  29. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 1 P 2 P 3 P 16 ◮ A different improvement that relies on symmetry. 4 ◮ Consider 16-Encryption: 4 4 4 . . . C 1 C 2 C 3 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  30. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 1 P 2 P 3 P 16 ◮ A different improvement that 4-Encryption Attack relies on symmetry. 4 Time 2 2 n 2 n Remaining Keys ◮ Consider 16-Encryption: 4 4 4 . . . C 1 C 2 C 3 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  31. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 1 P 2 P 3 P 16 ◮ A different improvement that 4-Encryption Attack relies on symmetry. 4 Time 2 2 n 2 n Remaining Keys ◮ Consider 16-Encryption: 4-Encryption Attack 4 Time 2 2 n 2 n Remaining Keys 4-Encryption Attack 4 Time 2 2 n 2 n Remaining Keys 4-Encryption Attack 4 Time 2 2 n 2 n Remaining Keys . . . C 1 C 2 C 3 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  32. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 4 P 5 P 6 P 16 ◮ A different improvement that relies on symmetry. 4 2 n Keys ◮ Consider 16-Encryption: 4 2 n Keys 4 2 n Keys 4 2 n Keys . . . C 4 C 5 C 6 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  33. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 4 P 5 P 6 P 16 ◮ A different improvement that relies on symmetry. “ E ” 2 n Keys ◮ Consider 16-Encryption: ◮ Now, we need to attack “ E ” 2 n Keys “4-Encryption” again. “ E ” 2 n Keys “ E ” 2 n Keys . . . C 4 C 5 C 6 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  34. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Square Algorithm . . . P 4 P 5 P 6 P 16 ◮ A different improvement that relies on symmetry. “ E ” 2 n Keys ◮ Consider 16-Encryption: ◮ Now, we need to attack “ E ” 2 n Keys “4-Encryption” again. ◮ The complexity is 2 n ( r −√ r +1) . “ E ” 2 n Keys ◮ The “gain” sequence is: 2,4,9,12,16,25,36,. . . . “ E ” 2 n Keys . . . C 4 C 5 C 6 C 16 Orr Dunkelman Multiple Encryption 15/ 35

  35. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Why Asymmetry is Important in Symmetric-Key Attacks ◮ The shared characteristic of both LogLayer and Square is the fact that they are “symmetric” in nature. ◮ They do not distinguish between the “forward” direction stored in the table, and the “backward” direction which is checked in the table. ◮ In reality, they are different. The “backward” direction can be generated “on-the-fly”. Orr Dunkelman Multiple Encryption 16/ 35

  36. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  37. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: 3 4 . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  38. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: 3-Encryption MitM 3 2 2 n time 2 n keys left 4 . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  39. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: 3 4 . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  40. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: 3 4-Encryption MitM 2 2 n time 4 2 2 n keys left . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  41. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: ◮ We access the table with the 2 2 n 3 suggested keys. 4 . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  42. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Best Algorithm (we could find) ◮ A different improvement relies on symmetry. . . . P 1 P 2 P 3 P 7 ◮ Consider 7-Encryption: ◮ We access the table with the 2 2 n 3 suggested keys. ◮ The idea is to balance the complexity of the attack (on the second half) with the number of 4 “solutions”. ◮ The “gain” sequence is: 2,4,7,11,16,22,29,. . . . . . . C 1 C 2 C 3 C 7 Orr Dunkelman Multiple Encryption 17/ 35

  43. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Attacking r -Encryption 1 Guess as many keys as needed to reduce the scheme to a “magic number” (from the gain list). 2 Dissect the remaining encryptions: 1 For the i th magic number, guess i − 1 internal states after round i . 2 Attack the first i rounds, obtain 2 n keys, and construct a table. 3 Attack the remaining rounds, and access the table to find full key candidates. We call this technique “ Dissection ”. Orr Dunkelman Multiple Encryption 18/ 35

  44. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Dissection using Parallel Collision Search ◮ Just like in the PCS algorithm for double-encryption, to use the PCS we need to divide the full encryption function into two. ◮ This is done be defining F upper : ( K 1 , . . . , K r / 2 ) �→ ( X r / 2 , . . . , X r / 2 r / 2 ) and 1 F lower : ( K r / 2+1 , . . . , K r ) �→ ( X r / 2 , . . . , X r / 2 r / 2 ) . 1 ◮ Given Floyd’s algorithm (or Nivasch’s or Brent’s or . . . ), find collisions between the two functions. ◮ Actually, we can use Hellman’s TMTO attacks to find 2 n collisions simultaneously in time 2 ( r / 4+1 / 2) n . ◮ After 2 ( r / 2) n such collisions, we expect the right one to show up. Orr Dunkelman Multiple Encryption 19/ 35

  45. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Dissection using Parallel Collision Search (cont.) ◮ The key idea is to compute the functions F upper and F lower using dissection Orr Dunkelman Multiple Encryption 20/ 35

  46. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Dissection using Parallel Collision Search (cont.) ◮ The key idea is to compute the functions F upper and F lower using dissection and the extra available memory. ◮ Namely, we “agree” on the output of the functions, thus, restricting them to a smaller space. Orr Dunkelman Multiple Encryption 20/ 35

  47. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Dissection using Parallel Collision Search (cont.) ◮ The key idea is to compute the functions F upper and F lower using dissection and the extra available memory. ◮ Namely, we “agree” on the output of the functions, thus, restricting them to a smaller space. ◮ For 8-Encryption: F upper : ( K 1 , K 2 , K 3 , K 4 ) �→ X 4 1 , X 4 2 , X 4 3 , X 4 4 Uses P 1 , . . . P 4 F upper : ( K 5 , K 6 , K 7 , K 8 ) �→ X 4 1 , X 4 2 , X 4 3 , X 4 4 Uses C 1 , . . . C 4 Takes O (1) to evaluate Generate 2 3 . 5 n “collisions”, in time 2 1 . 5 n each. Orr Dunkelman Multiple Encryption 20/ 35

  48. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary Dissection using Parallel Collision Search (cont.) ◮ The key idea is to compute the functions F upper and F lower using dissection and the extra available memory. ◮ Namely, we “agree” on the output of the functions, thus, restricting them to a smaller space. ◮ For 8-Encryption: F upper : X 2 ˜ 1 �→ X 4 4 Uses P 1 , . . . P 4 and X 4 1 , X 4 2 , X 4 3 F upper : X 6 ˜ 1 �→ X 4 4 Uses C 1 , . . . C 4 and X 4 1 , X 4 2 , X 4 3 Takes O (2 n ) to evaluate Generate 2 0 . 5 n “collisions”, in time 2 0 . 5 n each × 2 3 n . Orr Dunkelman Multiple Encryption 20/ 35

  49. 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 9 8 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  50. b b b b 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 b LogLayer 9 8 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  51. b b b b b b b b b b 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 b LogLayer 9 b Square 8 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  52. b b b b b b b b b b b b b b b b b b 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 b LogLayer 9 b Square 8 b Dissect 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  53. b b b b b b b b b b b b b b b b b b b b b b b b b b b b 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 b PCS 9 8 b Dissect 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  54. b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 b PCS 9 b Dissect & Collide 8 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  55. b b b b b b b b b b b b b b b b b b b b b b b b b b b b 4Enc Extensions Asymmetric PCS Multiple NewMITM Dissection Summary The Gains of the Algorithms Gain 12 Compared with standard MitM 11 with 2 n mem. 10 9 b Dissect & Collide 8 b Dissect 7 6 5 4 3 2 1 r 0 0 3 6 9 12 15 18 21 24 27 30 33 36 39 42 Orr Dunkelman Multiple Encryption 21/ 35

  56. Knapsack Permutation Multiple NewMITM Dissection Summary Bicomposite Problems ◮ Actually, multiple-encryption is a specific case of bicomposite problems . ◮ A bicomposite problem is a problem that can be dissected in two orthogonal ways. ◮ For example, in the case of multiple encryption, we can dissect the problem into different plaintext/ciphertext blocks or into different keys. Orr Dunkelman Multiple Encryption 22/ 35

  57. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem ◮ The knapsack problem (AKA “subset sum” problem) is a well known NP-complete problem. ◮ Many knapsack cryptosystems were proposed (and broken) over the years. Orr Dunkelman Multiple Encryption 23/ 35

  58. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem ◮ The knapsack problem (AKA “subset sum” problem) is a well known NP-complete problem. ◮ Many knapsack cryptosystems were proposed (and broken) over the years. ◮ In the knapsack problem, a set of constants { a i } n i =1 is given as well as a target value S . ◮ The problem is to find a set of coefficients { ǫ i } n i =1 , ǫ i ∈ { 0 , 1 } such that n � ǫ i · a i = S . i =1 ◮ We shall deal with the modular variant (mod 2 n ). Orr Dunkelman Multiple Encryption 23/ 35

  59. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem (cont.) ◮ It is possible to write this problem as a “multiple encryption” problem. Orr Dunkelman Multiple Encryption 24/ 35

  60. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem (cont.) ◮ It is possible to write this problem as a “multiple encryption” problem. ◮ The plaintext is 0, and each encryption is keyed by one bit, Orr Dunkelman Multiple Encryption 24/ 35

  61. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem (cont.) ◮ It is possible to write this problem as a “multiple encryption” problem. ◮ The plaintext is 0, and each encryption is keyed by one bit, ǫ i . In other words, every “encryption” either adds a i or not. ◮ The ciphertext is selected to be S . Orr Dunkelman Multiple Encryption 24/ 35

  62. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem (cont.) ◮ It is possible to write this problem as a “multiple encryption” problem. ◮ The plaintext is 0, and each encryption is keyed by one bit, ǫ i . In other words, every “encryption” either adds a i or not. ◮ The ciphertext is selected to be S . What is so bicomposite in this problem? Orr Dunkelman Multiple Encryption 24/ 35

  63. Knapsack Permutation Multiple NewMITM Dissection Summary The Knapsack Problem as a Bicomposite Problem ◮ We just split the knapsack into smaller chunks. 0 0 0 0 0 ǫ i ◮ Namely, we treat each chunk as ǫ i a few bits. ◮ Each chunk has as a plaintext ǫ i the value 0, and as ciphertext ǫ i the respective part of S . ǫ i ◮ Of course, we need to deal with ǫ i carries. ◮ Which is easy if you solve the S S S S S knapsack from LSB to MSB. Orr Dunkelman Multiple Encryption 25/ 35

  64. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption 26/ 35

  65. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption

  66. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption

  67. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption

  68. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption

  69. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption

  70. Knapsack Permutation Multiple NewMITM Dissection Summary Breaking Knapsacks as Bicomposites 0 0 0 0 0 0 0 ◮ We can dissect the { ǫ i } problem any way we { ǫ i } want, plaintext-wise { ǫ i } and encryption-wise. { ǫ i } ◮ For example, we can { ǫ i } divide { ǫ } n i =1 into 7 { ǫ i } subsets, to look as if it is a 7-encryption. { ǫ i } S S S S S S S Orr Dunkelman Multiple Encryption 26/ 35

  71. Knapsack Permutation Multiple NewMITM Dissection Summary Comparison with Previous Results ◮ Some specific cases of knapsacks are easy (superincreasing). ◮ Some can be solved by LLL (when the knapsack is sparse). ◮ Previous attacks for general knapsacks: ◮ Schroeppel-Shamir, 1981 — O (2 n / 2 ) time and O (2 n / 4 ) memory. ◮ Howgrave-Graham and Joux, 2010 — O (2 0 . 337 n ) time and O (2 0 . 256 n ) memory. ◮ Becker, Coron, Joux, 2011 — 2 0 . 72 n time (no-memory) or O (2 0 . 291 n ) time and memory + some tradeoffs. Orr Dunkelman Multiple Encryption 27/ 35

  72. Knapsack Permutation Multiple NewMITM Dissection Summary Comparison with Previous Results Orr Dunkelman Multiple Encryption 28/ 35

  73. Knapsack Permutation Multiple NewMITM Dissection Summary Generalizing Knapsacks ◮ Schroeppel-Shamir needs “monotonicity” to work. ◮ [HGJ10,BCJ11] heavily use properties of modular addition. Orr Dunkelman Multiple Encryption 29/ 35

  74. Knapsack Permutation Multiple NewMITM Dissection Summary Generalizing Knapsacks ◮ Schroeppel-Shamir needs “monotonicity” to work. ◮ [HGJ10,BCJ11] heavily use properties of modular addition. ◮ However, what happens when the knapsack is of the form: ǫ 1 a 1 + ( ǫ 2 a 2 ⊕ ǫ 3 a 3 + . . . )? Orr Dunkelman Multiple Encryption 29/ 35

  75. Knapsack Permutation Multiple NewMITM Dissection Summary Generalizing Knapsacks ◮ Schroeppel-Shamir needs “monotonicity” to work. ◮ [HGJ10,BCJ11] heavily use properties of modular addition. ◮ However, what happens when the knapsack is of the form: ǫ 1 a 1 + ( ǫ 2 a 2 ⊕ ǫ 3 a 3 + . . . )? ◮ Luckily for us, we can apply our algorithm for any series of T -functions. Orr Dunkelman Multiple Encryption 29/ 35

  76. Knapsack Permutation Multiple NewMITM Dissection Summary Solving Combinatorial Search Problems ◮ Assume we are given a set of permutations σ 1 , σ 2 , . . . , σ t . ◮ We are given a series of input/output pairs: � � C i = σ k r ◦ σ k r − 1 ◦ . . . ◦ σ 1 ( P i ) Orr Dunkelman Multiple Encryption 30/ 35

Recommend

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should not reveal the persons height Shafi Goldwasser and Silvio Micali, 1982 1 Design of Encryption Algorithms Encryption algorithms are

421 views • 7 slides
So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want both privacy and integrity Achieve this by combining encryption and MAC in appropriate way Eike Ritter Cryptography 2014/15 39 Several

1.18k views • 12 slides
CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record

CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record

Implementing scalable CAN Security with CANcrypt by Olaf Pfeiffer CAN AUTHENTICATION AND ENCRYPTION February 2017 CAN PROVIDES MULTIPLE ATTACK VECTORS Record and re-play messages Can trigger desired actions Re-engineering

320 views • 21 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Block Ciphers Fall 2010 CS 334: Computer Security 1 Recall: Private-Key Encryption Algorithms

Block Ciphers Fall 2010 CS 334: Computer Security 1 Recall: Private-Key Encryption Algorithms

Block Ciphers Fall 2010 CS 334: Computer Security 1 Recall: Private-Key Encryption Algorithms Also called single-key or symmetric key algorithms Both parties share the key needed to encrypt and decrypt messages, hence both parties are

916 views • 48 slides
Week 7 Video 3 Advanced Clustering Algorithms Today Multiple advanced algorithms for

Week 7 Video 3 Advanced Clustering Algorithms Today Multiple advanced algorithms for

Week 7 Video 3 Advanced Clustering Algorithms Today Multiple advanced algorithms for clustering Gaussian Mixture Models Often called EM-based clustering Kind of a misnomer in my opinion What distinguishes this algorithm

681 views • 21 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic

SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic

Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1 / 116 2 / 116 Correct decryption requirement Example:

430 views • 29 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct decryption requirement More

1.19k views • 53 slides
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic Techniques Summer school 2007 1

706 views • 57 slides
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack Square Attack D.

305 views • 16 slides
Encryption and Network Security Cryptography is widely used to protect networks Relies on

Encryption and Network Security Cryptography is widely used to protect networks Relies on

Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols discussed previously Can be applied at different places in the network stack With different effects and

525 views • 21 slides
Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption

Overview Goals of Cryptography Cryptographic Technologies Encryption and Decryption Algorithms Symmetric Algorithms: DES and AES Asymmetric Algorithm: RSA Pretty Good Privacy (PGP) Chapter 5 Symmetric vs. Asymmetric

363 views • 8 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security January 26, 2005 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2005 CS 239,

321 views • 13 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
Algorithms in Bioinformatics: A Practical Introduction Multiple Sequence Alignment Multiple

Algorithms in Bioinformatics: A Practical Introduction Multiple Sequence Alignment Multiple

Algorithms in Bioinformatics: A Practical Introduction Multiple Sequence Alignment Multiple Sequence Alignment Given k sequences S = { S 1 , S 2 , , S k } . A multiple alignment of S is a set of k equal- length sequences { S 1 ,

652 views • 47 slides
The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom

The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom

The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on

784 views • 55 slides
MA/CSSE 473 Day 11 Data Encryption MA/CSSE 473 Day 11 HW 5 is due tomorrow. HW 6 due

MA/CSSE 473 Day 11 Data Encryption MA/CSSE 473 Day 11 HW 5 is due tomorrow. HW 6 due

MA/CSSE 473 Day 11 Data Encryption MA/CSSE 473 Day 11 HW 5 is due tomorrow. HW 6 due Friday Poll results: Tomorrow I hope to discuss the Knuth interview, and Brute Force Algorithms Student Questions Cryptography

523 views • 7 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an ARM and a Leg Latincrypt 2017, 21st September 2017 1/19 Thom Wiggers Outline Introduction Building a cheap cluster The Cortex-A53 Breaking ECC

741 views • 70 slides
Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF, Lausanne Invited Talk to ASK 2019 14th December 2019 Outline Introduction Sprout (FSE15) Previous Work Attack by Esgin/Kara (SAC 2015)

597 views • 46 slides

More recommend