generic attacks on symmetric cipherspalash/talks/generic.pdf · top 24 bits loaded by the computer....

Generic Attacks on SymmetricCiphers

Palash Sarkar

Indian Statistical Institute

email: [email protected]

IndocryptThe 7th International Conference on Cryptology in India

Kolkata, India10th December, 2006.

Indocrypt 2006 – p.1/73

Symmetric Key Encryption

message ciphertext ciphertext

secret key K secret key K

public channelEncrypt Decrypt

message

Adversary

Adversary’s goal: To obtain secret key .


Generic Attacks

� Most basic of all attacks.

� Treats the algorithm as a black box.

� The same attack idea can be used for manyalgorithms.

� One can utilise a large amount of parallelism.

� Most feasible implementation in special purposehardware.

� There are some reported implementations.


Non-Generic Attacks

� Exploits special properties of an algorithm or aclass of algorithms.

� Examples: Linear and differential cryptanalysis,correlation attacks, algebraic attacks, etcetra.

� The literature abounds in such attacks and ideas.

� Very little (or no) work on

� hardware implementation of non-genericattacks;

� exploiting parallelism.


Presentation Outline

� Exhaustive search attacks.

� Exhaustive search on DES.

� DES Cracker by Electronics FrontierFoundation (EFF).

� Time/Memory trade-off (TMTO) attacks.

� Hellman’s algorithm.

� Rivest’s distinguished point method.

� Biryukov-Shamir multiple data method.

� Other variants.


Presentation Outline (contd.)

� A Cost Analysis of TMTO Attack.

� Strength of different key sizes.

� Non-Conventional Techniques for ExhaustiveSearch.

� Based on DNA computing.

� Based on photographic techniques.

� Rejewski’s Attack on Enigma.

� Unearthing some modern ideas in the oldattack.


Exhaustive SearchKnown Plaintext:

� A pair

�

�

�

is available.

� Attack: Decrypt by the possible keysone-by-one until is obtained.

Ciphertext Only:

� Only is available.

� Attack: Decrypt by the possible keysone-by-one until a “meaningful” message isobtained.

Parallelism:

� Decryptions by separate keys are unrelated.

� Efficiently parallelizable, subject to resourcerestrictions.


Exhaustive Search on DESDiffie-Hellman (1977):

Special purpose hardware;Estimated time 12-hours at a cost of USD

� �

M.

Wiener (1993):Special purpose hardware;Estimated time 3.5 hours at a cost of USD

�

.

Goldberg-Wagner (1996):FPGA based hardware;Estimated time one year at a cost of USD

��

� � �

.


Exhaustive Search on DESResponse to challenges announced at RSACryptographic Trade Shows.

1997:Software – using computers distributed on theinternet;Time required five months.

1998:Software – using computers distributed on theinternet;Time required 39 days.


Exhaustive Attacks on DESElectronic Frontier Foundation (EFF) (July 17,

1998): DES CrackerSpecial purpose hardware;Time required: Solved “DES Challenge II” inless than 3 days.Cost: USD

� � ��

� � �

(hardware + development)

Quisquater-Standaert (2005):Time/Memory Trade-Off;Estimated cost of USD

� ��

� � �

and online timehalf an hour.

Contrast: 100,000 British pounds to build onecryptanalytic machines to attack Engima ( � 1941).(“The Code Book” by Simon Singh, Page 174).


DES Cracker – Basic Design

� DES key space size =

� � �

.

� Ciphertext only attack.

� Hierarchical design.

� Parallel search units controlled by a singlecomputer.

� 24 search units fit inside a chip.

� 64 chips are mounted on a large board.

� 12 boards are mounted onto a chassis.

� 2 chassis are used.

� Total of 36,000 search units.


One Search Unit

� Includes a 32-bit counter to generate candidatekeys.

� Top 24 bits loaded by the computer.

� Total key size is 56 bits.

� A direct implementation of a 56-bit counterwas considered to be too costly.

� Interrupts the computer after searching

� ��

keys.

� Reports “interesting” plaintext to the computer.

� Final decision taken by the computer.


Suggested Improvement

� Use of 56-bit LFSR to generate candidate keys.

� Easy to partition total key space into disjoint sets.

� Parallel generation of the subsets is easy.

� Each search unit has a separate implementationof the LFSR.

� Advantages:

� Next key in one clock cycle.

� Avoids the

� � �

interrupts made by the searchunits to the computer.

� Leads to a simpler, smaller and faster design.

Recent: Mukhopadhyay-Sarkar, 2006.Earlier: Wiener, 1993; Goldberg-Wagner 1996.


Time/Memory Trade-Off

� Introduced by Hellman in 1980.

� Basic idea:

� Perform an exhaustive search (or a little morecomputation) once.

� Store some of the results of intermediatecomputations.

� At a later stage use the stored results to obtainsecrets significantly faster than exhaustivesearch.

� In its general form, a TMTO inverts a one-wayfunction.


Basic Hellman Method

� Define

� � � ��

for a fixed . Inverting

� �

on � ��

yields .

� Pre-Computation:

� Compute � tables of size � � �each.

� For each table, store only the first and the lastcolumn, sorted on the last column.

� Online Search:

� Given �, we have to find � such that

� � � � �.

� Perform some computations and look-ups onthe stored tables to find �.

� Success depends on proper choice of theparameters �

�

�

and �.


Single Table ComputationThe domain and range of are same and of size .

� Chain: Given �, the chain starting at � is

��

� � �

�

��

�

��

��

� � � �

� Choose � points � ��

��

� �� randomly.

� Construct chains (rows of the table) starting atthese points.

� The start points and the end points are stored,sorted on the end points.


A Hellman Tablex1,0 x x x xf f f f f

1,1 1,2 1,t−1 1,t......

x x x x xf f f f f......



2,0 2,1 2,2 2,t−1 2,t

3,0 3,1 3,2 3,t−1 3,t

m,0 m,1 m,2 m,t−1 m,t

.................

.................

.................

.................

.................

Start Points End Points


Set of Tables

� One table cannot have too many rows, as thenrepetition will occur.

� Let �� be very simple functions.

� Define � � � � .

� We assume that the � ’s behave as independentrandom functions.

� Construct � tables using the functions �� .

� We wish to have � � � � .


Online SearchSearch for � in the

�

th table. Repeat for each table.

� Let � � ��

.

� If � is in the

�

th table, then its predecessor in thechain (row) is a pre-image of �.

� Compute

� � � ��

� � � ��

��

�

��

�

�

��

��

� � �

��

�

��

� Look-up each �� among the end-points of the

�

thtable.

� If found, then from the corresponding start-point,generate the chain upto � �.

� The predecessor of � � is a pre-image of �.Indocrypt 2006 – p.19/73

Coverage and Analysis

� Constants are ignored.

� � ��

(birthday paradox).

� � � � � (total coverage).

� Pre-Computation: Number of invocations =(exhaustive search).

� Memory: � � � �.

� Online search: � � �;

Max number of invocations = � �

;Max number of table look-ups = � �

.

�

�

�

�

(the trade-off curve).( � �

� � �

.)


Distinguished PointsIntroduced by Rivest.

Distinguished point (DP): A string with a fixednumber of bits 0.

Pre-Computation: Generate a chain only upto a DP,or of length

�

whichever occurs earlier.

Online Search: Perform a look-up only afterencountering a DP.

� Only one look-up for each table required.

� Total number of look-up comes down to �.

Chains are of variable length.

Trade-off curve does not change.


TMTO With Multiple DataBiryukov-Shamir, 2000.

� Given: � ��

� � .Requirement: Invert any of the � � ’s.

� Choose � � � �

.

� Coverage � � � � �

. Birthday paradox assuresa constant success probability.

� Trade-off curve:� �

�

�

.

Biryukov-Mukhopadhyay-Sarkar (2005) presents adetailed analysis.


Rainbow MethodOechslin, 2003.

� It is a variant of the Hellman method.

� Rainbow chain: � � � �.

� � � ��

�

� � � ��

��

� � � ��

Recall: ��

is obtained from

� �

by a simpleoutput modification.

� A single rainbow table of size � � � �

is used.

� Online search time is one-half of Hellman’smethod.

� Trade-off curve:

�

�

��

Biryukov-Mukhopadhyay-Sarkar (2005).Indocrypt 2006 – p.23/73

Rainbow Crack

� A software implementation of the rainbowmethod.

� Pre-computed tables available on the net.

� Using these, the program can crack Windowspasswords in a few seconds of online time.

� A vindication of the TMTO method.

The following website provides a real-life demo.

http://lasecwww.epfl.ch/

�

oechslin/projects/ophcrack/


Theoretical Issues

� Hellman’s assumption:

� is a random function.

� ��

� are independently chosen randomfunctions.

� Fiat-Naor (1991) counter-example :

� �

� � �

points induce a permutation.

� Other keys map to zero.

� Hellman’s method on such results in a lot ofzeros in the tables.

� Success probability drops.


Inverting Any FunctionFiat-Naor 1991.

� Store high in-degree images in a single table.

� For the other points use a variant of Hellman’sstrategy.

� Can provably invert any function.

� Trade-off Curve:

�

�

�

.

� Worse trade-off compared to Hellman’s method.


An Easy Solution

� Output modifications.

� Hellman: Permute output bits.

� Oechslin: ��

.

� For both methods, it is possible to constructFiat-Naor type examples.

� A new output modifier (Mukhopadhyay-Sarkar2005).

� Randomly choose a maximal length LFSR.

� Suppose LFSR states are ��

�� .

� Define ��

� .

� Difficult to construct a Fiat-Naor typeexample for this construction.


Applying TMTOIdentifying one-way functions in cryptographicalgorithms.

� Hellman: Block ciphers. For a fixed

� � � ��

� Babbage, Golic, Biryukov-Shamir: Streamciphers.

internal state � keystream-segment map.

� Biryukov-Shamir-Wagner: A5/1 stream cipher.

� A variant of distinguished point method.

� Introduces a new technique called BSWsampling.


Applying TMTO

� Hong-Sarkar:

� Stream ciphers.

(Key, IV) � keystream-segment map.

� Several modes of operations of block ciphers.

� A general method of applying TMTO.

� Biryukov-Mukhopadhyay-Sarkar:

� Unix password.

� Other applications are known.


Parallelism

� DES Cracker uses a large amount of parallelism.

� Hardware designs for TMTO are parallel.

� Bernstein 2005.

� Points out that a clever but sequential attackcan be inferior to brute force but parallelsearch.

� Writes Hellman+DP and rainbow methods asexhaustive search attacks.


Processors and Bounds

� Amirazizi-Hellman 1988: Introducedtime/memory/processor trade-offs.

� Uses a number of processors.

� Uses a large shared memory.

� Uses a switching/sorting network.

� Wiener 2004: Notion of full cost (Lenstra et al2002, Bernstein 2001).

number of components � duration of their use

� A bound of� �

��

on the interconnectioncost for connecting � processors to � memoryblocks.


TMTO Architecture

� FPGA implementations:

� Standaert et al (2002): 40-bit DES keys.

� Mentens et al (2006): 48-bit UNIXpasswords.

� Use of counters for start point generation.

� Special purpose hardware: (Top-level design.)Mukhopadhyay-Sarkar 2006.

� A different architecture for avoiding lowerbound on interconnection cost.

� Use of LFSRs for start point generation andfunction masking.

� Store one table on a DVD.


Pre-Computation: Basic BlocksFreshMemory

Completed Table

SortingChain

Computation

UnsortedTable

Sorted Table

SCC

sgc1 sgc2

startsignal

And

Assembly line processing.


Chain Computation

. . . . . . . . . . . . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .PMS1

PMSn

WB1WBn

P1

Pn

LR

SC

CTtag

2s 2sr1

22s r2

s

r1

r2s

. . . . .

(O , O )1 sg1O3

sg2

sg3

sg4

5sg

2

startsignal

sgc1

Memory


Architecture of each �

O3

SPG

s

PUnit

Out2

Out3

In2In1

C2

TSC2

r2

sg1

sg2

Output to R

Input from L

Out4O1Out1

O2


Architecture of Punit

MUXMUX MUXMUXMUXMUX

0 0

RF1

SPC1s

SPR 1

R21s

r1

DP?

p s

R3 R4

R5

s s

s

SPRq

sSPR2

RF

s

RF

s

RFqs

R

Rs

22 s

s

...

s

2

q−1

2q

SPC2

r

s

s

. . .

. . .

. . . . . . . . . . . . .

. . . . . . . . . . . . .

C1

r1

SC1

SPC

+1

1

r1

r1

r1

. . .

. . .

. . .

.

q

Out1

Out4

Out

Out2

3

s

In1 In2

SPRq+1

ss

Architecture when is an iterated round function.Indocrypt 2006 – p.36/73

Online Search

SC

SCHEDULER

DB1

DBn

RB 1

RBn

P1

Pn

R

. . .

. .

. . .

. .

. . .

. .

. . .

. .

. . .

. .

L

s

s

s

s

new table

Table. . .

. .

3s 3s

. . . . . . . .

. . .

. . .

. .

B

move table

n

Q 1

1(mask, y’ , DP)

(mask, y’, SP)

(mask, y’, SP)

Q k

SCHEDULER 2

Output memory block (OMB)

Search in a single table for multiple data points.


Online Search P-processor

from DBInput

y/

MR

DR PUnit

Out 3

Out2

TSC2

r

PC

3

1

Input from L

signal to RB

Output to R

new table

Out4Out1

DPpsig

mask


Finding the Key

SCHEDULER

STOP. .

. . .

. . .

.

. . .

. . .

. . .

. . .

. . .

. . .

RB1

RBn

P1

Pn

OMB

false alarm

false alarm

Key

Key

(mask, y’, SP)


Approximate Cost Analysis

� Assumption: For an �-bit cipher, with �

� � �

,the throughput and area will be the same as thatof the best AES-128 implementation.

� AES-128 implementation.

� Good and Benaissa (CHES 2005) proposed anew FPGA design using Xilink Spartan III(XC3S2000).

� Cost: USD 12.00 per Xilink Spartan IIIFPGA device.

� 25 Gbps =��

� � � ��

AES-128 encryptions/sec


How Accurate is the Analysis?

� It is an initial study based on one particulararchitecture.

� Under estimates?

� Time for DVD load/unload.

� Time for parallel sorting.

� Power consumption, circuit failures, ...

� Over estimates?

� Cost of processor, memory and othercomponents.

� Speed of encryption.

� Development cost: Very difficult to estimate.


Is the Analysis Meaningful?

� It provides some idea about the relative strengthof different key sizes.

� Costs should scale only by small factors.

� Provides an outline of how to perform a costanalysis.

� A more detailed cost analysis will be welcome.

� Different architectures are welcome.


Parameters

� � �� : Pre-computation time in seconds.

� � � �� : Online time in seconds.

� �: cost of processors in USD.

�

�: cost of memory in USD.

�

�

: number of DVD readers.

� � : cost of DVD readers in USD.

Note: Estimates based on Mukhopadhyay-Sarkar(2006).


Table 1: Trade-off for different values of � with � �

.

� � � � ��

56

� � � � � � � ��

64

� � � � � � � ��

80

� � � � � � � � � � � � � � � � � ��

86

� ��

96

� � � � � � � � � � � ��

1

� ��

80

128

� � � � � � � � � � ��

1

� ��

80


Analysis

� 56-bit and 64-bit keys are completely insecure.

� 80-bit keys: One-year of pre-computation time;cost of USD 500M; online time less than asecond.

� 96-bit keys: Pre-computation time is more than4000 years and cost around USD 1 billion.


Table 2: Trade-off for different values of � and� � �

� .

� � � � � � ��

80

� ��

1

� ��

845

86

� �� 1

� ��

776

96

� � � � � � �� 1

� ��

320

96

� � � � � � � � � � � ��

1

� ��

128

� � ��

1

� ��

128

� � � � � � � � � � � � � ��

128

� � � � � � � � � � � � � � � � � �

1

� ��


Analysis for �

��

� 80-bit: Attack becomes much easier.

� 96-bit: Attack becomes reasonable.

� 128-bit: At least one of the parameters among

�

� ��

��

�

become infeasible.

Currently 128-bit seems to be secure, until a newtechnological revolution invalidates the analysisperformed here.


Desirable Goals

� Exhaustive search.

� 80-bit keys: Borderline of feasibility.

� 96-bit keys: Does not look possible.

� TMTO.

� 56-bit, 64-bit: Methodology validation.

� 80-bit: With � � � ��

� � �. Feasible.

� 96-bit: With � � � ��

� � ��

� � �

. Ambitious.

� A5/3: 64-bit key, 22-bit IV:

� Used in practice.

� TMTO or exhaustive search? Both are doable.


Breaking in the Future“Today’s crypto systems must resist

attack by tomorrow’s computers.Nanotechnology explores the limits of whatwe can make.”

Ralph Merkle, 15 August 2005(IACR Distinguished Lecture, CRYPTO).


Processor Technology

� Current technology is CMOS based.

� Speed of light; clock speed; channel length(of MOSFET).

� 50 nanometers channel length can producearound 20GHz clock speed.

� This hits the physical barrier.

� Geobacter.

� Certain bacteria uses metal for respiration.

� Can be used to construct conductingnanowires.

� Quisquater at rump session of Crypto 2005.


Memory Technology

� Blu-ray technology

� paper disc

� capability to store several hundred Gb on asingle disc.

� Holographic-memory discs:

� theoretical possibility of one terabyte datastorage at an access speed of 120megabits/sec.

� Non-volatile memory technology.


Interconnection Network

� Connecting many processors to many memoryunits is a major problem.

� How to bypass the problem?

� Optical connections?

� Any other possibilities?


Non-Conventional Technology

� Already proposed attacks on DES.

� DNA computing – Boneh-Dunworth-Lipton(1995).

� Photographic techniques – Shamir (1998).

� Other candidates.

� Quantum computing.

� Optical computing.


General Idea

� Known plaintext attack. A pair

�

�

�

is known.

� Define

� � � ��

.Goal: Find .

� Basic idea.

� For each key , generate all possible pairs

�

�

� � �

.

� Pick out the pairs�

�

� � �

such that

� � �

.

� Parallelism: Single instruction multiple data(SIMD) architecture.

� Exploit denseness of the medium to represent“all possible states”.


General Idea

� Initial state: All possible keys.

� Intermediate state: All possible partial resultsobtained by encrypting with all possible keys.

� Final state: All possible ciphertexts obtained byencrypting with all possible keys.

� Change of state: Effected by performing one step(of DES).

� Total number of operations equals total numberof steps of DES.

� Execution of each operation is time consuming.

� Some operations can be executed in parallel, butthis kind of parallelism is restricted.


General Idea

� Representation of bit strings in the medium.

� Applying binary operations on bit strings.

� Applying domain specific operations toimplement binary operations.

� DNA computing: Look-up tables can beimplemented.

� Photographic techniques: Converts look-uptables into Boolean functions.


DNA Computing

� DNA strand: An “oriented” string over thealphabet

�

� � �

�

.

� Binary string representation.

� Let length of the string be �.

� Let ��

�

��

be 30-mers used to representthe fact that the

�

th position is

�

or

�

respectively.

� Let

��

��

�� be 30-mers used as separators.

� Let � � � � � � � � �. Representation

��

� � ��

� � ��

� � � �

��

� � ��

�

��

�

��

’s are distinct and have no longcommon substrings.


DNA Operations

� Extract: From a solution, separate out strandswith a specific substring.

� Can be used to perform operations onconsecutive bits of a binary string.

� A DES step is either a XOR gate or a tablelook-up.

� Suitably defined extract can be used toperform both.

� Amplify: Create duplicates of all DNA strands inthe solution.

� Tag: Append a short new sequence onto allstrands in the solution.


Analysis

� One litre of solution can contain

� � � �

DNAstrands.

� This can just about represent all

� � �

possible keysof DES.

� Each extract operation is time consuming.

� Estimates.

� About 10 extract operations in a day.

� Around 4 months to prepare a solutioncontaining all possible

�

�

� � �

pairs.

� Finding from such a solution can becompleted in a few hours.

� Assumes an error-free model.Indocrypt 2006 – p.59/73

Photographic Technique

� Each pixel represents a bit.

� Operations:

�

�

-film: Develop a unexposed film.

�

�

-film: Develop a film exposed under stronglight.

� Random film: Photograph a random pattern.

� NOT: Contact print to another film.

� NOR: Contact print two stacked films toanother film.

� NAND, XOR: Little more complicated.


Representation of Keys

� Stack

� �

random films.

� A vertical line through the films represent aparticular key.

� All possible vertical lines represent a set of keys.

� Keys cannot be individually operated upon.

� Problem: Number of possible keys can greatlyexceed the number of pixels.


Representation of States

� Initial state:

� Multiple copies of the message.

� Stack

� �

single colour (all 0 or all 1) films.

� Number of copies equals number of pixels.

� Intermediate state: Result of partial encryption ofunder the represented keys.

� Final state: Result of encryption of under therepresented keys.


DES Operations

� Bit permutations and expansions:

� Easy to perform.

� Permute films and make copies of films.

� Bitwise XOR.

� Requires three photographic operations.

� S-box look-up:

� Can be defined as Boolean functions.

� Implemented using multi-input NAND, NORgates and two-input XOR gates.


Can 128-bit Keys be Attacked?

� Storage.

� This will require the representation of all the

� � � �

keys.

� DNA Computing: The volume of solutionbecomes impractical.

� Photo film: The film area becomesimpractical.

� Operations.

� Each operation (DNA operation or photoprinting) is time consuming.

� Conclusion: It is unlikely that AES-128 is goingto be meaningfully attacked by such techniques.


A Historical PerspectiveThis part of the talk is based on “The Code Book” bySimon Singh.

� Enigma: Mechanization of secrecy.

� Extensively used by the Germans during thesecond world war.

� Polish attack – Rejewski.

� Exploits double encryption of the messagekey.

� A ciphertext only attack.

� An attack on the mode of operation.

� British attack – Turing.

� A known plaintext attack.Indocrypt 2006 – p.65/73

Enigma Components

� Scramblers.

� Time varying permutations of the alphabet,i.e., the permutation changes as the encryptionproceeds.

� The order of the scramblers can be changed.

� Initial setting of the scramblers and their orderconstitutes the scrambler part of the key.

� Plugboard.

� A permutation introduced before thescramblers.

� Not time varying.

� Settings are part of the key.

� Other components: Reflector, ring.Indocrypt 2006 – p.66/73

Mode of Operation

� Day Key:

� Pre-distributed to all concerned parties.

� Specified the scrambler and plugboardsettings.

� Message Key:

� Choose a scrambler setting – three letters.

� Encrypt the message key twice with the daykey.

� Transmit the double encryption of themessage key.

� Encrypt the message with the message key.


Rejewski’s Attack

� Weakness: Double encryption of a (unknown)message.

� Observation:

� This defines a permutation of the alphabetwhich can be constructed only from theciphertext.

� Change of plugboard settings gives rise to aconjugate permutation.

� The cycle structure is independent of theplugboard settings.


Attack Techniques

� Divide and conquer.

� Time/Memory trade-off.


Divide and Conquer

� First find the scrambler settings for the day key.

� Next find the plugboard settings for the day key.

� This is relatively easier.

� A trial and error method can be used.


Time/Memory Trade-OffPre-computation:

� For each possible scrambler setting, compute thecorresponding permutation and its cycle structure.

� Store (scrambler setting, cycle structure) in atable.

� Initially required one year hand computation byexperts.

� Later mechanized (bombes).


Time/Memory Trade-Off

� Online search:

� Construct the permutation from the ciphertext.

� Compute its cycle structure.

� Use table look-up to find the correspondingscrambler setting.

� Memory: Required to store the table.


Thank you for your attention!


generic attacks on symmetric cipherspalash/talks/generic.pdf · top 24 bits loaded by the computer....

Documents