1 / 8

Announcements: Quizzes returned at end of class This week:

DTTF/NB479: Dszquphsbqiz Day 14. Announcements: Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Today: Differential Cryptanalysis on EDEN HW 4 (assigned Thurs) is to implement DES Friday: Computer quiz on breaking ciphers in ch 2 Next week:

callum-kramer
Download Presentation

Announcements: Quizzes returned at end of class This week:

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DTTF/NB479: Dszquphsbqiz Day 14 • Announcements: • Quizzes returned at end of class • This week: • Mon-Thurs: Data Encryption Standard (DES) • Today: Differential Cryptanalysis on EDEN • HW 4 (assigned Thurs) is to implement DES • Friday: Computer quiz on breaking ciphers in ch 2 • Next week: • Rijndael, start RSA • Questions?

  2. Recall EDEN The key, Ki for round iis derived from a 9-bit key K. Input (12 bits) L0 (6) R0 (6) Repeat for 8 rounds K1(8) f Round 1 L1 (6) R1 (6) K2(8) f Round 2 … L2 (6) R2 (6)

  3. Differential Cryptanalysis • A chosen plaintext attack to find the key • We’ll work the process together for 3 rounds. Assume we can input L1R1 and view output L4R4. • This can be extended to 4 rounds

  4. Lots of calculations done on whiteboard…

  5. Extension to 4 Rounds • Exploits weaknesses in S-boxes. S1: 12/16 of input pairs with XOR = 0011 have output XOR 011 S2: 8/16 of input pairs with XOR = 1100 have output XOR 010 But we expect only 2/16 pairs in each case • We choose R0, R0* such that R0’ = 001100 • P(XOR of outputs = 011010) ~ 3/8. • If we also choose L0, L0* such that L0’ = 011010, then 3/8 of time, L1’R1’ = 001100 000000. • So we choose lots of pairs like this, and do the 3-round method with L1’ = 001100 and the known outputs. • We’ll get lots of garbage (random keys), since we aren’t sure that L1’ = 001100, but since it shows up so often, K4 will show up much more frequently than other keys! • Example on p. 122 gives key frequencies using an attack with 100 such inputs. K4 shows up ~50% more than others.

  6. Extensions • What about more than 4 rounds? • What about stronger S-boxes? • Can do both, just require more inputs to gather statistics to find key. • Is this more efficient than brute forcing?

  7. Summary Could the DES designers have anticipated diffy crypt attacks?

  8. HW4: DES Implementation • I implemented EDEN in Java fairly quickly • DES is obviously more complicated • You’ll implement encryption and decryption. • Correctness: • Can use one to test the other. • Efficiency: • In addition, it’d be nice to use a language that closer to the hardware for efficiency, like C. • I’m planning a competition to see whose implementation is quickest!

More Related