An Optimal Attack on Cryptosystems Using Pre/Post Whitening Keys


Presentation Transcript


  1. An Optimal Attack on Cryptosystems Using Pre/Post Whitening Keys. Orr Dunkelman and Adi Shamir, Computer Science Dept, The Weizmann Institute, Israel.

  2. Whitening Keys. A cheap way to increase the key size of block ciphers. Key size in DES: 56 bits. [Figure: P → DES (key K) → C]

  3. Whitening Keys. Add an independent prewhitening key K1 and postwhitening key K2. Key size in DESX: 184 bits. [Figure: P, XORed with a prewhitening key, passed through DES, XORed with a postwhitening key, giving C; keys labelled K1, K2, K3]

  4. An Extreme Example: The Even-Mansour Scheme (Asiacrypt 1991). Replace the middle part by a single publicly known keyless permutation F. Key size: 2n bits. [Figure: P, XORed with K1, passed through F, XORed with K2, giving C]

  5. The Main Question: How much security is actually added by these 2n new key bits? If the inner encryption is bad (e.g., a linear mapping), both the original and the modified scheme can be totally insecure. The model we consider: assume that the inner encryption is a collection (indexed by K) of unrelated truly random permutations.

  6. In The Even-Mansour Cryptosystem. Given D=2 known plaintext/ciphertext pairs, we can break the scheme in time T=2^n. What happens when you have more pairs? The Even-Mansour paper proved the following lower bound: DT >= 2^n. This lower bound is information theoretic, and does not care whether the plaintexts are known or chosen.

  7. Previous Results: At Asiacrypt 1992, Joan Daemen described a differential attack with any D, T satisfying DT = 2^n, which matched the lower bound curve, but required chosen plaintexts. At Eurocrypt 2000, Biryukov and Wagner described an advanced slide attack against Even-Mansour, which used only known plaintexts, but matched the lower bound curve only at one point: D=2^(n/2) and T=2^(n/2).

  8. Can you exploit a smaller number of known plaintext/ciphertext pairs? Since data is much harder to get than time, D=T=2^(n/2) is not the ideal point on the tradeoff curve DT = 2^n. A slide attack (like many other cryptanalytic attacks) cannot effectively exploit a small number of known plaintexts, since it has to wait for some lucky event to happen by chance, and only then start the attack.

  9. Our New Attack Is Extremely Simple: Given any number D of known pairs (pi, ci), search for one triplet d, p1, p2 satisfying: c1+F(p1+d) = c2+F(p2+d) (where + denotes XOR). The number of random values d you have to try is expected to be about 2^n/D^2. Let e be the common value above. Then with high probability the keys K1 and K2 are: K1 = p1+p2+d, K2 = c1+c2+e.
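The recovery rule on this slide, worked through in code. This is an added example written for this transcript, not code from the paper or its authors. It uses a toy block size n=16, a seeded random permutation table as a stand-in for the public keyless permutation F, and constructed secret keys and plaintexts; nothing else is assumed. Each candidate d costs one pass over the D known pairs, and a collision in c_i ⊕ F(p_i ⊕ d) reveals both whitening keys exactly as the slide states, which is why the 2n whitening bits buy only about 2^n/D work against an attacker holding D known pairs.

```python
import random

N_BITS = 16                      # toy block size; the slides' n would be 64 or 80
MASK = (1 << N_BITS) - 1


def make_public_permutation(seed: int = 1) -> list:
    """Stand-in for the keyless public permutation F: a seeded random
    permutation of {0,1}^n stored as a lookup table (constructed for this example)."""
    rng = random.Random(seed)
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    return table


F = make_public_permutation()


def even_mansour_encrypt(p: int, k1: int, k2: int) -> int:
    """Even-Mansour: C = F(P xor K1) xor K2 (the + on the slide is XOR)."""
    return F[(p ^ k1) & MASK] ^ k2


def known_pairs(k1: int, k2: int, count: int, seed: int = 2) -> list:
    """Constructed known-plaintext data: `count` distinct random plaintexts and
    their ciphertexts, as an observer of the cipher would see them."""
    rng = random.Random(seed)
    plaintexts = rng.sample(range(1 << N_BITS), count)
    return [(p, even_mansour_encrypt(p, k1, k2)) for p in plaintexts]


def slidex(pairs: list):
    """SLIDEX step from the slide: for each candidate d compute
    v_i = c_i xor F(p_i xor d) over all pairs and look for a collision v_i == v_j.
    When p_i xor p_j == K1 xor d the collision is forced by the scheme's structure
    and gives K1 = p_i xor p_j xor d, K2 = c_i xor c_j xor v (v is the slide's e).
    Accidental collisions are rejected by re-encrypting every known pair.
    Returns (k1, k2, number_of_d_values_tried), or None if nothing is found."""
    for tried, d in enumerate(range(1 << N_BITS), start=1):
        seen = {}                                 # v -> (p, c); one pass costs O(D)
        for p, c in pairs:
            v = c ^ F[(p ^ d) & MASK]
            if v in seen:
                p2, c2 = seen[v]
                k1 = p ^ p2 ^ d
                k2 = c ^ c2 ^ v
                if all(even_mansour_encrypt(pp, k1, k2) == cc for pp, cc in pairs):
                    return k1, k2, tried
            else:
                seen[v] = (p, c)
    return None


if __name__ == "__main__":
    K1, K2 = 0xBEEF, 0x1234                       # constructed secret keys
    data = known_pairs(K1, K2, 128)               # D = 2^7 known pairs
    print(slidex(data))                           # (K1, K2, d values tried)
```

With D=128 pairs the loop typically stops after a handful of d values (the slide's 2^n/D^2 estimate, up to a factor of two for unordered pairs), and each d costs D table lookups, so the total work is about 2^n/D; multiplied by the data D this sits on the DT = 2^n curve using known plaintexts only. Scaling n up does not change the shape of the argument, which is the point of the slide's n=80 remark.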

  10. The SLIDEX Cryptanalytic Technique:

  11. Concluding Remarks: The SLIDEX known plaintext attack can also be applied to keyed schemes such as DESX, and completely solves the 20-year-old open problem of the security of schemes with pre/post whitening keys. In the case of Even-Mansour with n=80, the scheme has 160 key bits, but we can break it in practical 2^56 time if we have 2^24 known plaintext blocks (about the size of the wikileak archive…).
