impossible plaintext cryptanalysis and probable plaintext
play

Impossible plaintext cryptanalysis and probable-plaintext collision - PowerPoint PPT Presentation

Dec 17, 2022 •112 likes •554 views

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

  1. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast Software Encryption Workshop 2013 March 11-13, 2013

  2. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Outline Background 1 Collision attack on CBC and CFB 2 How it works Recovering plaintext Efficacy Rekeying Impossible plaintext cryptanalysis of CTR 3 Algorithms Conclusions 4

  3. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Block ciphers w -bit block cipher with a κ -bit key E : { 0 , 1 } w × { 0 , 1 } κ → { 0 , 1 } w , E − 1 : { 0 , 1 } w × { 0 , 1 } κ → { 0 , 1 } w such that E ( E − 1 ( x )) = E − 1 ( E ( x )) = x for all x ∈ { 0 , 1 } .

  4. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Block ciphers w -bit block cipher with a κ -bit key E : { 0 , 1 } w × { 0 , 1 } κ → { 0 , 1 } w , E − 1 : { 0 , 1 } w × { 0 , 1 } κ → { 0 , 1 } w such that E ( E − 1 ( x )) = E − 1 ( E ( x )) = x for all x ∈ { 0 , 1 } . Examples MISTY w = 64 κ = 128 KASUMI w = 64 κ = 128 Triple-DES w = 64 κ = 168 GOST 28147-89 w = 64 κ = 256 AES w = 128 κ = 128 , 192 , 256

  5. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Modes of operation

  6. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Modes of operation Modes  E − 1 ( C i ) ⊕ C i − 1 in CBC mode   P i = E ( C i − 1 ) ⊕ C i in CFB mode  E ( i ) ⊕ C i in CTR mode . 

  7. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions How it works Plaintext model

  8. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions How it works Indicator � C i in CBC mode I i = C i − 1 in CFB mode .

  9. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions How it works Indicator collisions reveal information When I i = I j for some i � = j then P i ⊕ P j = ∆ ij , where � C j − 1 ⊕ C i − 1 in CBC mode ∆ ij = C j ⊕ C i in CFB mode .

  10. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Recovering plaintext Exploiting collisions in theory Attacker’s knowledge about P j → knowledge about P i

  11. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Recovering plaintext Exploiting collisions in theory Attacker’s knowledge about P j → knowledge about P i P [ P j = x ⊕ ∆] P [ P i = x ] P [ P i = x | P i ⊕ P j = ∆] = � y P [ P j = y ⊕ ∆] P [ P i = y ]

  12. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Recovering plaintext Exploiting collisions in practice 10.0.*.* 0000101000000000 P i 172.16.*.* 1010110000010000 192.168.*.* 1100000010101000

  13. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Recovering plaintext Exploiting collisions in practice 10.0.*.* 0000101000000000 P i 172.16.*.* 1010110000010000 192.168.*.* 1100000010101000 P j ASCII 1*******1*******

  14. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Recovering plaintext Exploiting collisions in practice 10.0.*.* 0000101000000000 P i 172.16.*.* 1010110000010000 192.168.*.* 1100000010101000 P j ASCII 1*******1******* P i = 10.0.*.* 1*******1******* ∆ ij P i = 172.16.*.* 0*******1******* P i = 192.168.*.* 0*******0*******

  15. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy Birthday bound for indicator collisions O ( n ) work and storage

  16. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy Lemma Lemma The expected number of bits of unknown plaintext that are revealed in a collision attack with k blocks of known plaintext and u blocks of unknown plaintext is wku w ≤ n 2 2 w + 2 , 2 w where n = k + u.

  17. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy expected number of bits leaked due to collisions

  18. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy expected number of bits leaked due to collisions

  19. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy Network traffic with one-day rekeying Bits leaked per day w 1 Mbit/s 1 Gbit/s 1 Tbit/s 6 . 3 × 10 6 bits 6 . 3 × 10 12 bits 64 6.3 bits 1 . 7 × 10 − 19 bits 1 . 7 × 10 − 13 bits 1 . 7 × 10 − 7 bits 128

  20. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Rekeying Rekying to limit leakage Idea: limit number of blocks encrypted under each distinct key Corollary The expected number of bits of unknown plaintext that are leaked when a total t blocks are encrypted, changing keys every c blocks, is less than or equal to tcw 2 − w − 2

  21. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Rekeying Rekying to limit leakage Idea: limit number of blocks encrypted under each distinct key Corollary The expected number of bits of unknown plaintext that are leaked when a total t blocks are encrypted, changing keys every c blocks, is less than or equal to tcw 2 − w − 2 Example: n = 2 20 , t ≤ 2 w − 18 − lg ( w ) = 2 40

  22. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext inferences Given P i = E ( i ) ⊕ C i

  23. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext inferences Given P i = E ( i ) ⊕ C i P j = E ( j ) ⊕ C j

  24. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext inferences Given P i = E ( i ) ⊕ C i P j = E ( j ) ⊕ C j E ( i ) � = E ( j ) for i � = j

  25. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext inferences Given P i = E ( i ) ⊕ C i P j = E ( j ) ⊕ C j E ( i ) � = E ( j ) for i � = j We know P i � = P j ⊕ C i ⊕ C j

  26. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Extending across multiple known plaintexts

  27. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Extending across multiple known plaintexts Lemma part 1 For any ciphertext block C i : i / ∈ K the corresponding plaintext block P i / ∈ ( E ⊕ C i ) , where E = { E ( j ) : j ∈ K} = { P j ⊕ C j : j ∈ K} .

  28. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext model

  29. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext model

  30. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext model

  31. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Plaintext model

  32. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Extending across repeated target values Lemma part 2 An unknown repeated target value p corresponding to the set R satisfies φ / ∈ E ⊕ G , where G = { C j : j ∈ R} .

  33. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy Estimate An impossible plaintext attack against an unknown repeated value with repetition r , a possible plaintext set of size #Φ = s , and k = # E known plaintext blocks succeeds when kr ≥ ( ln ( s ) + 1 ) 2 w ≥ ( w + 1 ) 2 w

  34. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy Estimate An impossible plaintext attack against an unknown repeated value with repetition r , a possible plaintext set of size #Φ = s , and k = # E known plaintext blocks succeeds when kr ≥ ( ln ( s ) + 1 ) 2 w ≥ ( w + 1 ) 2 w Heuristic #( E ⊕ G ) = kr

  35. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Efficacy Estimate An impossible plaintext attack against an unknown repeated value with repetition r , a possible plaintext set of size #Φ = s , and k = # E known plaintext blocks succeeds when kr ≥ ( ln ( s ) + 1 ) 2 w ≥ ( w + 1 ) 2 w Heuristic #( E ⊕ G ) = kr Collecting s coupons

  36. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Algorithms Algorithms for finding p Sieving for ǫ ∈ E do for i ∈ R do remove C i ⊕ ǫ from Φ end for end for return Φ

  37. Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Algorithms Algorithms for finding p Sieving for ǫ ∈ E do for i ∈ R do remove C i ⊕ ǫ from Φ end for end for return Φ O ( kr ) operations, O ( s ) storage

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3 ciphertext as numbers: 28 17 17 ciphertext: C R R Groupwork 1. Log into our discord server. 2. Leave yourself muted on the main zoom call; I

434 views • 31 slides
Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext

Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext

1 / 22 Introduction SAC 2012 Cryptanalysis of the Kindle Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . .

556 views • 29 slides
ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It

ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It

ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It was always possible, but uncommon, to subvert that stub-resolver-auth resolution model Snowden revelations led to RFC7258 Encrypting DNS

346 views • 9 slides
Classical Cryptography Monoalphabetic ciphers: letters of the plaintext Classical Ciphers

Classical Cryptography Monoalphabetic ciphers: letters of the plaintext Classical Ciphers

Classical Cryptography Monoalphabetic ciphers: letters of the plaintext Classical Ciphers alphabet are mapped into unique ciphertext letters Polyalphabetic ciphers: letters of the plaintext P l l h b i i h alphabet

315 views • 13 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

S C I E N C E P A S S I O N T E C H N O L O G Y Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1 , David Derler 2 , Daniel Slamanig 2 , Raphael

345 views • 21 slides
General Letter Substitution Algorithm: Substitute 1 letter for another Key PLAINTEXT LETTER A

General Letter Substitution Algorithm: Substitute 1 letter for another Key PLAINTEXT LETTER A

General Letter Substitution Algorithm: Substitute 1 letter for another Key PLAINTEXT LETTER A B C D E F G H I J K L M CIPHERTEXT LETTER G J A O U N E Z Y P H S T PLAINTEXT LETTER N O P Q R S T U V W X Y Z

509 views • 6 slides
Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm; keys; Ciphertext; Resources are encapsulated by process; Decryption algorithm users access them through processs interface. Three

565 views • 7 slides
7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published

7.3. Cryptographic algorithms Message M (plaintext, a sequence of bits); key K; published encryption functions E, D; {M} K is the ciphertext (another sequence of bits) Symmetric (secret key) cryptography E(K, M) = {M} K D(K, E(K, M)) = M

571 views • 30 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and

Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and

AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and Nilanjan Datta and Avijit Dutta and Bart Mennink and Mridul Nandi and Somitra Sanadhya and

849 views • 53 slides
Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems

Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias Schulz, Adrian Loch, Matthias Hollick Practical Known-Plaintext Attacks against Physical Layer Security in Wireless MIMO Systems Matthias

607 views • 22 slides
Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original

IN3210/4210 Network and Communications Security Symmetric Cryptography Nils Nordbotten August 2020 1 Terminology plaintext (P) - original message/data ciphertext (C)- coded message/data cipher - algorithm for transforming

672 views • 17 slides
Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

University of Amsterdam System and Network Engineering Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel Why? There is no open source implementation Source Code available for PkCrack by

837 views • 19 slides
Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal

Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal

Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London The 21st International Workshop on Fast Software Encryption March 4th, 2014 jacob.schuldt@rhul.ac.uk Agenda

684 views • 37 slides
Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore? Store sensitive parameters of an Ada server : Database connection passwords API secret keys Tool to store sensitive information :

266 views • 24 slides
A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of

A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of

A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of operation CRIME + Gzip compression + Compression + encryption leak data TIME + Timing + compression leak data Attacking responses 2

425 views • 41 slides
The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of

The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of

The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of Computer Science University of California at Davis 2 Thales e-Security Ltd March 20, 2012 Rogaway, Wooding, Zhang (UC Davis, Thales) The Security

1.19k views • 105 slides
Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine,

Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine,

Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine, Oncology, and Health Sciences Informatics Vice Chair of Medicine for Data Integrity and Analytics Johns Hopkins Medical Institutions sray@jhmi.edu

576 views • 25 slides
CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization and country in the chat Function: Example: Peter Pan, Office of the Auditor General, Never Never Land Please use the chat function to communicate

373 views • 34 slides
Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting?

Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting?

Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting? Kenny Paterson Information Security Group Overview Introduction to TLS (and why YOU

1.25k views • 76 slides
Update on Diagnosis of Myelodysplastic Syndromes Jay L. Patel, MD Disclosure None

Update on Diagnosis of Myelodysplastic Syndromes Jay L. Patel, MD Disclosure None

Update on Diagnosis of Myelodysplastic Syndromes Jay L. Patel, MD Disclosure None Objectives Review current diagnostic criteria pertaining to myelodysplastic syndromes Understand the relevance of selected somatic gene mutations

737 views • 25 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides

More recommend