Problem 1 k zero bits n bits IV Block Block Block Block - - PowerPoint PPT Presentation

Problem 1

Block Cipher Block Cipher Block Cipher Block Cipher IV

January 27, 2011 Practical Aspects of Modern Cryptography 2

n bits k zero bits removed

Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher IV

January 27, 2011 Practical Aspects of Modern Cryptography 3

Problem 1

Missing bits

Problem 1

 Let b =

𝑜 𝑛 be the number of blocks.

 Plaintext 𝑄0, 𝑄

1, … , 𝑄𝑐, ciphertext 𝐷0, 𝐷1, … , 𝐷𝑐.

 We care about 𝐷𝑐−1, 𝐷𝑐, 𝑄𝑐−1 and 𝑄𝑐.  We know 𝑙, the number of bits removed from the

penultimate block, since 𝑙 = 𝑛 − (𝑜 mod 𝑛).

 Recall that for CBC decryption, we have plaintext block

𝑄𝑗 = Decrypt(𝐿, 𝐷𝑗) ⨂ 𝐷𝑗−𝑗

1/27/2011 Practical Aspects of Modern Cryptography

Problem 1

𝑄𝑗 = Decrypt(𝐿, 𝐷𝑗) ⨂ 𝐷𝑗−𝑗

1.

Compute 𝑌𝑐 = Decrypt(𝐿, 𝐷𝑐) (intermediate value of final block)

2.

We also know 𝑌𝑐 = 𝑄𝑐 𝑌𝑃𝑆 𝐷𝑐−1 if we have all the bits in 𝐷𝑐.

3.

Finally, we know the last 𝑙 bits of 𝑄𝑐 are 0 (pad).

4.

So for each of the padding bits 𝑄𝑐,𝑛−𝑙+1, … , 𝑄𝑐,𝑛 we have 𝑌𝑐,𝑗 = 𝑄𝑐,𝑗 XOR 𝐷𝑐−1,𝑗 for 𝑗 = 𝑛 − 𝑙 + 1, … , 𝑛

5.

Since 𝑄𝑐,𝑗 = 0, then 𝑌𝑐,𝑗 = 𝐷𝑐−1,𝑗

1/27/2011 Practical Aspects of Modern Cryptography

Problem 1: Ciphertext Stealing

Inverse Cipher Inverse Cipher Inverse Cipher Inverse Cipher

Plaintext Ciphertext

IV

110101 110101 00…0

Problem 2

 Decrypt a 𝑙-block segment in the middle of a long CBC-

encrypted ciphertext.

 What is the minimum number of blocks of ciphertext that

need to be decrypted?

 Which blocks do you need to decrypt and how will you

decrypt them?

1/27/2011 Practical Aspects of Modern Cryptography

Problem 2

 In CBC decryption, we have plaintext block

𝑄𝑗 = Decrypt(𝐿, 𝐷𝑗) ⨂ 𝐷𝑗−𝑗

 NOTE: Boundary case "𝐷−1" = IV.  Each plaintext block we want requires one decryption of

the corresponding plaintext plus one XOR.

 So the minimum number of ciphertext blocks to be

decrypted is 𝑙.

 If you want plaintext blocks 𝑄𝑗, 𝑄𝑗+1, … , 𝑄𝑗+𝑙−1, then you

need ciphertext blocks 𝐷𝑗−1, 𝐷𝑗, 𝐷𝑗+1, … , 𝐷𝑗+𝑙−1.

 If 𝑗 = 0, instead of 𝐷𝑗−1 you need the IV.

1/27/2011 Practical Aspects of Modern Cryptography

Problem 3

 𝐼 is a Merkle-Damgård hash function w/ compression

function 𝐺. Black box takes inputs 𝐽𝑊 and 𝑧 and outputs an 𝑦 such that 𝐺 𝐽𝑊, 𝑦 = 𝑧.

 Show how by using the black box at most 2𝑙 times you

can find a set of 2𝑙 messages that all have the same hash value when input into the full hash function 𝐼.

1/27/2011 Practical Aspects of Modern Cryptography

Problem 3 – Solution 1

 Basic idea: find pairs of messages 𝑦𝑗, 𝑦𝑗

′ satisfying

𝐺 𝐽𝑊

𝑗, 𝑦𝑗 = 𝐺 𝐽𝑊 𝑗, 𝑦𝑗 ′ = 𝑧𝑗, 𝑗 = 1, . . , 𝑙

𝑧𝑗 = 𝐽𝑊

𝑗+1

𝐽𝑊

1 = 𝐽𝑊

 Start at the end. Choose a random target output value 𝑧𝑙

and a random input value 𝑧𝑙−1 = 𝐽𝑊

𝑙. Call the black box

twice with 𝐽𝑊

𝑙, 𝑧𝑙 to generate 𝑦𝑙, 𝑦𝑙 ′ .

 Now move back a block. We have 𝑧𝑙−1, choose random

𝐽𝑊

𝑙−1 = 𝑧𝑙−2. Run the box twice, get 𝑦𝑙−1, 𝑦𝑙−1 ′

.

1/27/2011 Practical Aspects of Modern Cryptography

Problem 3 – Solution 1

 We now have 4 two-block messages that hash to the

same value when F is the compression function: 𝑦𝑙−1𝑦𝑙, 𝑦𝑙−1𝑦𝑙

′ , 𝑦𝑙−1 ′

𝑦𝑙, 𝑦𝑙−1

′

𝑦𝑙

′

 Repeat this procedure 𝑙 times and you’ll have made 2𝑙

calls to the black box to generate 𝑙 pairs 𝑦𝑗, 𝑦𝑗

′.

 To generate 2𝑙 messages that hash to the same value,

make 𝑙-block messages where the 𝑗th block is either 𝑦𝑗 or 𝑦𝑗

′. Two choices per block, 𝑙 blocks == 2𝑙.

1/27/2011 Practical Aspects of Modern Cryptography

Problem 3 – Solution 2

 The “fixed point” solution  Choose a fixed value for 𝐽𝑊. Now call the black box to

find an 𝑦 such that 𝐺 𝐽𝑊, 𝑦 = 𝐽𝑊.

 Concatenate 𝑦 as many times as you want, the hash will

still be 𝐽𝑊. So to get 2𝑙 messages:

 𝑦, 𝑦𝑦, 𝑦𝑦𝑦, 𝑦𝑦𝑦𝑦, … , 𝑦𝑦𝑦 … 𝑦𝑦𝑦 (2𝑙 total times)

1/27/2011 Practical Aspects of Modern Cryptography

Problem 4

 𝐻(𝑦) = 𝐼(𝑦) ∥ 𝐼′(𝑦), 𝐼(𝑦) and 𝐼′(𝑦) are hash

functions with 𝑜-bit outputs, so 𝐻(𝑦) has 2𝑜-bit outputs.

 Normally, with a birthday attack we would expect to have

to generate 22𝑜/2 = 2𝑜 messages to find a collision.

 However, 𝐼(𝑦) is badly broken (as in Prob. 3) so assume

we can generate 2𝑜/2 messages that all have the same hash value in 𝐼 𝑦 .

1/27/2011 Practical Aspects of Modern Cryptography

Problem 4

 Now compute 𝐼′(𝑦) for each of the 2𝑜/2 that have the

same hash value in 𝐼(𝑦).

 By the birthday attack we expect to find a collision from

those 2𝑜/2 messages.

1/27/2011 Practical Aspects of Modern Cryptography

Problem 4

 Was it a good idea to construct 𝐻(𝑦) = 𝐼(𝑦) ∥ 𝐼′(𝑦)?

1/27/2011 Practical Aspects of Modern Cryptography

Problem 4

 Was it a good idea to construct 𝐻(𝑦) = 𝐼(𝑦) ∥ 𝐼′(𝑦)?  Well, it depends…

1/27/2011 Practical Aspects of Modern Cryptography

Problem 4

 Was it a good idea to construct 𝐻(𝑦) = 𝐼(𝑦) ∥ 𝐼′(𝑦)?  Well, it depends…  YES: At the cost of computing two hashes vs. one, you get

resistance if one of 𝐼, 𝐼′ breaks.

1/27/2011 Practical Aspects of Modern Cryptography

Problem 4

 Was it a good idea to construct 𝐻(𝑦) = 𝐼(𝑦) ∥ 𝐼′(𝑦)?  Well, it depends…  YES: At the cost of computing two hashes vs. one, you get

resistance if one of 𝐼, 𝐼′ breaks, but…

 NO: However, 𝐻(𝑦) doesn’t have the security margin

you’d expect of a 2𝑜-bit hash function. It’s only as strong as the better of its two components

1/27/2011 Practical Aspects of Modern Cryptography

Problem 5

 Alice  Bob: 𝑛 = “please pay the bearer $1”, 𝐼(𝑙, 𝑛).  𝑛 is an exact multiple of 𝐼’𝑡 block size (so you don’t need

to do any padding).

 What can Bob do?

1/27/2011 Practical Aspects of Modern Cryptography

Problem 5

 Note that 𝑙 is only an input to the first application of 𝐼′𝑡

compression function (e.g. it’s the 𝐽𝑊 to the hash of the first block of 𝑛)

 Bob can append data to 𝑛, create 𝑛′ = 𝑛 ∥ “,000,000”,

and compute 𝐼 𝑙, 𝑛′ from 𝐼(𝑙, 𝑛).

1/27/2011 Practical Aspects of Modern Cryptography