Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2
Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher Missing bits January 27, 2011 Practical Aspects of Modern Cryptography 3
Problem 1 π ο Let b = π be the number of blocks . ο Plaintext π 0 , π 1 , β¦ , π π , ciphertext π· 0 , π· 1 , β¦ , π· π . ο We care about π· πβ1 , π· π , π πβ1 and π π . ο We know π , the number of bits removed from the penultimate block, since π = π β (π mod π). ο Recall that for CBC decryption, we have plaintext block π π = Decrypt( πΏ, π· π ) β¨ π· πβπ 1/27/2011 Practical Aspects of Modern Cryptography
Problem 1 π π = Decrypt( πΏ, π· π ) β¨ π· πβπ Compute π π = Decrypt( πΏ, π· π ) (intermediate value of final 1. block) We also know π π = π π πππ π· πβ1 2. if we have all the bits in π· π . Finally, we know the last π bits of π π are 0 (pad). 3. So for each of the padding bits π π,πβπ+1 , β¦ , π π,π 4. we have π π,π = π π,π XOR π· πβ1,π for π = π β π + 1, β¦ , π Since π π,π = 0 , then π π,π = π· πβ1,π 5. 1/27/2011 Practical Aspects of Modern Cryptography
Problem 1: Ciphertext Stealing Plaintext 110101 00β¦0 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher 110101 Ciphertext
Problem 2 ο Decrypt a π -block segment in the middle of a long CBC- encrypted ciphertext. ο What is the minimum number of blocks of ciphertext that need to be decrypted? ο Which blocks do you need to decrypt and how will you decrypt them? 1/27/2011 Practical Aspects of Modern Cryptography
Problem 2 ο In CBC decryption, we have plaintext block π π = Decrypt( πΏ, π· π ) β¨ π· πβπ ο NOTE: Boundary case "π· β1 " = IV. ο Each plaintext block we want requires one decryption of the corresponding plaintext plus one XOR. ο So the minimum number of ciphertext blocks to be decrypted is π. ο If you want plaintext blocks π π , π π+1 , β¦ , π π+πβ1 , then you need ciphertext blocks π· πβ1 , π· π , π· π+1 , β¦ , π· π+πβ1 . ο If π = 0 , instead of π· πβ1 you need the IV. 1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 ο πΌ is a Merkle-DamgΓ₯rd hash function w/ compression function πΊ . Black box takes inputs π½π and π§ and outputs an π¦ such that πΊ π½π, π¦ = π§. ο Show how by using the black box at most 2 π times you can find a set of 2 π messages that all have the same hash value when input into the full hash function πΌ . 1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 β Solution 1 β² satisfying ο Basic idea: find pairs of messages π¦ π , π¦ π β² = π§ π , π = 1, . . , π πΊ π½π π , π¦ π = πΊ π½π π , π¦ π π§ π = π½π π+1 π½π 1 = π½π ο Start at the end. Choose a random target output value π§ π and a random input value π§ πβ1 = π½π π . Call the black box β² . twice with π½π π , π§ π to generate π¦ π , π¦ π ο Now move back a block. We have π§ πβ1 , choose random β² π½π πβ1 = π§ πβ2 . Run the box twice, get π¦ πβ1 , π¦ πβ1 . 1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 β Solution 1 ο We now have 4 two-block messages that hash to the same value when F is the compression function: β² , π¦ πβ1 β² β² β² π¦ πβ1 π¦ π , π¦ πβ1 π¦ π π¦ π , π¦ πβ1 π¦ π ο Repeat this procedure π times and youβll have made 2π β² . calls to the black box to generate π pairs π¦ π , π¦ π ο To generate 2 π messages that hash to the same value, make π -block messages where the π th block is either π¦ π or β² . Two choices per block, π blocks == 2 π . π¦ π 1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 β Solution 2 ο The βfixed pointβ solution ο Choose a fixed value for π½π. Now call the black box to find an π¦ such that πΊ π½π, π¦ = π½π. ο Concatenate π¦ as many times as you want, the hash will still be π½π. So to get 2 π messages: ο π¦, π¦π¦, π¦π¦π¦, π¦π¦π¦π¦, β¦ , π¦π¦π¦ β¦ π¦π¦π¦ ( 2 π total times) 1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 ο π»(π¦) = πΌ(π¦) β₯ πΌβ²(π¦) , πΌ(π¦) and πΌβ²(π¦) are hash functions with π -bit outputs, so π»(π¦) has 2π -bit outputs. ο Normally, with a birthday attack we would expect to have to generate 2 2π/2 = 2 π messages to find a collision. ο However, πΌ(π¦) is badly broken (as in Prob. 3) so assume we can generate 2 π/2 messages that all have the same hash value in πΌ π¦ . 1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 ο Now compute πΌβ²(π¦) for each of the 2 π/2 that have the same hash value in πΌ(π¦) . ο By the birthday attack we expect to find a collision from those 2 π/2 messages. 1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 ο Was it a good idea to construct π»(π¦) = πΌ(π¦) β₯ πΌβ²(π¦) ? 1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 ο Was it a good idea to construct π»(π¦) = πΌ(π¦) β₯ πΌβ²(π¦) ? ο Well, it dependsβ¦ 1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 ο Was it a good idea to construct π»(π¦) = πΌ(π¦) β₯ πΌβ²(π¦) ? ο Well, it dependsβ¦ ο YES: At the cost of computing two hashes vs. one, you get resistance if one of πΌ, πΌβ² breaks. 1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 ο Was it a good idea to construct π»(π¦) = πΌ(π¦) β₯ πΌβ²(π¦) ? ο Well, it dependsβ¦ ο YES: At the cost of computing two hashes vs. one, you get resistance if one of πΌ, πΌβ² breaks, butβ¦ ο NO: However, π»(π¦) doesnβt have the security margin youβd expect of a 2π - bit hash function. Itβs only as strong as the better of its two components 1/27/2011 Practical Aspects of Modern Cryptography
Problem 5 ο Alice ο Bob: π = βplease pay the bearer $1β, πΌ(π, π) . ο π is an exact multiple of πΌβπ‘ block size (so you donβt need to do any padding). ο What can Bob do? 1/27/2011 Practical Aspects of Modern Cryptography
Problem 5 ο Note that π is only an input to the first application of πΌ β² π‘ compression function (e.g. itβs the π½π to the hash of the first block of π ) ο Bob can append data to π , create π β² = π β₯ β,000,000β, and compute πΌ π, π β² from πΌ(π, π) . 1/27/2011 Practical Aspects of Modern Cryptography
Recommend
More recommend
