Explore differential cryptanalysis in DES, implement encryption, upcoming quizzes, and competition details in a hardware-efficient language like C.
DTTF/NB479: Dszquphsbqiz Day 14
• Announcements:
  • Quizzes returned at end of class
• This week:
  • Mon-Thurs: Data Encryption Standard (DES)
  • Today: Differential Cryptanalysis on EDEN
  • HW 4 (assigned Thurs) is to implement DES
  • Friday: Computer quiz on breaking ciphers in ch 2
• Next week:
  • Rijndael, start RSA
• Questions?

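Recall EDEN
• The key Ki for round i is derived from a 9-bit key K.
[Figure: Feistel structure. The 12-bit input is split into L0 (6 bits) and R0 (6 bits). Round 1 applies f with K1 (8 bits) to give L1 (6), R1 (6); round 2 applies f with K2 (8 bits) to give L2 (6), R2 (6); and so on. Repeat for 8 rounds.]
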
Differential Cryptanalysis
• A chosen plaintext attack to find the key
• We’ll work the process together for 3 rounds. Assume we can input L1R1 and view output L4R4.
• This can be extended to 4 rounds

Extension to 4 Rounds
• Exploits weaknesses in S-boxes.
  • S1: 12/16 of input pairs with XOR = 0011 have output XOR 011
  • S2: 8/16 of input pairs with XOR = 1100 have output XOR 010
  • But we expect only 2/16 pairs in each case
• We choose R0, R0* such that R0’ = 001100
• P(XOR of outputs = 011010) ~ 3/8.
• If we also choose L0, L0* such that L0’ = 011010, then 3/8 of the time, L1’R1’ = 001100 000000.
• So we choose lots of pairs like this, and do the 3-round method with L1’ = 001100 and the known outputs.
• We’ll get lots of garbage (random keys), since we aren’t sure that L1’ = 001100, but since it shows up so often, K4 will show up much more frequently than other keys!
• Example on p. 122 gives key frequencies using an attack with 100 such inputs. K4 shows up ~50% more than others.

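The counts on this slide can be checked by brute force. The following is an added example, not part of the original slides: it assumes EDEN is the simplified DES-type algorithm from Trappe and Washington's textbook and uses that cipher's S-boxes and expansion function, which the slides do not reproduce; all function names are illustrative.

```python
# S-boxes of the textbook's simplified DES-type cipher (assumed; not on the slides).
# Each takes 4 bits: the first bit picks the row, the last three pick the column.
S1 = [[5, 2, 1, 6, 3, 4, 7, 0], [1, 4, 6, 2, 0, 7, 5, 3]]
S2 = [[4, 0, 6, 5, 7, 1, 3, 2], [5, 3, 0, 7, 6, 2, 1, 4]]

def sbox(table, x):
    return table[x >> 3][x & 7]

def xor_count(table, in_xor, out_xor):
    """Number of 4-bit inputs x with S(x) ^ S(x ^ in_xor) == out_xor."""
    return sum(sbox(table, x) ^ sbox(table, x ^ in_xor) == out_xor
               for x in range(16))

def expand(r):
    """Expansion E (assumed): 6 bits b1..b6 -> 8 bits b1 b2 b4 b3 b4 b3 b5 b6."""
    b = [(r >> (5 - i)) & 1 for i in range(6)]
    out = 0
    for bit in (b[0], b[1], b[3], b[2], b[3], b[2], b[4], b[5]):
        out = (out << 1) | bit
    return out

def f(r, k):
    """Round function: S1 on the left nibble of E(r) ^ k, S2 on the right."""
    t = expand(r) ^ k
    return (sbox(S1, t >> 4) << 3) | sbox(S2, t & 0xF)

def round_pairs_hit(k, r_xor=0b001100, l_xor=0b011010):
    """Count (L0, R0) whose one-round output difference is r_xor || 000000."""
    hits = 0
    for l0 in range(64):
        for r0 in range(64):
            l1, r1 = r0, l0 ^ f(r0, k)                      # round on (L0, R0)
            l1s = r0 ^ r_xor                                # round on (L0*, R0*)
            r1s = (l0 ^ l_xor) ^ f(r0 ^ r_xor, k)
            hits += (l1 ^ l1s, r1 ^ r1s) == (r_xor, 0)
    return hits

if __name__ == "__main__":
    print("S1 0011 -> 011:", xor_count(S1, 0b0011, 0b011), "/ 16")
    print("S2 1100 -> 010:", xor_count(S2, 0b1100, 0b010), "/ 16")
    # E(001100) = 0011 1100, so S1 sees input XOR 0011 and S2 sees 1100.
    print("E(001100) =", format(expand(0b001100), "08b"))
    # 0xA5 is a constructed sample round key; the count does not depend on it.
    print("L1'R1' = 001100 000000:", round_pairs_hit(0xA5), "/ 4096")
```

The round key cancels out of the input difference, which is why the 3/8 fraction holds whatever K1 is and why the attacker can rely on it without knowing the key.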
Extensions
• What about more than 4 rounds?
• What about stronger S-boxes?
• Can do both, just require more inputs to gather statistics to find key.
• Is this more efficient than brute forcing?

Summary
• Could the DES designers have anticipated diffy crypt attacks?

HW4: DES Implementation
• I implemented EDEN in Java fairly quickly
• DES is obviously more complicated
• You’ll implement encryption and decryption.
• Correctness:
  • Can use one to test the other.
• Efficiency:
  • In addition, it’d be nice to use a language that is closer to the hardware for efficiency, like C.
  • I’m planning a competition to see whose implementation is quickest!