Dmitry Khovratovich, Gaëtan Leurent, and Christian Rechberger. 2012. Narrow-Bicliques: Cryptanalysis of Full IDEA. In Proceedings of the 31st Annual International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT'12), David Pointcheval and Thomas Johansson (Eds.). Springer-Verlag, Berlin, Heidelberg, 392–410.

Rifad MMM (138229C), Mumtaz MAM (138218R)

Page 2: Narrow bicliquesppt

The biclique attack framework was recently introduced as a way to add more rounds to a meet-in-the-middle (MITM) attack while potentially keeping the same time complexity.


Page 3: Narrow bicliquesppt

Given: A block cipher

Goal: find the single unknown key

The cryptanalyst is allowed to choose plaintexts and ask for their ciphertexts (CPA)


Page 4: Narrow bicliquesppt

The meet-in-the-middle attack attempts to find a value using both the range (ciphertext) and the domain (plaintext) of a composition of several functions.

Key guesses faster than brute force
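The meet-in-the-middle idea on this slide, as an added example that is not from the slides or the paper: a constructed 16-bit toy cipher (not IDEA) built as g(k2, f(k1, P)) with two independent 12-bit subkeys. All names and constants are assumptions made for the illustration; the middle value v is computed forward from the plaintext and backward from the ciphertext, so about 2 * 2^12 half-cipher evaluations replace the 2^24 full trials of brute force.

```python
# Added illustration: meet-in-the-middle on a constructed toy cipher (not IDEA).
MASK = 0xFFFF
MUL = 0x9E37                       # odd, so it is invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK

def f(k1, x):                      # first half of the cipher, uses only k1
    x = ((x + k1) & MASK) * MUL & MASK
    return rotl(x, 5) ^ k1

def g(k2, x):                      # second half of the cipher, uses only k2
    x = ((x ^ k2) * MUL) & MASK
    return (rotl(x, 7) + k2) & MASK

def g_inv(k2, y):                  # inverse of g, used for the backward direction
    x = rotr((y - k2) & MASK, 7)
    return ((x * MUL_INV) & MASK) ^ k2

def encrypt(k1, k2, p):
    return g(k2, f(k1, p))

def mitm(pairs, key_bits=12):
    """Return every (k1, k2) consistent with all chosen-plaintext pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}                   # middle value v -> list of k1 producing it from p0
    for k1 in range(1 << key_bits):
        forward.setdefault(f(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << key_bits):
        v = g_inv(k2, c0)          # same middle value, computed from the ciphertext
        for k1 in forward.get(v, ()):
            # a match on one pair may be a false positive: recheck on the other pairs
            if all(encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates

# Constructed sample data: a secret key and three chosen plaintexts.
SECRET = (0x3A7, 0xC15)
PAIRS = [(p, encrypt(*SECRET, p)) for p in (0x0123, 0xBEEF, 0x5A5A)]

if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in mitm(PAIRS)])
```

The extra pairs matter because the 24-bit key is longer than the 16-bit block, so a match on the first pair alone leaves many wrong candidates.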


Page 5: Narrow bicliquesppt

International Data Encryption Algorithm (IDEA)

Designed by Lai and Massey, 1991

64-bit blocks, 128-bit key

Widely implemented


Page 6: Narrow bicliquesppt

Crypto 2011 Rump Session, Biham et al.:

MITM attacks on up to 6 (middle) rounds

Example: variant with 2 plaintext/ciphertext pairs

– Time: about 2^123


Page 7: Narrow bicliquesppt

A biclique is a set of internal states, which are constructed in the first or in the last rounds of a cipher and mapped to each other by specifically chosen keys.


Page 8: Narrow bicliquesppt

The idea behind this attack is to partition the block cipher's key space into groups of keys, where each key in a group is tested using the meet-in-the-middle technique.

The key space is partitioned into three sets of key bits: Kb, Kf, and Kg.


Page 9: Narrow bicliquesppt

Let f be the mapping describing the first cipher rounds, then a biclique for a group Kg is a set of states {Pi}, {Sj} such that


Page 10: Narrow bicliquesppt

Keys in a group are tested as follows. A cryptanalyst asks for the encryption of plaintexts Pi and gets ciphertexts Ci.

Then he checks if

where g maps states Sj to ciphertexts.

A biclique is said to have dimension d, if both Kb and Kf have d bits.


Page 11: Narrow bicliquesppt

To test the keys within a group, a variable v is calculated in both directions as depicted by the following equations. In this case the mapping functions are called chunks (g1 and g2).


Page 12: Narrow bicliquesppt

The following figure depicts key testing with biclique of three plaintexts and three internal states.


Page 13: Narrow bicliquesppt

A narrow biclique technique limits the length of a biclique to the number of rounds needed for the full diffusion.

Efficiently, for every key group, find internal state variables such that resulting plaintexts collide in as many bits as possible

