logging in or signing up Jorge Nakahara Jr A Linear Analysis of Blowfish an Danielle Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 599 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: October 11, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript A Linear Analysis of Blowfish and Khufu: A Linear Analysis of Blowfish and Khufu Jorge Nakahara Jr Unisantos, Brazil jorge_nakahara@yahoo.com.brOutline: Outline The Khufu and Blowfish Block Ciphers Linear Cryptanalysis Linear Attacks on Blowfish Linear Attacks on Khufu ConclusionsThe Khufu Block Cipher: The Khufu Block Cipher Block cipher with Feistel Network structure Designed by R.C.Merkle in 1989 64-bit blocks (plaintext/ciphertext) Variable-length key: up to 512 bits 8r rounds (1≤ r ≤ 8), where r is called octet (originally r = 2 was suggested) One key-dependent 8x32-bit S-box per octetThe Khufu Block Cipher: The Khufu Block CipherThe Blowfish Block Cipher: The Blowfish Block Cipher Cipher with Feistel Network structure Designed by B. Schneier in 1993 64-bit blocks (plaintext/ciphertext) Variable-length key: 32 bits up to 448 bits 16 rounds Key-dependent 8x32-bit S-boxes and a P-tableThe Blowfish Block Cipher: The Blowfish Block CipherLinear Cryptanalysis: Linear Cryptanalysis Developed by Mitsuru Matsui (Mitsubishi Corp.) Initially applied against DES (1990), FEAL-4 and FEAL-8 (1989) Known-plaintext (KP) attack setting Distinguisher tool: linear relation involving plaintext, key and ciphertext bits with non-uniform parity (away from ½) (nonzero) bias of linear relationsLinear Cryptanalysis: Linear Cryptanalysis number of known-plaintexts for high success rate attack is proportional to bias-2 general attack technique (applied to block and stream ciphers) variant techniques: differential-linear, multiple linear relations, linear hulls Linear Attacks on Blowfish: Linear Attacks on Blowfish - unlike previous DC, our LC attacks do not require the S-boxes to be non-injective mappings - 8x32-bit S-boxes are key-dependent, but always non-surjective mappings we exploit linear relations of the form 0 across the S-boxes, where is a non-zero bit mask. we choose = 1 due to mixing of modular addition and exclusive-or in the round function, Linear Attacks on Blowfish: Linear Attacks on Blowfish exploit the least significant bit positions (to avoid decreasing the bias due to carry and borrow bits) extend linear relations to full rounds, and to multiple rounds: iterative linear relations we have found 2-round iterative linear relations construction of the linear distinguishers was heavily influenced by the design of BlowfishLinear Attacks on Blowfish: Linear Attacks on Blowfish we derive one-bit of information on the key-dependent P-table: (L0 + L2t).1 = (P1 + P2 + ...+ P2t+1).1 (R0 + R2t).1 = (P2 + P4 + ...+ P2t).1 where (Li, Ri) are the left and right halves of the i-th round block, and + is xor.Linear Attacks on Blowfish: Linear Attacks on Blowfish the bias of linear relations depends on the key since the four S-boxes are key-dependent: weak (user) keys Linear Attacks on Khufu: Linear Attacks on Khufu 8x32-bit key-dependent S-boxes again, S-boxes are non-surjective: the bit mask has the form 0, with non-zero bit-rotation in each round is by a multiple of 8 bits this fact inspired rotation-invariant bit masks: <<< 8t = Linear Attacks on Khufu: Linear Attacks on Khufu thus, the masks do not change if they are rotated by 8-bit amounts (in either direction) more precisely, = mmmm, m *256 we have looked for iterative linear relations we have found 2-round and 8-round iterative linear relations for rotation-symmetric masks Linear Attacks on Khufu: Linear Attacks on KhufuLinear Attacks on Khufu: Linear Attacks on Khufu ciphertext-only (CO) attacks: exploit linear relations of the form 80000000x, 00800000x, .... 80808080x and assuming the plaintext is ASCII text. CO attack is possible because of exclusive-or (diffusion is poor!) Conclusions: Conclusions linear attacks on Blowfish and Khufu weak-key assumption (distinct from DC attack assumption) old, known attack technique on old ciphers, but new and better (known-plaintext and ciphertext-only) results, compared to previous attacks (DC, ID) that worked in a chosen-plaintext setting.Conclusions: Conclusions You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
Jorge Nakahara Jr A Linear Analysis of Blowfish an Danielle Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 599 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: October 11, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript A Linear Analysis of Blowfish and Khufu: A Linear Analysis of Blowfish and Khufu Jorge Nakahara Jr Unisantos, Brazil jorge_nakahara@yahoo.com.brOutline: Outline The Khufu and Blowfish Block Ciphers Linear Cryptanalysis Linear Attacks on Blowfish Linear Attacks on Khufu ConclusionsThe Khufu Block Cipher: The Khufu Block Cipher Block cipher with Feistel Network structure Designed by R.C.Merkle in 1989 64-bit blocks (plaintext/ciphertext) Variable-length key: up to 512 bits 8r rounds (1≤ r ≤ 8), where r is called octet (originally r = 2 was suggested) One key-dependent 8x32-bit S-box per octetThe Khufu Block Cipher: The Khufu Block CipherThe Blowfish Block Cipher: The Blowfish Block Cipher Cipher with Feistel Network structure Designed by B. Schneier in 1993 64-bit blocks (plaintext/ciphertext) Variable-length key: 32 bits up to 448 bits 16 rounds Key-dependent 8x32-bit S-boxes and a P-tableThe Blowfish Block Cipher: The Blowfish Block CipherLinear Cryptanalysis: Linear Cryptanalysis Developed by Mitsuru Matsui (Mitsubishi Corp.) Initially applied against DES (1990), FEAL-4 and FEAL-8 (1989) Known-plaintext (KP) attack setting Distinguisher tool: linear relation involving plaintext, key and ciphertext bits with non-uniform parity (away from ½) (nonzero) bias of linear relationsLinear Cryptanalysis: Linear Cryptanalysis number of known-plaintexts for high success rate attack is proportional to bias-2 general attack technique (applied to block and stream ciphers) variant techniques: differential-linear, multiple linear relations, linear hulls Linear Attacks on Blowfish: Linear Attacks on Blowfish - unlike previous DC, our LC attacks do not require the S-boxes to be non-injective mappings - 8x32-bit S-boxes are key-dependent, but always non-surjective mappings we exploit linear relations of the form 0 across the S-boxes, where is a non-zero bit mask. we choose = 1 due to mixing of modular addition and exclusive-or in the round function, Linear Attacks on Blowfish: Linear Attacks on Blowfish exploit the least significant bit positions (to avoid decreasing the bias due to carry and borrow bits) extend linear relations to full rounds, and to multiple rounds: iterative linear relations we have found 2-round iterative linear relations construction of the linear distinguishers was heavily influenced by the design of BlowfishLinear Attacks on Blowfish: Linear Attacks on Blowfish we derive one-bit of information on the key-dependent P-table: (L0 + L2t).1 = (P1 + P2 + ...+ P2t+1).1 (R0 + R2t).1 = (P2 + P4 + ...+ P2t).1 where (Li, Ri) are the left and right halves of the i-th round block, and + is xor.Linear Attacks on Blowfish: Linear Attacks on Blowfish the bias of linear relations depends on the key since the four S-boxes are key-dependent: weak (user) keys Linear Attacks on Khufu: Linear Attacks on Khufu 8x32-bit key-dependent S-boxes again, S-boxes are non-surjective: the bit mask has the form 0, with non-zero bit-rotation in each round is by a multiple of 8 bits this fact inspired rotation-invariant bit masks: <<< 8t = Linear Attacks on Khufu: Linear Attacks on Khufu thus, the masks do not change if they are rotated by 8-bit amounts (in either direction) more precisely, = mmmm, m *256 we have looked for iterative linear relations we have found 2-round and 8-round iterative linear relations for rotation-symmetric masks Linear Attacks on Khufu: Linear Attacks on KhufuLinear Attacks on Khufu: Linear Attacks on Khufu ciphertext-only (CO) attacks: exploit linear relations of the form 80000000x, 00800000x, .... 80808080x and assuming the plaintext is ASCII text. CO attack is possible because of exclusive-or (diffusion is poor!) Conclusions: Conclusions linear attacks on Blowfish and Khufu weak-key assumption (distinct from DC attack assumption) old, known attack technique on old ciphers, but new and better (known-plaintext and ciphertext-only) results, compared to previous attacks (DC, ID) that worked in a chosen-plaintext setting.Conclusions: Conclusions