Jorge Nakahara Jr A Linear Analysis of Blowfish an

Uploaded from authorPOINTLite
Views:
 
Category: Entertainment
     
 

Presentation Description

No description available.

Comments

Presentation Transcript

A Linear Analysis of Blowfish and Khufu: 

A Linear Analysis of Blowfish and Khufu Jorge Nakahara Jr Unisantos, Brazil jorge_nakahara@yahoo.com.br

Outline: 

Outline The Khufu and Blowfish Block Ciphers Linear Cryptanalysis Linear Attacks on Blowfish Linear Attacks on Khufu Conclusions

The Khufu Block Cipher: 

The Khufu Block Cipher Block cipher with Feistel Network structure Designed by R.C.Merkle in 1989 64-bit blocks (plaintext/ciphertext) Variable-length key: up to 512 bits 8r rounds (1≤ r ≤ 8), where r is called octet (originally r = 2 was suggested) One key-dependent 8x32-bit S-box per octet

The Khufu Block Cipher: 

The Khufu Block Cipher

The Blowfish Block Cipher: 

The Blowfish Block Cipher Cipher with Feistel Network structure Designed by B. Schneier in 1993 64-bit blocks (plaintext/ciphertext) Variable-length key: 32 bits up to 448 bits 16 rounds Key-dependent 8x32-bit S-boxes and a P-table

The Blowfish Block Cipher: 

The Blowfish Block Cipher

Linear Cryptanalysis: 

Linear Cryptanalysis Developed by Mitsuru Matsui (Mitsubishi Corp.) Initially applied against DES (1990), FEAL-4 and FEAL-8 (1989) Known-plaintext (KP) attack setting Distinguisher tool: linear relation involving plaintext, key and ciphertext bits with non-uniform parity (away from ½) (nonzero) bias of linear relations

Linear Cryptanalysis: 

Linear Cryptanalysis number of known-plaintexts for high success rate attack is proportional to bias-2 general attack technique (applied to block and stream ciphers) variant techniques: differential-linear, multiple linear relations, linear hulls

Linear Attacks on Blowfish: 

Linear Attacks on Blowfish - unlike previous DC, our LC attacks do not require the S-boxes to be non-injective mappings - 8x32-bit S-boxes are key-dependent, but always non-surjective mappings we exploit linear relations of the form 0 across the S-boxes, where  is a non-zero bit mask. we choose  = 1 due to mixing of modular addition and exclusive-or in the round function,

Linear Attacks on Blowfish: 

Linear Attacks on Blowfish exploit the least significant bit positions (to avoid decreasing the bias due to carry and borrow bits) extend linear relations to full rounds, and to multiple rounds: iterative linear relations we have found 2-round iterative linear relations construction of the linear distinguishers was heavily influenced by the design of Blowfish

Linear Attacks on Blowfish: 

Linear Attacks on Blowfish we derive one-bit of information on the key-dependent P-table: (L0 + L2t).1 = (P1 + P2 + ...+ P2t+1).1 (R0 + R2t).1 = (P2 + P4 + ...+ P2t).1 where (Li, Ri) are the left and right halves of the i-th round block, and + is xor.

Linear Attacks on Blowfish: 

Linear Attacks on Blowfish the bias of linear relations depends on the key since the four S-boxes are key-dependent: weak (user) keys

Linear Attacks on Khufu: 

Linear Attacks on Khufu 8x32-bit key-dependent S-boxes again, S-boxes are non-surjective: the bit mask has the form 0, with  non-zero bit-rotation in each round is by a multiple of 8 bits this fact inspired rotation-invariant bit masks:  <<< 8t = 

Linear Attacks on Khufu: 

Linear Attacks on Khufu thus, the masks do not change if they are rotated by 8-bit amounts (in either direction) more precisely,  = mmmm, m  *256 we have looked for iterative linear relations we have found 2-round and 8-round iterative linear relations for rotation-symmetric masks

Linear Attacks on Khufu: 

Linear Attacks on Khufu

Linear Attacks on Khufu: 

Linear Attacks on Khufu ciphertext-only (CO) attacks: exploit linear relations of the form 80000000x, 00800000x, .... 80808080x and assuming the plaintext is ASCII text. CO attack is possible because of exclusive-or (diffusion is poor!)

Conclusions: 

Conclusions linear attacks on Blowfish and Khufu weak-key assumption (distinct from DC attack assumption) old, known attack technique on old ciphers, but new and better (known-plaintext and ciphertext-only) results, compared to previous attacks (DC, ID) that worked in a chosen-plaintext setting.

Conclusions: 

Conclusions