A Linear Analysis of Blowfish and Khufu

1
A Linear Analysis of Blowfish and Khufu
Jorge Nakahara Jr, Unisantos, Brazil, jorge_nakahara_at_yahoo.com.br
2
Outline
  • The Khufu and Blowfish Block Ciphers
  • Linear Cryptanalysis
  • Linear Attacks on Blowfish
  • Linear Attacks on Khufu
  • Conclusions

3
The Khufu Block Cipher
  • Block cipher with Feistel Network structure
  • Designed by R.C.Merkle in 1989
  • 64-bit blocks (plaintext/ciphertext)
  • Variable-length key up to 512 bits
  • 8r rounds (1 ≤ r ≤ 8), where r is called octet
    (originally r = 2 was suggested)
  • One key-dependent 8x32-bit S-box per octet

4
The Khufu Block Cipher
5
The Blowfish Block Cipher
  • Cipher with Feistel Network structure
  • Designed by B. Schneier in 1993
  • 64-bit blocks (plaintext/ciphertext)
  • Variable-length key: 32 bits up to 448 bits
  • 16 rounds
  • Key-dependent 8x32-bit S-boxes and a P-table

6
The Blowfish Block Cipher
7
Linear Cryptanalysis
  • Developed by Mitsuru Matsui (Mitsubishi Corp.)
  • Initially applied against DES (1990), FEAL-4 and
    FEAL-8 (1989)
  • Known-plaintext (KP) attack setting
  • Distinguisher tool: linear relation involving
    plaintext, key and ciphertext bits with
    non-uniform parity (away from ½)
  • (nonzero) bias of linear relations

8
Linear Cryptanalysis
  • number of known plaintexts for a high-success-rate
    attack is proportional to bias^(-2)
  • general attack technique (applied to block and
    stream ciphers)
  • variant techniques: differential-linear, multiple
    linear relations, linear hulls

9
Linear Attacks on Blowfish
  • unlike previous DC, our LC attacks do not
    require the S-boxes to be non-injective mappings
  • 8x32-bit S-boxes are key-dependent, but always
    non-surjective mappings
  • we exploit linear relations of the form 0 → Γ
    across the S-boxes, where Γ is a non-zero bit
    mask.
  • we choose Γ = 1 due to mixing of modular addition
    and exclusive-or in the round function,

10
Linear Attacks on Blowfish
  • exploit the least significant bit positions (to
    avoid decreasing the bias due to carry and borrow
    bits)
  • extend linear relations to full rounds, and to
    multiple rounds iterative linear relations
  • we have found 2-round iterative linear relations
  • construction of the linear distinguishers was
    heavily influenced by the design of Blowfish

11
Linear Attacks on Blowfish
  • we derive one bit of information on the
    key-dependent P-table
  • (L0 ⊕ L2t)·1 = (P1 ⊕ P2 ⊕ ... ⊕ P2t1)·1
  • (R0 ⊕ R2t)·1 = (P2 ⊕ P4 ⊕ ... ⊕ P2t)·1
  • where (Li, Ri) are the left and right halves
    of the i-th round block, and ⊕ is xor.

12
Linear Attacks on Blowfish
  • the bias of linear relations depends on the key
    since the four S-boxes are key-dependent → weak
    (user) keys

13
Linear Attacks on Khufu
  • 8x32-bit key-dependent S-boxes
  • again, S-boxes are non-surjective: the bit mask
    has the form 0 → Γ, with Γ non-zero
  • bit-rotation in each round is by a multiple of 8
    bits
  • this fact inspired rotation-invariant bit masks:
    Γ <<< 8t = Γ

14
Linear Attacks on Khufu
  • thus, the masks do not change if they are rotated
    by 8-bit amounts (in either direction)
  • more precisely, Γ = mmmm, m ∈ ℤ256
  • we have looked for iterative linear relations
  • we have found 2-round and 8-round iterative
    linear relations for rotation-symmetric masks
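
An added example (not from the presentation or the paper): it measures, for an 8x32-bit S-box, the bias of an approximation with zero input mask and non-zero output mask Γ, both for Γ = 1 as on the Blowfish slides and for the rotation-invariant masks Γ = mmmm on the Khufu slides. The S-boxes are constructed from a seeded PRNG as stand-ins for key-dependent tables; all function names are assumptions and no real key schedule is used.

```python
import random

MASK32 = 0xFFFFFFFF

def parity(x):
    """XOR of all bits of x."""
    return bin(x).count("1") & 1

def bias_zero_input(sbox, gamma):
    """Bias of 0 -> gamma: Pr[gamma . S[x] = 0] - 1/2 over all S-box inputs x."""
    zeros = sum(1 for y in sbox if parity(y & gamma) == 0)
    return zeros / len(sbox) - 0.5

def rotl32(x, n):
    """Rotate the 32-bit word x left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32

def is_rotation_invariant(gamma):
    """True if gamma <<< 8t == gamma for every byte rotation t."""
    return all(rotl32(gamma, 8 * t) == gamma for t in range(1, 4))

def invariant_masks():
    """All masks of the form mmmm with a non-zero byte m."""
    return [m * 0x01010101 for m in range(1, 256)]

def best_invariant_mask(sbox):
    """Rotation-invariant mask with the largest absolute bias for this S-box."""
    return max(invariant_masks(), key=lambda g: abs(bias_zero_input(sbox, g)))

def constructed_sbox(seed):
    """Constructed stand-in for a key-dependent 8x32-bit S-box.
    Assumption: a seeded PRNG plays the role of the key; this is not
    the Blowfish or Khufu key schedule."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(256)]

if __name__ == "__main__":
    for seed in range(4):  # each seed models a different user key
        s = constructed_sbox(seed)
        g = best_invariant_mask(s)
        print(f"key {seed}: bias(0->1) = {bias_zero_input(s, 1):+.4f}, "
              f"best mmmm mask {g:08x} bias = {bias_zero_input(s, g):+.4f}")
```

Each seed gives a different table, so the printed biases differ per "key"; keys whose tables give a large bias are the weak keys the slides refer to.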

15
Linear Attacks on Khufu
16
Linear Attacks on Khufu
  • ciphertext-only (CO) attacks exploit linear
    relations of the form 80000000x, 00800000x, ...,
    80808080x, assuming the plaintext is ASCII
    text.
  • CO attack is possible because of exclusive-or
    (diffusion is poor!)

17
Conclusions
  • linear attacks on Blowfish and Khufu
  • weak-key assumption (distinct from DC attack
    assumption)
  • old, known attack technique on old ciphers,
  • but new and better (known-plaintext and
    ciphertext-only) results, compared to previous
    attacks (DC, ID) that worked in a
    chosen-plaintext setting.

18
Conclusions