Computer Security Lecture 13 - PowerPoint PPT Presentation

1
Computer Security Lecture 13
  • Phillip G. Bradford
  • Computer Science
  • University of Alabama

2
Lecture Outline
  • Review Last Lecture
  • Feistel Ciphers
  • TEA (Tiny Encryption Algorithm)

3
Objectives
  • Work with Feistel Networks
  • Understand their mechanics
  • Understand their importance
  • Understand a small Feistel Network Based Cipher
    TEA
  • Cryptanalysis of TEA

4
Feistel Networks
  • Design Structure of Many Important Symmetric
    Ciphers
  • At the $i$th step
  • Left side $L_i$
  • Right side $R_i$
  • $L_i = R_{i-1}$
  • $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$
  • Or just say $R_i = L_{i-1} \oplus f_i(R_{i-1})$

5
Feistel Networks
  • Important Property from XOR
  • $L_{i-1} \oplus f_i(R_{i-1}) \oplus f_i(R_{i-1}) = L_{i-1}$
  • If $G(f_1, f_2, \ldots, f_t)$ is a Feistel Network
  • Then $G^{-1}(f_1, f_2, \ldots, f_t) = G(f_t, f_{t-1}, \ldots, f_1)$
  • Why is this property important?
  • The functions may even be one-way
  • Hardware decryption

6
Feistel Ciphers
[Figure: Feistel cipher diagram. Labels: Plain Text (2n bits), split into n high bits and n low bits; two rounds shown, each labeled F, Key, XOR, Swap Sides.]

7
TEA: Tiny Encryption Algorithm
  • By David Wheeler and Roger Needham
  • See http://vader.brad.ac.uk/tea/tea.shtml
  • D. Wheeler and R. Needham, TEA, a Tiny
    Encryption Algorithm, Fast Software Encryption,
    Second International Workshop Proceedings,
    Springer-Verlag, 97-110, 1995.

8
TEA is a Feistel Network
  • Assumes 32-bit words (calcs mod $2^{32}$)
  • Key $k_0, \ldots, k_3$, a total of 128 bits
  • Authors mention, 6 cycles may be sufficient for
    OK security
  • The value delta = $(\sqrt{5} - 1)\,2^{31}$
  • Recall a >> b is the same as $a / 2^b$
  • And a << b is $a \cdot 2^b$

9
Encryption with TEA http://vader.brad.ac.uk/tea/tea.shtml
  • y=v[0], z=v[1], sum=0, delta=0x9E3779B9, a=k[0],
    b=k[1], c=k[2], d=k[3], n=32
  • while (n-- > 0) {
  • sum += delta;
  • y += (z << 4)+a ^ z+sum ^ (z >> 5)+b;
  • z += (y << 4)+c ^ y+sum ^ (y >> 5)+d; }
  • w[0]=y; w[1]=z;

10
TEA
  • Uses addition/subtraction in place of xor
  • For combining sides
  • Plaintext $L_0 R_0$
  • $y z$
  • Encryption
  • $L_i = R_{i-1}$
  • $R_i = L_{i-1} + f_i(R_{i-1})$
  • The $f_i$'s are distinguished by sum

11
TEA
  • More precisely
  • All calcs are mod $2^{32}$
  • $f_i(R_{i-1}) =$
  • $((z \ll 4) + a)$
  • $\oplus\ ((z \gg 5) + b)$
  • $\oplus\ (z + \mathit{sum})$

12
TEA
  • Decryption
  • $R_i = L_{i-1}$
  • $L_i = R_{i-1} - f_i(L_{i-1})$
  • The $f_i$'s are distinguished by sum

13
Decryption with TEA http://vader.brad.ac.uk/tea/tea.shtml
  • y=v[0], z=v[1], sum=0xC6EF3720, delta=0x9E3779B9,
    a=k[0], b=k[1], c=k[2], d=k[3], n=32
  • /* sum = delta<<5, in general sum = delta * n */
  • while (n-- > 0) {
  • z -= (y << 4)+c ^ y+sum ^ (y >> 5)+d;
  • y -= (z << 4)+a ^ z+sum ^ (z >> 5)+b;
  • sum -= delta; }
  • w[0]=y; w[1]=z;

14
How Good is TEA?
  • How big is the key space?
  • There can be $2^{128}$ keys $k_0, \ldots, k_3$
  • How many are equivalent?
  • If they were all distinct in that for any message
    $m$, $TEA_{k_1}(m) = TEA_{k_2}(m)$ iff $k_1 = k_2$
  • Then is running $2^{128}$ TEA decryptions infeasible?
  • Do we have computational security?

15
How Good is TEA?
  • Well, $2^{128}$ is about $3.4 \times 10^{38}$
  • Looking at the Motorola 680x0 assembly versions
    of TEA online, there are
  • About 32 instructions run in 16 rounds
  • Or $2^9$ or 512 or about $5 \times 10^2$ instructions
  • Say we can process 1 Gig instructions per second
    = $10^9$ instructions/sec

16
How Good is TEA?
  • This means, we can run about
  • $2 \times 10^6$ or 2 million instantiations of the TEA
    decryption algorithm every second
  • But, if all keys are distinct, then in the worst
    case we must run
  • $(3.4 \times 10^{38}) / (2 \times 10^6)$
  • About $1.7 \times 10^{32}$ seconds

17
How Good is TEA?
  • There are about
  • $60 \times 60 \times 24 \times 365 \approx 3.2 \times 10^7$ seconds in a year
  • Thus, we need $(1.7 \times 10^{32}) / (3.2 \times 10^7)$
  • Or about $5 \times 10^{24}$ years for a worst case
    exhaustive search!
  • I think it is fair to say, if only restricted to
    this attack and all keys are distinct,
  • Then TEA is computationally secure

18
Examining our Assumptions
  • Key assumption: $2^{128}$ distinct keys
  • In fact, this is false!
  • We will follow Mirza's paper and show that the
    key space is of size $2^{126}$
  • Well, not a great improvement, but something

19
Examining our Assumptions
  • TEA is implemented in 32-bit words
  • All computation is mod $2^{32}$
  • So, $2^{31} + 2^{31} = 0$
  • Now, it is claimed that
  • $X + Y = (X \oplus 2^{31}) + (Y \oplus 2^{31})$
  • In cases
  • If $X \geq 2^{31}$ and $Y \geq 2^{31}$, then holds
  • If $X \geq 2^{31}$ and $Y < 2^{31}$, then holds, symmetric
    case
  • If $X < 2^{31}$ and $Y < 2^{31}$, then holds

20
Examining our Assumptions
  • $f_i(R_{i-1}) =$
  • $((z \ll 4) + a)$
  • $\oplus\ ((z \gg 5) + b)$
  • $\oplus\ (z + \mathit{sum})$
  • $= ((z \ll 4) + (a \oplus 2^{31}))$
  • $\oplus\ ((z \gg 5) + (b \oplus 2^{31}))$
  • $\oplus\ (z + \mathit{sum})$
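
Added example (not part of the original lecture or the TEA authors' code): a C check of the equivalent-key claim above. It re-implements the encryption loop from the "Encryption with TEA" slide with `uint32_t` and tries all 16 ways of flipping bit 31 of the four key words, which goes one step past the slide by covering c and d as well as a and b. The key, the plaintext block and the names `same_after_flip` and `count_equivalent` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define DELTA 0x9E3779B9u
#define MSB   0x80000000u            /* 2^31 */

/* TEA encryption of block v under key k, following the encryption slide. */
static void tea_encrypt(const uint32_t v[2], const uint32_t k[4], uint32_t w[2])
{
    uint32_t y = v[0], z = v[1], sum = 0;
    for (int n = 0; n < 32; n++) {
        sum += DELTA;
        y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
    }
    w[0] = y; w[1] = z;
}

/* Returns 1 if flipping bit 31 of the key words selected by `flip`
   (bit j of flip selects k[j]) leaves the ciphertext of v unchanged. */
int same_after_flip(const uint32_t v[2], const uint32_t k[4], unsigned flip)
{
    uint32_t k2[4], c1[2], c2[2];
    for (int j = 0; j < 4; j++)
        k2[j] = k[j] ^ (((flip >> j) & 1u) ? MSB : 0u);
    tea_encrypt(v, k, c1);
    tea_encrypt(v, k2, c2);
    return c1[0] == c2[0] && c1[1] == c2[1];
}

/* Counts how many of the 16 flip patterns give an equivalent key. */
int count_equivalent(const uint32_t v[2], const uint32_t k[4])
{
    int count = 0;
    for (unsigned flip = 0; flip < 16; flip++)
        count += same_after_flip(v, k, flip);
    return count;
}

/* Constructed sample key and plaintext block, chosen arbitrarily. */
static const uint32_t KEY[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };
static const uint32_t BLOCK[2] = { 0xDEADBEEFu, 0x0BADF00Du };

int main(void)
{
    printf("k0,k1 flipped: %d\n", same_after_flip(BLOCK, KEY, 0x3));
    printf("k0 only:       %d\n", same_after_flip(BLOCK, KEY, 0x1));
    printf("equivalent patterns: %d of 16\n", count_equivalent(BLOCK, KEY));
    return 0;
}
```

Only the patterns that flip a and b together, c and d together, or all four words leave the ciphertext unchanged, so every key has four equivalent forms and the effective key space is $2^{128} / 4 = 2^{126}$.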

21
To Be Continued!
  • Friday