Exhaustive Key Search for DES: Updates and refinements

Jean-Jacques Quisquater, UCL Crypto Group, Louvain-la-Neuve, Belgium
François-Xavier Standaert (UCL, Columbia, MIT)
[email protected]
http://uclcrypto.org

keylength.com announcement

• cryptosavvy.com is down
• A new active web site run by UCL Crypto Group
• Gives length of keys for the future (till 2050) based on (adjustable by you) criteria
• Secret key, public key (RSA, ECC), hash functions
• Based on papers by Lenstra and Verheul
• Approved and reviewed by Arjen Lenstra
• Your comments?

The beginning of the story

• Brute force attack: try all keys (possibilities)

• Brute force people: the Yahoos (see Jonathan Swift, Gulliver's Travels)

• What is possible today?

[Pictures: Jonathan Swift (Gulliver's Travels); "Power and Sieving, by Monks (Monkeys?)"]

Introduction

- Brute-force attacks: often the most realistic

- Basic scenarios: exhaustive search or precomputation tables

- Hellman (1980): trade time for memory (time, memory, precomputation)

- Rivest (1982): use of distinguished points (Denning's book)

More realistic attacks: exhaustive search costs $O(N)$ time; Hellman's tradeoff costs $O(N^{2/3})$ time and $O(N^{2/3})$ memory after an $O(N)$ precomputation.

Exhaustive search: Basic algorithm

• Given m and c, try all keys k in K:
  – Test if E(m, k) = c
• If yes, output k
• k is the key with high probability

Basic algorithm (in //)

• Split K in K1, K2, K3, …
• Distribute m, c and Ki to node i
• Each node i does:
  – Given m and c, try all keys k in Ki
  – Test if E(m, k) = c
  – If yes, output k
• k is the key with high probability

Key search: Bombe

IEEE Computer - November 1991; Crypto 87 - rump session

RFC 3607
Network Working Group                                    M. Leech
Request for Comments: 3607                        Nortel Networks
Category: Informational                            September 2003

Chinese Lottery Cryptanalysis Revisited: The Internet as a Codebreaking Tool

Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract
This document revisits the so-called Chinese Lottery massively-parallel cryptanalytic attack. It explores Internet-based analogues to the Chinese Lottery, and their potentially-serious consequences.

1. Introduction
In 1991, Quisquater and Desmedt proposed an esoteric, but technically sound, attack against DES or similar ciphers. They termed this attack the Chinese Lottery. It was based on a …

Other paradigm (Chinese Lotto)

• Broadcast (download) m and c
• Each computing node does, whenever it can:
  – Choose a random key r in K
  – Given m and c, try r: test if E(m, r) = c
  – If yes, output r (low communication)
• r is the key with high probability

Other Paradigm (the Chinese Lotto)

• Advantages (Daniel Bernstein :-):
  – Low cost
  – No control
  – No communication
  – No wire
  – Efficient (the price of anarchy – see Papadimitriou – is only 2)
  – Automatic redundancy at low cost
  – Trade-offs are possible
  – Not used?
  – See also book by Tanenbaum
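The partitioned search of the "Basic algorithm (in //)" slide and the Chinese Lotto of this one, simulated together (an added example, not code from the slides). `encrypt` is a SHA-256 keyed PRF standing in for DES; the 14-bit key space, the node count and the seed are assumptions chosen so the run takes about a second. All nodes run in lockstep, one trial per node per round, and work is counted as rounds × nodes, so the ratio between the two paradigms is the price of anarchy the slide quotes.

```python
"""Partitioned exhaustive search versus the Chinese Lotto, simulated in lockstep."""
import hashlib
import random

KEY_BITS = 14                # toy key size (assumption; DES has 56)
N = 1 << KEY_BITS            # |K| = 2^14 keys


def encrypt(key: int, m: bytes) -> bytes:
    """Stand-in for E(m, k): SHA-256 of key||m truncated to 8 bytes (assumption, not DES)."""
    return hashlib.sha256(key.to_bytes(8, "big") + m).digest()[:8]


def run_in_lockstep(m: bytes, c: bytes, node_keys):
    """All nodes run in parallel: one key trial per node per round, until some node
    hits a key k with E(m, k) = c.  Returns (k, work) with work = rounds * nodes."""
    rounds = 0
    while True:
        rounds += 1
        for keys in node_keys:
            k = next(keys)
            if encrypt(k, m) == c:
                return k, rounds * len(node_keys)


def exhaustive_search(m: bytes, c: bytes, nodes: int):
    """Basic algorithm (in //): split K into equal slices K_1..K_n, node i walks K_i."""
    step = N // nodes
    slices = [iter(range(i * step, (i + 1) * step)) for i in range(nodes)]
    return run_in_lockstep(m, c, slices)


def chinese_lottery(m: bytes, c: bytes, nodes: int, rng: random.Random):
    """Chinese Lotto: every node draws random keys r in K with no coordination at all."""
    def draws():
        while True:
            yield rng.randrange(N)
    return run_in_lockstep(m, c, [draws() for _ in range(nodes)])


def price_of_anarchy(runs: int = 24, nodes: int = 8, seed: int = 7) -> float:
    """Average lottery work / average partitioned work over `runs` random keys.
    Partitioned search tries about N/2 keys before the hit, the lottery about N
    (keys are drawn with replacement), so the ratio tends to 2."""
    rng = random.Random(seed)
    m = b"plaintxt"                          # constructed 8-byte block
    work_exh = work_lot = 0
    for _ in range(runs):
        key = rng.randrange(N)
        c = encrypt(key, m)
        k1, w1 = exhaustive_search(m, c, nodes)
        k2, w2 = chinese_lottery(m, c, nodes, rng)
        assert k1 == key and k2 == key      # both paradigms recover the key
        work_exh += w1
        work_lot += w2
    return work_lot / work_exh


if __name__ == "__main__":
    print(f"price of anarchy ~ {price_of_anarchy():.2f}")
```

Partitioned search stops after about N/2 trials and the lottery after about N, because a lottery node can repeat another node's draw; that factor 2 is the whole price paid for needing no slices, no schedule and no channel back to anyone except to announce a hit.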

DES and exhaustive key search machines

- 1977: Diffie & Hellman, US$ 20M (predicted DES totally insecure by the 1990s)

- 1987: 512 000 DES / second in one chip

- 1993: Wiener, US$ 1M, success in 3.5 hours (prediction)

- 1997, 1998, RSA challenges: DES cryptograms broken by computer consortiums in resp. 5 months and 39 days

- 1998: EFF DES cracker hardware, US$ 200 000, 3 days

- Recent FPGAs ???

[Picture: EFF DES Cracker, Paul Kocher]

TODAY?

- Spartan 3S1000 : US$ 12

- Optimized FPGA implementations of the DES:

  XC2V8000: 93184 LUT (22 DES in //): $2^{33}$ DES/sec/chip

  3S1000: 15360 LUT (4 DES in //): $2^{29}$ DES/sec/chip

- US$ 12 000 (1000 Spartan chips) to crack a DES key in about 3 days

First conclusions

• Pure exhaustive search: $2^{55}$ keys (half of the $2^{56}$, on average)
• Using existing implementations (UCL) with today's technology (Xilinx):
  – Simplest attack: one chip in $2^{22}$ sec (2 months)

NSA?

Long keys today?

• One year ($2^{25}$ seconds)

• One million ($2^{20}$) Xilinx XC2V8000 chips (better?)

• That is $2^{25}$ sec × $2^{20}$ chips × $2^{33}$ DES/sec = $2^{78}$ keys

• Conclusion: 80 bits is NOT enough at all for long term security (112-128-256 bits?).

Hellman’s time-memory tradeoff

- Let P be a fixed chosen plaintext

- Let g be a function that maps ciphertexts to keys; we define

  $f(K) = g(E_K(P))$

  (=> ~ encryption, <= cryptanalysis)

a) Precomputation (r tables):

  from each start point $X_{i,0}$ compute the chain $X_{i,1} = f(X_{i,0}),\ \dots,\ X_{i,t} = f(X_{i,t-1})$ and store only the extreme points $(X_{i,0},\ EP_i = X_{i,t})$

b) Online attack:

- Let $C = E_K(P)$ be the intercepted ciphertext

- Compute $Y = g(C) = f(K)$

- Start chaining and check for every point whether it is in the table:
  if $Y = EP_i$ then $K = X_{i,t-1}$ (recomputed from $X_{i,0}$; after $j$ further iterations $Y \leftarrow f(Y)$ the candidate is $X_{i,t-1-j}$), otherwise $Y \leftarrow f(Y)$

- Lots of memory accesses (t for each table)

- Fixed chain length

- Simple analysis

Time-memory tradeoffs using distinguished points

- Variable chain length but detectable extreme points

- Distinguished points have d bits fixed to zero

a) Precomputation:

  from a start point SP, iterate DES under the chosen plaintext ($f = g \circ E_{\cdot}(P)$) until the output is a distinguished point; that point is the end point EP; store (SP, EP)

  [Figure: chain of DES blocks under the chosen plaintext, from SP to EP]

b) Online attack:

  from the intercepted ciphertext compute g(C) and iterate f until a distinguished point is reached; look it up in the precomputation table; on a hit, regenerate the chain from the corresponding SP: "here is the secret key"

  => Table lookups reduced from t to 1

  [Figure: chain of DES blocks from the intercepted ciphertext to the DP, lookup in the precomputation table, regeneration from SP]

Problems:

- Chains can merge (=> use different g functions)

- Chains can collide

The probability of success depends on how well the computed chains cover the key space
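A working DP tradeoff against a toy cipher, covering the chain construction $f = g \circ E_{\cdot}(P)$ of the Hellman slides and the distinguished-point precomputation and online attack above (an added example, not the slides' FPGA design). `encrypt` is a SHA-256 keyed PRF standing in for DES; k = 18, d = 5, the number of masks, the start points per mask and the seed are assumptions small enough to run in a couple of seconds. Each mask is a different g, a chain whose EP is already in the table has merged and is dropped, and the online phase does one lookup per mask. The experiment also regenerates every stored chain to measure the fraction of the key space the tables cover, which is exactly the set of keys the attack can recover.

```python
"""Time-memory tradeoff with distinguished points (DP) on a toy cipher."""
import hashlib
import random

K_BITS = 18                  # toy key length k (assumption; DES: 56)
N = 1 << K_BITS              # 2^k keys
D = 5                        # DP condition of order d: the d low bits are zero
T_MAX = 8 * (1 << D)         # chains longer than t_max are abandoned (they may be cycling)
P = b"chosenpt"              # the fixed chosen plaintext, a constructed 8-byte block


def encrypt(key: int, block: bytes) -> bytes:
    """Stand-in for E_K(P): SHA-256 of key||block truncated to 8 bytes (assumption, not DES)."""
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()[:8]


def g(mask: int, ct: bytes) -> int:
    """Reduction g: ciphertext -> key; one mask per table gives the r different f's."""
    return (int.from_bytes(ct, "big") ^ mask) & (N - 1)


def f(mask: int, key: int) -> int:
    """One chain step f(K) = g(E_K(P))."""
    return g(mask, encrypt(key, P))


def is_dp(key: int) -> bool:
    return key & ((1 << D) - 1) == 0


def walk_to_dp(mask: int, start: int):
    """Iterate f from `start` until the first DP; returns (dp, steps) or (None, T_MAX)."""
    y = start
    for steps in range(1, T_MAX + 1):
        y = f(mask, y)
        if is_dp(y):
            return y, steps
    return None, T_MAX


def precompute(masks, m: int, rng: random.Random):
    """Per mask: m chains from random start points, stored as {EP: SP}.  A chain whose EP
    is already in the table has merged with a stored chain and is dropped; so is a chain
    that reaches no DP within T_MAX steps."""
    tables = []
    for mask in masks:
        table = {}
        for _ in range(m):
            sp = rng.randrange(N)
            ep, _steps = walk_to_dp(mask, sp)
            if ep is not None and ep not in table:
                table[ep] = sp
        tables.append(table)
    return tables


def chain_points(mask: int, sp: int):
    """Regenerate a stored chain: every point from SP up to (not including) its EP."""
    x = sp
    for _ in range(T_MAX):
        yield x
        x = f(mask, x)
        if is_dp(x):
            return


def online_attack(masks, tables, c: bytes):
    """Given C = E_K(P): per mask, walk from g(C) = f(K) to the next DP and do ONE table
    lookup; on a hit, regenerate the chain from its SP and test each point as K.
    Returns (key or None, number of table lookups made)."""
    lookups = 0
    for mask, table in zip(masks, tables):
        y = g(mask, c)
        for _ in range(T_MAX):
            if is_dp(y):
                break
            y = f(mask, y)
        else:
            continue                      # no DP within t_max: K is not in this table
        lookups += 1
        sp = table.get(y)
        if sp is None:
            continue
        for x in chain_points(mask, sp):  # a merged-in key gives a false alarm: move on
            if encrypt(x, P) == c:
                return x, lookups
    return None, lookups


def experiment(r: int = 16, m: int = 512, trials: int = 200, seed: int = 1) -> dict:
    """Build r tables, compute the covered key set, then attack `trials` random keys.
    The attack succeeds exactly when K lies on a stored chain (`consistent`)."""
    rng = random.Random(seed)
    masks = [rng.randrange(N) for _ in range(r)]
    tables = precompute(masks, m, rng)
    covered = set()
    for mask, table in zip(masks, tables):
        for sp in table.values():
            covered.update(chain_points(mask, sp))
    hits, consistent, lookups = 0, True, 0
    for _ in range(trials):
        key = rng.randrange(N)
        found, n = online_attack(masks, tables, encrypt(key, P))
        lookups += n
        hits += found is not None
        consistent &= (found is not None) == (key in covered)
    return {
        "stored_chains": sum(len(t) for t in tables),
        "coverage": len(covered) / N,
        "success_rate": hits / trials,
        "lookups_per_key": lookups / trials,
        "consistent": consistent,
    }


if __name__ == "__main__":
    print(experiment())
```

The table holds far fewer chains than were started, which is the merging the slide warns about: a chain that lands on any point already computed runs into the same EP and contributes nothing new. Success rate and coverage agree because the online walk from f(K) follows K's own chain to its EP, and a lookup miss or a false alarm can only happen for keys on no stored chain.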

FPGA Designs

- Nearly as simple as exhaustive key search

- If n pipeline stages, deal with n start points in parallel

[Figure: pipelined DES core under the chosen plaintext, the p stages holding the keys $K_p, K_{p-1}, K_{p-2}, \dots, K_3, K_2, K_1$; each output goes through the MASK (the g function) and a "test DP?" stage: a DP is written out as EP and a new SP is loaded, otherwise the value is fed back as the next key]

Theoretical analysis

• $2^k$ keys
• DP condition of order d
• m start points
• r mask functions
• $t_{min}$: the minimum chain length
• $t_{max}$: the maximum chain length

a) Average chain length: $\bar t = \sum_{l=t_{min}}^{t_{max}} l\,[P(l) - P(l-1)]$

b) Cover $\gamma$: percentage of chains included in the region $[t_{min}; t_{max}]$ = $P(t_{max}) - P(t_{min}-1)$

1. Probability to reach a DP in less than l iterations:

  $P(l) = \sum_{i=1}^{l} \frac{2^{k-d}}{2^k}\left(1 - \frac{2^{k-d}}{2^k}\right)^{i-1} = 1 - \left(1 - \frac{2^{k-d}}{2^k}\right)^{l}$

2. Previous proposals for the success rate SR:

  $P(K_{i,j}\ \mathrm{is\ new}) \ge \left(1 - \frac{i\,t}{2^k}\right)^{j+1}$

  $SR \ge \frac{1}{2^k}\sum_{i=1}^{m}\sum_{j=0}^{t-1}\left(1 - \frac{i\,t}{2^k}\right)^{j+1}$

• OK for Hellman's tradeoff
• Suggest to stop precomputations at $m t^2 = 2^k$ (m = number of chains, t = mean length of a chain)
• Not for the DP variant: we store chains, not keys.

3. A prediction of the mergers using a storage function s(j) and the probability to find a new chain after storage s(j): p(j).

• $j = \gamma\,m$ = number of chains in region $[t_{min}; t_{max}]$

  $s(j+1) = s(j) + \bar t\,p(j)$

  $p(j) = \sum_{l=t_{min}}^{t_{max}} [P(l) - P(l-1)]\left(1 - \frac{s(j)}{2^k}\right)^{l}$

Linear approximation: $\left(1 - \frac{s(j)}{2^k}\right)^{l} \approx 1 - l\,\frac{s(j)}{2^k}$, so that $s(j+1) \approx s(j)\left(1 - \frac{\bar t^{\,2}}{2^k}\right) + \bar t$

Euler methods: treat j as continuous, $s'(j) = \bar t\,p(j)$

Conclusions:
• Precedent evaluations of the success rate are not directly applicable to the DP variant. We propose:

  $SR = \frac{s(m)}{2^k}$

• Linear approximation: too conservative.
• The condition $m t^2 = 2^k$ is not always optimal.

[Plot: p(j) against the stored keys s(m), with the linear approximation (too conservative) and the point similar to $m t^2 = 2^k$ marked]

4. Average chain length after sort:

Let $n_l$ be the number of chains of length l, evaluated using the storage function with non-zero initial conditions:

  $\bar t_{mod} = \dfrac{\sum_{l=t_{min}}^{t_{max}} l\,n_l}{\sum_{l=t_{min}}^{t_{max}} n_l}$

Practically evaluated with length intervals.

5. Final probability of success and complexities:

  $PS = 1 - (1 - SR)^r$

  $C_{mem} = r\,\dfrac{s(m)}{\bar t_{mod}}$ (stored chains)

  $C_{prec} = r\,m\,\bar t$ (encryptions)

  $C_{proc} = r\,\bar t_{mod}$ (online encryptions)
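The storage-function model of sections 3 to 5 worked through numerically (an added example, not the slides' own calculation). Two modelling assumptions are mine: a chain of length l is new only if none of its l keys is already stored, and chain lengths are geometric with parameter $2^{-d}$ with no $t_{min}/t_{max}$ cut, which gives p(j) in closed form; s(j) is then integrated with Euler steps as on the slide. k = 40 and d = 11 are illustrative parameters near the DES-40 experiment, not its actual ones.

```python
"""Storage-function model for the DP tradeoff: s(j), p(j), SR, PS and the costs."""
import math


def p_new(s: float, k: int, d: int) -> float:
    """Probability that the next chain is new when s keys are stored (assumed model):
    sum over l of q(1-q)^(l-1) (1-x)^l with q = 2^-d, x = s/2^k,
    which sums to q(1-x) / (1 - (1-q)(1-x))."""
    q = 2.0 ** -d
    x = min(s / 2.0 ** k, 1.0)
    return q * (1 - x) / (1 - (1 - q) * (1 - x))


def p_new_linear(s: float, k: int, d: int) -> float:
    """Linear approximation (1-x)^l ~ 1 - l x averaged over l: 1 - tbar * x, tbar = 2^d."""
    return max(0.0, 1.0 - 2.0 ** d * s / 2.0 ** k)


def storage(m: float, k: int, d: int, prob=p_new, steps: int = 4096):
    """Euler integration of s'(j) = tbar * p(s(j)) from j = 0 to j = m.
    Returns (s(m) = keys stored, chains stored)."""
    tbar = 2.0 ** d
    h = m / steps
    s = chains = 0.0
    for _ in range(steps):
        p = prob(s, k, d)
        s += h * tbar * p
        chains += h * p
    return s, chains


def predict(k: int, d: int, m: float, r: int, prob=p_new) -> dict:
    """SR = s(m)/2^k for one table, PS = 1 - (1 - SR)^r for r masks, plus the costs
    C_prec (precomputation encryptions), C_mem (table entries), C_proc (online encryptions)."""
    s, chains = storage(m, k, d, prob)
    tbar = 2.0 ** d
    sr = s / 2.0 ** k
    return {
        "log2_s": math.log2(s),
        "SR": sr,
        "PS": 1.0 - (1.0 - sr) ** r,
        "C_prec": r * m * tbar,
        "C_mem": r * chains,
        "C_proc": r * tbar,
    }


def matrix_stopping_point(k: int, d: int) -> float:
    """Hellman's rule m t^2 = 2^k with t = tbar = 2^d, solved for m."""
    return 2.0 ** (k - 2 * d)


if __name__ == "__main__":
    k, d = 40, 11                                   # illustrative, near the DES-40 slides
    m_star = matrix_stopping_point(k, d)
    for m in (m_star, 4 * m_star, 64 * m_star):
        exact = predict(k, d, m, r=1)
        lin = predict(k, d, m, r=1, prob=p_new_linear)
        print(f"m = 2^{math.log2(m):.0f}: log2 s(m) = {exact['log2_s']:.2f} "
              f"(linear approx {lin['log2_s']:.2f}), SR = {exact['SR']:.4f}")
```

Running the script prints s(m) at, 4× and 64× Hellman's stopping point: the exact model keeps gaining coverage past $m t^2 = 2^k$ while the linear approximation saturates at $2^k/\bar t$ almost immediately, which is the slide's point that the approximation is too conservative and the stopping rule not always optimal. Because $(1-x)^l \ge 1 - l x$ for every l, the linear p(j) is never above the exact one, so its s(m) is a strict lower bound.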

Practical experiments

• Against DES-40: $m t^2 = 2^k$ is not optimal and we optimize the online attack.
• Against DES-56: critical precomputation.

Both confirmed our theoretical predictions

DES-40 : precomputation task (all entries are log2 values)

EXP
 m     | t̄    | t̄_mod | s(m)  | s(m)/t̄_mod
 23.42 | 11.21 | 10.97 | 30.41 | 19.44

THEORY
 m  | t̄    | t̄_mod | s(m)  | s(m)/t̄_mod
 24 | 11.21 | 10.80 | 30.44 | 19.64
 23 | 11.21 | 10.88 | 30.27 | 19.38
 22 | 11.21 | 10.97 | 30.05 | 19.08
 21 | 11.21 | 11.04 | 29.76 | 18.72

Note that $m t^2 = 2^k$ would mean to stop precomputations at $m = 2^{17.57}$.

DES-40 : online attack

- Presented at the rump session of CRYPTO 2001

- Performed on a single PC (256 MB RAM, 350 MHz)

- Breaks a 40-bit key in ~10 sec

- An exhaustive key search on the same PC would have taken ~50 days.

- PS = 72% (theory predicted 73.7%).

- HW useful for larger keys.

DES-56 : precomputation task (all entries are log2 values)

EXP
 m  | t̄ | t̄_mod | s(m)  | s(m)/t̄_mod
 23 | 18 | 17.30 | 38.94 | 21.64
 22 | 18 | 17.62 | 38.61 | 20.99
 21 | 18 | 17.82 | 38.13 | 20.30
 20 | 18 | 17.83 | 37.38 | 19.55

THEORY
 m  | t̄ | t̄_mod | s(m)  | s(m)/t̄_mod
 23 | 18 | 17.41 | 38.55 | 21.14
 22 | 18 | 17.58 | 38.27 | 20.69
 21 | 18 | 17.72 | 37.86 | 20.14
 20 | 18 | 17.83 | 37.30 | 19.47

DES-56 : online attack predictions

 log2 t̄ (= d) | C_mem (CD-ROMs) | log2 r | log2 (nbr chains/mask)
      24       |        64       |    8   |          24
      22       |       256       |   12   |          22
      20       |      1024       |   16   |          20
      18       |      4096       |   20   |          18

(every row covers $m\,\bar t\,r = 2^{56}$ key points)

=> With a reasonable encryption rate ($2^{28}$ enc/sec) and 4096 CDROMs, we could break DES-56 in about $2^{8}$ seconds = 4.2 min, with PS = 75%.

A lot of other parameters are possible…

Other example (in the paper):

Hellman's parameters: $t = 2^{19}$, $r = 2^{19}$

~ 2048 CDROMS of memory

Attack in ~ 20 minutes (< half an hour)

Prospects

- Practical attacks against « real » systems:

  - Bond 2002, attack against IBM 4758 CCA (used in retail banking to protect the ATM infrastructure)

  - Oechslin 2003, MS-Windows instant crack

  - KULeuven paper of this morning

  Both based on time-memory tradeoff techniques

- Rainbow tables (better for the precomputations), see Philippe Oechslin

Conclusions

- Time-memory tradeoff using distinguished points revisited

- Practical consequences (by far) more dramatic than exhaustive key search

- Practical implementations are possible up to 56 bits

- Rainbow tables are simpler to build and analyze

- Distinguished points have a more theoretical interest and can be used to detect collisions (e.g. hash functions) (see Quisquater and Delescaille, at Eurocrypt and Crypto).

