Dec Hex Ctl Name   Dec Hex Chr   Dec Hex Chr   Dec Hex Chr
 22  16  ^V SYN     54  36  6     86  56  V    118  76  v
 23  17  ^W ETB     55  37  7     87  57  W    119  77  w
 24  18  ^X CAN     56  38  8     88  58  X    120  78  x
 25  19  ^Y EM      57  39  9     89  59  Y    121  79  y
 26  1a  ^Z SUB     58  3a  :     90  5a  Z    122  7a  z
 27  1b  ^[ ESC     59  3b  ;     91  5b  [    123  7b  {
 28  1c  ^\ FS      60  3c  <     92  5c  \    124  7c  |
 29  1d  ^] GS      61  3d  =     93  5d  ]    125  7d  }
 30  1e  ^^ RS      62  3e  >     94  5e  ^    126  7e  ~
 31  1f  ^_ US      63  3f  ?     95  5f  _    127  7f  DEL
Associative
A dyadic operation in which two sequential operations on three arguments can first operate on either the first two or the last two arguments, producing the same result in either case: (a + b) + c = a + (b + c)
Also see: commutative and distributive
Asymmetric Cipher
A public key cipher
Attack
General ways in which a cryptanalyst may try to "break" or penetrate the secrecy of a cipher. These are not algorithms; they are just approaches as a starting place for constructing specific algorithms.
Classically, attacks were neither named nor classified; there was just: "here is a cipher, and here is the attack." And while this gradually developed into named attacks, there is no overall attack taxonomy. Currently, attacks are often classified by the information available to the attacker or constraints on the attack, and then by strategies which use the available information. Not only ciphers, but also cryptographic hash functions can be attacked, generally with very different strategies.
Informational Constraints
We are to attack a cipher which enciphers plaintext into ciphertext or deciphers the opposite way, under control of a key. The available information necessarily constrains our attack strategies.
Ciphertext Only: We have only ciphertext to work with. Sometimes the statistics of the ciphertext provide insight and can lead to a break.
Known Plaintext: We have some, or even an extremely large amount, of plaintext and the associated ciphertext.
Defined Plaintext: We can submit arbitrary messages to be ciphered and capture the resulting ciphertext. (Also Chosen Plaintext and Adaptive Chosen Plaintext.)
Defined Ciphertext: We can submit arbitrary messages to be deciphered and see the resulting plaintext. (Also Chosen Ciphertext and Adaptive Chosen Ciphertext.)
Chosen Key: We can specify a change in any particular key bit, or some other relationship between keys.
Timing: We can measure the duration of ciphering operations and use that to reveal the key or data.
Fault Analysis: We can induce random faults into the ciphering machinery, and use those to expose the key.
Man-in-the-Middle: We can subvert the routing capabilities of a computer network, and pose as the other side to each of the communicators. (Usually a key authentication attack on public key systems.)
Attack Strategies
The goal of an attack is to reveal some unknown plaintext, or the key (which will reveal the plaintext). An attack which succeeds with less effort than a brute-force search we call a break. An "academic" ("theoretical," "certificational") break may involve impractically large amounts of data or resources, yet still be called a "break" if the attack would be easier than brute force. (It is thus possible for a "broken" cipher to be much stronger than a cipher with a short key.) Sometimes the attack strategy is thought to be obvious, given a particular informational constraint, and is not further classified.
under every possible key until readable messages are produced. (Also "brute force" any searchable-size part of a cipher.)
Codebook (the classic "codebreaking" approach): Collect a codebook of transformations between plaintext and ciphertext.
Differential Cryptanalysis: Find a statistical correlation between key values and cipher transformations (typically the Exclusive-OR of text pairs), then use sufficient defined plaintext to develop the key.
Linear Cryptanalysis: Find a linear approximation to the keyed S-boxes in a cipher, and use that to reveal the key.
Meet-in-the-Middle: Given a two-level multiple encryption, search for the keys by collecting every possible result for enciphering a known plaintext under the first cipher, and deciphering the known ciphertext under the second cipher; then find the match.
Key Schedule: Choose keys which produce known effects in different rounds.
Birthday (usually a hash attack): Use the birthday paradox, the idea that it is much easier to find two values which match than it is to find a match to some particular value.
Formal Coding (also Algebraic): From the cipher design, develop equations for the key in terms of known plaintext, then solve those equations.
Correlation: In a stream cipher, distinguish between data and confusion, or between different confusion streams, from a statistical imbalance in a combiner.
Dictionary: Form a list of the most-likely keys, then try those keys one-by-one (a way to improve brute force).
Replay: Record and save some ciphertext blocks or messages (especially if the content is known), then re-send those blocks when useful.
Many attacks try to isolate unknown small components or aspects so they can be solved separately, a process known as divide and conquer.
Also see: security
Augmented Repetitions
When sampling with replacement, eventually we again find some object or value which has been found before. We call such an occurrence a "repetition." A value found exactly twice is a double, or "2-rep"; a value found three times is a triple or "3-rep," and so on.
For a known population, the number of repetitions expected at each level has long been understood to be a binomial expression. But if we are sampling in an attempt to establish the effective size of an unknown population, we have two problems:
1. The binomial equations which predict expected repetitions do not reverse well to predict population, and
2. Exact repetitions discard information and so are less accurate than we would like. For example, if we have a double and then find another of that value, we now have a triple, and one less double. So if we are using doubles to predict population, the occurrence of a triple influences the predicted population in exactly the wrong direction.
Fortunately, there is an unexpected and apparently previously unknown combinatoric relationship between the population and the number of combinations of occurrences of repeated values. This allows us to convert any number of triples and higher n-reps to the number of 2-reps which have the same probability. So if we have a double, and then get another of the same value, we have a triple, which we can convert into three 2-reps. The total number of 2-reps from all repetitions (the augmented 2-reps value) is then used to predict population.
We can relate the number of samples s to the population N through the expected number of augmented doubles Ead:

$$E_{ad}(N, s) = \frac{s(s-1)}{2N}$$

This equation is exact, provided we interpret all the exact n-reps in terms of 2-reps. For example, a triple is interpreted as three doubles; the augmentation from 3-reps to 2-reps is $\binom{3}{2}$ or 3. The augmented result is the sum of the contributions from all higher repetition levels:

$$ad = \sum_{i=2}^{n} \binom{i}{2}\, r[i]$$

where ad is the number of augmented doubles, and r[i] is the exact repetition count at the i-th level.
And this leads to an equation for predicting population:

$$N_{ad}(s, ad) = \frac{s(s-1)}{2\, ad}$$
This predicts the population Nad as based on a mean value of augmented doubles ad. Clearly, we expect the number of samples to be far larger than the number of augmented doubles, but an error in the augmented doubles ad should produce a proportionally similar error in the predicted population Nad. We typically develop ad to high precision by averaging the results of many large trials.
However, since the trials should have approximately a simple Poisson distribution (which has only a single parameter), we could be a bit more clever and fit the results to the expected distribution, thus perhaps developing a bit more accuracy.
Also see the article: Estimating Population from Repetitions in Accumulated Random Samples, and the Population Estimation Worksheets in JavaScript page of the Ciphers By Ritter / JavaScript computation pages.
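As an added worked example (not from the original glossary or its worksheets), the procedure above in Python: count the exact n-reps in a sample, augment them to 2-reps with the binomial coefficient, and predict N from Nad; the trial helper draws from a constructed population with a fixed seed so the run is repeatable.

```python
import random
from collections import Counter
from math import comb

def exact_repetitions(samples):
    """r[i]: how many distinct values occurred exactly i times (i >= 2)."""
    occurrences = Counter(samples)
    return dict(Counter(c for c in occurrences.values() if c >= 2))

def augmented_doubles(samples):
    """ad = sum over i >= 2 of C(i,2) * r[i]: a triple counts as three 2-reps."""
    return sum(comb(i, 2) * ri for i, ri in exact_repetitions(samples).items())

def expected_augmented_doubles(N, s):
    """Ead(N,s) = s(s-1) / 2N, exact for s draws with replacement from N values."""
    return s * (s - 1) / (2 * N)

def estimate_population(s, ad):
    """Nad(s,ad) = s(s-1) / (2 ad): invert Ead using the (mean) augmented doubles."""
    if ad <= 0:
        raise ValueError("no repetitions observed; population cannot be estimated")
    return s * (s - 1) / (2 * ad)

def estimate_from_exact_doubles_only(samples):
    """Naive estimator that uses exact 2-reps only, kept for comparison."""
    return estimate_population(len(samples), exact_repetitions(samples).get(2, 0))

def estimate_by_trials(N, s, trials, seed=1):
    """Draw s values from range(N) with replacement in each of `trials` runs,
    average ad across the runs, then predict N. N is used only to generate
    the constructed samples; the estimator itself never sees it."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += augmented_doubles([rng.randrange(N) for _ in range(s)])
    return estimate_population(s, total / trials)

if __name__ == "__main__":
    # Constructed samples: two doubles, then one of them grows into a triple.
    before = [1, 1, 2, 3, 3, 4]
    after = [1, 1, 2, 3, 3, 3, 4]
    print(estimate_from_exact_doubles_only(before))  # 7.5
    print(estimate_from_exact_doubles_only(after))   # 21.0: more repetition, yet a larger N
    print(estimate_population(len(after), augmented_doubles(after)))  # 5.25
    print(estimate_by_trials(N=1000, s=200, trials=2000))  # close to 1000
```

The second and third printed values show the "wrong direction" problem from the text: an extra repetition raises the doubles-only estimate, while the augmented estimate falls as it should.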
Authentication
One of the objectives of cryptography: Assurance that a message has not been modified in transit or storage (message authentication or message integrity). Also key authentication for public keys. Also user or source identification, which may verify the right to send the message in the first place.
Message Authentication
One form of message authentication computes a CRC hash across the plaintext data, and appends the CRC remainder (or result) to the plaintext data: this adds a computed redundancy to an arbitrary message. The CRC result is then enciphered along with the data. When the message is deciphered, if a second CRC operation produces the same result, the message can be assumed unchanged.
Note that a CRC is a fast, linear hash. Messages with particular CRC result values can be constructed rather easily. However, if the CRC is hidden behind strong ciphering, an Opponent is unlikely to be able to change the CRC value systematically or effectively. In particular, this means that the CRC value will need more protection than a simple exclusive-OR stream cipher or the exclusive-OR approach to handling short last blocks in a block cipher.
A similar approach to message authentication uses a nonlinear cryptographic hash function. These also add a computed redundancy to the message, but generally require significantly more computation than a CRC. It is thought to be exceedingly difficult to construct messages with a particular cryptographic hash result, so the hash result perhaps need not be hidden by encryption.
One form of cryptographic hash is DES CBC mode: using a key different than that used for encryption, the final block of ciphertext is the hash of the message. This obviously doubles the computation when both encryption and