Slide 1 - Hyperelliptic org

Exhaustive Key Search for DES:
Updates and refinements
Jean-Jacques Quisquater
UCL Crypto Group
Louvain-la-Neuve
Belgium
François-Xavier Standaert
(UCL, Columbia, MIT)
[email protected]
http://uclcrypto.org
keylength.com
announcement
• cryptosavvy.com is down
• A new active web site run by UCL Crypto Group
• Gives length of keys for the future (till 2050) based on (adjustable by you) criteria
• Secret key, public key (RSA, ECC), hash functions
• Based on papers by Lenstra and Verheul
• Approved and reviewed by Arjen Lenstra
• Your comments?
The beginning of the story
• Brute force attack: try all keys (possibilities)
• Brute force people: Yahoo (see Jonathan Swift)
• What is possible today?
Jonathan Swift
(Gulliver’s travels)
Power and
Sieving
By Monks
(Monkeys?)
Introduction
- Brute-force attacks: often the most realistic
- Basic scenarios: exhaustive search or precomputation tables
- Hellman (1980): trade time for memory
  $O(N^{2/3})$ time, $O(N^{2/3})$ memory, $O(N)$ precomputation
- Rivest (1982): use of distinguished points (Denning's book)
=> More realistic attacks
Exhaustive search: Basic algorithm
• Given m and c, try all keys k in K,
– Test if E(m, k) = c
• If yes, output k
• k is the key with high probability
Basic algorithm (in //)
• Split K in K1, K2, K3, …
• Distribute m, c and Ki to node i
• Each node i does
– Given m and c, try all keys k in Ki,
– Test if E(m, k) = c
– If yes, output k
• k is the key with high probability
Key search: Bombe
IEEE Computer - November 1991
Crypto 87 - rump session
RFC 3607
Network Working Group
M. Leech
Request for Comments: 3607
Nortel Networks Category: Informational
September 2003
Chinese Lottery Cryptanalysis Revisited: The Internet as a Codebreaking Tool
Status of this Memo This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract This document revisits the so-called Chinese Lottery massively-parallel
cryptanalytic attack. It explores Internet-based analogues to the Chinese Lottery, and
their potentially-serious consequences.
1. Introduction In 1991, Quisquater and Desmedt proposed an esoteric, but technically
sound, attack against DES or similar ciphers. They termed this attack the Chinese
Lottery. It was based on a …
Other paradigm (Chinese Lotto)
• Broadcast (download) m and c
• Each computing node does, whenever it can:
– Choose a random key r in K
– Given m and c, try r,
• Test if E(m, r) = c
– If yes, output k (low communication)
• k is the key with high probability
Other Paradigm
(the Chinese Lotto)
• Advantages (Daniel Bernstein :-):
– Low cost
– No control
– No communication
– No wire
– Efficient (the price of anarchy – see Papadimitriou – is only 2)
– Automatic redundancy at low cost
– Trade-offs are possible
– Not used?
– See also book by Tanenbaum
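As an added example (not code from these slides), the following Python simulation runs both paradigms of the preceding slides on a constructed toy key space of $2^{10}$ keys: the basic algorithm in parallel, where K is split into K1, K2, ... and every node scans its own sub-range, and the Chinese Lotto, where uncoordinated nodes test random keys. It counts the rounds each needs and shows the factor of about 2 between them, the "price of anarchy" quoted above. The keyed hash standing in for E(m, k), the key size and the number of nodes are assumptions of the example, not the slides'.

```python
import hashlib
import random

KEY_BITS = 10                    # constructed toy key space of 2^10 keys (DES: 2^56)
N = 1 << KEY_BITS
PLAINTEXT = b"known plaintext!"  # constructed known plaintext m

def toy_encrypt(key: int, plaintext: bytes) -> int:
    """Stand-in for E(m, k): keyed BLAKE2b truncated to 64 bits (assumption:
    any keyed one-way function serves to count trial encryptions; not DES)."""
    digest = hashlib.blake2b(plaintext, key=key.to_bytes(8, "big"),
                             digest_size=8).digest()
    return int.from_bytes(digest, "big")

def split_keyspace(n_nodes: int):
    """Split K into K1, K2, ...: one contiguous sub-range per node."""
    size = -(-N // n_nodes)   # ceiling division
    return [range(i * size, min((i + 1) * size, N)) for i in range(n_nodes)]

def parallel_exhaustive(m: bytes, c: int, n_nodes: int):
    """Basic algorithm in parallel: each round, every node tests the next key
    of its own sub-range Ki. Returns (key, rounds until some node outputs it)."""
    subranges = split_keyspace(n_nodes)
    for rnd in range(len(subranges[0])):
        for sub in subranges:
            if rnd < len(sub) and toy_encrypt(sub[rnd], m) == c:
                return sub[rnd], rnd + 1
    return None, len(subranges[0])

def chinese_lottery(m: bytes, c: int, n_nodes: int, rng: random.Random):
    """Chinese Lotto paradigm: no coordination at all; each round every node
    draws a random key r in K and tests E(m, r) = c. Returns (key, rounds)."""
    rnd = 0
    while True:
        rnd += 1
        for _ in range(n_nodes):
            r = rng.randrange(N)
            if toy_encrypt(r, m) == c:
                return r, rnd

def mean_rounds(n_nodes: int = 4, trials: int = 800, seed: int = 1):
    """Average number of rounds of both paradigms over random target keys.
    Expected: about (N/n)/2 for the split search and N/n for the lottery."""
    rng = random.Random(seed)
    tot_exh = tot_lot = 0
    for _ in range(trials):
        target = rng.randrange(N)
        c = toy_encrypt(target, PLAINTEXT)
        k1, r1 = parallel_exhaustive(PLAINTEXT, c, n_nodes)
        k2, r2 = chinese_lottery(PLAINTEXT, c, n_nodes, rng)
        assert k1 == target and k2 == target   # 64-bit output: no false keys
        tot_exh += r1
        tot_lot += r2
    return tot_exh / trials, tot_lot / trials

if __name__ == "__main__":
    exh, lot = mean_rounds()
    print(f"split search: {exh:.1f} rounds, lottery: {lot:.1f} rounds, "
          f"ratio {lot / exh:.2f} (about 2: the price of anarchy)")
```

The lottery draws keys with replacement, so a node may retest a key already tried elsewhere; that redundancy is exactly what costs the factor of 2, and it is also what buys the "no control, no communication" properties listed on the slide.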
DES and exhaustive key search machines
- 1977 : Diffie & Hellman, US$ 20M, (predicted DES totally
insecure by the 1990s)
- 1987 : 512 000 DES / second in one chip
- 1993 : Wiener, US$ 1M, success in 3.5 hours (prediction)
- 1997, 1998, RSA : DES cryptograms broken by computer
consortiums in resp. 5 months and 39 days
- 1998 : EFF DES cracker hardware, US$ 200 000, 3 days
- Recent FPGAs ???
EFF DES Cracker: Paul Kocher
TODAY?
- Spartan 3S1000: US$ 12
- Optimized FPGA implementations of the DES:
  XC2V8000: 93184 LUT (22 DES in //): $2^{33}$ DES/sec/chip
  3S1000: 15360 LUT (4 DES in //): $2^{29}$ DES/sec/chip
US$ 12 000 to crack a DES key in about 3 days
First conclusions
• Pure exhaustive search: $2^{55}$ keys
• Using existing implementations (UCL) with today's technology (Xilinx):
– Simplest attack: one chip in $2^{22}$ sec (2 months)
NSA?
Long keys today?
• One year ($2^{25}$ seconds)
• One million ($2^{20}$) Xilinx 8000 chips (better?)
• That is
– $2^{25}$ sec x $2^{20}$ chips x $2^{33}$ DES/sec = $2^{78}$ keys
• Conclusion: 80 bits is NOT enough at all for long term security (112-128-256 bits?).
Hellman's time-memory tradeoff
- Let P be a fixed chosen plaintext
- Let g be a function that maps ciphertexts to keys
=> we define $f(K) = g(E_K(P))$
   (forward direction: one encryption; backward direction: cryptanalysis)
a) Precomputation:
   (r tables)
   (store extreme points)
b) Online attack:
- Let C be the intercepted ciphertext: $C = E_K(P)$
=> Compute $g(C) = f(K)$
=> Start chaining and check for every point whether it is in the table:
   [figure: if $Y = EP_i$ then $K = X_{i,t-1}$; otherwise $Y = f(Y)$ and test again]
=> Lots of memory accesses (t for each table)
=> Fixed chain length
=> Simple analysis
Time-memory tradeoffs using distinguished points
- Variable chain length but detectable extreme points
- Distinguished points have d bits fixed to zero
a) Precomputation:
   [figure: from a start point SP, iterate DES on the chosen plaintext until a distinguished point EP is reached; store (SP, EP)]
b) Online attack:
   [figure: from the intercepted ciphertext, iterate DES on the chosen plaintext until a distinguished point is reached, look it up in the precomputation table and, on a hit, recompute the chain from its SP until the secret key shows up]
=> Table lookups reduced from t to 1
Problems:
- Chains can merge (=> use different g functions)
- Chains can collide
=> The probability of success depends on how well the computed chains cover the key space
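An added worked example (not code from the slides or from the authors' FPGA design) of the two slides above: Hellman's chain function $f(K) = g(E_K(P))$ with the distinguished-point variant, in Python, on a constructed $2^{20}$-key toy cipher. A keyed hash replaces DES (an assumption), r tables use different mask functions $g_i$, only (EP, SP) pairs are stored, the online phase does a single lookup per table, merged chains and false alarms are handled, and the empirical success rate over random keys is measured. All parameters (k, d, m, r, $t_{min}$, $t_{max}$) are constructed for the example.

```python
import hashlib
import random

K_BITS = 20                   # constructed toy key space of 2^20 keys (DES: 2^56)
N = 1 << K_BITS
P = b"chosen plaintxt"        # constructed fixed chosen plaintext P

def encrypt(key: int) -> int:
    """Stand-in for E_K(P): keyed BLAKE2b with a 64-bit output (assumption:
    any keyed one-way function shows the tradeoff; this is not DES)."""
    d = hashlib.blake2b(P, key=key.to_bytes(8, "big"), digest_size=8).digest()
    return int.from_bytes(d, "big")

def g(c: int, mask: int) -> int:
    """Reduction g_i: ciphertext -> key. A per-table mask makes the r chain
    functions f_i(K) = g_i(E_K(P)) differ, so merges stay within one table."""
    return (c & (N - 1)) ^ mask

def f(x: int, mask: int) -> int:
    return g(encrypt(x), mask)

def is_dp(x: int, d: int) -> bool:
    """Distinguished point of order d: the d low bits are zero."""
    return x & ((1 << d) - 1) == 0

def build_table(mask, m, d, t_min, t_max, rng):
    """Precomputation of one table: m chains from random start points SP, each
    run until a DP, the end point EP. Only EP -> SP is stored; chains shorter
    than t_min or longer than t_max are dropped, and so is a chain whose EP is
    already stored (it merged into an existing chain)."""
    table = {}
    for _ in range(m):
        sp = x = rng.randrange(N)
        for length in range(1, t_max + 1):
            x = f(x, mask)
            if is_dp(x, d):
                if length >= t_min and x not in table:
                    table[x] = sp
                break
    return table

def build_tables(r, m, d, t_min, t_max, rng):
    """r tables, each with its own random mask function."""
    return [(mask, build_table(mask, m, d, t_min, t_max, rng))
            for mask in (rng.randrange(N) for _ in range(r))]

def attack(c, tables, d, t_max):
    """Online attack on intercepted C = E_K(P): per table, chain from
    g_i(C) = f_i(K) to the next DP and do a single table lookup. On a hit,
    re-walk the stored chain from its SP until the key X with E_X(P) = C
    shows up, or until the DP is reached again (a false alarm: K's chain
    merged into a stored chain without K lying on it)."""
    for mask, table in tables:
        y = g(c, mask)
        for _ in range(t_max):
            if is_dp(y, d):
                if y in table:
                    x = table[y]
                    while True:
                        e = encrypt(x)
                        if e == c:
                            return x
                        x = g(e, mask)
                        if is_dp(x, d):
                            break
                break
            y = f(y, mask)
    return None

def success_rate(tables, d, t_max, n_keys, rng):
    """Empirical P_S over random keys, to compare with 1 - (1 - SR)^r."""
    hits = sum(attack(encrypt(k), tables, d, t_max) == k
               for k in (rng.randrange(N) for _ in range(n_keys)))
    return hits / n_keys

if __name__ == "__main__":
    r, m, d, t_min, t_max = 32, 512, 5, 4, 256   # mean length ~ 2^d = 32, m*t^2 = N/2
    rng = random.Random(1)
    tables = build_tables(r, m, d, t_min, t_max, rng)
    stored = sum(len(t) for _, t in tables)
    print(f"stored chains (C_mem): {stored}, precomputation ~ {r * m * (1 << d)} encryptions")
    print(f"empirical success rate: {success_rate(tables, d, t_max, 200, rng):.2f}")
```

The verification `encrypt(x) == c` during the re-walk is what separates a real hit from a false alarm; with fixed-length Hellman chains the same check would be needed at every one of the t lookups, whereas here it runs only after the single DP lookup per table.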
FPGA Designs
[figure: DES pipeline with key stages K1 ... Kp fed by the chosen plaintext, a MASK applied to the output, a "test DP?" block, and a multiplexer that injects a new SP when the current chain reaches its EP]
- Nearly as simple as exhaustive key search
- If n pipeline stages, deal with n start points in parallel
Theoretical analysis
• $2^k$ keys
• DP condition of order d.
• m start points.
• r mask functions.
• $t_{min}$: the minimum chain length.
• $t_{max}$: the maximum chain length.
1. Probability to reach a DP in less than l iterations:
   $P(l) = 1 - \prod_{i=0}^{l-1} \left(1 - \frac{2^{k-d}}{2^k - i}\right)$
a) Average chain length:
   $\bar{t} = \frac{\sum_l l \cdot P(l)}{\sum_l P(l)}$
b) Cover $\gamma$: percentage of chains included in the region $[t_{min}; t_{max}]$ = $P(t_{max}) - P(t_{min} - 1)$.
2. Previous proposals for the success rate SR:
   $P(K_{ij} \text{ is new}) \geq \left(1 - \frac{it}{2^k}\right)^{j+1}$
   $SR \geq \frac{1}{2^k} \sum_{i=1}^{m} \sum_{j=1}^{t} \left(1 - \frac{it}{2^k}\right)^{j+1}$
• OK for Hellman's tradeoff
• Suggest to stop precomputations at $mt^2 = 2^k$
• (m: number of chains, t: mean length of a chain)
• Not for the DP variant: we store chains, not keys.
3. A prediction of the mergers using a storage function s(j)
and the probability to find a new chain after storage s(j): p(j).
• $j = \gamma m$ = number of chains in region $[t_{min}; t_{max}]$
• $s(j) = s(j-1) + \bar{t} \cdot p(j-1)$
• $p(j) = \prod_{l=0}^{\bar{t}-1} \left(1 - \frac{s(j) + l}{2^k}\right)$
=> $s(j+1) = s(j) + \bar{t} \left(1 - \frac{s(j)}{2^k}\right)^{\bar{t}}$
Linear approximation:
   $s(j+1) = \left(1 - \frac{\bar{t}^2}{2^k}\right) s(j) + \bar{t}$
Euler methods:
   $s'(j) = \bar{t} \left(1 - \frac{s(j)}{2^k}\right)^{\bar{t}}$
Conclusions:
• Previous evaluations of the success rate are not directly applicable to the DP variant. We propose:
   $SR = \frac{s(m)}{2^k}$
• Linear approximation: too conservative.
• The condition $mt^2 = 2^k$ is not always optimal
   [figure: p(j) and $s(m)/2^k$ plotted against m; the linear approximation (too conservative) flattens out near the point where $s(m)/2^k$ is similar to $mt^2 = 2^k$]
4. Average chain length after sort $\bar{t}_{mod}$:
Let $n_l$ be the number of chains of length l, evaluated using the storage function with non-zero initial conditions:
   $\bar{t}_{mod} = \frac{\sum_{l=t_{min}}^{t_{max}} l \cdot n_l}{\sum_{l=t_{min}}^{t_{max}} n_l}$
=> Practically evaluated with length intervals.
5. Final probability of success and complexities:
   $P_S = 1 - (1 - SR)^r$
   $C_{mem} = \frac{s(m)}{\bar{t}_{mod}} \cdot r$
   $C_{prec} = r \cdot m \cdot \bar{t}$
   $C_{proc} = r \cdot \bar{t}_{mod}$
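An added example (not from the paper or the slides) that evaluates the formulas of this theoretical analysis numerically in Python for a constructed toy case: k = 20, d = 5, $t_{min}$ = 4, $t_{max}$ = 256, r = 32 and a mean chain length $\bar{t}$ of about 32, all assumptions. It computes P(l), $\bar{t}$, the cover $\gamma$, the storage function s(j) both with the exact product p(j) and with the linear approximation, the stopping point $mt^2 = 2^k$, and from s(m) the values SR, $P_S$ and the three complexities. For $\bar{t}_{mod}$ the demo substitutes $\bar{t}$, which is an approximation of its own, not the paper's method.

```python
from typing import List, Tuple

def dp_cdf(k: int, d: int, t_max: int) -> List[float]:
    """P(l) for l = 0..t_max: probability that a chain reaches a DP within l
    iterations, P(l) = 1 - prod_{i=0}^{l-1} (1 - 2^(k-d) / (2^k - i)).
    2^(k-d) of the 2^k keys are DPs; step i draws from the 2^k - i keys
    the chain has not visited yet."""
    n, n_dp = 1 << k, 1 << (k - d)
    cdf, not_yet = [0.0], 1.0
    for i in range(t_max):
        not_yet *= 1.0 - n_dp / (n - i)
        cdf.append(1.0 - not_yet)
    return cdf

def mean_chain_length(k: int, d: int, t_max: int) -> float:
    """t_bar: mean chain length, taking pr(l) = P(l) - P(l-1) as the
    probability that the chain ends exactly after l iterations."""
    cdf = dp_cdf(k, d, t_max)
    pr = [cdf[l] - cdf[l - 1] for l in range(1, t_max + 1)]
    return sum(l * p for l, p in enumerate(pr, start=1)) / sum(pr)

def cover(k: int, d: int, t_min: int, t_max: int) -> float:
    """gamma: fraction of chains whose length lies in [t_min, t_max],
    P(t_max) - P(t_min - 1)."""
    cdf = dp_cdf(k, d, t_max)
    return cdf[t_max] - cdf[t_min - 1]

def storage_function(m: int, k: int, t_bar: int, linear: bool = False) -> List[float]:
    """s(j) for j = 0..m, the number of distinct keys stored after j chains:
    s(j) = s(j-1) + t_bar * p(j-1) with the new-chain probability
    p(j) = prod_{l=0}^{t_bar-1} (1 - (s(j)+l) / 2^k).  With linear=True the
    linear approximation s(j+1) = (1 - t_bar^2/2^k) s(j) + t_bar is used,
    whose fixed point 2^k / t_bar caps the coverage (hence "too conservative")."""
    n = 1 << k
    s, hist = 0.0, [0.0]
    for _ in range(m):
        if linear:
            s = (1.0 - t_bar * t_bar / n) * s + t_bar
        else:
            p_new = 1.0
            for l in range(t_bar):
                p_new *= 1.0 - (s + l) / n
            s += t_bar * p_new
        hist.append(s)
    return hist

def hellman_stop(k: int, t_bar: int) -> int:
    """m at which m * t_bar^2 = 2^k, the classical point to stop precomputation."""
    return (1 << k) // (t_bar * t_bar)

def success(s_m: float, k: int, r: int) -> Tuple[float, float]:
    """SR = s(m)/2^k for one table and P_S = 1 - (1 - SR)^r for r tables."""
    sr = s_m / (1 << k)
    return sr, 1.0 - (1.0 - sr) ** r

def complexities(s_m: float, t_mod: float, r: int, m: int, t_bar: int) -> Tuple[float, int, float]:
    """(C_mem, C_prec, C_proc): stored chains, precomputation encryptions and
    encryptions per online attack. t_mod is the mean length after sorting."""
    return s_m / t_mod * r, r * m * t_bar, r * t_mod

if __name__ == "__main__":
    k, d, t_min, t_max, r = 20, 5, 4, 256, 32      # constructed toy parameters
    t_bar = round(mean_chain_length(k, d, t_max))  # about 2^d = 32
    m_h = hellman_stop(k, t_bar)
    exact = storage_function(4 * m_h, k, t_bar)
    lin = storage_function(4 * m_h, k, t_bar, linear=True)
    print(f"t_bar = {t_bar}, cover = {cover(k, d, t_min, t_max):.3f}, m*t^2 = 2^k at m = {m_h}")
    for m in (m_h, 2 * m_h, 4 * m_h):
        sr, ps = success(exact[m], k, r)
        c_mem, c_prec, c_proc = complexities(exact[m], t_bar, r, m, t_bar)   # t_mod ~ t_bar (assumption)
        print(f"m = {m:5d}: s(m) = {exact[m]:8.0f} (linear {lin[m]:8.0f}), "
              f"SR = {sr:.4f}, P_S = {ps:.3f}, C_mem = {c_mem:.0f} chains, "
              f"C_prec = {c_prec}, C_proc = {c_proc}")
```

Running it shows the two points the slides make: the linear approximation stays below the exact recurrence, and s(m) keeps growing well past $m = 2^k/\bar{t}^2$, so stopping precomputation at $mt^2 = 2^k$ trades success probability for precomputation time rather than marking an optimum.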
Practical experiments
• Against DES-40: $mt^2 = 2^k$ is not optimal and we optimize the online attack.
• Against DES-56: critical precomputation.
=> Both confirmed our theoretical predictions
DES-40: precomputation task
(all entries are base-2 logarithms)
EXP
m       t̄       t̄_mod   s(m)    s(m)/t̄_mod
23.42   11.21   10.97   30.41   19.44
THEORY
m       t̄       t̄_mod   s(m)    s(m)/t̄_mod
21      11.21   11.04   29.76   18.72
22      11.21   10.97   30.05   19.08
23      11.21   10.88   30.27   19.38
24      11.21   10.80   30.44   19.64
Note that $mt^2 = 2^k$ would mean to stop precomputations at $m = 2^{17.57}$.
DES-40: online attack
- Presented at the rump session of CRYPTO 2001
- Performed on a single PC (256 MB RAM, 350 MHz)
- Breaks a 40-bit key in ~10 sec
- An exhaustive key search on the same PC would have taken ~50 days.
- $P_S$ = 72% (theory predicted 73.7%).
- HW useful for larger keys.
DES-56: precomputation task
(all entries are base-2 logarithms)
EXP
m       t̄       t̄_mod   s(m)    s(m)/t̄_mod
20      18      17.83   37.38   19.55
21      18      17.82   38.13   20.30
22      18      17.62   38.61   20.99
23      18      17.30   38.94   21.64
THEORY
m       t̄       t̄_mod   s(m)    s(m)/t̄_mod
20      18      17.83   37.30   19.47
21      18      17.72   37.86   20.14
22      18      17.58   38.27   20.69
23      18      17.41   38.55   21.14
DES-56: online attack predictions
(t̄, Nbr chains/mask and r as base-2 logarithms)
t̄     Nbr chains/mask   C_mem (CDROMs)   r
18    20                4096             18
20    16                1024             20
22    12                256              22
24    8                 64               24
=> With a reasonable encryption rate ($2^{28}$ enc/sec) and 4096 CDROMs, we could break DES-56 in about:
   $\frac{2^{18} \cdot 2^{18}}{2^{28}} = 2^8$ seconds = 4.2 min.
   with $P_S$ = 75%.
A lot of other parameters are possible…
Other example (in the paper):
Hellman's parameters:
=> $\bar{t} = 2^{19}$, $r = 2^{19}$
=> ~ 2048 CDROMs of memory
=> Attack in ~ 20 minutes (< half an hour)
Prospects
- Practical attacks against « real » systems:
- Bond 2002, attack against IBM 4758 CCA (used in retail banking to protect the ATM infrastructure)
- Oechslin 2003, MS-Windows instant crack
- KULeuven paper of this morning
=> Both based on time-memory tradeoff techniques
- Rainbow tables (better for the precomputations), see Philippe Oechslin
Conclusions
- Time-memory tradeoff using distinguished points revisited
- Practical consequences (by far) more dramatic than
exhaustive key search
- Practical implementations are possible up to 56 bits
- Rainbow tables are simpler to build and analyze
- Distinguished points have a more theoretical interest
and can be used to detect collisions (e.g. hash functions)
(see Q. and Delescaille, at Eurocrypt and Crypto).