![]() |
|
|||
![]() |
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() |
![]() |
|
![]() |
[an error occurred while processing this directive]
In each of the eight counter arrays, there is a unique counter having the value 3. The positions of these counters determine the key bits in J1, . . . , J8. These positions are (respectively): 47, 5, 19, 0, 24, 7, 7, 49. Converting these integers to binary, we obtain J1, . . . , J8:
We can now construct 48 bits of the key, by looking at the key schedule for round 3. It follows that K has the form
where parity bits are omitted and ? denotes an unknown key bit. The complete key (in hexadecimal, including parity bits), is: 1A624C89520DEC46. 3.6.2 An Attack on a 6-round DESWe now describe an extension of these ideas to a probabilistic attack on a 6-round DES. The idea is to carefully choose a pair of plaintexts with a specified x-or, and then to determine the probabilities of a specified sequence of x-ors through the rounds of encryption. We need to define an important concept now. DEFINITION 3.5 Let n ≥ 1 be an integer. An n-round characteristic is a list of the form which satisfies the following properties:
The probability of the characteristic is defined to be the product p = p1 × . . . × pn. REMARK Suppose we choose L0, R0 and We also need to recognize that the probabilities pi in a characteristic are defined with respect to an arbitrary (but fixed) pair of plaintexts having a specified x-or, where the 48 key bits for one round of DES encryption vary over all 248 possibilities. However, a cryptanalyst is attempting to determine a fixed (but unknown) key. He is going to choose plaintexts at random (such that they have specified x-ors), hoping that the probabilities that the x-ors during the n rounds of encryption agree with the x-ors specified in the characteristic are fairly close to p1, . . . pn, respectively. As a simple example, we present in Figure 3.10 a 1-round characteristic which was the basis of the attack on the 3-round DES (as before, we use hexadecimal representations). We depict another 1-round characteristic in Figure 3.11. Lets look at the characteristic in Figure 3.11 in more detail. When f (R0, K1) and
So the input x-or to S1 is 001100 and the input x-ors for the other seven S-boxes are all 000000. The output x-ors for S2 through S8 will all be 0000. The output x-or for S1 will be 1110 with probability 14/64 (since it can be computed that N1 (001100, 1110) = 14). So we obtain with probability 14/64. Applying P, we get which in hexadecimal is 0080820016. When this is x-ored with The attack on the 6-round DES is based on the 3-round characteristic given in Figure 3.12. In the 6-round attack, we will start with
Copyright © CRC Press LLC
![]() |
![]() |
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() |
![]() |
![]() |