Life After DES: New Methods, New Attacks - Cryptology Unlocked

Cryptography Reference

In-Depth Information

(2b + 5)a = c mod 256

is solvable toward a for known b and c , because 2 b + 5 is relatively prime to

256 (see Section 4.5.3).

Byte b can accept 2 6

= 64 values at most. Knowing key stream byte K,a

results from b unambiguously. So, there are only 64 possible values for tmp

as well as for the 14 bits 2 ,..., 15 of key2 ! The 16 higher-order bits of key2

are undetermined for the time being; a total of 2 22 (approximately 4 million)

values can be considered for the 30 most significant bits (2 ,..., 31) of key2

with given K .

That's all we can get out of (d) and (e); the two least significant bits of key2

play no role in these equations. We can recover values of key2 that belong to

successive plaintext bytes from equation (c). The same applies to (a) and (b).

So we need several successive plaintext - ciphertext pairs, i.e., the values of K

in successive steps. Now things get far more complicated.

Equation (c) won't help us further in the form stated, since we can see in

(5) that the two least significant bits of key2 play an important role. But the

reversion of crc32() described in (6) shows us how to proceed: we represent

key2 i (the value of key2 for the i th step) as a function of key2 i + 1 by means of

(c) and (6), and compare the right and left sides bitwise: if key2 i + 1 is known,

then bits 10 ,..., 31 are given on the right-hand side, and the left-hand side

can accept only 64 (2 6 ) values in the 14 bits 2 ,..., 15 of key2 i anyway. Since

the right and left sides have to coincide in the six bits, 10 ,..., 15, the 14 bits

2 ,..., 15 of key2 i are given 'unambiguously on average'. Under this prerequi-

site, we can continue comparing the right and left sides to gradually determine

all 30 bits of key2 i and eventually all bits of key2 i + 1 . What remains are 2 22

possible values for the entire sequence, key2 i + 1 , key2 i ,..., key2 1 . This is a

clever attack in my opinion.

However, we haven't reached our goal yet; we don't know the values of key1

and key0 . We can use the values for key2 and the crc32 reversion (6) to

compute the most significant bytes of key1 in successive steps. This would

yield us 2 24 (approximately 16 million) values for bytes 0, ... ,23 of key1 .We

can now easily reverse equation (b):

key1 i − 1 + LSB(key0 i ) = (key1 i − 1) * 134775813 − 1

mod 2 32

Search WWH ::

Custom Search

Home