A New Class Of Weak Keys for Blowfish Orhun KARA and Cevat MANAP T - - PowerPoint PPT Presentation

A New Class Of Weak Keys for Blowfish

Orhun KARA and Cevat MANAP T¨ UB˙ ITAK - UEKAE (National Research Institute of Electronics and Cryptology)

1

Redefining Blowfish

Key XORs in Blowfish can be moved around to generate two building blocks K2 and U2.

F F Pi1 Pi2 Pi3 Pi4 x′ y′ x′ y′ F F x x y y K2 U2

U2 is an involution and has 232 fixed points of the form (x, F(x) ⊕ x). K−1

2

is same as K2 with a different ordering of the subkeys.

2

F F F F F U2 F F F F F F F F F F F P17 P17 P2 K2 K2 K2 U2 U2 F F F F F Standard Description Type II Type III P14 P15 P16 P18 P18 P16 P14 P15 P13 P18 P17 K2 F F P15 P16 P14 P4 P3 P2 P1 P1 P3 P2 P4 P1 P4 P3 P5

Weak Keys

Type III definition can be summarised as: plaintext → initW → F → S → K2 → S → U2 → S → K2 → S → U2 → S → K2 → S → U2 → S → K2 → S → F → finalW → ciphertext

4

Weak Keys

Type III definition can be summarised as: plaintext → initW → F → S → K2 → S → U2 → S → K2 → S

X0

→ U2

X0

→ S → K2 → S → U2 → S → K2 → S → F → finalW → ciphertext X0 is a fixed point of U2.

5

Weak Keys

Type III definition can be summarised as: plaintext → initW → F → S → K2 → S → U2 → S

X2

→ K2

X1

→ S

X0

→ U2

X0

→ S

X1

→ K2

X2

→ S → U2 → S → K2 → S → F → finalW → ciphertext X0 is a fixed point of U2. Conditions on subkeys used in K2.

6

Weak Keys

Type III definition can be summarised as: plaintext → initW

X8

→ F

X7

→ S

X6

→ K2

X5

→ S

X4

→ U2

X3

→ S

X2

→ K2

X1

→ S

X0

→ U2

X0

→ S

X1

→ K2

X2

→ S

X3

→ U2

X4

→ S

X5

→ K2

X6

→ S

X7

→ F

X8

→ finalW → ciphertext X0 is a fixed point of U2. Conditions on subkeys used in K2. Definition: A key is called weak if the encryption function has 232 fixed points in the middle step.

7

Detecting Weak Keys

• Fixed points occur with probability 232

264 = 2−32.

• For a fixed point

plaintext ⊕ initW = X8 = ciphertext ⊕ finalW initW ⊕ finalW = plaintext ⊕ ciphertext

• For 234 known plaintexts, calculate plaintext ⊕ ciphertext.

– on average 4 fixed points occur, giving initW ⊕ finalW. – random 64 bit values for non-fixed points. Detect weak keys by looking at “plaintext⊕ciphertext.”

8

First Attack

• Detecting a weak key gives P1 ⊕ P18 and P2 ⊕ P17 for free.
• Conditions on subkeys of K2 dictate P3 = P16, P4 = P15,

P5 = P14, P6 = P13, P7 = P12,P8 = P11 and P9 = P10. (Hence, expected number of weak keys : 2k−7∗32 = 2k−224)

• 9 equations in 18 variables.
• Guess 9 variables, determine remaining 9 variables. 29∗32 = 2288

guesses total.

• Check if a guess is valid by 9 encryptions. 9 ∗ 2288 encryptions

≈ 2282.1 exhaustive search steps. (1 Exhaustive search step is 512+9 encryptions.)

9

Second Attack

• Exhaustively search and store all weak keys, sorting them w.r.t.

(P1 ⊕ P18,P2 ⊕ P17).

• Pre-computation costs ≈ 2k−7 exhaustive search steps.
• Weak keys occupy 2k−224 spaces in memory.
• Online phase costs 2

k−224 64

exhaustive search steps.

10

Attacks On Weak Keys

For some attack working on weak keys,

• W workload of identification, w total number of weak keys.
• Given a set of 2k

w keys, expect one weak key on average,

• Run identification on the set, with complexity W 2k

w .

• Successful attack requires W 2k

w < 2k,i.e. W < w. 11

Thanks.

12