1995-09-16 - Picking the Crypto Locks

Header Data

From: nobody@REPLAY.COM (Anonymous)
To: cypherpunks@toad.com
Message Hash: 1c620e3abb70657ea3dec709e182f82089c47d85e22258bd47c10220f42efe0a
Message ID: <199509160107.DAA03893@utopia.hacktic.nl>
Reply To: N/A
UTC Datetime: 1995-09-16 01:07:38 UTC
Raw Date: Fri, 15 Sep 95 18:07:38 PDT

Raw message

From: nobody@REPLAY.COM (Anonymous)
Date: Fri, 15 Sep 95 18:07:38 PDT
To: cypherpunks@toad.com
Subject: Picking the Crypto Locks
Message-ID: <199509160107.DAA03893@utopia.hacktic.nl>
MIME-Version: 1.0
Content-Type: text/plain



Byte, October, 1995, pp. 77, 80.


Picking the Crypto Locks

A new technique called differential cryptanalysis can
break even DES quickly

By Peter Wayner


How secure is your encrypted data? Advances in
mathematics and increased computing power mean you need
longer keys and stronger algorithms if you still want to
keep your secrets. Both private-key encryption (which
uses a single key for coding and decoding) and public-key
systems (which use separate keys for encryption and
decryption) are increasingly vulnerable to determined
attack. But do these weaknesses represent a real threat
to encrypted data, or are they still just intriguing
research results?

Unfortunately, when we try to assess the effectiveness of
today's popular cryptographic systems, we run into a
problem of mathematical ignorance. Most people who are
familiar with mathematics can work in two directions,
forward and backward, like the simple algebraic equation
a = b + 1. We can determine the value of the first
variable from that of the second and vice versa. Crypto
systems, however, generally rely on mathematics that
works only in one direction. People assume these systems
are secure because no one has yet shown how to work the
mathematics backward and break open the message. In
general, we determine the strength of most cryptographic
systems by seeing how well they avoid the attacks we know
have been used on other systems. If none of the past
attacks seems to work, then we deem a system secure. For
now.

Let's look at how today's codebreakers work, the
resources and time they need, and what we require in the
way of new systems and longer keys. Recent assessments of
the strength of private-key crypto systems involve
looking for theoretical holes and measuring the time
needed for a brute-force attack. Finding the holes can be
devilishly hard, calling for deep mathematical insights.
Brute-force attacks are easier to mount if enough
computational hardware is available, but they're also
easy to defend against.

The most important development in the realm of data
encryption in recent years is Eli Biham and Adi Shamir's
differential cryptanalysis. They showed how to mount a
limited attack on today's most widely used cryptosystem,
DES (the federal Data Encryption Standard), which is also
the basis for Unix's password system.

Imagine that you had access to your victim's DES cipher
"box" (the common term for an enciphering system) with
preloaded keys. Your goal is to determine the 56-bit key,
so that you can decrypt the other messages your victim
had encrypted with the box. Biham and Shamir showed that
you could infer the hidden key if you could pass 247
messages through the box and observe what came out. This
chosen plaintext attack builds up a statistical model of
the cipher, and it needs this many plaintexts to produce
an answer with confidence.

Most intriguing, this work exposed flaws in many DES
substitutes. Because the U.S. government classified the
details behind DES's design, many assumed that there
might be a trapdoor through which the government could
eavesdrop. To circumvent these potential trapdoors, some
folks designed their own variations of DES. Most of these
new ciphers, however, fall even faster to Biham and
Shamir's mathematical machinery. FEAL-4, a faster
replacement, for example, takes only four well-chosen
plaintexts.

_______________________________________________________

Strengths and Weakness of Crypto Algorithms
_______________________________________________________

Algorithm      Comment      Strengths     Weaknesses
_______________________________________________________

DES            Standard,    Long-tested   Has yielded
               Widely                     to DC
               Accepted
_______________________________________________________

FEAL-4         DES                        Easily broken
               substitute                 by DC
_______________________________________________________

GDES,          DES-like                   Easily broken
New DES                                   by DC
_______________________________________________________

Khufu          DES-like     Secure        New, unknown
                                          against DC
_______________________________________________________

Blowfish       DES-like     Secure        New, unknown
                                          against DC
_______________________________________________________

RC-4           Proprietary  Variable-     Unknown
                            length key
_______________________________________________________

RSA            Widely used  Long-tested   Vulnerable to
Public Key                                advances in
                                          factoring  
_______________________________________________________

Skipjack       Classified   Considered    Algorithm must
                            strong        remain secret
                                          to preserve
                                          law-enforcement
                                          trapdoor
_______________________________________________________

DC = differential cryptanalysis
_______________________________________________________


Recently, the IBM scientists who originally designed DES
revealed that they anticipated Biham and Shamir's attack
and optimized DES to resist it. Because other
nongovernment cryptographers didn't know about this
attack, they couldn't design their software to resist it.
Now the information is public, and there are new ciphers
that hold up well against these attacks. Ralph Merkle's
Khufu and Bruce Schneier's Blowfish are two private-key
ciphers that are similar to DES but resist differential
cryptography. They do this by creating new S-boxes for
each encryption, using the key to randomize them.
(S-boxes are the essential scrambling elements of
DES-like ciphers. Think of them as lookup tables or
nonlinear functions; their outputs should be as random as
possible.) Differential cryptanalysis works only if the
attacker knows what's in the S-boxes.

This work also revealed some stunning counterintuitive
results. Key length is usually taken as a rough measure
of a system's security. DES uses 56-bit keys; a
brute-force attacker might need to try all 2^56 keys to
find the right one. A longer key would mean a longer
brute-force attack. However, Biham and Shamir showed that
even if DES used longer keys, it would hardly be any
stronger against differential cryptanalysis. The
statistical model would still be solvable if DES used the
maximum of 768 bits.

Applying this knowledge to other types of ciphers is
tricky. RSA Data Security markets a proprietary algorithm
called RC-4 that accepts a variable-length key; this
algorithm is used in many products. The flexible key
length can be an advantage in some situations. For
example, the government allows general export of software
using RC-4 with a 40-bit key, but similar software using
a longer key must stay within the U.S. While we don't
know if differential cryptanalysis can be applied to RC-4
directly, because of the algorithm's proprietary nature,
the results with DES suggest that more key is not
necessarily stronger.

Men and Machines

Mathematical tools like differential cryptanalysis can be
the most powerful attack against a cipher system.
Brute-force attacks are normally a last resort, rare in
practice because cipher designers routinely use long key
lengths specifically to preclude them. But times are
changing. We're reaching a point at which a large machine
can quickly search the entire keyspace of DES. DES is
still in wide use; it' s been the commercial and
governmental standard for nearly two decades. Replacing
such standards can be a painfully slow process.

DES users should be thinking about what can be done with
off-the-shelf hardware.

Brute-force attacks simply use large machines that try
all possible passwords in parallel. It's even possible to
produce native chips that run DES. Michael Wiener of Bell
Northern Research described how to build a $1 million
machine using a pipelined DES processor that could cruise
through all possible keys in about 7 hours.

Massively parallel machines can also attack the problem.
Some of the most promismg emergmg machines distribute
small, 1-bit processors directly onto the memory chips.
Some have 1024 processors on a chip with 42 bits of
memory per processor. (Before it entered Chapter 11, Cray
Computer was building for the National Security Agency a
special Cray 3 with such processor-embedded memory.) In
1992 I designed a machine using 1 million associative
processor memory chips (standard DRAM densihes) from
Coherent Research (Syracuse, NY) that could attack all of
DES in one day. This machine could be reprogrammed to
attack other DES-like ciphers. Linden Technology (Austin,
TX) is currently exploring manufacturing new 4-Mb DRAMs
with the 1024 associative processors built onto the chip.

The effect of brute-force attacks on DES is also
important for Unix security, which stores each password
after passing it through DES 25 times. At log-in, you
type your password; it's encrypted 25 times and the
result compared against the password file. If it matches,
the system grants you access. Because the password file
doesn't contain the passwords themselves, unauthorized
users can't use the file to recover them directly. They
must use a brute-force machine. However, the brute-force
attack can be relatively successful against Unix, because
the keyspace is smaller. Most users limit their passwords
to alphabetic characters, occasionally adding numbers.
This makes searching for passwords much faster; it could
be done quite quickly with an associative-memory parallel
processor. One estimate suggests that a computer using
512 of Linden's chips could test all six-character
alphanumeric passwords in 15 minutes. Clearly. the Unix
password structure needs to be rethought in light of
today's machines and code-breaking techniques.

Because of this new vulnerability, you may want to
explore other, newer ciphers. such as Merkle's Khufu or
Schneier's Blowfish. The classified Skipjack algorithm
buried inside the U.S. government's Clipper and Capstone
encryption chips also uses S-boxes, but little is known
about their design. There's little reliable public
information about RSA Data Security's RC-4. Anyone who
uses these algorithms must be prepared to trust the wits
of the designers, because the algorithms have not
undergone the intensely thorough and long-time public
scrutiny given to DES.

Many organizations have opted to continue with DES, but
the current state of the art is triple-DES -- three
passes of the algorithm with either 112- or 168-bit keys.
This effectively guards against both brute-force and
differential analysis attacks. These users can rest
assured that, paradoxically, all the attacks focused on
DES continues to keep it strong.

-----

Peter Wayner is a BYTE consulting editor living in
Baltimore, MD. You can reach him on the Internet at
pcw@access.digex.net, on BIX as pwayner@bix.com, or on
the World Wide Web at http://access.digex.net/~pcw/
pcwpage.html.

-----


Byte, October, 1995, p. 78.


Factoring in Public-Key's Future

Long thought nearly unbreakable, public-key cryptogratphy
is yielding to attack. The secret of security here is key
length.

By Bruce Schneier


Factoring large numbers is hard but not as hard as it
used to be. This has grave implications for the
effectiveness of public key cryptocraphy, which relies on
the difficulty of factoring long keys for its security.
But how long is long enough'?

In 1976, Richard Guy wrote: "I shall be surprised if
anyone regularly factors numbers of size 10^80 without
special form during the present century." In 1977, Ron
Rivest said that factoring a 125-digit number would take
40 quadrillion years. In 1994, a 129-digit number was
factored. The lesson here is that making predictions is
foolish.

Today, 512-bit keys are common. Factoring them, thus
destroying their security, is well within the range of
possibility for today's computing resources. A weekend-
long worm on the Internet could do it.

Computing power is measured in MIPS-years: a
million-instructions-per-second computer running for one
year, or about 3 x 10^13 instructions. A 100-MHz Pentium
is about a 50-MIPS machine; a 1600-node Intel Paragon is
about 50,000 MIPS.

In 1983, a Cray X-MP supercomputer factored a 71-digit
number in 0.1 MIPS-years, using 9.5 CPU hours. That's
expensive. Factoring the 129-digit number in 1994
required 5000 MlPS-years and used the idle time on 1600
computers around the world over an eight-month period.
Although it took longer, it was essentially free.

Those two computations used what's called the *quadratic
sieve*, but a newer, more powerful algorithm has arrived.
The *general number filed sieve* is faster than the
quadratic sieve for numbers well below 116 digits and can
factor a 512-bit number over 10 times faster -- it would
take less than a year to run on  an 1800-node Intel
Paragon.

And the process gets still faster. Mathematicians keep
coming up with new tricks, new optimizations, and new
techniques. A related algorithm, the special number field
sieve, can already factor numbers of a specialized form
(not generally used for cryptography) much faster. So we
can probably optimize the general number field sieve to
run that fast. For all we know, the National Security
Agency is already doing it.

The figure "MIPS Years Needed to Factor" gives the number
of MlPS-years required to factor "special" and "general"
numbers of different lengths.

How Big Is Big Enough?

The wise cryptographer is ultraconservative when choosing
key lengths for a public-key system. You must consider
the intended security, the key's expected lifetime, and
the current state of the factoring art. Now you need a
1024-bit number to get the same security you got from a
512-bit number in the early 1980s. If you want your keys
to remain secure for 20 years, 1024 bits is probably too
short.

Consider these assumptions from the mathematicians who
factored RSA-129: We believe we could acquire 100,000
machines without superhuman or unethical efforts and
without an Internet womm or virus. Many organizations
have several thousand machines on the Net. Using their
facilities would require diplomacy but should not be
impossible. Assuming an average power of 5 MIPS and one
year elapsed time, we could reasonably embark on a
project that would require half a million MIPS-years. The
project to factor the 129-digit number harnessed an
estimated 0.03 percent of the Internet's total computing
power. A well-publicized project might be able to harness
2 percent of the world's computing power for a year.

My recommendations for public-key lengths are given in
the figure "Recommended Public-Key Key Lengths" according
to how long you require the key to be secure. There are
three key lengths given for each period -- one secure
against an individual cryptanalyst who can get his hands
on 10,000 MlPS-years, one against a major corporation
that could harness 10^7 MIPS-years, and the third secure
against a major govemment and 10^9 MIPS-years. These
figures assume that computing power will increase by a
factor of 10 every five years and that mathematical
advances will let us factor numbers at the speeds of the
special number field sieve.

Not everyone will agree with these final recommendations.
The National Institute of Standards and Technology has
mandated 512- to 1024-bit keys for its Digital Signature
Standard. PGP has a maximum RSA key length of 1280 bits.
Aljen Lenstra, the world's most successful factorer,
refuses to predict beyond 10 years. There's always the
possibility that an advance in factoring will surprise me
as well, though I tried to factor everything into my
calculations. But why trust me? I just proved my own
foolishness by making predictions.

_______________________________________________________

MIPS Years Needed to Factor
_______________________________________________________

Ascending Line of General Number Field Sieve

Ascending Line Special Number Field Sieve

Y-axis: MIPS-years
10^0, 10^3, 10^6, 10^9, 10^12, 10^15, 10^18, 10^21

X-axis: Bits
512, 768, 1024, 1280, 1536, 2048
_______________________________________________________


_______________________________________________________

Recommended Public-Key Key Lengths
_______________________________________________________

Ascending bars for: Individual, Company, Government

Y-axis: Bits 0, 500, 1000, 1500, 2000, 2500

X-axis: Year 1995  2000  2005  2010  2015
_______________________________________________________

-----

Bruce Schneier is the author of Applied Cryptography
(John Wiley), the second edition of which is due out in
December. He can be reached on the Internet as
schneier@winternet.com, or on BIX c/o editors@bix.com.

-----













Thread