From: newbie on 9 Jul 2010 13:01

Hello,

I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis against DES. They qualify this as a kind of ciphertext-only attack (2nd paragraph).

One point of the attack that is not clear to me is the following: at some point (last par. of p. 13), the attacker has to guess the 6 bits secret key entering the first SBox and then "compute the Hamming weight of that S-Box's output". This last task, however, would seem to require knowledge of the first 6 bits of *plaintext* on the part of the attacker. If this is true, I do not understand in what sense this attack can be classified as ciphertext-only.

Any clarification on this point would be greatly appreciated.

Best,
MB

From: Tom St Denis on 9 Jul 2010 13:33

On Jul 9, 1:01 pm, newbie <mbore...(a)gmail.com> wrote:
> Hello,
>
> I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and
> C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis
> against DES. They qualify this as a kind of ciphertext-only attack
> (2nd paragraph).
>
> One point of the attack that is not clear to me is the following: at
> some point (last par. of p. 13), the attacker has to guess the 6 bits
> secret key entering the first SBox and then "compute the Hamming
> weight of that S-Box's output". This last task, however, would seem to
> require knowledge of the first 6 bits of *plaintext* on the part of the
> attacker. If this is true, I do not understand in what sense this
> attack can be classified as ciphertext-only.
>
> Any clarification on this point would be greatly appreciated.

If you guess 6 bits of key then since the key is just XOR'ed against the ciphertext inside the round function you know the plaintext.

Tom

From: newbie on 9 Jul 2010 17:20

On 9 Jul, 19:33, Tom St Denis <t...(a)iahu.ca> wrote:
> On Jul 9, 1:01 pm, newbie <mbore...(a)gmail.com> wrote:
>
> > Hello,
> >
> > I'm referring to a 2000 paper by J. Kelsey, B. Schneier, D. Wagner and
> > C. Hall. In Section 6 they work out a Hamming-weight cryptanalysis
> > against DES. They qualify this as a kind of ciphertext-only attack
> > (2nd paragraph).
> >
> > One point of the attack that is not clear to me is the following: at
> > some point (last par. of p. 13), the attacker has to guess the 6 bits
> > secret key entering the first SBox and then "compute the Hamming
> > weight of that S-Box's output". This last task, however, would seem to
> > require knowledge of the first 6 bits of *plaintext* on the part of the
> > attacker. If this is true, I do not understand in what sense this
> > attack can be classified as ciphertext-only.
> >
> > Any clarification on this point would be greatly appreciated.
>
> If you guess 6 bits of key then since the key is just XOR'ed against
> the ciphertext inside the round function you know the plaintext.
>
> Tom

That would be true if you were given access to that "ciphertext" -- the 6 bits coming from the right half of the output of the last previous round. But this is not implied by the model: all the attacker can see is the Hamming weight of the F-function's output in the last round (disturbed by some noise). So my doubt still stands.

MB
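
Added example, not part of the thread or of the paper: a Python sketch of the step both posters discuss, predicting the Hamming weight of DES S-box 1's output from a 6-bit key guess. The `data6` argument (the six expanded data bits entering the S-box), the function names and the noise-free observations are assumptions of this sketch; whether the attacker has those data bits is the point the thread disputes.

```python
# DES S-box 1 (standard table). The outer two input bits select the row,
# the middle four bits select the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x6):
    """Apply S-box 1 to a 6-bit input."""
    row = ((x6 >> 4) & 2) | (x6 & 1)   # first and last bit
    col = (x6 >> 1) & 0xF              # middle four bits
    return S1[row][col]


def predicted_hw(data6, key6):
    """Hamming weight of S1(data XOR key guess)."""
    return bin(sbox1(data6 ^ key6)).count("1")


def hw_values_for_guess(key6):
    """All weights a single key guess can predict as the data bits vary."""
    return {predicted_hw(d, key6) for d in range(64)}


def consistent_keys(observations):
    """Key guesses matching every (data6, observed_hw) pair (noise-free)."""
    return [k for k in range(64)
            if all(predicted_hw(d, k) == hw for d, hw in observations)]


if __name__ == "__main__":
    # A key guess alone does not fix the prediction: it still ranges
    # over every weight from 0 to 4 depending on the data bits.
    print(sorted(hw_values_for_guess(0x2B)))

    # Constructed sample: secret subkey chunk 0x2B, data bits assumed known.
    secret = 0x2B
    one = [(0, predicted_hw(0, secret))]
    many = [(d, predicted_hw(d, secret)) for d in range(64)]
    print(len(consistent_keys(one)), len(consistent_keys(many)))
```

With the data bits fixed, one noise-free observation still leaves many key guesses standing; without the data bits, `hw_values_for_guess` shows that a guess predicts no single weight to compare against.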