Cryptanalysis

Software/analytical:

Title: Differential Power Analysis

Description:

Differential power cryptanalysis has been invented in 1998 by a group of researchers from Cryptography Research, Inc., led by an inventor of timing cryptanalysis Paul Kocher. As of today, these attacks are successful against majority of cryptographic tokens available on the market, including all types of smart cards, PCMCIA cards and cryptographic buttons, and no effective countermeasure has been developed, yet. The only effective defense is the physical protection, as the attack requires an access to a cryptographic token with secret parameters, such as a cryptographic key, stored on. No tamper-resistant covers seem to prevent analysis. The attack is based on sampling the power consumption of the device for a series of cryptographic transformations involving hundreds to thousands of random ciphertexts, and then performing a statistical analysis, leading to a full recovery of the key. Reconstructing the full secret or private key takes no more than several minutes, and requires  only standard readily-available measurement equipment worth a few hundred to a few thousand dollars. Your task would be to fully understand the attack, show how it can be applied to symmetric ciphers such as triple DES, IDEA, and RC5, and to analyze possible countermeasures.

Literature:

1. Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Introduction to Differential Power Analysis and Related Attacks,” available on the web at http://www.cryptography.com/dpa/technical/index.html
2. Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Cryptography Research Q&A on Differential Power Analysis,” available on the web at http://www.cryptography.com/dpa/qa/index.html

Project CS-1

Description:

Bruce Schneier in his book "Applied cryptography" states that if a software security program proclaims that it has a "proprietary" encryption algorithm - significantly faster than DES - the odds are that it is some variant of Vigenere polyalphabetic cipher. Cryptanalysis of the Vigenere cipher is believed to take only few seconds with a computer. The algorithm for breaking the cipher is based on so called "index of coincidence," and is very well described in the literature. Your task is to implement this algorithm, test it, and then try to apply your program to files encrypted using Word Perfect, Lotus 1-2-3, etc. Additional task would be to create an updated list of applications such as Word Perfect, etc. that still use a "proprietary" algorithm based on Vigenere cipher (see the catalog of Access Data [2] for a couple of likely candidates).

Literature:

1. B. Schneier, "Applied cryptography," chapter 1.4, pp. 13-15.
2. Access Data, catalog of products; to order call (800) 658-5199 or (801) 224-6970, fax (801) 224-6009, or write Access Data 560 So. State St. Ste. J1, Orem, Utah 84058.
3. D. R. Stinson, "Cryptography - Theory and Practice," chapter 1.2.3, pp. 31-36.
4. A. Sinkov, "Elementary cryptanalysis," Mathematical Association of America, 1966.
5. H. A. Bergen and W. J. Caelli, "File Security in Word Perfect 5.0," Cryptologia, vol. XV, no. 1, pp. 57-66.

Project CS-2

Description:

In December 1995, Paul C. Kocher, a 22-year old independent cryptography consultant from Stanford, CA, released a draft version of his paper warning vendors and users of two most widespread public key cryptoalgorithms, RSA and DSS, about the attack he devised. The attack works under the condition that the intruder can measure the amount of time used to complete cryptographic operations. Extra computations necessary to mount the attack take time proportional to the number of bits of the operands, leading to a full recovery of a secret (private) key in less then one hour for practical operand lengths. Paul is working on a complete implementation of his idea, but he already presented his preliminary results at the RSA Data Security and CRYPTO conferences in 1996. His attack got the recognition of the most respected cryptographers, including the authors of the RSA cryptosystem. The countermeasure eliminating the threat of this attack is currently being added to software products sold by RSA Data Security Inc., it is however not obvious how to protect all implementations of the RSA and DSS against timing attacks. Your task is to implement the attack for a selected implementation of the RSA available in a public domain (RSAREF library, PGP, or PEM) on the basis of Kocher's preliminary papers. Additional tasks could be to analyze possible countermeasures, and find the dependence between the difficulty of the attack and the algorithm for modular multiplication used in the implementation of the cryptoalgorithm.

Literature:

1. Paul C. Kocher, "Cryptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems Using Timing Attacks," extended abstract, December 1995.
2. J. Markoff, "Secure digital transactions just got a little less secure," New York Times, December 11, 1995.
3. B. Kaliski, "Timing Attacks on Cryptosystems," RSA Laboratories' Bulletin, no 2, January 23, 1996.
4. Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems," Proc. CRYPTO'96, pp. 104-113.
5. RSAREF library, available via ftp from ftp://ftp.rsa.com.

e-mail: pck@cryptography.com

address: P.O. Box 8243, Stanford, CA, 94309, USA

Prerequisites: C in UNIX environment, basics of probability theory
 

Project CS-3

Description:

Security of the RSA cryptosystem is based on the difficulty of finding prime factors of large numbers. Therefore, RSA Data Security, Inc., which holds a patent for RSA, organizes a Factoring Challenge. Fifty one integer numbers, in the range from 100 to 500 decimal digits, were generated by choosing two primes at random and multiplying them together, according to the rules used in the RSA cryptosystem. Prime factors were afterwards destroyed. Anybody, who is able to factor a smallest (!) unfactored number from the list, receives an award. If there are no successful attempts within a given quarter, the award accumulates. The largest number from the list factored so far had 130 decimal digits. Computations are performed simultaneously by many volunteers from all over the world who use spare time of their machines to complete initial, most time-consuming, phase of the algorithm. Obtained partial results are send over the Internet to one place, where the final result is calculated. Two fastest algorithms devised to date are: Quadratic Field Sieve (QFS) and Number Field Sieve (NFS). The latter is more efficient for numbers greater than 100 decimal digits, but its idea and implementation is more complicated. Your task is to get familiar with one of these algorithms and implement it. An additional task is to get familiar with public domain implementation of the program for factorization of large numbers, and associate different parts of its code with particular phases of the algorithm.

Literature:

Basic:

1. A. M. Odlyzko, "The Future of Integer Factorization," RSA Laboratories' CryptoBytes, vol. 1, no. 2, summer 1995, pp. 5-12.
2. Information about "RSA Factoring Challenge," obtained by sending e-mail to challenge-administrator@rsa.com.
3. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, "Handbook of Applied Cryptology," chapters 3.2.6-3.2.7, pp. 95-98.
4. D. M. Bressoud, "Factorization and Primality Testing," Springer-Verlag, 1989, chapter 8, pp. 102-119.
5. J. A. Davis, D. B. Holdridge, and G.J. Simmons, "Status Report on Factoring," Proc. CRYPTO'84, pp. 198-215.
6. C. Pomerance, "The number field sieve," Mathematics of Computation 1943-1993: A Half-Century of Computational Mathematics," Amer. Math. Soc., pp. 465-480.

1. A.K. Lenstra and M.S. Manasse, "Factoring by electronic mail," Proc. CRYPTO'89, pp. 355-371.
2. T. Denny, B. Dodson, A.K. Lenstra, M.S. Manasse, "On the factorization of RSA-120," Proc. CRYPTO'93, pp. 166-173.
3. D. Atkins, M. Graff, A.K. Lenstra, and P.C. Leyland, "The magic words are squeamish ossifrage," Proc. ASIACRYPT'94, pp. 263-277.
4. B. Dodson and A.K. Lenstra, "NFS with four large primes: An explosive experiment," Proc. CRYPTO'95, pp. 372-385.
5. A.K. Lenstra, H.W. Lenstra, Jr., "The Development of the Number Field Sieve," Springer-Verlag, 1993.

Hardware:

Project CH-1

Description:

RC5 is a new block cipher devised by Ron Rivest - one of the inventors of the RSA cryptosystem - as an alternative for the old American standard DES. The cipher has a variable key size, and a variable input/output block size. Variable key length permits RC5 to be exported abroad, but only under the condition that the key size is less or equal to 40 bits. Such a small key length, may make the cipher vulnerable to the exhaustive key search attack. Your task is to design at the logic level the RC-5 breaking machine, and to estimate the number of chips that are necessary to break a single key within one hour. You can follow the design and cost estimates for the DES breaking machine devised by Michael Wiener [5]. Basic operations of the RC5 are: XOR, rotation, and addition.

Literature:

1. B. Schneier, "Applied cryptography," chapter 14.8, pp. 344-346.
2. R. L. Rivest, "The RC5 Encryption Algorithm," RSA Laboratories' CryptoBytes, vol. 1, no. 1, spring 1995, pp. 9-11.
3. B. Kaliski and Y. L. Yin, "On the Security of the RC5 Encryption Algorithm," RSA Laboratories' CryptoBytes, vol. 1, no. 2, summer 1995, pp. 13-14.
4. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, "Handbook of Applied Cryptology," chapter 7.7.2, pp. 269-270.
5. M.J. Wiener, "Efficient DES Key Search," Technical Report TR-244, School of Computer Science, Carleton University, May 1994.