Re: Using a Magic Value in Place of Authentication
- From: Stefan Tillich <stefanti@xxxxxxxxxxxx>
- Date: Fri, 27 Mar 2009 08:47:41 +0100
Antony Clements schrieb:
"Stefan Tillich" <stefanti@xxxxxxxxxxxx> wrote in message news:49cbb7b1$0$12126$3b214f66@xxxxxxxxxxxxxxxxxxxxxxxYes. In fact that means that the two permutations E_k1 and E_k2 (i.e., the encryption functions for keys k1 and k2) share a single mapping from a specifc plaintext to a specific ciphertext.
You don't need a whole lot of resources to map a fixed 1 to 1 transformation, if you know that m is plain english, and that the user only uses "A" through "Z" in the key, then as you can see, it's not that hard as the key, in terms of "c = k xor m" will map to one thing and one thing only for each character in m.
When did we restrict the plaintext or key of an encryption method to plain English? I must have missed that. But ok.
I'm not quite sure what you mean by "fixed 1 to 1 transformation". My guess is that you mean the mapping (M, K) -> C, where M, K, and C and the message space, key space and ciphertext space, respectively.
So let's ignore things like efficient encoding key derivation, etc. and assume that elements of M and K can only consist of 26 characters which are encoded as bytes. For AES-128, that would mean we have 16 characters per plaintext block and key, giving 26^16 ~= 2^75 possibilities each. So we have 2^75 plaintext-ciphertext pairs for each of the 2^75 keys and still require 2^128 bits to store each pair. Our total required storage is now 2^278 ~= 10^83. This is only a thousand times the estimated number of atoms in the Universe, so we're getting closer :-)
However, there's still the problem of calculating the complete mapping (which I've neglected previously).
If you'd have such resources to map all key-dependent permutations of the encryption method to look for such "shared" plaintext-to-ciphertext mappings, then you would be able break the encryption anyway. However, modern block ciphers are dimensioned so that you cannot build up such mapping tables even if you could use every atom in the Universe to store a single bit of your tables. E.g., for AES-128, you have 2^128 mappings (one for each key) with 2^128 entries (one for each plaintext) and each entry has 2^128 bits (the resulting ciphertext), so we have 2^384 ~= 10^115; whereas we have an estimated measly 10^80 atoms in the Universe).
It does depend entirely on the method of encryption. Simple methods require much less resources, and the key can be easily retreivable.
I was presuming modern encryption systems which are deemed secure from our current point of view, not things - to put it blunt - like Ceasar cipher. My point is that you're trying to construct an attack on an encryption method when in fact you just know a bit of the plaintext and it's structure. Modern encryption systems however should be resistant against chosen-plaintext attacks which would cover all of your pretext.
Of course you could just test a single ciphertext over all possible keys and indeed determine after 2^128 encryptions (if you're lucky) that it can only be the result of a specific plaintext and key. Then you could sit tight and try to intercept that exact ciphertext (which you'd get after about 2^127 ~= 10^38 ciphertexts). At a million ciphertexts per second you'd intercept it after 10^32 seconds ~= 3 * 10^15 billion years. If the Universe will revert expansion and will someday collapse, it is probably before that time. If it expands infinitely it is likely that there isn't much energy left anymore to sustain life as we know it.
And if you find a way to handle the limitations of the Universe, we could still switch to AES-256 :-)
It's been shown recently that there are structures beyond what we consider the size of the universe to be, in essense, it's bigger than we thought, and by default there is more matter than we thought, so using the phrase "there isn't enough matter in the universe" needs to be rethought. But your point is taken.
It's nice what you can conjure up with just a couple of bits, isn't is :-)
Stefan
.
- Follow-Ups:
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Re: Using a Magic Value in Place of Authentication
- References:
- Using a Magic Value in Place of Authentication
- From: Jeffrey Walton
- Re: Using a Magic Value in Place of Authentication
- From: Ilmari Karonen
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Re: Using a Magic Value in Place of Authentication
- From: Stefan Tillich
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Re: Using a Magic Value in Place of Authentication
- From: Stefan Tillich
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Re: Using a Magic Value in Place of Authentication
- From: Stefan Tillich
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Re: Using a Magic Value in Place of Authentication
- From: Ilmari Karonen
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Re: Using a Magic Value in Place of Authentication
- From: Stefan Tillich
- Re: Using a Magic Value in Place of Authentication
- From: Antony Clements
- Using a Magic Value in Place of Authentication
- Prev by Date: Re: Audio scrambling?
- Next by Date: Re: RSA moduli sizes
- Previous by thread: Re: Using a Magic Value in Place of Authentication
- Next by thread: Re: Using a Magic Value in Place of Authentication
- Index(es):
Relevant Pages
|
