0

I am performing an operation where a function F(k,x) takes two 64-bit values and returns the product of their decimal numbers. For example:

F(123,231) = 123 x 231 = 28413

The number is then converted into binary and the least significant bits are extracted. i.e. if 28413 = 0110111011111101 then we take 11111101, which is 253 in decimal.

This function is part of a Feistel network in security. When performing a type of attack (chosen plaintext) we get to the point where we have 253 and 231, but need to figure out 123.

Is there any way that is possible?

Nathaniel Ford
elgreco007
  • Your explanation is clear until you get to the Feistel part. What do you mean you need to 'figure out' `123`? Are you looking for inputs into your function? Do you need to modify your function? (In this case please provide what you have.) Be clear about what the specific problem is. – Nathaniel Ford Dec 16 '15 at 18:17
  • @NathanielFord 123 is a key in the function F, which is unknown. The attacker inputs 231 and gets back 253. He also knows how F operates i.e. the input 231 is multiplied with the key and the LSBs are taken from that. Can he deduce the key? Thank you – elgreco007 Dec 20 '15 at 15:19

2 Answers

0

Your function is doing F(k,x) = k*x mod 256.

Your question is given F(k,x) and x, can you find k?

When x is odd, there are 2^56 solutions, all of which have k = x^-1 * F(k,x) mod 256. That is, you compute the inverse of x mod 256, and each possible solution is derived by adding a multiple of 256 to the product of F(k,x) with that value.

When x is even, you can't compute the inverse, but you can still determine the solutions using a similar trick. You need to first compute the number of twos (2s) that divide x, say it is t twos, and then divide out 2^t from x and 256, then solve the problem from there. i.e. k = (x/2^t)^-1 * F(k,x) mod (256/2^t).

Generally using multiplies in cipher designs is dangerous, especially due to chosen plaintext attacks, because an attacker can make things disappear to simplify his attack. You can find examples of breaking ciphers like that on my blog (see attacks on chaotic hash function and multiprime).

TheGreatContini
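The congruence solve described in this answer, as an added example that is not part of the original answer: it recovers every key residue consistent with one known input/output pair of F(k,x) = k*x mod 256, handling odd x, even x, and the no-solution case. The function names and the 64-bit sample key are constructed for illustration; in the even case the code divides the observed output by 2^t along with x and the modulus.

```python
# Added example (not from the original answer). Requires Python 3.8+ for pow(a, -1, m).

def F(k, x, bits=8):
    """Round function from the question: low `bits` bits of k*x."""
    return (k * x) & ((1 << bits) - 1)

def recover_key_residue(x, y, bits=8):
    """Solve k*x = y (mod 2**bits) for k.

    Returns (k0, m): every key with k = k0 (mod m) reproduces y.
    Returns None when no key can map x to y.
    """
    mod = 1 << bits
    x %= mod
    y %= mod
    if x == 0:
        # x contributes nothing: any key works if y is 0, none otherwise.
        return (0, 1) if y == 0 else None
    t = (x & -x).bit_length() - 1      # number of twos dividing x
    if y % (1 << t):
        return None                    # y must carry the same factor 2**t
    m = mod >> t                       # reduced modulus 2**(bits - t)
    k0 = (pow(x >> t, -1, m) * (y >> t)) % m
    return k0, m

def consistent_keys(m, key_bits=64):
    """How many key_bits-wide keys fall in one residue class mod m."""
    return (1 << key_bits) // m

if __name__ == "__main__":
    # Values from the question: key 123, input 231, observed output 253.
    print(recover_key_residue(231, 253))           # odd input: key mod 256
    # Constructed 64-bit key; an even input reveals fewer key bits.
    key = 0x0123456789ABCDEF
    for x in (231, 12, 64):
        k0, m = recover_key_residue(x, F(key, x))
        print(f"x={x}: key = {k0} (mod {m}), "
              f"{consistent_keys(m)} candidate keys remain")
```

An odd chosen input pins down all 8 low key bits in one query, which is why the 2^56 remaining candidates differ only in bits the truncated output never depends on.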
-1

No.

By dropping the most significant bits, the operation is rendered mono-directional. In order to recover the 123 you would have to brute-force the function with every possibility until the result was the value you want.

I.e. run F(x,231) for values of x until the result of F is 253.

That said, knowing one of the two inputs and the output makes it relatively easy to brute force. It would depend on the number of valid values for x (e.g. is it always a 3 digit number? Always prime? Always odd?)

There may be some other shortcuts, depending on the patterns that multiplying a number of 231 gets you, but any given value for that number will have different patterns. e.g. if it was 9 instead of 231, you would know that the sum of the digits always summed to 9.

  • Thank you that makes sense! Brute forcing might work as the key (and the known input and output) are 64 bits. So if brute forcing is an option, the cipher is probably quite vulnerable... thank you! – elgreco007 Dec 14 '15 at 20:27
  • That depends on how many bits. ;) 256 bits would exceed the lifetime of the universe with current computational power! 64 might be possible, I am unsure of where the boundaries between "a few hours/days" and "thousands of years" are off-hand. – Draco18s no longer trusts SE Dec 14 '15 at 20:30