22 March 2018, slide 1/38. AEAD modes based on polynomial hash functions: existing solutions, their cryptographic properties and possible modifications. Anastasia Kislyakova, Faculty of Computational Mathematics and Cybernetics (CMC), Lomonosov Moscow State University. RusCrypto 2018, 22 March 2018.
Slide 2/38. Contents: 1. Existing approaches; 2. Polynomial hash functions; 3. Attacks on GCM; 4. A polynomial hash function with modular multiplication.
Slide 3/38. Existing approaches. Classical solutions: two independent primitives and their implementations; two different keys; low speed. AEAD modes: authenticated encryption [ISO/IEC 19772:2009] is the transformation of data by a cryptographic algorithm to produce a ciphertext that cannot be undetectably altered by a third party.
Slide 4/38. Part 2: Polynomial hash functions.
Slide 5/38. Polynomial hash functions. General form: $f_H(x_1,\dots,x_m)=\sum_{i=0}^{m} x_i h_i$. The GHASH hash function: $\mathrm{GHASH}_H(x_1,\dots,x_m)=\bigoplus_{i=0}^{m} x_i H^{m-i}$. The hash function of STB 34.101.31-2011: $T_H(x_1,\dots,x_m)=\mathrm{const}\cdot H^{m}\oplus\bigoplus_{i=1}^{m} x_i H^{m+1-i}$. The hash function of the PD mode: $T_H(A_1,\dots,A_h,C_1,\dots,C_q)=\bigoplus_{i=1}^{h} H^{i}A_i\oplus\bigoplus_{j=1}^{q} H^{h+j}C_j\oplus H^{h+q+1}\,(|A|\,\|\,|C|)$.
Slide 6/38. Part 3: Attacks on GCM.
Slide 7/38. Known attacks on GCM: N. Ferguson, "Authentication Weaknesses in GCM"; M.-J. O. Saarinen, "Cycling Attacks on GCM, GHASH and other polynomial MACs and hashes"; C. Cid, G. Procter, "On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes"; J. Mattsson, M. Westerlund, "Authentication Key Recovery on GCM".
Slide 8/38. Attacks on GCM. N. Ferguson, "Authentication Weaknesses in GCM". In $\mathrm{GF}(2^{128})$ there exist matrices $M_c$ and $M_s$ over $\mathrm{GF}(2)$ such that $c\cdot x = M_c x$ and $x^2 = M_s x$ for all $x$. For a block substitution to succeed one needs $0=\bigoplus_{i=1}^{t}(C_{2^i}\oplus C'_{2^i})H^{2^i}=\bigoplus_{j=2^i} D_j H^{j}=\bigoplus_{j} M_{D_j}(M_s)^{j} H = A_D H$, where $A_D$ is a $128\times128$ matrix over $\mathrm{GF}(2)$, $M_s$ is a fixed value, and each entry of $M_D$ is a linear combination of the corresponding bits of $D_j$. Consequently, the coefficients $M_{D_j}(M_s)^{j}$ are linear combinations of the bits of $D_j$.
Slide 9/38. Attacks on GCM. M.-J. O. Saarinen, "Cycling Attacks on GCM, GHASH and other polynomial MACs and hashes". GCM works in a group of order $2^{128}-1 = 2^{2^7}-1$, and $2^{2^n}-1=\prod_{i=1}^{n}\left(2^{2^{i-1}}+1\right)$. Hence the full prime factorisation of the group order is available: $2^{128}-1 = 3\cdot5\cdot17\cdot257\cdot641\cdot65537\cdot274177\cdot6700417\cdot67280421310721$ (9 prime factors). Thus we find cycles of length $n = 1, 3, 5, 15, 17, 51, \dots$, the orders of the $2^9 = 512$ distinct multiplicative subgroups of the original group $\mathrm{GF}(2^{128})$.
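An added example, not from the slides, putting the formulas of slides 5, 8 and 9 into runnable form: GF(2^128) multiplication in GCM's bit-reflected convention, GHASH, a check that squaring is GF(2)-linear (the fact that Ferguson's matrices $M_c$, $M_s$ express), and the order of a key $H$ computed from the factorisation of $2^{128}-1$, which is how one tells whether $H$ falls into a small subgroup. All function names and the sample constant are my own.

```python
# Added example, not from the slides: GF(2^128) arithmetic in GCM's
# bit-reflected convention, the GHASH formula from the slides, and checks of
# the two algebraic facts the attack slides rely on. Names are my own.
R = 0xE1000000000000000000000000000000   # x^128 + x^7 + x^2 + x + 1, reflected
ONE = 1 << 127                            # the field element 1 in GCM bit order
# Prime factorisation of 2^128 - 1 = |GF(2^128)*| from the Saarinen slide.
PRIMES = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]

def gf128_mul(x, y):
    """Multiply two field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf128_pow(h, e):
    """Square-and-multiply exponentiation H^e."""
    acc = ONE
    while e:
        if e & 1:
            acc = gf128_mul(acc, h)
        h, e = gf128_mul(h, h), e >> 1
    return acc

def ghash(h, blocks):
    """Standard Horner form y_i = (y_{i-1} xor x_i) * H, i.e. sum x_i H^(m+1-i)."""
    y = 0
    for x in blocks:
        y = gf128_mul(y ^ x, h)
    return y

def squaring_is_linear(a, b):
    """Ferguson's premise: (a xor b)^2 == a^2 xor b^2, so x -> x^2 is a
    GF(2)-linear map (a fixed matrix M_s); the same holds for x -> c*x."""
    return gf128_mul(a ^ b, a ^ b) == gf128_mul(a, a) ^ gf128_mul(b, b)

def gf128_order(h):
    """Multiplicative order of a nonzero H, i.e. the period of its powers.
    Strip each prime p while H^(n/p) is still 1; what remains is ord(H).
    A small result means H lies in a small subgroup: a weak GHASH key."""
    n = (1 << 128) - 1
    for p in PRIMES:
        while n % p == 0 and gf128_pow(h, n // p) == ONE:
            n //= p
    return n

if __name__ == "__main__":
    h = 0x0123456789ABCDEF0123456789ABCDEF   # constructed sample key, not a secret
    print("ord(H) =", gf128_order(h))
```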
Slide 10/38. Part 4: A polynomial hash function with modular multiplication.
Slide 11/38. A polynomial hash function with modular multiplication: $\mathrm{Hash}_H(x_1,\dots,x_m)=\sum_{i=0}^{m} x_i\cdot H^{i}$, where the block-combining operation is one of $\{\oplus, +\}$ and $\cdot$ is integer multiplication modulo $2^{128}$. $\mathbb{Z}_{2^{128}}=\{0,\dots,2^{128}-1\}$ is the ring of residues modulo $2^{128}$; $\mathbb{Z}_{2^{n}}=\{0,\dots,2^{n}-1\}$ is the ring of residues modulo $2^{n}$. $(A+B)^2 = A^2+2AB+B^2 = A^2+B^2 \iff 2AB\equiv 0 \pmod{2^n}$.
Slide 12/38. Some definitions. The order of a group $G$ is the number of elements in the group, $|G|=n$. The order of an element $g$ of a group $G$ is the smallest number $k$ such that $g^k\equiv 1$ in $G$, written $\mathrm{ord}(g)=k$. The nilpotency index of an element $a$ of a ring $K$ is the smallest number $k$ such that $a^k\equiv 0\pmod{|K|}$. An element $a$ is called an invertible element of the ring $K$ if it has an inverse in $K$, i.e. $\exists\,b\in K$ such that $ab\equiv 1$ in $K$. The multiplicative group $K^*$ of a ring $K$ is the set of all invertible elements of the ring.
Slide 13/38. Structure of the ring $\mathbb{Z}_{2^n}$: $\mathbb{Z}_{2^n}=\mathbb{Z}_{2^n}^{*}\cup\mathbb{Z}_{2^n}^{\mathrm{even}}$. The ring $\mathbb{Z}_{2^n}$ contains elements of the following orders:
Order / nilpotency index of the element | Probability
$1$ | $2^{1-n}$
$2$ | $2^{2-n}$
$2^k$, $k\in\{2,\dots,\lfloor\log_2 n\rfloor\}$ | $(1+2^{-2})\,2^{k-n}$
$2^k$, $k\in\{\lfloor\log_2 n\rfloor+1,\dots,n-2\}$ | $2^{k-n}$
$m$, $m\in\{3,\dots,n\}$, $m\neq 2^{i}$ | $2^{m-2-n}$
Slide 14/38. Comparison with GCM.
Property | GCM | Hash function with modular multiplication
Number of distinct subgroups | 512 subgroups | 246 subgroups
Maximum order | $2^{128}$ | $2^{126}$
Number of elements of maximum order | $2^{126}+2^{123}+\dots$ elements | $2^{126}$ elements
Slide 15/38. Comparison with GCM. Weak keys of GCM.
Slide 16/38. Comparison with GCM. Weak keys of the hash function with modular multiplication.
Slide 17/38. Comparison with GCM. Weak keys: half of the keys of the hash function with modular multiplication are weak!
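An added example, not from the slides, for the modular-multiplication hash of slides 11 to 17: at a small $n$ the whole ring $\mathbb{Z}_{2^n}$ is enumerated to check the squaring identity, the order and nilpotency-index definitions, the count of elements of maximal order, and why the even half of the keys is weak. Function names, the choice $n=8$ and the sample blocks are my own.

```python
# Added example, not from the slides: the hash with integer multiplication
# modulo 2^n from the slides, at a small n where Z_{2^n} can be enumerated,
# to check the squaring identity, the unit/even split, element orders,
# nilpotency indices and the "half of the keys are weak" claim.
def hash_mod(h, blocks, n):
    """Hash_H(x_0..x_m) = sum_i x_i * H^i (mod 2^n), the '+' variant of the slide."""
    mod, acc, hp = 1 << n, 0, 1
    for x in blocks:
        acc, hp = (acc + x * hp) % mod, hp * h % mod
    return acc

def squaring_defect(a, b, n):
    """(A+B)^2 - (A^2+B^2) = 2AB mod 2^n: zero only when 2AB == 0 (mod 2^n),
    so squaring is not additive in Z_{2^n}, unlike in GF(2^128)."""
    return ((a + b) ** 2 - a * a - b * b) % (1 << n)

def order(u, n):
    """Multiplicative order of a unit (odd) u in Z_{2^n}."""
    mod, acc, k = 1 << n, u % (1 << n), 1
    while acc != 1:
        acc, k = acc * u % mod, k + 1
    return k

def nilpotency_index(a, n):
    """Smallest k with a^k == 0 (mod 2^n); defined for even a only."""
    assert a % 2 == 0
    mod, acc, k = 1 << n, a % (1 << n), 1
    while acc != 0:
        acc, k = acc * a % mod, k + 1
    return k

def ring_profile(n):
    """Units Z*_{2^n}, the largest unit order, how many units attain it, and
    the number of even (nilpotent) keys, which are the weak keys."""
    units = [u for u in range(1 << n) if u & 1]
    orders = [order(u, n) for u in units]
    top = max(orders)
    return {"units": len(units), "max_order": top,
            "elements_of_max_order": orders.count(top),
            "weak_keys": (1 << n) - len(units)}

def weak_key_ignores_tail(h, blocks, n):
    """For even H, H^i vanishes once i reaches the nilpotency index k, so
    blocks x_k, x_{k+1}, ... do not influence the hash at all: any change to
    them collides. Returns (k, True) if that is observed for these blocks."""
    if h % 2:
        return None, False             # odd keys are units: no such tail
    k = nilpotency_index(h, n)
    altered = blocks[:k] + [(x + 1) % (1 << n) for x in blocks[k:]]
    same = hash_mod(h, blocks, n) == hash_mod(h, altered, n)
    return k, same and len(blocks) > k
```

With $n=8$, ring_profile reports 128 units of which 64 have the maximal order $2^{n-2}=64$ and 128 weak (even) keys, the small-$n$ counterpart of the $2^{126}$ figures on slide 14.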
Slide 18/38. Thank you for your attention! Questions?
Slide 20/38. The GCM algorithm (Galois/Counter Mode). Authors: David A. McGrew, John Viega. Author of the NIST standard: Morris Dworkin. General form of the encryption algorithm: $E_K(P, A, IV) = C$. General form of the decryption algorithm: $D_K(C, A, IV) = P$ or FAIL. Parameter restrictions: $\mathrm{len}(K)=128$ bits; block length 128 bits; $\mathrm{len}(P)\le 2^{39}-256$ bits; $\mathrm{len}(A)\le 2^{64}-1$ bits; $1\le\mathrm{len}(IV)\le 2^{64}-1$ bits, recommended length $\mathrm{len}(IV)=96$ bits.
Slide 21/38. The GCM algorithm (Galois/Counter Mode). The universal hash function GHASH: $\mathrm{GHASH}_H(x)=\bigoplus_{i=0}^{m} x_i H^{m-i}$, where $H=\mathrm{CIPH}_K(0^{128})$ is the authentication key, $K$ is the encryption key and $x$ is the message being authenticated. The encryption function GCTR, $\mathrm{GCTR}_K(ICB, x) = Y$: 1. $CB_1 = ICB$; 2. $CB_i=\mathrm{inc}_{32}(CB_{i-1})$, $i=2,\dots,n$; 3. $Y_i = x_i\oplus\mathrm{CIPH}_K(CB_i)$, $i=1,\dots,n-1$; 4. $Y_n = x_n\oplus\mathrm{MSB}_{\mathrm{len}(x_n)}(\mathrm{CIPH}_K(CB_n))$; 5. $Y = Y_1\,\|\,Y_2\,\|\dots\|\,Y_n$.
Slide 22/38. The GCM algorithm (Galois/Counter Mode). Authenticated encryption GCM-AE, $\mathrm{GCM\text{-}AE}_K(IV, P, A) = (C, T)$: 1. $H=\mathrm{CIPH}_K(0^{128})$; 2. $J_0 = IV\,\|\,0^{31}\,\|\,1$ if $\mathrm{len}(IV)=96$, otherwise $s = 128\lceil\mathrm{len}(IV)/128\rceil-\mathrm{len}(IV)$ and $J_0=\mathrm{GHASH}_H(IV\,\|\,0^{s+64}\,\|\,[\mathrm{len}(IV)]_{64})$; 3. $C=\mathrm{GCTR}_K(\mathrm{inc}_{32}(J_0), P)$; 4. $u = 128\lceil\mathrm{len}(C)/128\rceil-\mathrm{len}(C)$, $v=128\lceil\mathrm{len}(A)/128\rceil-\mathrm{len}(A)$; 5. $S=\mathrm{GHASH}_H(A\,\|\,0^{v}\,\|\,C\,\|\,0^{u}\,\|\,[\mathrm{len}(A)]_{64}\,\|\,[\mathrm{len}(C)]_{64})$; 6. $T=\mathrm{MSB}_t(\mathrm{GCTR}_K(J_0, S))$.
Slide 23/38. The GCM algorithm (Galois/Counter Mode). Authenticated decryption GCM-AD, $\mathrm{GCM\text{-}AD}_K(IV, C, A, T) = P$ or FAIL: 1. If $\mathrm{len}(IV)$, $\mathrm{len}(A)$, $\mathrm{len}(C)$ do not satisfy the restrictions, or $\mathrm{len}(T)\neq t$, return FAIL. 2. $H=\mathrm{CIPH}_K(0^{128})$. 3. $J_0 = IV\,\|\,0^{31}\,\|\,1$ if $\mathrm{len}(IV)=96$, and $J_0=\mathrm{GHASH}_H(IV\,\|\,0^{s+64}\,\|\,[\mathrm{len}(IV)]_{64})$ if $\mathrm{len}(IV)\neq 96$, where $s = 128\lceil\mathrm{len}(IV)/128\rceil-\mathrm{len}(IV)$. 4. $P=\mathrm{GCTR}_K(\mathrm{inc}_{32}(J_0), C)$. 5. $u = 128\lceil\mathrm{len}(C)/128\rceil-\mathrm{len}(C)$, $v=128\lceil\mathrm{len}(A)/128\rceil-\mathrm{len}(A)$. 6. $S=\mathrm{GHASH}_H(A\,\|\,0^{v}\,\|\,C\,\|\,0^{u}\,\|\,[\mathrm{len}(A)]_{64}\,\|\,[\mathrm{len}(C)]_{64})$. 7. $T'=\mathrm{MSB}_t(\mathrm{GCTR}_K(J_0, S))$. 8. If $T = T'$, return $P$, otherwise FAIL.
Slide 24/38. STB 34.101.31-2011. Definitions and operations used. Synchronization vector: "public input data of a cryptographic algorithm that ensure the uniqueness of the results of the cryptographic transformation under a fixed key". $\langle u\rangle$: a) for $u=u_1u_2\dots u_8\in\{0,1\}^8$, the number $2^7u_1+2^6u_2+\dots+u_8$; b) for $u=u_1u_2\dots u_n$, $u_i\in\{0,1\}^8$, the number $\langle u_1\rangle+2^8\langle u_2\rangle+\dots+2^{8(n-1)}\langle u_n\rangle$. $\langle U\rangle_{8n}$ for an integer $U$: the word $u\in\{0,1\}^{8n}$ such that $\langle u\rangle\equiv U\pmod{2^{8n}}$. $u\boxplus v$ for $u,v\in\{0,1\}^{8n}$: the word $\langle\langle u\rangle+\langle v\rangle\rangle_{8n}$. $u * v$ for $u,v\in\{0,1\}^{128}$: the word $w\in\{0,1\}^{128}$ such that $w(x)=u(x)v(x)\pmod{x^{128}+x^7+x^2+x+1}$.
Slide 25/38. STB 34.101.31-2011. Data encryption and integrity protection. Parameter restrictions: message $X\in\{0,1\}^*$, $\mathrm{len}(X)<2^{64}$; associated data $I\in\{0,1\}^*$, $\mathrm{len}(I)<2^{64}$; key $\theta\in\{0,1\}^{256}$; synchronization vector $S\in\{0,1\}^{128}$; authentication tag $T\in\{0,1\}^{64}$.
Slide 26/38. STB 34.101.31-2011. Data encryption and integrity protection.
Slide 27/38. STB 34.101.31-2011. Data encryption and integrity protection. Steps 4 to 6 can be rewritten as $t = H\cdot r^{p}\oplus\bigoplus_{i=1}^{p} x_i\, r^{p+1-i}$, where $x = (I\,\|\,0^{128-|I_m|}\,\|\,Y\,\|\,0^{128-|Y_n|}\,\|\,[\mathrm{len}(I)]_{64}\,\|\,[\mathrm{len}(Y)]_{64})$ and $p = n+m+1$ is the number of 128-bit blocks in the string $x$. Compare with the GCM hash function: $\mathrm{GHASH}_H(x)=\bigoplus_{i=0}^{m}x_iH^{m-i}$.
Slide 28/38. Parallel and Double (PD). Thus: $T = E_K\Bigl(\bigoplus_{i=1}^{h}H^{i}A_i\oplus\bigoplus_{j=1}^{q}H^{h+j}C_j\oplus H^{h+q+1}\,(|A|\,\|\,|C|)\Bigr)$.
Slide 29/38. Finite field. Definition. A finite set $F_q$ of $q$ elements equipped with the algebraic operations of addition $+$ and multiplication $*$, i.e. $\forall a,b\in F_q$: $(a+b)\in F_q$, $a*b\in F_q$, is called a finite field $F_q$ (or a Galois field $\mathrm{GF}(q)$) of order $q$ if the following axioms hold:
Slide 30/38. Finite field (continued). Axioms: 1. commutativity of addition; 2. associativity of addition; 3. existence of a zero element; 4. existence of an additive inverse; 5. commutativity of multiplication; 6. associativity of multiplication; 7. existence of a unit element; 8. existence of a multiplicative inverse for every nonzero element; 9. distributivity of multiplication over addition.
Slide 31/38. Attacks on GCM. N. Ferguson, "Authentication Weaknesses in GCM". The tag computation can be written as $T = K_0\oplus\bigoplus_{i=1}^{n} C_iH^{i}$, where $K_0=\mathrm{GCTR}_K(J_0,S)$ and $\bigoplus_{i=1}^{n}C_iH^{i}=\mathrm{GHASH}_H(C)$. Then, to replace a block $C_i$ by $C'_i$ undetected, one needs $\bigoplus_{i=0}^{n}C_iH^{i}=\bigoplus_{i=0}^{n}C'_iH^{i}$, or equivalently the error polynomial must vanish at least in its first $t$ bits: $\bigoplus_{i=0}^{t}(C_i\oplus C'_i)H^{i}=0$.
Slide 32/38. Attacks on GCM. N. Ferguson, "Authentication Weaknesses in GCM". $\bigoplus_{i=0}^{t}(C_i\oplus C'_i)H^{i}=0$. Denote $E_i = C_i\oplus C'_i$. Then the error polynomial can be written as $\bigoplus_{i=1}^{t}E_iH^{i}=0$. We consider only $D_i = E_{2^i}\neq 0$ such that $\bigoplus_{i=1}^{t}D_iH^{2^i}=0=E$.
Slide 33/38. Attacks on GCM. N. Ferguson, "Authentication Weaknesses in GCM". Since multiplication by a constant and squaring in $\mathrm{GF}(2^{128})$ are linear: $E = A_D H$, where $A_D$ is a $128\times128$ matrix over $\mathrm{GF}(2)$ whose coefficients are linear combinations of the bits of $D_i$. Forcing a single bit to zero requires 128 equations. With $n$ different coefficients $D_i$ there are $128n$ free variables, so $n-1$ bits can be zeroed.
Slide 34/38. Attacks on GCM. M.-J. O. Saarinen, "Cycling Attacks on GCM, GHASH and other polynomial MACs and hashes". If $H^{m-i+1}=H^{m-j+1}$ for $i\neq j$, a collision of the hash function is obtained by swapping the two corresponding message blocks. The powers of $H$ repeat with period $n=\mathrm{ord}(H)$. That is, for any $i$ and $m$ the blocks $X_i$ and $X_{i+nm}$ can be swapped.
Slide 35/38. Attacks on GCM. M.-J. O. Saarinen, "Cycling Attacks on GCM, GHASH and other polynomial MACs and hashes". GCM works in a group of order $2^{128}-1 = 2^{2^7}-1$, and $2^{2^n}-1=\prod_{i=1}^{n}\left(2^{2^{i-1}}+1\right)$. Hence the full prime factorisation of the group order is available: $2^{128}-1 = 3\cdot5\cdot17\cdot257\cdot641\cdot65537\cdots$ (9 prime factors) (1). Thus we find cycles of length $n = 1, 3, 5, 15, 17, 51, \dots$, the orders of the $2^9 = 512$ distinct multiplicative subgroups of the original group $\mathrm{GF}(2^{128})$.
Slide 36/38. Attacks on GCM. M.-J. O. Saarinen, "Cycling Attacks on GCM, GHASH and other polynomial MACs and hashes". If $\mathrm{ord}(H)\mid(i-j)$, the authentication tag remains valid as long as the equality $X_iH^{m-i+1}\oplus X_jH^{m-j+1}=c$ holds. Since $\mathrm{ord}(H)\mid(i-j)$, we have $H^{m-i+1}=H^{m-j+1}=H_c$, so the condition can be rewritten as $X_i+X_j=c\,H_c^{-1}$, where $c\,H_c^{-1}$ does not change.
Slide 37/38. The idea of the Saarinen and Cid & Procter attacks. The powers of $H$ repeat with period $n=\mathrm{ord}(H)$. Consequently, for any $i$ and $m$ the blocks $X_i$ and $X_{i+nm}$ can be swapped. If $\mathrm{ord}(H)\mid(i-j)$, the authentication tag remains valid as long as the equality $X_iH^{m-i+1}\oplus X_jH^{m-j+1}=c$ holds. Note that the order of the group divides the distance between the swapped elements. Since every subgroup of size $n$ has exactly $n$ elements: if $\gcd(2^{128}-1,n)=n$, the probability of a successful attack is $(n+1)/2^{128}$ over $H$; if $\gcd(2^{128}-1,n)\neq n$, there is no reason to expect a probability greater than $1/2^{128}$.
Slide 38/38. References.
1. David A. McGrew, John Viega. The Galois/Counter Mode of Operation (GCM). http://csrc.nist.gov/groups/st/toolkit/bcm/documents/proposedmodes/gcm/gcm-spec.pdf
2. State Standard of the Republic of Belarus STB 34.101.31-2011. Information technology and security. Information protection. Cryptographic algorithms for encryption and integrity control. Minsk, Gosstandart, 2011.
3. Vladislav Nozdrunov. Parallel and double block cipher mode of operation (PD-mode) for authenticated encryption. Accepted for publication.
4. Niels Ferguson. Authentication weaknesses in GCM. 2005. http://csrc.nist.gov/groups/st/toolkit/bcm/documents/comments/cwc-gcm/ferguson2.pdf
5. Markku-Juhani O. Saarinen. Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes. IACR Cryptology ePrint Archive, 2011, 202.
6. Gordon Procter, Carlos Cid. On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes. IACR Cryptology ePrint Archive, 2013, 144.
7. John Mattsson, Magnus Westerlund. Authentication Key Recovery on Galois/Counter Mode (GCM). IACR Cryptology ePrint Archive, 2015, 477.