Can you retrieve the original decimal number from the least significant bits of another operation?

时间:2015-12-14 17:59:12

标签: security binary product bits lsb

I am performing an operation where a function F(k,x) takes two 64bit values and returns the product of their decimal numbers. For example:

F(123,231) = 123 x 231 = 28413

The number is then converted into binary and the least significant bits are extracted. i.e. if 28413 = 0110111011111101 then we take 11111101, which is 253 in decimal.

This function is part of a Feistel network in security. When performing a type of attack (chosen plaintext) we get to the point where we have 253 and 231, but need to figure out 123.

Is there any way that is possible?

2 个答案:

答案 0 :(得分:0)

您的功能正在执行F(k,x) = k*x mod 256

您的问题是F(k,x)x,您能找到k吗?

x为奇数时,有2 ^ 56个解,所有解都有k = x^-1 * F(k,x) mod 256。也就是说,您计算x mod 256的倒数,并且每个可能的解决方案是通过将{256}的倍数添加到具有该值的F(k,x)的乘积而得到的。

x为偶数时,您无法计算逆,但您仍然可以使用类似的技巧来确定解。您需要首先计算除x之间的两个(2)的数量,比如它是t两个,然后从2^t和{{1}中除去x然后从那里解决问题。即256

通常在密码设计中使用倍数是危险的,特别是由于选择了明文攻击,因为攻击者可以使事情消失以简化其攻击。你可以找到像on my blog这样的破解密码的例子(参见对混沌哈希函数和乘数的攻击)。

答案 1 :(得分:-1)

No.

By dropping the most significant bits, the operation is rendered mono-directional. In order to recover the 123 you would have to brute-force the function with every possibility until the result was the value you want.

I.e. run F(x,231) for values of x until the result of F is 253.

That said, knowing one of the two inputs and the output makes it relatively easy to brute force. It would depend on the number of valid values for x (e.g. is it always a 3 digit number? Always prime? Always odd?)

There may be some other shortcuts, depending on the patterns that multiplying a number of 231 gets you, but any given value for that number will have different patterns. e.g. if it was 9 instead of 231, you would know that the sum of the digits always summed to 9.