I am performing an operation where a function F(k,x)
takes two 64bit values and returns the product of their decimal numbers. For example:
F(123,231) = 123 x 231 = 28413
The number is then converted into binary and the least significant bits are extracted. i.e. if 28413 = 0110111011111101
then we take 11111101
, which is 253
in decimal.
This function is part of a Feistel network in security. When performing a type of attack (chosen plaintext) we get to the point where we have 253
and 231
, but need to figure out 123
.
Is there any way that is possible?
答案 0 :(得分:0)
您的功能正在执行F(k,x) = k*x mod 256
。
您的问题是F(k,x)
和x
,您能找到k
吗?
当x
为奇数时,有2 ^ 56个解,所有解都有k = x^-1 * F(k,x) mod 256
。也就是说,您计算x mod 256
的倒数,并且每个可能的解决方案是通过将{256}的倍数添加到具有该值的F(k,x)
的乘积而得到的。
当x
为偶数时,您无法计算逆,但您仍然可以使用类似的技巧来确定解。您需要首先计算除x
之间的两个(2)的数量,比如它是t
两个,然后从2^t
和{{1}中除去x
然后从那里解决问题。即256
。
通常在密码设计中使用倍数是危险的,特别是由于选择了明文攻击,因为攻击者可以使事情消失以简化其攻击。你可以找到像on my blog这样的破解密码的例子(参见对混沌哈希函数和乘数的攻击)。
答案 1 :(得分:-1)
No.
By dropping the most significant bits, the operation is rendered mono-directional. In order to recover the 123 you would have to brute-force the function with every possibility until the result was the value you want.
I.e. run F(x,231) for values of x until the result of F is 253.
That said, knowing one of the two inputs and the output makes it relatively easy to brute force. It would depend on the number of valid values for x (e.g. is it always a 3 digit number? Always prime? Always odd?)
There may be some other shortcuts, depending on the patterns that multiplying a number of 231 gets you, but any given value for that number will have different patterns. e.g. if it was 9 instead of 231, you would know that the sum of the digits always summed to 9.