CSA Brute Force

Could someone confirm that the Residue block in the CSA only are used if the Adaption Field has been present and the length of AF are not Modulus 8?

Or will block 23 always be XOR with SC only?

In other words will the Residue block of 8 bytes only be used if the length of the encrypted payload +AF are not modulus 8?

So to be able to try to BF the SC only on block 23 will only be possible if an AF is present and have a non modulus 8 length?

It's just due to I found a pdf called "Distinguishing Attack on Common Scrambling Algorithm" where they discuss to look at the SC only and it should be possible to reduce the key space from 2^64 to 2^55.

I do not see how that should be done for a real BF if you only can look for AF with a non mod8 length

Some finding / understanding on the Residue part.

In a TS you will have the PUSI indikator where you start a new encoded block ... it's where we do normal do look for the 0x00 0x00 0x01.

If you look on tha TS block for the same PID just before you will typical see an Adaption Field AF (non encrypted) which does take up a lot of space with 0xFF this is typical to do stuffing of the TS bloc of 184 data.

After the AF there will be the last part of the encrypted payload and if the length does not fit with chunks of 8bytes you will have a residue part 1 to 6 bytes ... Thosere are ONLY encrypted with SC.

So I have looked into some data to understand it better.
so here are a TS block form some old Mpeg2 ts where I found the key by BF.



So in this TS you can see the clean part ends with 0x80 0x00 0x00 0x00 so if this is normal or if we know what it can end with and we find AF with a length where there will be a Residue it should be possible to BF for the key only by using SC.
This might be faster than normale BF since it the BC which normal use a lot of time.

Let me hear what you think?

K2TSET said:

Some finding / understanding on the Residue part.

Click to expand...

Forgot to say:
Encrypted "D2 5D 97 18" XOR with output of SC "52 5d 97 18" Equal to "80 00 00 00"

dale_para_bajo said:

*Now Post 16 is trouble for me.
"BC vs SC are like 100:1."

And I all ready said that I do not have seen Cudabiss source but in my aproach a full stream = block time. So here we have VERY diferent results!!!!!.
K2TSET can you tell us your own findigs? Just to compare.

Click to expand...

If you want to look into CUDA kernel use, then NVIDIA do have a tool called "Visual Profiler" where you can see the calls for the cores incl. memory use etc.

With "BC vs SC are like 100:1." I do say Block Cipher takes like 100 times longer than the Stream Cipher.

Reason for that in the BC you have to do the 256 bytes (8bit) lookup and this part are not easy for bitslicing also you will need another lookup for the Perm. (in FPGA you just connect the wires as fixed Perm)

the problem when using a lookup table are the the CPU or GPU has to add the input value (offset) to get the output of the memory position and adding are slow.

I recall some test while ago that if you worked with 16bit ( 2 rounds of lookup) it even gets slower than 2 x 8 bit lookup.

The SC can be done as bitsclicing since the 7 sboxes can be done as logic

So to sum up
BC needs 56 rounds where you only can calculate 1 BC per thread.
CS needs 32+12 rounds where you can do 32 SC per thread (assuming 32 bit)

So you will need run 32 threads og BC to 1 of CS

If the memory access does slow down the lookup for BC you might end up with something like 100:1

By the way if you need speed in software try to unroll the code instead for using small loop's, there is a big difference.



Regarding only 40 Bit used in the Key, I totally agree that it must be wrong... we have to look for 48 bit!


BTW: nice to see activity and thoughts in this thread

The visual profiler will show info even without source, I doubt it will work without a CUDA card, I will suggest you get hold on a CUDA card just to be able to play with the different software like CudaBiss and RBT I know you want to do OpenGL and that's possible as well.

If I should go for a new card I think I would get the GTX1080ti but if you need a cheap one buy a second hand smaller one just to be able to test

I have not played with GPU for some years since my conclusion was it was way slower than FPGA

You are right that the S-box and Perm in BC can be done as 2x8 in parallel.

Memory access are a killer and for sure you need the RAM (constant lookup tables) to be as local as possible, but the main problem are all your kernals / cores want to do lookup more or less all the time.

When you have a memory with a table it will be on a RAM loacation and when you do a lookup for eg. input = 0x00 you will read the base ram location.
when you do a lookup for eg. input = 0xB7 you will read the base ram location + 0xB7 this is an addition (offset) if you like it or not.
only way to get rid of the addition are to have a Base address ending on 0x00 and then replace the last bytes with you input but that is not so easy.

If you try some like the above in C and then try to disasenble after you will see a lot of stuff are going on = waste of time. (depending on your compiler)
Alternatile are to go for ASM you can do that as inline and I guess you can get some speed there.

In FPGA when you go unrolled Pipelined you will get results on ever clk and depending on the size of FPGA you can have many cores.

But again the BC and the Sbox makes the problem. it need 8 bit input and most modern FPGA do have "only" 6bit full LUT's and we need 8bit so the logical way to go here are to use BRAM as dual ROM for 2 x 256bit but you will hit another limit and that is speed of the BRAM.

In the FPGA you can read the BC S-box in all the BRAM on the chip on every clk and that a lot but we still want more

The SC in FPGA can be done with LUT so it small and faster and uses less rounds.

If might not be 100:1 in FPGA but there is a big difference on BC and SC

The only shortcuts I know for CSA at the moment are to split the key in a high and low part 11, 22, 33 and 44,55,66 and only do the key-schedule and BC for the round 1-4 each time you have tested 11,22,33 for all combination (see my image in one the first post (round 1-4 marked with green)

And the other shortcut are to first calculate the BC then run 32 SC int and and when doing the SC run as soon the result does not fit stop the SC.
You will get 2 bit on every round of SC run so after the first round only 25% are left and after 2 round 6,25% are left so you will save some time here but not easy to implement in GPU and even worse in FPGA.

dale_para_bajo said:

Now for SC I do not see how you split Key and add to the registers, then perform Init. I guess more to study. I will as I take all comments seriously. You never know when a good Idea will show up.

Click to expand...

You don't for the SC.
It's only for the first 4 rounds of BC you have the benefit.


I agree with Stefan2k16, CudaBiss is an old program made for early CUDA boards and it might be better with 4 times old card then a newer one. But they do use a lot of power and if you are about to write your own software I would go for the newer ones.

On the FPGA:

I use Altera Cyclone V E A9
1 chip running 32 cores @200Mhz clk will do a complete search in about 12Hours ... using about 15 Watt

Raw FPGA chip cost about $250
but it's almost impossible to build you own board due to BGA chips

Dev boards goes easy + $1000 but typical you will have more features on the FPGA and a lot of addon which you do not need but you get a board ready to play with.

Dev software are free for the Cyclone V serie

If you want to learn FPGA... see a lot youtube + some more
Buy a cheap FPGA board (not to small and avoid crazy Chinese boards) But for example one with a Altera MAX10 M50
Start playing ... and build some great stuff

BUT remember there is a heavy learning curve for FPGA's (it's even worse than GPU) but it's great for parallel processing like BF.
You will need to learn to use pipeline approach to get speed and results on every clk