# Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller.

## Presentation on theme: "Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller."— Presentation transcript:

Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller

Block Ciphers A block cipher is modeled as a set of 2 n randomly chosen permutations indexed by an n-bit key K. For the sake of simplicity, we will assume that the size of the plaintexts P and the ciphertexts C is also n, but we can easily handle other lengths C P K

Encryption and Decryption Given a key K and a plaintext P it is easy to encrypt, i.e. compute the ciphertext C=E K (P). Given a key K and a ciphertext C it is easy to decrypt, i.e. compute the plaintext P=D K (C). C P K

The Basic Cryptanalytic Problem Input: a list of plaintext-ciphertext pairs (P 1,C 1 ), (P 2,C 2 ),(P 3,C 3 ),… Goal: find K such that C 1 =E K (P 1 ), C 2 =E K (P 2 ),… Note: K is expected to be unique given only a single pair, but knowing additional pairs can make it easier to find it. C P K

Exhaustive Search For each n-bit value of K: Perform trial encryptions i.e., test whether C 1 =E K (P 1 ), if so test whether C 2 =E K (P 2 ) … Time complexity: 2 n, Memory: constant. C P K

History Between 1977 and 2001, the most widely used block cipher was DES. Its small key size (n=56) raised concerns about the possibility to break it via exhaustive key search. Soon after the standartization of DES, a simple solution to the small key size problem was proposed: Double encryption: Instead of DES K (P), use DES K 2 )DES K 1 )P)), with independent keys K 1,K 2.

The Meet-in-the-Middle (MITM) Attack In 1981, Hellman and Merkle showed that double encryption can be broken much faster than expected: In fact, breaking it requires the same time as in the case of single-DES, if we are given a large amount of memory. More precisely, double encryption with two n bit keys can be broken given two plaintext-ciphertext pairs in time and memory of 2 n (instead of time complexity 2 2n and memory complexity of 1 in exhaustive key search).

MITM Attack Algorithm For each n-bit value of K 1 : Partially encrypt P 1 and store the n-bit suggestions for X Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K1. For each n-bit value of K 2 : Partially decrypt C 1 and store the n-bit suggestions for X Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K2. For each match test the full key. Time 2 n, memory 2 n (ignoring logarithmic factors). C1C1 P1P1 X K1K1 K2K2 K1K1 X 000 010... 101 011... 111110

MITM Attack Algorithm For each n-bit value of K 1 : Partially encrypt P 1 and store the n-bit suggestions for X Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K1. For each n-bit value of K 2 : Partially decrypt C 1 and store the n-bit suggestions for X Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K2. C1C1 P1P1 X K1K1 K2K2 K1K1 X 000 010... 101 011... 111110

MITM Attack Algorithm For each of the O(2 n ) possible matches, we get a pair of possible keys K1 and K2, which we test with the second given pair of plaintext and ciphertext. Only one pair of keys is expected to survive this test. Time 2 n, memory 2 n (ignoring logarithmic factors). C1C1 P1P1 X K1K1 K2K2 K1K1 X 000 010... 101 011... 111110

Two Important Remarks: There is no need to build the second sorted table of K2 and X values: We can generate them in the natural order of increasing K2, and search where each generated value of X (which jump around with no sorted order) is located in the first sorted table of K1 and X. If we are not given a second plaintext/ciphertext pair, we can actually generate in the same time and memory complexity all the O(2 n ) pairs of K1 and K2 values which are compatible with the first given pair.

History (continued) As a countermeasure, it was suggested to use Triple Encryption: DES K 3 )DES K 2 )DES K 1 )P))), with three independent keys K 1,K 2,K 3. A trivial extension of the MITM attack (by guessing K3, which reduces triple-DES to double-DES) breaks triple encryption in time 2 2n and memory 2 n. In all these attacks, the product TM of the time and space complexities is equal to the number of possible keys, and thus the improved attacks can be viewed as simple tradeoffs which shift some of the time complexity to memory complexity.

History (continued) Triple-DES is still used today by the banking industry Despite extensive research, no significant improvements have been found in the last 30 years, and thus we believed that the security of multiple encryption was well understood Today I will show you that what we knew was only the tip of the iceberg of a rich and surprising theory

Multiple Encryption A natural generalization is to consider r-fold encryption: E K r )E K r-1 )…(E K 1 )P))), with independent keys K 1,K 2,…,K r. A trivial extension of MITM breaks r-fold encryption in time T and memory M such that TM=2 r n (provided M≤2 [r/2]n ), given the smallest possible number of r plaintext/ciphertext pairs. Can we do better? Yes we can! I will start by showing that we can break 4-encryption with the same time and memory complexities of breaking 3-encryption

Dissection Attack on 4-Encryption Given 4 Plaintext/Ciphertext Pairs C1C1 P1P1 K2K2 K1K1 K4K4 X1X1 X2X2 X3X3 K3K3 C2C2 P2P2 K2K2 K1K1 K4K4 Y1Y1 Y2Y2 Y3Y3 K3K3 For each guess of a possible n-bit value of X 2 : Given P 1,X 2 obtain 2 n suggestions for K 1,K 2 using a 2R MITM attack, and store them in a list next to Y 2 (the corresponding encryption of P 2 ). Given X 2,C 1 obtain 2 n suggestions for K 3,K 4 using a 2R MITM attack. For each suggestion for K 3,K 4, match Y 2 (the corresponding decryption of C 2 ) with the stored list. For each match test the full key using (P 3,C 3 ( and ( P 4,C 4 (. Time 2 2n, memory 2 n. K 1, K 2 Y2Y2 000 010... 111 101 011... 110 111... 100

Dealing With A Larger Number of Encryptions: For 4-encryption, we obtained TM=2 3n (instead of the expected 2 4n ). What next? We can always reduce the case of r+1 encryptions to r encryptions by guessing the last key. This increases the time complexity by a factor of 2 n without changing the memory complexity. The best attack on 5-encryption and 6-encryption follows this guessing route. However, we now show that 7-encryption is not harder than 6-encryption!

Dissection Attack on 7-Encryption Split the cipher into two subciphers, the upper part with 3 rounds, and the lower part with 4 rounds. Guess 2 intermediate encryption values in the middle (one for (P 1,C 1 ) and one for (P 2,C 2 ))… 3 4 2

Dissection Attack on 7-fold Encryption (ctd.) For each guess of the 2 intermediate encryption values: Use a standard 3R MITM attack on the top part, obtain 2 n suggestions for K 1,K 2,K 3 and store them in a list, along with the corresponding partial encryptions of P 3 and P 4. Given the 2 “plaintext-ciphertext” pairs, use a 4R attack to obtain 2 2n suggestions for K 4 -K 7 on-the-fly. For each suggestion, partially decrypt C 3 and C 4 and search the list for matches. For each match, test the full key.

The Attack Guesses 3 intermediate values: Two values are chosen after the third round in the outer loop One value is chosen after the fifth round in the inner loop 3 4 2 1

Analysis of the Attack We guess 2n bits in the middle The top 3R attack takes 2 2n time and 2 n memory. The bottom 4R attack takes 2 2n time and 2 n memory. The total complexity is T=2 4n and M=2 n. Hence, we obtain a time/memory product of TM=2 5n (instead of 2 7n ).

Attacks on r-fold Encryption (I) After showing two surprising cases of specific attacks on r-encryption, let us develop a formal treatment of the general problem, in which we fix M=2 n and want to minimize the time complexity T. Definition: The gain of an algorithm A for r-fold encryption over the standard MITM algorithm is Gain(A)=r-log(TM)/n. So, dissection yields a gain of 1 for r=4 and a gain of 2 for r=7. Where else can we get additional gains?

The Difference Between Meet in the Middle and Dissection Algorithms: Compute from both sides, equate Guess to partition the problem

Attacks on r-Encryption (II) There are two “natural” generalizations of the basic algorithm (for 4-fold encryption): LogLayer Algorithm: Assume that r is a power of 2. Guess the intermediate value after every second round, apply MITM attacks to each pair of consecutive rounds separately, and get r/2 “double” rounds. Continue recursively. The complexity is T=2 (r-log r)n. Hence: The asymptotic gain is O(log r). Gain of 2 is achieved at r=8.

Attacks on r-Encryption (III) Square Algorithm: Assume that r=(r’) 2. Guess r’-1 intermediate values after every r’ rounds, apply an r’-round attack to each chunk of r’ rounds separately, and get r’ “big” rounds. Apply an r’-round attack to the big rounds. The complexity is T=2 (r-√r)n. Hence: Asymptotic gain: O(√r). Gain 2 is achieved at r=9.

Asymmetry rules! Our dissection achieved a gain 2 already for 7-fold encryption. Is it stronger also asymptotically? Yes! It can be extended recursively to obtain asymptotic gain of O(√2r). Main idea: Use an asymmetric division into subciphers recursively. Where does the asymmetry come from?

Dissection attacks on r-Encryption Split the cipher into two subciphers, by guessing k out of the r values after a certain number of rounds. Solve the top part by a recursive application of the dissection algorithm. Make sure that the number of possible solutions does not exceed 2 n, and store all these solutions in a table sorted into increasing value of some other intermediate values. Solve the bottom part by another recursive application of the dissection algorithm. This time you can generate more solutions on-the-fly.

Dissection attacks on r-Encryption Search each solution coming from the bottom in the table of solutions coming from the top. Whenever you find a possible combination of keys that agrees on some intermediate results, check its correctness by testing the remaining plaintext/ciphertext pairs that were not used so far. Given r pairs altogether, we expect only one combination of key values to survive this test Given fewer pairs, we can enumerate all the solutions

The Optimal Dissection Parameters: Proposition: An algorithm A for r-fold encryption with gain k-1 can be leveraged to an algorithm for (r+k+1)-fold encryption with gain k, and this is the best way to dissect the problem into 2 parts Sketch-of-proof: Fix k intermediate values after k+1 rounds. Apply a standard MITM attack to the first k+1 rounds. Store the resulting 2 n suggestions for the first k+1 keys in a sorted table. Apply algorithm A to the last r rounds to obtain on-the- fly 2 r-k suggestions for the r last round keys and check them against the table.

The Resultant Magic Sequence of r Values The proposition allows us to construct a “magic sequence” of the numbers of rounds r for which the gain increases by 1 when we use a total memory of M=2 n for our tables: Magic(1)={4,7,11,16,22,29,37,46,…}. Solution of the recursion shows that Magic(1) k =(k+1)(k+2)/2. Hence, the asymptotic gain is O(√2r).

Using Larger Amounts of Memory What can be said about the time complexity of multiple encryption given a larger amount of M=2 ln memory? The results generalize to any amount of memory and yield the magic sequences of values of r: Magic(l)={2l+2,2l+4,…,4l,4l+3,4l+6,…,7l,7l+4,...}. The asymptotic gain is O(√2lr).

Composite Problems There are many other types of combinatorial problems (which have nothing to do with cryptography) to which we can apply our new dissection techniques. The general notion of a composite problem: We are given the initial value and the final value of a cascade of r steps. In each step, one of a list of possible transformations was applied. The goal: Find out, which transformation was applied in each step.

Composite Problems (cont.) Clearly, the problem of breaking r-encryption is a special case of a composite problem. There are many other examples: Knapsack – we are given n numbers x 1,x 2,…,x n and a target sum S and want to find whether there is a subset of the numbers whose elements sum up to S. Rubik’s cube – find a shortest solution given an initial state. Rebound attacks on hash functions. etc…

Application to Knapsacks Modular Knapsack Problem: Given: A list of n integers {a 1,a 2,…,a n } of n bits each, and a target integer S. Goal: Find a vector ɛ={ɛ 1,ɛ 2 …ɛ n } where ɛ i ϵ{0,1} such that S=∑ 1≤i≤n (ɛ i ∙a i ) mod 2 n. How to represent Knapsack as a composite problem?

Representing Knapsack as a Block Cipher ɛ={ɛ 1,ɛ 2 …ɛ n } P C=P+∑ 1≤i≤n (ɛ i ∙a i ) (mod 2 n ) We fix the plaintext to be the 0 n-bit vector, the ciphertext to be S. The knapsack problem reduces to recovering the key of this block cipher, given one plaintext- ciphertext pair.

Representing Knapsack as 4-Fold Encryption (I) We split the knapsack to 4 independent knapsacks by splitting the generators and defining S=σ 1 +σ 2 +σ 3 +σ 4 (mod 2 n ) X i =∑ 1≤j≤i (σ j ) {ɛ 1,ɛ 2 …ɛ n/4 } 0 S {ɛ n/4+1,…,ɛ n/2 } {ɛ n/2+1,…,ɛ 3n/4 } {ɛ 3n/4+1,…,ɛ n } X1X1 X2X2 X3X3

Representing Knapsack as 4-Fold Encryption (II) Problem: In r-fold encryption, we have r plaintexts => can guess part of the intermediate value. Here we have a single “big” plaintext. Solution: Split the “block cipher” also vertically into n/4-bit blocks. {ɛ 1,ɛ 2 …ɛ n/4 } 0 {ɛ n/4+1,…,ɛ n/2 } {ɛ n/2+1,…,ɛ 3n/4 } {ɛ 3n/4+1,…,ɛ n } X1X1 X2X2 X3X3 000 S1S1 S2S2 S3S3 S4S4

Representing Knapsack as 4-Encryption (III) Problem: There is a dependence between the “vertical” chunks through the addition carry. Solution: We guess the intermediate encryption values in their natural order. We keep track of the carry values without having to guess them separately

Representing Knapsack as 4-Encryption Conclusion: We can apply to knapsacks the algorithm for r-fold encryption, for any r! We can adjust r to the exact amount of available memory, using the algorithms for M>2 n. In particular, we can apply the algorithm to knapsacks, by dividing the initial set into 7 (!) disjoint subsets. We obtain T=2 4n/7 and M=2 n/7. This combination of complexities is better than in the best previously known special-purpose algorithm for solving knapsack problems, due to Becker-Coron-Joux (presented at Eurocrypt 2011)

Time-Memory Tradeoff for Knapsacks Becker, Coron and Joux 2011 Schroeppel and Shamir 1981

Probabilistic Algorithms We promised to obtain TM<2 3n/4 for any M<2 n/4 but the attacks above give it only for 2 n/16 { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/12/3435743/slides/slide_40.jpg", "name": "Probabilistic Algorithms We promised to obtain TM<2 3n/4 for any M<2 n/4 but the attacks above give it only for 2 n/16

Conclusions We presented new generic algorithms for multiple encryption. Our techniques allow us to improve the best known algorithms for the knapsack problem with small memory. The techniques are applicable to other composite problems (such as Rubik’s cube, rebound attacks on hash functions etc.) An aside: the symmetric way is not always the best one…

Open Problems Are our results optimal? It seems that at least the “magic exponent” of 5/7 in the product of time and memory complexities TM is optimal, but we cannot be sure… Prove lower bounds for composite problems. Was studied in several papers, but only very weak bounds are known. In particular, we conjecture that always T≥2 n/2, but don’t know to prove even weaker bounds. Is there a way to exploit more data in order to reduce the time and memory complexities? Find new applications of the dissection technique!

Thanks for listening!

Download ppt "Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller."

Similar presentations