A Known-Plaintext Attack on Two-Key Triple Encryption

Similar documents
Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

Related-key Attacks on Triple-DES and DESX Variants

Block Cipher Operation. CS 6313 Fall ASU

Computer Security CS 526

Secret Key Algorithms (DES)

On the Security of the 128-Bit Block Cipher DEAL

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security 3/23/18

Technion - Computer Science Department - Technical Report CS

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

arxiv: v2 [cs.cr] 17 Jul 2016

Lecture 4: Symmetric Key Encryption

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Applying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack

Computer Security: Principles and Practice

Data Encryption Standard

Lecture 3: Symmetric Key Encryption

Goals of Modern Cryptography

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Cryptography MIS

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

CSC 474/574 Information Systems Security

Differential Cryptanalysis

Authentication Part IV NOTE: Part IV includes all of Part III!

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Attack on DES. Jing Li

Lecture IV : Cryptography, Fundamentals

Cryptography: More Primitives

Double-DES, Triple-DES & Modes of Operation

CPSC 467: Cryptography and Computer Security

ISA 562: Information Security, Theory and Practice. Lecture 1

CSC 474/574 Information Systems Security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Stream Ciphers and Block Ciphers

Narrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT

Key Separation in Twofish

Lecture 1 Applied Cryptography (Part 1)

Other Systems Using Timing Attacks. Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995)

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

The Salsa20 Family of Stream Ciphers

CPSC 467b: Cryptography and Computer Security

Network Security Essentials Chapter 2

Improved Truncated Differential Attacks on SAFER

1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?

Public Key Cryptography

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Multiple forgery attacks against Message Authentication Codes

Technion - Computer Science Department - Technical Report CS

New Attacks on Feistel Structures with Improved Memory Complexities

Keywords Security, Cryptanalysis, RSA algorithm, Timing Attack

McEliece Cryptosystem in real life: security and implementation

Homework 02. A, 8 letters, each letter is 7 bit, which makes 8*7=56bit, there will be 2^56= different combination of keys.

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Foundations of Cryptology

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems

Data Encryption Standard

Encryption I. An Introduction

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

Symmetric key cryptography

Chapter 3 Block Ciphers and the Data Encryption Standard

7. Symmetric encryption. symmetric cryptography 1

Information Security

Breaking Grain-128 with Dynamic Cube Attacks

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Cryptography and Network Security

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Mike Hamburg. August 1, Abstract

Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE

A Related Key Attack on the Feistel Type Block Ciphers

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Symmetric Cryptography. CS4264 Fall 2016

Encryption. INST 346, Section 0201 April 3, 2018

Assignment 3: Block Ciphers

Security against Timing Analysis Attack

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Week 4. : Block Ciphers and DES

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Chapter 6 Contemporary Symmetric Ciphers

Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard

How to Break and Repair Leighton and Micali s Key Agreement Protocol

Introduction to Cryptography. Lecture 6

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

A practical integrated device for lowoverhead, secure communications.

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

CPSC 467: Cryptography and Computer Security

Public-key Cryptography: Theory and Practice

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

An Overview of Cryptanalysis Research for the Advanced Encryption Standard

c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)

Lecture Note 9 ATTACKS ON CRYPTOSYSTEMS II. Sourav Mukhopadhyay

Transcription:

A Known-Plaintext Attack on Two-Key Triple Encryption Paul C. van Oorschot and Michael J. Wiener BNR P.O. Box 3511 tation C Ottawa, Ontario, Canada, K1Y 4H7 1990 June 29 Abstract. A chosen-plaintext attack on two-key triple encryption noted by Merkle and Hellman is extended to a known-plaintext attack. The known-plaintext attack has lower memory requirements than the chosen-plaintext attack, but has a greater running time. The new attack is a significant improvement over a known-plaintext brute-force attack, but is still not seen as a serious threat to two-key triple encryption. Key Words. triple encryption, cryptanalysis, DE. 1. Introduction Due to questions raised (e.g., see [Diff77]) regarding the adequacy of security by the 56-bit key in the Data Encryption tandard (DE) [FIP46], several varieties of multiple encryption have been considered. Given a few plaintext-ciphertext pairs, an exhaustive search defeats (single) DE in on the order of 2 56 operations. Double DE encryption, using two independent 56-bit keys (see Figure 1), requires on the order of 2 112 operations to attack by this naive approach. This may be reduced to on the order of 2 56 operations and 2 56 words of memory using a simple "meet-in-the-middle" attack [Diff77]. K 1 K 2 P (Plaintext) C (Ciphertext) Figure 1: Double Encryption is a private-key cryptosystem such as DE. Two-key triple DE (see Figure 2) can be defeated by the naive approach in on the order of 2 112 operations. This may be reduced to on the order of 2 56 operations and 2 56 words of

memory using a chosen-plaintext attack due to Merkle and Hellman which requires 2 56 chosen-plaintext plaintext-ciphertext pairs [Merk81]. This latter attack, although impractical, is of interest in that it exhibits what Merkle and Hellman refer to as a "certificational" weakness in two-key triple encryption. K 1 K 2 K 3 or K 1 (three-key triple encryption) (two-key triple encryption) P (Plaintext) A -1 B C (Ciphertext) Figure 2: Triple Encryption This paper presents a known-plaintext attack on two-key triple encryption. The Merkle- Hellman attack is first reviewed in 2. The new attack is presented in 3 and briefly analyzed in 4, showing it to require a running time on the order of 2 120-log 2n operations and n words of memory, where n is the number of available plaintext-ciphertext pairs. This is the best known-plaintext attack on two-key triple DE that the authors are aware of. In 5, we consider a hardware implementation of the new attack using n = 2 32. As with the Merkle-Hellman attack, the new attack poses no serious threat to two-key triple encryption in practice. However, it is of interest in that it may be used to both reduce the memory requirements and relax the chosen-plaintext condition in the Merkle-Hellman attack, and may lead to further advances. It is also highly amenable to parallel implementation. As with the Merkle-Hellman attack, the ideas discussed in this paper are not restricted to DE, but apply to any similar cipher. 2. The Merkle-Hellman Attack on Two-Key Triple Encryption Let C = K (P) denote that the plaintext P, enciphered using key K, results in ciphertext C. Then as in [Merk81], denote two-key triple encryption by the function Enc(): Let A and B be the intermediate values in Enc(P): C = Enc(P) = K1 ( -1 K 2 ( K1 (P))). (1) A = K1 (P) and B = -1 K 2 (A). (2)

The Merkle-Hellman attack finds the desired two keys K 1 = κ 1, K 2 = κ 2 by finding the plaintext-ciphertext pair such that intermediate value A is 0. The first step is to create a list of all of the plaintexts that could give A = 0: P i = -1 i (0) for i = 0, 1,..., 2 56-1. (3) Each P i is a chosen plaintext and the corresponding ciphertexts are obtained from the holder of keys κ 1 and κ 2 : C i = Enc(P i ) for i = 0, 1,..., 2 56-1. (4) The next step is to calculate the intermediate value B i for each C i using K 3 = K 1 = i. B i = -1 i (C i ) for i = 0, 1,..., 2 56-1. (5) A table of triples of the following form is constructed: (P i or B i, i, flag), where flag indicates either a P i -type or B i -type triple. Note that the 2 56 values P i from equation (3) are also potentially intermediate values B, by equation (2). All P i and B i values from equations (3) and (5) are placed in this table, and the table is sorted on the first entry in each triple, and then searched in order to find consecutive P and B values such that B i = P j. If B i = P j, then i, j is a candidate for the desired pair of keys κ 1, κ 2. This fact is illustrated in the two-key triple encryption depicted in Figure 3. i j i P i A = 0-1 P j = Bi C i see equation (3) see equation (3) see equation (5) Figure 3: Two-Key Triple Encryption with a Candidate Pair of Keys Because C i = Enc(P i ) for both the candidate pair of keys i, j and the desired keys κ 1, κ 2, it is reasonable to expect that the two pairs of keys might be equal. Each candidate pair of keys found from the sorted table is tested on a few other plaintext-ciphertext pairs to filter out "false alarms". The reason the attack succeeds is that a match P j = B i is found in the table with i = κ 1 ; this is that i for which κ 1 (P i ) = 0. Testing all candidate pairs guarantees that κ 1 and κ 2 will be found [Merk81].

3. Known-Plaintext Extension of the Merkle-Hellman Attack Because the Merkle-Hellman algorithm computes a table based on the fixed value A = 0, and it is not known a priori which plaintext P results in the intermediate value A = 0, it is necessary to test all 2 56 possibilities (i.e., i -1 (0) for all possible keys i). Also, the attacker must request that each of these plaintexts be enciphered for him by his adversary. This makes the Merkle-Hellman attack far from practical. The idea for extending the algorithm is to remove the reliance on a single, fixed value of A; rather, we choose values for A at random, and for each choice, carry out a tabulation. We continue until a "lucky" choice of A is made which results in the success of the algorithm. As the attacker, we no longer require access to the adversary's Enc() function. Instead, we assume that we are given n plaintext-ciphertext pairs. The new algorithm proceeds as follows. Tabulate the (P, C) pairs, sorted or hashed on the plaintext values (see Table 1 in Figure 4). Table 1 is independent of A and requires O(n) words of storage. Now randomly select and fix (for this stage of computation) a value a for A, and create a second table (see Table 2 in Figure 4) as follows. For each of the 2 56 possible keys K 1 = i, calculate what the plaintext value would be if i were used for K 1 : P i = i -1 (a). Next, look up P i in Table 1. If P i is found in the first column of Table 1, take the corresponding ciphertext value C and compute the intermediate value B = i -1 (C). Place this value of B along with the key i into Table 2. Table 2 is sorted or hashed on the B values. Each entry in Table 2 consists of an intermediate B value and corresponding key i which is a candidate for κ 1 ; as described above, each (B, i) pair is associated with a (P, C) pair from Table 1 which satisfies i (P) = a. The remaining task is to search for the desired value of K 2. For each of the 2 56 candidate keys K 2 = j, calculate what the intermediate B value would be if j were used for K 2 : B j = j -1 (a). Next, look up B j in Table 2. For each appearance of B j (if any), the corresponding key i along with key j is a candidate for the desired pair of keys κ 1, κ 2. (To handle the rare case that a given B-value appears more than once in Table 2, a few bits could be added in Table 2 entries to indicate the multiplicity of each B-value.) Each candidate pair of keys (i, j) is tested on a few other plaintext-ciphertext pairs. If all of these additional (P, C) pairs have P mapped to C by the key pair (i, j), then (i, j) = (κ 1, κ 2 ) and the task is complete.

This algorithm will find κ 1 and κ 2 the first time any one of the available (P, C) pairs has a first intermediate value (κ 1 (P)) that is equal to a chosen a. If the algorithm does not succeed for a given a, the process is repeated for another value of A until ultimately the desired keys κ 1, κ 2 are found. Table 1 Table 2 (for fixed a) P C B key i sorted or hashed on P values sorted or hashed on B values Figure 4: Tables used in the Known-Plaintext Attack 4. Time and pace Analysis In this section, we briefly summarize the running time and memory requirements of the known-plaintext attack. The time required for building and hashing Table 1 is the time required to hash n items. This time is dominated by other computations required in the attack, for n < 2 56. The space required for Table 1 is O(n). For each value of A that is tried, the time required to build Table 2 is on the order of 2 56, assuming that Table 1 is hashed on the plaintext values so that lookups take constant time. Because only 2 56 out of 2 64 possible texts are searched for in Table 1, the expected number of entries in Table 2 is n/2 8. This space is reusable across different values of A. The time required to work with Table 2 to find candidate pairs of keys is on the order of 2 56. The probability of selecting a value of A that leads to success is n/2 64. The expected number of draws required to draw one red ball out of a bin containing n red balls and N - n green balls is (N + 1)/(n + 1) if the balls are not replaced. Therefore, assuming that one does not try the same value of a more than once, the expected number of values of a that must be tried is (2 64 + 1)/(n + 1) 2 64 /n for n large.

Thus, the expected running time for the attack is on the order of (2 56 )(2 64 /n) = 2 120-log 2n, and the space required is O(n). 5. Parallel Hardware Implementation In this section we present one possible parallel hardware implementation of the knownplaintext attack on two-key triple DE, assuming that n = 2 32 plaintext-ciphertext pairs are available. Given a number of assumptions concerning the cost of components and the performance that can be achieved by present-day technology, the illustrated implementation of the attack is shown to be four orders of magnitude faster (for an attacker with fixed resources) than a brute-force known-plaintext attack. This is the best known-plaintext attack the authors are aware of, but this attack is still not feasible. We conclude that twokey triple DE is currently not vulnerable to attack in practice. The following hardware implementation is suitable for an attacker with a large amount of resources. We will assume that the attacker has 1 billion (10 9 ) dollars and n = 2 32 plaintext-ciphertext pairs available to him. Note that the execution time is not particularly sensitive to n (provided that n is not too small) because as n increases, the number of operations required for the attack (2 120-log 2n) decreases, but memory requirements increase, and the number of machines that can be built with a fixed amount of money decreases. Each machine for attacking two-key triple DE (see Figure 5) consists of a central component containing Table 1, and 512 peripheral components each containing its own version of Table 2 (for distinct sets of values for A). Peripheral (Table 2) Peripheral (Table 2) Central (Table 1)... 512 peripheral components in all Peripheral (Table 2) Peripheral (Table 2) Figure 5: A ingle Machine for Attacking Two-Key Triple DE

The function of the central component is to service requests from the peripheral components for the ciphertexts (if any) which correspond to a specified plaintext. In order to service these requests quickly, Table 1 is hashed on the plaintext values. To reduce overhead during table lookup of hashed values caused by hashing collisions, the density of the hashing table is restricted to 50%. In this case, the total memory required for Table 1 is 2(2 32 words)(64 + 64 = 128 bits per word) = 2 40 bits. Assuming that bulk memory can be obtained for $10/Mbit, the cost of this memory is approximately $10 million. If each memory chip is 1M x 1-bit, then Table 1 is organized as approximately 8000 rows, with 128 chips in each row. These rows are independent and can be accessed in parallel. This makes it possible for the central component to service the requests from the peripheral components in parallel. Each request will be directed to one of the 8000 rows. There should be few collisions among 512 requests out of 8000 rows. We will assume that the cost of the complex routing and arbitration circuitry required to make this work will double the cost of the memory making the total cost of a central component $20 million. We will assume that the average time required to service a request from a peripheral component is 250 ns. This may seem slow considering the current speed of memories, but this figure takes into account delays caused by the routing and arbitration circuitry, delays due to collisions among the 512 requests, and delays due to hashing collisions which lead to extra probes into Table 1. The expected number of words required for Table 2 is n/2 8 = 2 24. Again, restricting the density of Table 2 to 50%, the total memory required for Table 2 is 2(2 24 words)(64 + 56 + 4 = 124 bits per word) 4000 Mbits. (Four extra bits have been allocated to handle the problem of possible duplicate B-values as indicated in 3.) Assuming that bulk memory can be obtained for $10/Mbit, the cost of this memory is $40 000. For all 512 peripheral components in a machine, the total memory costs are approximately $20 million. Peripheral components have some circuitry other than memory, such as DE chips, but there is just enough of this circuitry that the 250 ns request rate is not slowed down. The cost of this circuitry is negligible compared to the cost of memory. Then the total cost of one machine is $40 million. Therefore, the attacker who has $1 billion can afford to build 25 machines. The expected number of values of A that must be tried is 2 64 /n = 2 32. For each value a of A, 2 56 accesses of Table 1 are required to build Table 2. Also 2 56 accesses of Table 2 are required to find all candidate pairs of keys. Assuming that accesses of Table 2 also require 250 ns, the expected time required to find the desired pair of keys is (2 32 )(2 56 + 2 56 )(250 ns) / (25 x 512 peripheral components) 4 x 10 8 years.

Next, we consider a brute-force known-plaintext attack. Analysis indicates that a DE chip could be built in volume for about $10/chip [BNR]. A similar chip with added comparison circuitry and modified input/output could be built for about the same cost and used for attacking DE. The cost of building a machine for attacking two-key triple DE would include overhead in addition to the cost of the DE chips; assume this overhead cost to be roughly equal to the total cost of the DE chips. Then for $1 billion, the attacker could afford to build a machine with 50 million DE chips. Using current technology, each DE chip could perform a DE operation in about 500 ns. One would expect to have to search through about half of the 2 112 pairs of keys, and testing each pair of keys requires 3 DE operations. Therefore, the expected time required for a brute-force search is (3)(0.5)(2 112 )(500 ns) / (50 x 10 6 DE chips) 2.5 x 10 12 years. Therefore, the known-plaintext attack is approximately four orders of magnitude faster than a brute-force search, based on the assumptions made in the preceding arguments. However, this is of little practical consequence unless new ideas improve the running time of the former by several more orders of magnitude. 6. Conclusion The new attack presented in this paper demonstrates a known-plaintext variation of the chosen-plaintext Merkle-Hellman attack, with a decreased memory requirement. The penalty that is paid for these improvements is increased running time. The new attack gives approximately four orders of magnitude improvement over a bruteforce known-plaintext attack, provided that a sufficient number of plaintext-ciphertext pairs are available. Despite the improvement, for practical purposes, two-key triple encryption remains currently invulnerable to known-plaintext attacks. The authors encourage others to pursue other known-plaintext attacks on two-key triple encryption, which further reduce the running time. References [Merk81] Merkle, R. and M. Hellman, "On the ecurity of Multiple Encryption", Communications of the ACM, vol. 24, no. 7, pp. 465-467, July 1981. ee also Communications of the ACM, vol. 24, no. 11, p. 776, November 1981. [Diff77] Diffie, W. and M. Hellman, "Exhaustive Cryptanalysis of the NB Data Encryption tandard", Computer, vol. 10, no. 6, pp. 74-84, June 1977. [FIP46] "Data Encryption tandard", National Bureau of tandards (U..), Federal Information Processing tandards Publication (FIP PUB) 46, National Technical Information ervice, pringfield VA, 1977. [BNR] Internal study, BNR, Ottawa, 1989.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback