
Page 1: Improved Attacks on  Multiple  Encryption

Improved Attacks on Multiple Encryption

Adi Shamir, The Weizmann Institute, Israel

Joint with Itai Dinur, Orr Dunkelman, and Nathan Keller

Page 2

Block Ciphers

• A block cipher is modeled as a set of 2^n randomly chosen permutations indexed by an n-bit key K.
• For the sake of simplicity, we will assume that the size of the plaintexts P and the ciphertexts C is also n, but we can easily handle other lengths.

[Figure: a block cipher box with plaintext P and key K as inputs and ciphertext C as output]

Page 3

Encryption and Decryption

• Given a key K and a plaintext P it is easy to encrypt, i.e. compute the ciphertext C = E_K(P).
• Given a key K and a ciphertext C it is easy to decrypt, i.e. compute the plaintext P = D_K(C).

[Figure: the same block cipher box, with P, K and C]

Page 4

The Basic Cryptanalytic Problem

• Input: a list of plaintext-ciphertext pairs (P1,C1), (P2,C2), (P3,C3), …
• Goal: find K such that C1 = E_K(P1), C2 = E_K(P2), …
• Note: K is expected to be essentially unique given only a single pair (with 2^n keys and n-bit blocks, about one wrong key is expected to match by chance), but knowing additional pairs can make it easier to find it.

[Figure: the block cipher box with P, K and C]

Page 5

Exhaustive Search

• For each n-bit value of K:
  • Perform trial encryptions, i.e., test whether C1 = E_K(P1); if so, test whether C2 = E_K(P2), …
• Time complexity: 2^n. Memory: constant.

[Figure: the block cipher box with P, K and C]

Page 6

History

• Between 1977 and 2001, the most widely used block cipher was DES.
• Its small key size (n = 56) raised concerns about the possibility of breaking it via exhaustive key search.
• Soon after the standardization of DES, a simple solution to the small key size problem was proposed:
• Double encryption: instead of DES_K(P), use DES_K2(DES_K1(P)), with independent keys K1, K2.

Page 7

The Meet-in-the-Middle (MITM) Attack

• In 1981, Hellman and Merkle showed that double encryption can be broken much faster than expected: in fact, breaking it requires the same time as in the case of single DES, if we are given a large amount of memory.
• More precisely, double encryption with two n-bit keys can be broken given two plaintext-ciphertext pairs in time and memory 2^n (instead of time complexity 2^{2n} and memory complexity 1 in exhaustive key search).

Page 8

MITM Attack Algorithm

• For each n-bit value of K1:
  • Partially encrypt P1 and store the n-bit suggestions for X = E_K1(P1).
  • Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K1.
• For each n-bit value of K2:
  • Partially decrypt C1 and store the n-bit suggestions for X = D_K2(C1).
  • Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K2.
• For each match test the full key.
• Time 2^n, memory 2^n (ignoring logarithmic factors).

[Figure: P1 → E_K1 → X → E_K2 → C1, next to a table of (K1, X) entries sorted by X]


Page 10

MITM Attack Algorithm (continued)

• For each of the O(2^n) possible matches, we get a pair of possible keys K1 and K2, which we test with the second given pair of plaintext and ciphertext.
• Only one pair of keys is expected to survive this test.
• Time 2^n, memory 2^n (ignoring logarithmic factors).

Page 11

Two Important Remarks:

• There is no need to build the second sorted table of K2 and X values: we can generate them in the natural order of increasing K2, and search where each generated value of X (which jumps around with no sorted order) is located in the first sorted table of K1 and X.
• If we are not given a second plaintext/ciphertext pair, we can actually generate, in the same time and memory complexity, all the O(2^n) pairs of K1 and K2 values which are compatible with the first given pair.

Page 12

History (continued)

• As a countermeasure, it was suggested to use triple encryption: DES_K3(DES_K2(DES_K1(P))), with three independent keys K1, K2, K3.
• A trivial extension of the MITM attack (guessing K3, which reduces triple DES to double DES) breaks triple encryption in time 2^{2n} and memory 2^n.
• In all these attacks, the product TM of the time and space complexities is equal to the number of possible keys, and thus the improved attacks can be viewed as simple tradeoffs which shift some of the time complexity to memory complexity.

Page 13

History (continued)

• Triple DES is still used today by the banking industry.
• Despite extensive research, no significant improvements have been found in the last 30 years, and thus we believed that the security of multiple encryption was well understood.
• Today I will show you that what we knew was only the tip of the iceberg of a rich and surprising theory.

Page 14

Multiple Encryption

• A natural generalization is to consider r-fold encryption: E_Kr(E_K(r−1)(… E_K1(P) …)), with independent keys K1, K2, …, Kr.
• A trivial extension of MITM breaks r-fold encryption in time T and memory M such that TM = 2^{rn} (provided M ≤ 2^{⌊r/2⌋n}), given the smallest possible number of r plaintext/ciphertext pairs.
• Can we do better? Yes we can! I will start by showing that we can break 4-encryption with the same time and memory complexities as breaking 3-encryption.

Page 15

Dissection Attack on 4-Encryption Given 4 Plaintext/Ciphertext Pairs

[Figure: two chains P1 → K1 → X1 → K2 → X2 → K3 → X3 → K4 → C1 and P2 → K1 → Y1 → K2 → Y2 → K3 → Y3 → K4 → C2, where Xi and Yi are the intermediate values after round i]

• For each guess of a possible n-bit value of X2:
  • Given P1, X2 obtain 2^n suggestions for K1, K2 using a 2R MITM attack, and store them in a list next to Y2 (the corresponding encryption of P2).
  • Given X2, C1 obtain 2^n suggestions for K3, K4 using a 2R MITM attack.
  • For each suggestion for K3, K4, match Y2 (the corresponding decryption of C2) with the stored list.
  • For each match test the full key using (P3,C3) and (P4,C4).
• Time 2^{2n}, memory 2^n.

[Figure: the stored list of (K1, K2) suggestions indexed by Y2]

Page 16

Dealing With A Larger Number of Encryptions:

• For 4-encryption, we obtained TM = 2^{3n} (instead of the expected 2^{4n}).
• What next? We can always reduce the case of r+1 encryptions to r encryptions by guessing the last key. This increases the time complexity by a factor of 2^n without changing the memory complexity.
• The best attack on 5-encryption and 6-encryption follows this guessing route. However, we now show that 7-encryption is not harder than 6-encryption!

Page 17

Dissection Attack on 7-Encryption

• Split the cipher into two subciphers, the upper part with 3 rounds and the lower part with 4 rounds.
• Guess 2 intermediate encryption values in the middle (one for (P1,C1) and one for (P2,C2))…

[Figure: the 7 rounds split into an upper part of 3 rounds and a lower part of 4 rounds, with the 2 guessed values at the boundary]

Page 18

Dissection Attack on 7-fold Encryption (ctd.)

• For each guess of the 2 intermediate encryption values:
  • Use a standard 3R MITM attack on the top part, obtain 2^n suggestions for K1, K2, K3 and store them in a list, along with the corresponding partial encryptions of P3 and P4.
  • Given the 2 "plaintext-ciphertext" pairs (the guessed values and C1, C2), use a 4R attack to obtain 2^{2n} suggestions for K4, …, K7 on-the-fly.
  • For each suggestion, partially decrypt C3 and C4 and search the list for matches.
  • For each match, test the full key.

Page 19

The Attack Guesses 3 Intermediate Values:

• Two values are chosen after the third round in the outer loop.
• One value is chosen after the fifth round in the inner loop (inside the 4R dissection of the lower part).

[Figure: the 3+4 split with the two outer-loop guesses after round 3 and the inner-loop guess after round 5]

Page 20

Analysis of the Attack

• We guess 2n bits in the middle.
• The top 3R attack takes 2^{2n} time and 2^n memory.
• The bottom 4R attack takes 2^{2n} time and 2^n memory.
• The total complexity is T = 2^{4n} and M = 2^n.
• Hence, we obtain a time/memory product of TM = 2^{5n} (instead of 2^{7n}).

Page 21

Attacks on r-fold Encryption (I)

• After showing two surprising cases of specific attacks on r-encryption, let us develop a formal treatment of the general problem, in which we fix M = 2^n and want to minimize the time complexity T.
• Definition: the gain of an algorithm A for r-fold encryption over the standard MITM algorithm is Gain(A) = r − log_2(TM)/n.
• So, dissection yields a gain of 1 for r = 4 and a gain of 2 for r = 7. Where else can we get additional gains?

Page 22

The Difference Between Meet in the Middle and Dissection Algorithms:

• Meet in the middle: compute from both sides, equate.
• Dissection: guess to partition the problem.

Page 23

Attacks on r-Encryption (II)

• There are two "natural" generalizations of the basic algorithm (for 4-fold encryption):
• LogLayer Algorithm:
  • Assume that r is a power of 2.
  • Guess the intermediate value after every second round, apply MITM attacks to each pair of consecutive rounds separately, and get r/2 "double" rounds.
  • Continue recursively.
• The complexity is T = 2^{(r − log r)n}. Hence:
  • The asymptotic gain is O(log r).
  • Gain of 2 is achieved at r = 8.

Page 24

Attacks on r-Encryption (III)

• Square Algorithm:
  • Assume that r = (r')^2.
  • Guess r' − 1 intermediate values after every r' rounds, apply an r'-round attack to each chunk of r' rounds separately, and get r' "big" rounds.
  • Apply an r'-round attack to the big rounds.
• The complexity is T = 2^{(r − √r)n}. Hence:
  • Asymptotic gain: O(√r).
  • Gain 2 is achieved at r = 9.

Page 25

Asymmetry rules!

• Our dissection achieved a gain of 2 already for 7-fold encryption. Is it stronger also asymptotically?
• Yes! It can be extended recursively to obtain an asymptotic gain of O(√(2r)).
• Main idea: use an asymmetric division into subciphers recursively.
• Where does the asymmetry come from?

Page 26

Dissection Attacks on r-Encryption

• Split the cipher into two subciphers, by guessing k out of the r intermediate values (one per plaintext/ciphertext pair) after a certain number of rounds.
• Solve the top part by a recursive application of the dissection algorithm. Make sure that the number of possible solutions does not exceed 2^n, and store all these solutions in a table sorted into increasing value of some other intermediate values.
• Solve the bottom part by another recursive application of the dissection algorithm. This time you can generate more solutions on-the-fly.

Page 27

Dissection Attacks on r-Encryption (continued)

• Search each solution coming from the bottom in the table of solutions coming from the top.
• Whenever you find a possible combination of keys that agrees on some intermediate results, check its correctness by testing the remaining plaintext/ciphertext pairs that were not used so far.
• Given r pairs altogether, we expect only one combination of key values to survive this test.
• Given fewer pairs, we can enumerate all the solutions.

Page 28

The Optimal Dissection Parameters:

• Proposition: an algorithm A for r-fold encryption with gain k − 1 can be leveraged to an algorithm for (r+k+1)-fold encryption with gain k, and this is the best way to dissect the problem into 2 parts.
• Sketch of proof:
  • Fix k intermediate values after round k+1.
  • Apply a standard MITM attack to the first k+1 rounds. Store the resulting 2^n suggestions for the first k+1 keys in a sorted table.
  • Apply algorithm A to the last r rounds to obtain on-the-fly 2^{(r−k)n} suggestions for the r last round keys and check them against the table.

Page 29

The Resultant Magic Sequence of r Values

• The proposition allows us to construct a "magic sequence" of the numbers of rounds r for which the gain increases by 1 when we use a total memory of M = 2^n for our tables:
• Magic(1) = {4, 7, 11, 16, 22, 29, 37, 46, …}.
• Solving the recursion r_k = r_{k−1} + k + 1 (with r_1 = 4) shows that the k-th element, the smallest r with gain k, is Magic(1)_k = (k+1)(k+2)/2 + 1.
• Hence, the asymptotic gain is O(√(2r)).
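The MITM attack of pages 8 to 11, the 4-encryption dissection of page 15, the 7-encryption dissection of pages 17 to 20 and the recursive construction of pages 26 to 29 are implemented together below as one added Python example; it is not code from the talk or its authors. It works on a constructed toy cipher (4-bit blocks and 4-bit round keys, built from a seeded random permutation) so that the 2^{4n} time of the 7-round attack is only 2^16 units. `solve(r, pairs)` follows the proposition of page 28 literally: for r in Magic(1) it guesses k intermediate values, tables the top k+1 rounds, and streams the bottom r−k−1 rounds against the table; for other r it guesses the last key; 2 rounds are the MITM base case with no second table. The function names, the choice of two extra pairs for the matching signature, the final re-check against all pairs, and the toy cipher are all this example's own assumptions.

```python
import itertools
import random

# Toy parameters: N-bit blocks and N-bit round keys, so each round has 2^N keys.
N = 4
KEYS = 1 << N
MASK = KEYS - 1

# Constructed toy cipher (assumption of this example): a fixed random permutation S
# of the N-bit values, seeded for reproducibility, turned into the keyed permutation
#   E_K(x) = S[(x + K) mod 2^N] xor K,
# and tabulated so that one encryption or decryption is a single list lookup.
_SBOX = list(range(KEYS))
random.Random(7).shuffle(_SBOX)
ENC = [[_SBOX[(x + k) & MASK] ^ k for x in range(KEYS)] for k in range(KEYS)]
DEC = [[0] * KEYS for _ in range(KEYS)]
for _k in range(KEYS):
    for _x in range(KEYS):
        DEC[_k][ENC[_k][_x]] = _x


def encrypt(keys, x):
    """r-fold encryption E_Kr(...E_K1(x)...) for the key tuple keys = (K1, ..., Kr)."""
    for k in keys:
        x = ENC[k][x]
    return x


def decrypt(keys, y):
    """Inverse of encrypt: peel the rounds off from Kr down to K1."""
    for k in reversed(keys):
        y = DEC[k][y]
    return y


def magic_gain(r):
    """k such that r is the k-th element (k+1)(k+2)/2 + 1 of Magic(1) = {4, 7, 11, 16, ...},
    i.e. the gain of dissecting r rounds with 2^N memory; None if r is not magic."""
    k = 1
    while (k + 1) * (k + 2) // 2 + 1 < r:
        k += 1
    return k if (k + 1) * (k + 2) // 2 + 1 == r else None


def solve(r, pairs):
    """Yield every key tuple (K1, ..., Kr) consistent with all (plaintext, ciphertext) pairs.

    Memory stays O(2^N): every table built here has about 2^N entries, and the
    larger candidate sets are generated on the fly by the recursive calls.
    """
    if r == 1:                                   # exhaustive search
        for k in range(KEYS):
            if all(ENC[k][p] == c for p, c in pairs):
                yield (k,)
        return
    if r == 2:                                   # standard MITM: 2^N time, 2^N memory
        p0, c0 = pairs[0]
        table = {}                               # X = E_K1(P1) -> list of K1
        for k1 in range(KEYS):
            table.setdefault(ENC[k1][p0], []).append(k1)
        for k2 in range(KEYS):                   # no second table: look X = D_K2(C1) up directly
            for k1 in table.get(DEC[k2][c0], ()):
                if all(ENC[k2][ENC[k1][p]] == c for p, c in pairs[1:]):
                    yield (k1, k2)
        return
    k = magic_gain(r)
    if k is None or len(pairs) <= k:             # r -> r-1 by guessing the last key
        for kr in range(KEYS):
            for keys in solve(r - 1, [(p, DEC[kr][c]) for p, c in pairs]):
                yield keys + (kr,)
        return
    # Dissection: guess the k intermediate values after round k+1 for the first k
    # pairs, solve the top k+1 rounds into a table keyed by the partial encryptions
    # of two further pairs, and stream the bottom r-k-1 rounds against that table.
    top_r, bot_r = k + 1, r - k - 1
    sig_pairs = pairs[k:k + 2]
    for guess in itertools.product(range(KEYS), repeat=k):
        table = {}                               # partial encryptions -> list of top key tuples
        for top in solve(top_r, [(p, x) for (p, _), x in zip(pairs, guess)]):
            sig = tuple(encrypt(top, p) for p, _ in sig_pairs)
            table.setdefault(sig, []).append(top)
        for bottom in solve(bot_r, [(x, c) for (_, c), x in zip(pairs, guess)]):
            sig = tuple(decrypt(bottom, c) for _, c in sig_pairs)
            for top in table.get(sig, ()):
                full = top + bottom
                if all(encrypt(full, p) == c for p, c in pairs):   # remaining pairs
                    yield full


def demo(r, n_pairs=10, seed=1):
    """Constructed instance: random keys and n_pairs known plaintexts.
    Returns (true key tuple, list of key tuples recovered by solve)."""
    rng = random.Random(seed)
    true_keys = tuple(rng.randrange(KEYS) for _ in range(r))
    pairs = [(p, encrypt(true_keys, p)) for p in rng.sample(range(KEYS), n_pairs)]
    return true_keys, list(solve(r, pairs))


if __name__ == "__main__":
    for rounds in (2, 4, 7):
        true_keys, found = demo(rounds)
        print(f"{rounds}-fold: true keys {true_keys}, recovered {found}")
```

Run it as a script: `demo(7)` performs the page 17 attack (2^{2n} outer guesses, a 3R MITM and a 4R dissection inside) in about a second at N = 4, and every table it allocates has about 2^N = 16 entries. Raising N shows the asymptotics directly: the guess-the-last-key branch multiplies the time by 2^N per extra round, while the dissection branch at r = 4, 7, 11 adds a round for free.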

Page 30

Using Larger Amounts of Memory

• What can be said about the time complexity of multiple encryption given a larger amount of memory, M = 2^{ln}?
• The results generalize to any amount of memory and yield the magic sequences of values of r: Magic(l) = {2l+2, 2l+4, …, 4l, 4l+3, 4l+6, …, 7l, 7l+4, …}.
• The asymptotic gain is O(√(2lr)).

Page 31

Composite Problems

• There are many other types of combinatorial problems (which have nothing to do with cryptography) to which we can apply our new dissection techniques.
• The general notion of a composite problem:
  • We are given the initial value and the final value of a cascade of r steps.
  • In each step, one of a list of possible transformations was applied.
  • The goal: find out which transformation was applied in each step.

Page 32

Composite Problems (cont.)

• Clearly, the problem of breaking r-encryption is a special case of a composite problem.
• There are many other examples:
  • Knapsack: we are given n numbers x1, x2, …, xn and a target sum S and want to find whether there is a subset of the numbers whose elements sum up to S.
  • Rubik's cube: find a shortest solution given an initial state.
  • Rebound attacks on hash functions.
  • etc.

Page 33

Application to Knapsacks

• Modular Knapsack Problem:
  • Given: a list of n integers {a1, a2, …, an} of n bits each, and a target integer S.
  • Goal: find a vector ε = {ε1, ε2, …, εn} with ε_i ∈ {0,1} such that S = Σ_{1≤i≤n} ε_i·a_i (mod 2^n).
• How to represent knapsack as a composite problem?

Page 34

Representing Knapsack as a Block Cipher

[Figure: a "block cipher" whose key is ε = {ε1, ε2, …, εn}, mapping plaintext P to ciphertext C = P + Σ_{1≤i≤n} ε_i·a_i (mod 2^n)]

• We fix the plaintext to be the 0 n-bit vector, and the ciphertext to be S.
• The knapsack problem reduces to recovering the key of this block cipher, given one plaintext-ciphertext pair.

Page 35

Representing Knapsack as 4-Fold Encryption (I)

• We split the knapsack into 4 independent knapsacks by splitting the generators into four quarters; with σ_j the subset sum of quarter j, we define S = σ1 + σ2 + σ3 + σ4 (mod 2^n).
• The intermediate value after the i-th "round" is X_i = Σ_{1≤j≤i} σ_j.

[Figure: a 4-round cascade from plaintext 0 to ciphertext S, with round keys {ε1, …, εn/4}, {εn/4+1, …, εn/2}, {εn/2+1, …, ε3n/4}, {ε3n/4+1, …, εn} and intermediate values X1, X2, X3]

Page 36

Representing Knapsack as 4-Fold Encryption (II)

• Problem: in r-fold encryption we have r plaintexts, so we can guess part of the intermediate values. Here we have a single "big" plaintext.
• Solution: split the "block cipher" also vertically into n/4-bit blocks.

[Figure: the same 4-round cascade with every n-bit value cut into four n/4-bit chunks: the plaintext 0 0 0 0, the intermediate values X1, X2, X3 and the ciphertext chunks S1 S2 S3 S4]

Page 37

Representing Knapsack as 4-Encryption (III)

• Problem: there is a dependence between the "vertical" chunks through the addition carry.
• Solution: we guess the intermediate encryption values in their natural order (from the least significant chunk upwards).
• We keep track of the carry values without having to guess them separately.

Page 38

Representing Knapsack as 4-Encryption

• Conclusion: we can apply to knapsacks the algorithm for r-fold encryption, for any r!
• We can adjust r to the exact amount of available memory, using the algorithms for M > 2^n.
• In particular, we can apply the algorithm to knapsacks by dividing the initial set into 7 (!) disjoint subsets. We obtain T = 2^{4n/7} and M = 2^{n/7}.
• This combination of complexities is better than in the best previously known special-purpose algorithm for solving knapsack problems, due to Becker, Coron and Joux (presented at Eurocrypt 2011).
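The 4-way knapsack dissection of pages 35 to 38, as an added Python example (not the authors' code): the generators are split into four quarters with subset sums σ1, …, σ4, the intermediate value X2 = σ1 + σ2 is guessed only on its lowest n/4-bit chunk (the vertical split of page 36), the top two quarters are solved into a table by a MITM on that chunk, and the bottom two quarters are generated on the fly and matched on the full n-bit sum. With 4 pieces this lands at T ≈ 2^{n/2}, M ≈ 2^{n/4}, the Schroeppel–Shamir point; the 7-piece split of page 38 is the same idea with the 7-round dissection in place of the 4-round one. The instance below (n = 32, a planted solution, fixed seed) is constructed, and `solve_knapsack`, `subset_sums`, `by_low_bits` and `make_instance` are this example's own names.

```python
import random

N = 32                     # number of generators; all sums are taken modulo 2^N
MASK = (1 << N) - 1
Q = N // 4                 # generators per quarter, and width of the guessed low chunk
QMASK = (1 << Q) - 1


def knapsack_sum(a, eps):
    """sum(eps_i * a_i) mod 2^N for a 0/1 selection vector eps."""
    return sum(e * v for e, v in zip(eps, a)) & MASK


def subset_sums(items):
    """All 2^len(items) subset sums modulo 2^N, each with the selection mask that produced it."""
    out = []
    for mask in range(1 << len(items)):
        s = 0
        for i, a in enumerate(items):
            if mask >> i & 1:
                s += a
        out.append((s & MASK, mask))
    return out


def by_low_bits(sums):
    """Index (sum, mask) records by the low Q bits of the sum: the MITM table on one chunk."""
    table = {}
    for s, m in sums:
        table.setdefault(s & QMASK, []).append((s, m))
    return table


def solve_knapsack(a, target):
    """Return every 0/1 vector eps (list of length N) with knapsack_sum(a, eps) == target.

    Dissection into quarters with subset sums sigma_1..sigma_4:
      - guess the low Q bits x of sigma_1 + sigma_2 (one chunk of X2);
      - top half: MITM on the low chunk yields ~2^Q pairs (sigma_1, sigma_2), stored
        by their full N-bit sum (the table next to Y2 on page 15);
      - bottom half: pairs with sigma_3 + sigma_4 = target - x on the low chunk are
        generated on the fly and looked up by the full value sigma_1 + sigma_2 must take.
    Time ~2^Q * 2^Q = 2^(N/2), memory ~2^Q = 2^(N/4).
    """
    quarters = [a[j * Q:(j + 1) * Q] for j in range(4)]
    s1, s2, s3, s4 = (subset_sums(q) for q in quarters)
    t1, t3 = by_low_bits(s1), by_low_bits(s3)
    solutions = []
    for x in range(1 << Q):
        top = {}                                   # sigma_1 + sigma_2 (mod 2^N) -> [(m1, m2)]
        for v2, m2 in s2:
            for v1, m1 in t1.get((x - v2) & QMASK, ()):
                top.setdefault((v1 + v2) & MASK, []).append((m1, m2))
        for v4, m4 in s4:
            for v3, m3 in t3.get((target - x - v4) & QMASK, ()):
                need = (target - v3 - v4) & MASK   # full value sigma_1 + sigma_2 must equal
                for m1, m2 in top.get(need, ()):
                    eps = [0] * N
                    for j, m in enumerate((m1, m2, m3, m4)):
                        for i in range(Q):
                            eps[j * Q + i] = (m >> i) & 1
                    solutions.append(eps)
    return solutions


def make_instance(seed=2024):
    """Constructed sample: N random N-bit generators and a planted random solution."""
    rng = random.Random(seed)
    a = [rng.randrange(1 << N) for _ in range(N)]
    eps = [rng.randrange(2) for _ in range(N)]
    return a, eps, knapsack_sum(a, eps)


if __name__ == "__main__":
    a, eps, target = make_instance()
    found = solve_knapsack(a, target)
    print(len(found), "solution(s); planted solution recovered:", eps in found)
```

Because only the lowest chunk of a single intermediate value is guessed, the carry bookkeeping of page 37 does not arise here: the low-chunk equations are exact modulo 2^{n/4}, and the full-value match absorbs the carries. It is needed once several chunks of several X_i are guessed, as in the 7-piece split.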

Page 39

Time-Memory Tradeoff for Knapsacks

[Figure: time/memory tradeoff curves for knapsack algorithms; labelled curves: Becker, Coron and Joux 2011; Schroeppel and Shamir 1981]

Page 40

Probabilistic Algorithms

• We promised to obtain TM < 2^{3n/4} for any M < 2^{n/4}, but the attacks above give it only for 2^{n/16} < M.
• In order to deal with smaller values of M, we combine our algorithm with the parallel collision search algorithm of van Oorschot and Wiener.
• But this is a topic for another one-hour talk…

Page 41

Conclusions

• We presented new generic algorithms for multiple encryption.
• Our techniques allow us to improve the best known algorithms for the knapsack problem with small memory.
• The techniques are applicable to other composite problems (such as Rubik's cube, rebound attacks on hash functions, etc.).
• An aside: the symmetric way is not always the best one…

Page 42

Open Problems

• Are our results optimal? It seems that at least the "magic exponent" of 5/7 in the product of time and memory complexities TM is optimal, but we cannot be sure…
• Prove lower bounds for composite problems.
  • This was studied in several papers, but only very weak bounds are known.
  • In particular, we conjecture that always T ≥ 2^{n/2}, but we don't know how to prove even weaker bounds.
• Is there a way to exploit more data in order to reduce the time and memory complexities?
• Find new applications of the dissection technique!

Page 43

Thanks for listening!