

Information Security Technical Report, Vol. 2, No. 2 (1997) 18-21

The Difficulty of Attacking Cryptosystems

By Sean Murphy, Information Security Group, Royal Holloway, University of London

In this article the author discusses cryptosystems both from the designer’s point of view and from the attacker’s point of view. Particular attention is paid to exhaustive key search attacks and the effort required for an attack to be successful.

In today’s commercial world, cryptosystems are widely used for a variety of purposes. These include encryption, authentication, integrity, non-repudiation and the management of other cryptosystems (key management). A cryptosystem is a mathematical function for processing data. Usually, there is no secret about the mathematical function apart from one parameter, the key. Knowledge of a key is what allows a legitimate user of a cryptosystem access to the cryptosystem. If an illegitimate user of a cryptosystem, by whatever method, finds a key of a legitimate user, they obtain the same rights and privileges as the legitimate user of the cryptosystem. Thus efficient and secure management of these keys is essential for the use of cryptosystems, to ensure that an illegitimate user does not obtain a key of a legitimate user.

It is possible, though usually very difficult, to attack cryptosystems directly to find keys of legitimate users. In this article, we consider the difficulty of such attacks on the most widely used cryptosystems.

There are essentially two types of cryptosystem. The first (historically) is known as a secret key or symmetric key cryptosystem. In such cryptosystems, the key for the underlying mathematical function can be used to reverse this mathematical function (hence the term ‘symmetric’). In order to participate in such a cryptosystem, all users have to have access to the same key (hence the term ‘secret key’).

The two types of secret key cryptosystems are stream ciphers, which are used in applications like mobile communications, and block ciphers, which are used in applications like data encryption and message authentication. Examples of block ciphers are the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA), and SAFER. In practice, symmetric cryptosystems are built by repeatedly using simple mathematical operations involving the key. This means that symmetric cryptosystems can be executed at high speed and are typically used in security applications where large amounts of data have to be processed.

The other type of cryptosystem is known as a public key or asymmetric cryptosystem. In these cryptosystems, the key for the underlying mathematical function cannot easily be used to reverse this mathematical function. A separate key is needed to do this (hence the term ‘asymmetric’). A participant in such a cryptosystem can thus have a key pair, one of which is kept private and the other is made public (hence the term ‘public key’). Asymmetric cryptosystems are based on asymmetric or one-way mathematical problems that are easy in one direction, but hard in the reverse direction. For example, it is easy to find the product of two numbers, but the reverse problem of finding the factors of a given number can be hard. The other such mathematical problem that is commonly used is the discrete logarithm problem. Examples of asymmetric cryptosystems are Diffie-Hellman, RSA and El Gamal, on which the Digital Signature Standard (DSS) is based. Asymmetric cryptosystems generally offer greater flexibility of application than symmetric cryptosystems, but are much slower to execute. They are used in applications such as digital signatures, key management and entity authentication.

18 0167-4048/97/$17.00 © 1997, Elsevier Science Ltd

The key for any cryptosystem is some information that can be stored as a string of binary digits (i.e. bits). For symmetric key cryptosystems, a key is usually a binary string of a given length, and any binary string of this given length is a valid key. For example, DES has a 56-bit key. This means that any binary string of length 56 can be a DES key. For asymmetric key cryptosystems, whilst a key is a binary string of a given length, not every binary string of this length is a valid key. For example, some versions of RSA currently being used have a key length of 512 bits, meaning that the private key is a 512-bit string, but this does not mean that every 512-bit string is possible as a valid key, as, for example, ‘even numbers’ are invalid. Even though the key lengths of both symmetric and asymmetric cryptosystems are measured in bits, it is important to note that the figures are not directly comparable. In fact, the techniques used to find unknown keys for symmetric and asymmetric cryptosystems are quite different, and we consider them separately.
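As an added example that is not part of the article, the following Python code makes the two points above concrete on a toy RSA key pair with constructed small primes: multiplying p and q is immediate, recovering them by naive trial division (used here only as the simplest possible baseline, not the factoring algorithms discussed later) costs up to about the square root of n divisions, and of all the strings of the private key's length only those coprime to (p-1)(q-1) are valid private exponents, which is why every even candidate is ruled out. The primes, exponent and message are constructed values chosen for the example.

```python
"""Valid versus invalid RSA private keys on a toy key pair (constructed example)."""
from math import gcd, isqrt


def rsa_keypair(p, q, e):
    """Toy RSA key generation from two odd primes p, q and a public exponent e.
    Returns (n, d): n = p*q is public, d is the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return n, d


def is_valid_private_exponent(d, p, q):
    """A private exponent must be a unit modulo phi(n) = (p-1)(q-1).
    Because p and q are odd primes, phi(n) is even, so every even d fails
    the gcd test: this is the sense in which 'even numbers' are invalid keys."""
    phi = (p - 1) * (q - 1)
    return 0 < d < phi and gcd(d, phi) == 1


def count_valid_private_exponents(p, q):
    """How many of the values in [1, phi(n)) are usable private exponents.
    This equals Euler's totient of phi(n), a fraction of all candidate strings."""
    phi = (p - 1) * (q - 1)
    return sum(1 for d in range(1, phi) if gcd(d, phi) == 1)


def trial_division_factor(n):
    """Naive factoring by trial division: the reverse of the easy multiplication
    step, costing up to sqrt(n) divisions. Returns (smaller factor, other factor,
    divisions tried)."""
    tried = 0
    for f in range(2, isqrt(n) + 1):
        tried += 1
        if n % f == 0:
            return f, n // f, tried
    return n, 1, tried


if __name__ == "__main__":
    p, q, e = 61, 53, 17  # constructed toy parameters for illustration only
    n, d = rsa_keypair(p, q, e)
    m = 65  # constructed message
    c = pow(m, e, n)
    print(f"n = {n}, d = {d}, encrypt({m}) = {c}, decrypt -> {pow(c, d, n)}")
    print(f"valid private exponents below phi(n): {count_valid_private_exponents(p, q)} of {(p - 1) * (q - 1) - 1}")
    print(f"d = 2 valid? {is_valid_private_exponent(2, p, q)}; d = {d} valid? {is_valid_private_exponent(d, p, q)}")
    print("trial division recovers:", trial_division_factor(n))
```

The same gcd condition is what real key generation enforces on a 512-bit candidate; the toy size only makes the full count of valid exponents enumerable.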

The techniques for finding an unknown key of a symmetric cryptosystem can be illustrated by considering a block cipher. (The techniques for stream ciphers are similar.) For a block cipher, the key can usually be any binary string of a given length. For example, DES has a 56-bit key, triple DES a 112-bit key, and IDEA and SAFER a 128-bit key, so DES has 2^56 possible keys, triple DES 2^112 possible keys, and IDEA and SAFER 2^128 possible keys. Suppose we have some data processed by a block cipher with an unknown key. The obvious way to find this key is to try all possible keys until we find a small collection of possible keys that work, one of which is the unknown key. This attack is known as a brute force attack or an exhaustive key search, and needs a minimal amount of data to perform. Clearly this attack will always work eventually.

The objective for a designer of a strong block cipher is to ensure that an exhaustive key search on the block cipher takes far longer or is far more expensive than is feasible, and that there are no other techniques which recover an unknown key more quickly or more cheaply than an exhaustive key search. The complexity of such attacks is usually quantified by comparing the number of applications of the block cipher in the attack with an exhaustive key search. Even in cases where the attack compares favourably with an exhaustive key search, it is important to remember that there are other considerations, such as the amount of data that needs to be processed by the block cipher with the unknown key. Whilst such techniques are specific to the block cipher, there are two types of attack that have wide applicability, namely differential cryptanalysis and linear cryptanalysis. In differential cryptanalysis, some carefully chosen data processed by the block cipher are analysed to find the unknown key. In linear cryptanalysis, the underlying algebraic structure is used to analyse data processed by the block cipher. For the widely used block ciphers, such as DES, these attacks are currently impractical as they require the generation of vast amounts of data with the unknown key. For example, a differential attack on DES requires the processing of 2^50 bytes of data and a linear attack 2^46 bytes of data.

We now consider the complexity of an exhaustive attack on a block cipher. As we have to search through all the keys for an exhaustive key search, the larger the number of keys, the harder this is. As an illustration, we consider an exhaustive key search for a 56-bit DES key. Approximate figures for other block ciphers with different key sizes can be derived by multiplying by an appropriate factor.
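As an added illustration that is not part of the article, the following Python code runs an exhaustive key search against a toy block cipher constructed for this example (16-bit blocks, an 18-bit key, so the whole key space can be tried in about a second). It shows the point made above: a single known plaintext/ciphertext block usually leaves a small collection of candidate keys, because several wrong keys happen to map that one block correctly, and a second block narrows the collection down to the true key. The cipher, its key schedule, the secret key and the plaintext blocks are all constructed values for this example.

```python
"""Exhaustive key search on a toy block cipher (constructed example)."""
MASK16 = 0xFFFF
KEY_BITS = 18                       # toy key length, chosen so the search finishes quickly
SECRET_KEY = 0x2BEEF                # constructed: the 'unknown' key the search must recover
SAMPLE_PLAINTEXTS = (0x1234, 0x5678, 0x9ABC)   # constructed known data blocks


def rotl16(x, r):
    """Rotate a 16-bit word left by r bits."""
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK16


def round_key(key, r):
    """Constructed key schedule: spread the 18 key bits over 16-bit round keys."""
    return ((key * 0x45D9F3B) >> (4 * r)) & MASK16


def toy_encrypt(key, block, rounds=4):
    """Toy 16-bit block cipher. Each round XORs a round key, multiplies by an odd
    constant modulo 2^16 (invertible) and rotates, so for every key the cipher is
    a permutation of the block space. It is deliberately tiny and not secure."""
    x = block & MASK16
    for r in range(rounds):
        x ^= round_key(key, r)
        x = (x * 0x9E37) & MASK16   # 0x9E37 is odd, so this step is invertible
        x = rotl16(x, 5)
    return x


def exhaustive_key_search(pairs, key_bits=KEY_BITS):
    """Try every one of the 2^key_bits keys against the first known
    (plaintext, ciphertext) pair, keep the survivors, then narrow them with the
    remaining pairs. Returns (candidate keys, trial encryptions, survivors per stage)."""
    first_pt, first_ct = pairs[0]
    candidates = [k for k in range(1 << key_bits) if toy_encrypt(k, first_pt) == first_ct]
    trials = 1 << key_bits
    survivors = [len(candidates)]
    for pt, ct in pairs[1:]:
        trials += len(candidates)
        candidates = [k for k in candidates if toy_encrypt(k, pt) == ct]
        survivors.append(len(candidates))
    return candidates, trials, survivors


def is_permutation(key):
    """Confirm the toy cipher is a bijection on 16-bit blocks under this key."""
    return len({toy_encrypt(key, x) for x in range(1 << 16)}) == (1 << 16)


def demo():
    """Run the search on the constructed data; returns (candidates, trials, survivors)."""
    pairs = [(pt, toy_encrypt(SECRET_KEY, pt)) for pt in SAMPLE_PLAINTEXTS]
    return exhaustive_key_search(pairs)


if __name__ == "__main__":
    candidates, trials, survivors = demo()
    for i, count in enumerate(survivors, start=1):
        print(f"after {i} known block(s): {count} candidate key(s)")
    print(f"trial encryptions: {trials} (key space is {1 << KEY_BITS})")
    print(f"true key {SECRET_KEY:#x} recovered: {SECRET_KEY in candidates}")
```

Each extra known block costs only as many trial encryptions as there are surviving candidates, which is why the data needed by this attack is minimal compared with the differential and linear attacks mentioned above.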

Clearly the feasibility of an attack depends on the computing resources of the attacker.


Recently (13 March 1997) RSA Data Security Inc. issued a test challenge to find a 56-bit DES key (with a $10 000 prize). There are 2^56, or about 72 quadrillion, possible DES keys. The key was found 140 days later by an effort distributed over the Internet. It involved about 70 000 Internet addresses, each searching through different keys until the correct one was found. At the peak rate, 7 billion keys were being tested per second. At this rate, it would have taken 32 days to find the key. Clearly, this was a unique event, and it is debatable whether people would be willing to donate their computer time for a key search for an unknown purpose. As an illustration of the times available to individual organizations, we quote the following table from a recent paper (January 1996) by seven well-known cryptographers that gave rough estimates for recovering a 56-bit DES key. Some of the assumptions underlying the times in this paper are disputed as being unrealistic. Note that Application Specific Integrated Circuit (ASIC) means a specially built chip.

Attacker              Budget         Technology   Time to recover a 56-bit DES key
Hacker                $400           Computers    38 years
Small Business        $10 000        Computers    16 months
Corporate Department  $300 000       Computers    19 days
                                     ASIC         3 hours
Large Company         $10 million    Computers    13 hours
                                     ASIC         6 minutes
Intelligence Agency   $300 million   ASIC         12 seconds

This table is based on current computing speeds and takes no account of future increases in computing speed. It is conceivable that computing speeds could increase 100-fold in the next 20 years. Whilst this means that data can be processed much faster in a cryptosystem, it also means that exhaustive key searches can be carried out much more quickly, and key sizes will have to be increased correspondingly.
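As an added example that is not part of the article, the following Python code turns the figures quoted above into a small cost model: the table's 56-bit times are scaled to other key lengths (each extra key bit doubles the work) and to faster attackers (a 100-fold speedup divides it by 100), and the Internet challenge's peak rate of 7 billion keys per second is used to show how long a complete 56-bit search would take and what share of the key space the quoted 32 days covers. The month and year lengths are rounded assumptions of this example; everything else comes from the figures on this page.

```python
"""Exhaustive key search cost model built on the figures quoted above (added example)."""
import math

MINUTE, HOUR, DAY = 60, 3600, 86400
MONTH, YEAR = 30 * DAY, 365 * DAY   # rounded units assumed for this example

# Times quoted in the table above for recovering one 56-bit DES key.
DES56_TIMES = {
    ("Hacker", "Computers"): 38 * YEAR,
    ("Small Business", "Computers"): 16 * MONTH,
    ("Corporate Department", "Computers"): 19 * DAY,
    ("Corporate Department", "ASIC"): 3 * HOUR,
    ("Large Company", "Computers"): 13 * HOUR,
    ("Large Company", "ASIC"): 6 * MINUTE,
    ("Intelligence Agency", "ASIC"): 12,
}


def keyspace(key_bits):
    """Number of keys of a cipher whose key is any key_bits-bit string."""
    return 1 << key_bits


def full_search_seconds(key_bits, keys_per_second):
    """Time to test every key at the given rate (the worst case for the attacker)."""
    return keyspace(key_bits) / keys_per_second


def fraction_searched(key_bits, keys_per_second, seconds):
    """Share of the key space covered in `seconds` at the given rate."""
    return keys_per_second * seconds / keyspace(key_bits)


def scale_time(seconds_for_56_bit, key_bits, speedup=1.0):
    """Scale a quoted 56-bit search time to another key length and a faster
    attacker: each extra key bit doubles the work, a k-fold faster machine
    divides it by k."""
    return seconds_for_56_bit * 2.0 ** (key_bits - 56) / speedup


def extra_bits_for_speedup(speedup):
    """Key bits that cancel a k-fold increase in attacker speed: ceil(log2 k)."""
    return math.ceil(math.log2(speedup))


def scaled_table(key_bits, speedup=1.0):
    """The quoted table recomputed for another key length and attacker speed."""
    return {who: scale_time(t, key_bits, speedup) for who, t in DES56_TIMES.items()}


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, name in ((YEAR, "years"), (DAY, "days"), (HOUR, "hours"), (MINUTE, "minutes")):
        if seconds >= unit:
            return f"{seconds / unit:.3g} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    rate = 7e9   # peak rate of the Internet DES challenge quoted above
    print("complete 56-bit search at 7e9 keys/s:", human(full_search_seconds(56, rate)))
    print(f"key space covered in 32 days at that rate: {fraction_searched(56, rate, 32 * DAY):.0%}")
    print("extra key bits that offset a 100-fold speedup:", extra_bits_for_speedup(100))
    for who, t in scaled_table(112, speedup=100).items():
        print(f"{who[0]:22s} {who[1]:10s} {human(t):>14s}   (112-bit key, 100x faster)")
```

The last loop is the practical reading of the paragraph above: even granting the 100-fold speedup, moving from a 56-bit to a 112-bit key multiplies every row of the table by 2^56/100, so the increase in key size more than restores the margin.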

For asymmetric cryptosystems, the situation is different. It is generally believed that the difficulty of finding an unknown private key depends on the difficulty of some well-known mathematical problem. We consider the problem of finding an RSA private key, which is believed to be equivalent to factoring a large number that is the product of two primes. From the invention of asymmetric cryptography (mid-1970s) until recently there were a number of algorithms that could factor such numbers, all of which took roughly the same time. In the last few years, a new algorithm, the general number field sieve (GNFS), has been invented that can factor a number more quickly than the previous algorithms. The discrete logarithm problem, used for El Gamal and DSS, has a similar complexity.

As with DES, an RSA Data Security Inc. challenge number (RSA-130) with 430 bits (130 decimal digits) was issued. This number has recently been factored (April 1996), again using an effort distributed over the Internet. As before, it is doubtful whether people would be willing to donate computing resources for a factoring effort for an unknown purpose. The total effort used in factoring RSA-130 is estimated to be 500 MIPS-years, that is, equivalent to a computer running at 500 million instructions per second for a year. Such figures make it just about conceivable that, with a concentrated effort over the Internet, one could currently factor a 512-bit number that is the product of two primes. This means that RSA systems with 512-bit private keys are potentially vulnerable to such attacks, and some RSA systems are migrating to larger private key sizes, such as 768 bits.

Of course, computing speeds are increasing, and one day it may be possible to factor a 768-bit number. This does not seem likely in the foreseeable future. However, it is entirely possible that overnight someone will invent a new algorithm and all the figures will have to be revised.


One type of asymmetric cryptosystem currently gaining favour is the elliptic curve cryptosystem. These appear to offer smaller private key sizes than other asymmetric cryptosystems for the same security, as the algorithms used on other asymmetric cryptosystems do not seem directly applicable, though widespread research has only been carried out in this area relatively recently.
