1 / 43

Improved Attacks on Multiple Encryption

Improved Attacks on Multiple Encryption. Adi Shamir The Weizmann Institute Israel Joint with Itai Dinur , Orr Dunkelman , and Nathan Keller. Block Ciphers. P. A block cipher is modeled as a set of 2 n randomly chosen permutations indexed by an n -bit key K.

kaspar
Download Presentation

Improved Attacks on Multiple Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improved Attacks on Multiple Encryption Adi Shamir The Weizmann Institute Israel Joint with ItaiDinur, Orr Dunkelman, and Nathan Keller

  2. Block Ciphers P • A block cipher is modeled as a set of 2n randomly chosen permutations indexed by an n-bit key K. • For the sake of simplicity, we will assume that the size of the plaintexts P and the ciphertexts C is also n, but we can easily handle other lengths K C

  3. Encryption and Decryption P • Given a key K and a plaintext P it is easy to encrypt, i.e. compute the ciphertextC=EK(P). • Given a key K and a ciphertextC it is easy to decrypt, i.e. compute the plaintext P=DK(C). K C

  4. The Basic Cryptanalytic Problem P • Input: a list of plaintext-ciphertext pairs (P1,C1), (P2,C2),(P3,C3),… • Goal: find K such that C1 =EK(P1), C2=EK(P2),… • Note: K is expected to be unique given only a single pair, but knowing additional pairs can make it easier to find it. K C

  5. Exhaustive Search P • Foreach n-bit value of K: • Perform trial encryptions i.e., test whether C1 =EK(P1),if so test whether C2 =EK(P2) … • Time complexity: 2n,Memory: constant. K C

  6. History Between 1977 and 2001, the most widely used block cipher was DES. Its small key size (n=56) raised concerns about the possibility to break it via exhaustive key search. Soon after the standartization of DES, a simple solution to the small key size problem was proposed: Double encryption: Instead of DESK(P), use DESK2)DESK1)P)) , with independent keys K1,K2.

  7. The Meet-in-the-Middle (MITM) Attack • In 1981, Hellman and Merkleshowed that double encryption can be broken much faster than expected: In fact, breaking it requires the same time as in the case of single-DES, if we are given a large amount of memory. • More precisely, double encryption with two nbit keys can be broken given two plaintext-ciphertext pairs in time and memory of 2n (instead of time complexity 22nand memory complexity of 1 in exhaustive key search).

  8. MITM Attack Algorithm P1 K1 X • For each n-bit value of K1: • Partially encrypt P1 and store the n-bit suggestions for X • Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K1. • For each n-bit value of K2: • Partially decrypt C1and store the n-bit suggestions for X • Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K2. • For each match test the full key. • Time2n, memory2n (ignoring logarithmic factors). K1 101 000 011 010 X . . . . . . 110 111 K2 C1

  9. MITM Attack Algorithm P1 K1 X • For each n-bit value of K1: • Partially encrypt P1 and store the n-bit suggestions for X • Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K1. • For each n-bit value of K2: • Partially decrypt C1and store the n-bit suggestions for X • Sort the list (which contains most of the possible values of X) into increasing value of X, along with the corresponding K2. K1 101 000 011 010 X . . . . . . 110 111 K2 C1

  10. MITM Attack Algorithm P1 K1 X • For each of the O(2n) possible matches, we get a pair of possible keys K1 and K2, which we test with the second given pair of plaintext and ciphertext. • Only one pair of keys is expected to survive this test. • Time2n, memory2n (ignoring logarithmic factors). K1 101 000 011 010 X . . . . . . 110 111 K2 C1

  11. Two Important Remarks: There is no need to build the second sorted table of K2 and X values: We can generate them in the natural order of increasing K2, and search where each generated value of X (which jump around with no sorted order) is located in the first sorted table of K1 and X. If we are not given a second plaintext/ciphertext pair, we can actually generate in the same time and memory complexity all the O(2n) pairs of K1 and K2 values which are compatible with the first given pair.

  12. History (continued) As a countermeasure, it was suggested to use Triple Encryption: DESK3 )DESK2)DESK1)P))), with three independent keys K1,K2,K3. A trivial extension of the MITM attack (by guessing K3, which reduces triple-DES to double-DES) breaks triple encryption in time22n and memory 2n. In all these attacks, the product TM of the time and space complexities is equal to the number of possible keys, and thus the improved attacks can be viewed as simple tradeoffs which shift some of the time complexity to memory complexity.

  13. History (continued) Triple-DES is still used today by the banking industry Despite extensive research, no significant improvements have been found in the last 30 years, and thus we believed that the security of multiple encryption was well understood Today I will show you that what we knew was only the tip of the iceberg of a rich and surprising theory

  14. Multiple Encryption A natural generalization is to consider r-fold encryption: EKr)EKr-1)…(EK1)P))), with independent keys K1,K2,…,Kr. A trivial extension of MITM breaks r-fold encryption in time T and memory M such that TM=2r n(provided M≤2[r/2]n), given the smallest possible number of r plaintext/ciphertext pairs. Can we do better? Yes we can! I will start by showing that we can break 4-encryption with the same time and memory complexities of breaking 3-encryption

  15. Dissection Attack on 4-Encryption Given 4 Plaintext/Ciphertext Pairs P1 P2 K1,K2 Y2 K1 K1 Y1 X1 110 101 000 X2 K2 K2 Y2 111 011 010 K3 K3 . . . X3 Y3 . . . . . . 110 100 111 K4 K4 C2 C1 • For each guess of a possible n-bit value of X2: • Given P1,X2 obtain 2nsuggestions for K1,K2using a 2R MITM attack, and store them in a list next to Y2 (the corresponding encryption of P2). • Given X2,C1 obtain 2nsuggestions for K3,K4using a 2R MITM attack. • For each suggestion for K3,K4, match Y2 (the corresponding decryption of C2) with the stored list. • For each match test the full key using (P3,C3(and (P4,C4(. • Time 22n, memory 2n.

  16. Dealing With A Larger Number of Encryptions: For 4-encryption, we obtained TM=23n (instead of the expected 24n). What next? We can always reduce the case of r+1 encryptions to r encryptions by guessing the last key. This increases the time complexity by a factor of 2nwithout changing the memory complexity. The best attack on 5-encryption and 6-encryption follows this guessing route. However, we now show that 7-encryption is not harder than 6-encryption!

  17. Dissection Attack on 7-Encryption 2 3 Split the cipher into twosubciphers, the upper part with 3 rounds, and the lower part with 4 rounds. Guess 2 intermediate encryption values in the middle (one for (P1,C1) and one for (P2,C2))… 4

  18. Dissection Attack on 7-fold Encryption (ctd.) • For each guess of the 2 intermediate encryption values: • Use a standard 3R MITM attack on the top part, obtain 2n suggestions for K1,K2,K3 and store them in a list, along with the corresponding partial encryptions of P3 and P4. • Given the 2 “plaintext-ciphertext” pairs, use a 4R attack to obtain 22n suggestions for K4-K7on-the-fly. • For each suggestion, partially decrypt C3 and C4 and search the list for matches. • For each match, test the full key.

  19. The Attack Guesses 3 intermediate values: 2 1 3 Two values are chosen after the third round in the outer loop One value is chosen after the fifth round in the inner loop 4

  20. Analysis of the Attack • We guess 2n bits in the middle • The top 3R attack takes 22n time and 2n memory. • The bottom 4R attack takes 22n time and 2n memory. • The total complexity is T=24n andM=2n. • Hence, we obtain a time/memory product of TM=25n (instead of 27n).

  21. Attacks on r-fold Encryption (I) After showing two surprising cases of specific attacks on r-encryption, let us develop a formal treatment of the general problem, in which we fix M=2n and want to minimize the time complexity T. Definition: The gain of an algorithm A for r-fold encryption over the standard MITM algorithm is Gain(A)=r-log(TM)/n. So, dissection yields a gain of 1 for r=4 and a gain of 2 for r=7. Where else can we get additional gains?

  22. The Difference Between Meet in the Middle and Dissection Algorithms: Guess to partition the problem Compute from both sides, equate

  23. Attacks on r-Encryption (II) • There are two “natural” generalizations of the basic algorithm (for 4-fold encryption): • LogLayer Algorithm: • Assume that r is a power of 2. • Guess the intermediate value after every second round, apply MITM attacks to each pair of consecutive rounds separately, and get r/2 “double” rounds. • Continue recursively. • The complexity is T=2(r-logr)n. Hence: • The asymptotic gain is O(log r). • Gain of 2 is achieved at r=8.

  24. Attacks on r-Encryption (III) • Square Algorithm: • Assume that r=(r’)2. • Guess r’-1 intermediate values after every r’ rounds, apply an r’-round attack to each chunk of r’rounds separately, and get r’ “big” rounds. • Apply an r’-round attack to the big rounds. • The complexity is T=2(r-√r)n. Hence: • Asymptotic gain: O(√r). • Gain 2 is achieved at r=9.

  25. Asymmetry rules! Our dissection achieved a gain 2 already for 7-fold encryption. Is it stronger also asymptotically? Yes! It can be extended recursively to obtain asymptotic gain of O(√2r). Main idea: Use an asymmetric division into subciphers recursively. Where does the asymmetry come from?

  26. Dissection attacks on r-Encryption • Split the cipher into twosubciphers, by guessing k out of the r values after a certain number of rounds. • Solve the top part by a recursive application of the dissection algorithm. Make sure that the number of possible solutions does not exceed 2n , and store all these solutions in a table sorted into increasing value of some other intermediate values. • Solve the bottom part by another recursive application of the dissection algorithm. This time you can generate more solutions on-the-fly.

  27. Dissection attacks on r-Encryption • Search each solution coming from the bottom in the table of solutions coming from the top. • Whenever you find a possible combination of keys that agrees on some intermediate results, check its correctness by testing the remaining plaintext/ciphertext pairs that were not used so far. • Given r pairs altogether, we expect only one combination of key values to survive this test • Given fewer pairs, we can enumerate all the solutions

  28. The Optimal Dissection Parameters: • Proposition: An algorithm A for r-fold encryption with gain k-1 can be leveraged to an algorithm for (r+k+1)-fold encryption with gain k, and this is the best way to dissect the problem into 2 parts • Sketch-of-proof: • Fix k intermediate values after k+1 rounds. • Apply a standard MITM attack to the first k+1 rounds. Store the resulting 2nsuggestions for the first k+1 keys in a sorted table. • Apply algorithm A to the last r rounds to obtain on-the-fly 2r-k suggestions for the r last round keys and check them against the table.

  29. The Resultant Magic Sequence of r Values The proposition allows us to construct a “magic sequence” of the numbers of rounds r for which the gain increases by 1 when we use a total memory of M=2nfor our tables: Magic(1)={4,7,11,16,22,29,37,46,…}. Solution of the recursion shows that Magic(1)k=(k+1)(k+2)/2. Hence, the asymptotic gain is O(√2r).

  30. Using Larger Amounts of Memory What can be said about the time complexity of multiple encryption given a larger amount of M=2ln memory? The results generalize to any amount of memory and yield the magic sequences of values of r: Magic(l)={2l+2,2l+4,…,4l,4l+3,4l+6,…,7l,7l+4,...}. The asymptotic gain is O(√2lr).

  31. Composite Problems • There are many other types of combinatorial problems (which have nothing to do with cryptography) to which we can apply our new dissection techniques. • The general notion of acomposite problem: • We are given the initial value and the final value of a cascade of rsteps. • In each step, one of a list of possible transformations was applied. • The goal: Find out, which transformation was applied in each step.

  32. Composite Problems (cont.) • Clearly, the problem of breaking r-encryption is a special case of a composite problem. • There are many other examples: • Knapsack – we are given n numbers x1,x2,…,xn and a target sum S and want to find whether there is a subset of the numbers whose elements sum up to S. • Rubik’s cube – find a shortest solution given an initial state. • Rebound attacks on hash functions. • etc…

  33. Application to Knapsacks • Modular Knapsack Problem: • Given:A list of n integers {a1,a2,…,an} of n bits each,and a target integer S. • Goal: Find a vector ɛ={ɛ1,ɛ2…ɛn} where ɛiϵ{0,1} such that S=∑1≤i≤n(ɛi∙ai) mod2n. • How to represent Knapsack as a composite problem?

  34. Representing Knapsack as a Block Cipher P ɛ={ɛ1,ɛ2…ɛn} • We fix the plaintext to be the 0n-bit vector, the ciphertext to be S. • The knapsack problem reduces to recovering the key of this block cipher, given one plaintext-ciphertext pair. C=P+∑1≤i≤n(ɛi∙ai) (mod 2n)

  35. Representing Knapsack as 4-Fold Encryption (I) • We split the knapsack to 4 independent knapsacks by splitting the generators and defining S=σ1+σ2+σ3+σ4 (mod 2n) • Xi=∑1≤j≤i(σj) 0 {ɛ1,ɛ2…ɛn/4} X1 {ɛn/4+1,…,ɛn/2} X2 {ɛn/2+1,…,ɛ3n/4} X3 {ɛ3n/4+1,…,ɛn} S

  36. Representing Knapsack as 4-Fold Encryption (II) • Problem: In r-fold encryption, we have r plaintexts => can guess part of the intermediate value. Here we have a single “big” plaintext. • Solution: Split the “block cipher” also vertically into n/4-bit blocks. 0 {ɛ1,ɛ2…ɛn/4} X1 {ɛn/4+1,…,ɛn/2} 0 0 0 X2 {ɛn/2+1,…,ɛ3n/4} X3 {ɛ3n/4+1,…,ɛn} S4 S2 S3 S1

  37. Representing Knapsack as 4-Encryption (III) • Problem: There is a dependence between the “vertical” chunks through the addition carry. • Solution: We guess the intermediate encryption values in their natural order. • We keep track of the carry values without having to guess them separately

  38. Representing Knapsack as 4-Encryption • Conclusion: We can apply to knapsacks the algorithm for r-fold encryption, for any r! • We can adjust r to the exact amount of available memory, using the algorithms for M>2n. • In particular, we can apply the algorithm to knapsacks, by dividing the initial set into 7 (!) disjoint subsets. We obtain T=24n/7 and M=2n/7. • This combination of complexities is better than in the best previously known special-purpose algorithm for solving knapsack problems, due to Becker-Coron-Joux (presented at Eurocrypt 2011)

  39. Time-Memory Tradeoff for Knapsacks Becker, Coron and Joux 2011 Schroeppel and Shamir 1981

  40. Probabilistic Algorithms We promised to obtain TM<23n/4 for any M<2n/4 but the attacks above give it only for 2n/16<M. In order to deal with smaller values of M, we combine our algorithm with the Parallel Collision Search algorithm of van Oorschot - Wiener. but this is a topic for another one-hour talk…

  41. Conclusions • We presented new generic algorithms for multiple encryption. • Our techniques allow us to improve the best known algorithms for the knapsack problem with small memory. • The techniques are applicable to other composite problems (such asRubik’s cube, rebound attacks on hash functions etc.) • An aside: the symmetric way is not always the best one…

  42. Open Problems • Are our results optimal? It seems that at least the “magic exponent” of 5/7in the product of time and memory complexities TM is optimal, but we cannot be sure… • Prove lower bounds for composite problems. • Was studied in several papers, but only very weak bounds are known. • In particular, we conjecture that always T≥2n/2, but don’t know to prove even weaker bounds. • Is there a way to exploit more data in order to reduce the time and memory complexities? • Find new applications of the dissection technique!

  43. Thanks for listening!

More Related