
Multiple Encryption — New Cryptanalytic Algorithms and Applications

Orr Dunkelman

Computer Science Department University of Haifa

4th July, 2013

Orr Dunkelman Multiple Encryption 1/ 35

Outline

1 Multiple Encryption and Meet in the Middle Attacks

◮ The Meet in the Middle Attack

◮ Reducing the Memory Complexity

◮ A Meet in the Middle Attack on 2-Key 3-Encryption

2 New Approach to Meet in the Middle Attacks

◮ Improving the Meet in the Middle Attack on 4-Encryption

◮ Extending the Basic Attack

◮ The Advantages of Keeping Things Asymmetric

◮ Dissection and Parallel Collision Search

3 Solving Bicomposite Problems

◮ The Knapsack Problem as a Bicomposite one

◮ Solving Combinatorial Search Problems

4 Conclusions

The Origins of Multiple Encryption

◮ The main critique against DES was its short (56 bits) key size.

◮ Already in 1977, Diffie and Hellman suggested a 20M$ machine to break DES by exhaustive search.

◮ As a result, it was suggested to use double and triple encryption.

◮ Due to the Meet in the Middle attack [DH77], double-DES was not considered much more secure than DES.

Meet in the Middle Attack on Double-Encryption

Consider Double-Encryption:

[Figure: $P$ → $E_{K_1}$ → $E_{K_2}$ → $C$; the stored pairs $(X_{K_1}, K_1)$ are compared with $D_{K_2}(C)$ at the middle value.]

◮ In a MitM attack, try all $K_1$ values, and compute $X_{K_1} = E_{K_1}(P)$.

◮ Store all $(X_{K_1}, K_1)$ pairs in a table indexed by $X_{K_1}$.

◮ Then, for every $K_2$, decrypt $C$, and check whether $D_{K_2}(C)$ is in the table.

◮ In case there is a match in the table, check the corresponding $(K_1, K_2)$ pair, using a second plaintext/ciphertext pair.

Meet in the Middle Attack on Double-Encryption (Analysis)

◮ We shall assume that the block size and the key size are always $n$ bits.

◮ When this is the case, the complexity of the proposed MitM attack is $2^{n+1}$ single $E$ calls (i.e., $2^n$ double-$E$ calls), and $2^n$ memory blocks.

◮ There is a simple time-memory tradeoff: $TM = 2^{2n}$ with $T \ge 2^n$.

◮ The data complexity of the attack is 2 (= unicity distance).

Meet in the Middle Attack on Triple-Encryption

◮ The same attack works also against Triple-Encryption: $C = E_{K_3}(D_{K_2}(E_{K_1}(P)))$

◮ Just construct a table of $2^n$ entries as before.

◮ The attack offers a simple time-memory tradeoff of $TM = 2^{3n}$ with $T \ge 2^{2n}$.

◮ Data complexity: 3.

Reducing the Memory Complexity of MitM Attacks

[Figure: $P$ → $E_{K_1}$ → $E_{K_2}$ → $C$]

◮ Each key suggested by the MITM is a collision between two functions: $f_1(K_1) = E_{K_1}(P)$, and $f_2(K_2) = D_{K_2}(C)$.

◮ Such collisions can be found in time $O(2^{n/2})$ with no memory.

◮ There are $2^n$ collisions, and we need to cover all of them.

◮ Total time complexity: $O(2^{3n/2})$.

◮ There is a tradeoff between time and memory.

More info: [vOW94] “Parallel Collision Search with Application to Hash Functions and Discrete Logarithms”

Another Improvement (3-Encryption)

◮ An interesting observation by [L98] is the fact that double encryption leads to many collisions.

◮ Hence, if a value is not in the table (and many bins are expected to remain empty), we can discard many of the colliding keys.

◮ This allows slightly reducing the time complexity of the heavy part (guessing $K_2, K_3$), in exchange for additional data.

Meet in the Middle Attack on 2-Key 3-Encryption [DH77]

Consider 2-Key 3-Encryption:

[Figure: $P_{K_1}$ → $E_{K_1}$ → $D_{K_2}$ → $E_{K_1}$ → $C_{K_1}$, with the value $X_{K_1}$ marked.]

◮ For any $K_1$ decrypt 0 to obtain the corresponding plaintext $P_{K_1} = D_{K_1}(0)$.

◮ Ask for the encryption of $P_{K_1}$, and obtain $C_{K_1}$.

◮ Decrypt $C_{K_1}$ under $K_1$ to obtain $X_{K_1} = D_{K_1}(C_{K_1})$. Store $(X_{K_1}, K_1)$ in a table.

◮ Try all $K_2$ values, and compute $D_{K_2}(0)$ looking for a match in the table.

Analysis

◮ The attack exploits a chosen plaintext scenario.

◮ The data complexity is $2^n$ chosen plaintexts (worst case).

◮ The time/memory complexities are $2^n$.

◮ The data complexity can be reduced in exchange for an increase in time complexity [BC12].

◮ The splice-and-cut technique is very related to this attack (as well as all techniques built on top of splice-and-cut).

Analyzing 4-Encryption

Consider the case of 4-Encryption: $C = E_{K_4}(E_{K_3}(E_{K_2}(E_{K_1}(P))))$

[Figure: $P_1, P_2, P_3, P_4$ → $E_{K_1}$ → $E_{K_2}$ → $E_{K_3}$ → $E_{K_4}$ → $C_1, C_2, C_3, C_4$, with the intermediate values $X^2_1$ and $X^2_2$ marked for the pairs $(P_1, C_1)$ and $(P_2, C_2)$.]

Standard MitM attack can take $2^{3n}$ time with $2^n$ memory, or $2^{2n}$ time with $2^{2n}$ memory.

Can we do better?

1 For any guess of $X^2_1$, perform a MitM attack on $E_2 \circ E_1$.

2 Obtain a list of $2^n$ possible pairs of keys $(K_1, K_2)$.

3 Encrypt $P_2$ under the obtained $(K_1, K_2)$, and store the values of $(X^2_2, (K_1, K_2))$ in a table.

4 Perform another MitM on $E_4 \circ E_3$, obtain the $2^n$ candidates for $(K_3, K_4)$, and compute the value of $X^2_2$ from $C_2$.

5 Verify the suggested key $(K_1, K_2, K_3, K_4)$ using $P_3$ and $P_4$.

Analysis

◮ For each $X^2_1$ guess, we did two MitM attacks of $2^n$ time and memory.

◮ Then, we had another MitM of $2^n$ time and memory.

◮ So in total: time complexity is $2^{2n}$, and memory complexity is $2^n$.
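The double-encryption MitM and the five-step 4-encryption attack above, as an added example that is not code from the talk: it shows that four independent keys cost roughly $2^{2n}$ cipher calls with a $2^n$-entry table, which is the margin a designer has to budget for when sizing a cascade. The 8-bit toy cipher, the seed, the sample key and all function names are assumptions constructed for this illustration.

```python
"""Meet-in-the-middle and dissection on a toy cipher (added example).

Assumption: a TOY cipher with n = 8-bit blocks and 8-bit keys, constructed
for this illustration only. It is not a real cipher and not from the talk.
"""
import random
from collections import defaultdict

N_BITS = 8
SIZE = 1 << N_BITS                      # 2^n keys and 2^n blocks

_rng = random.Random(2013)              # fixed seed: reproducible S-box
SBOX = list(range(SIZE))
_rng.shuffle(SBOX)
INV = [0] * SIZE
for _i, _v in enumerate(SBOX):
    INV[_v] = _i

STATS = {"cipher_calls": 0}             # counts single E/D evaluations


def enc(k, x):
    """E_k(x): three keyed S-box rounds (toy construction)."""
    STATS["cipher_calls"] += 1
    for r in range(3):
        x = SBOX[x ^ k ^ r]
    return x


def dec(k, y):
    """D_k(y): exact inverse of enc."""
    STATS["cipher_calls"] += 1
    for r in reversed(range(3)):
        y = INV[y] ^ k ^ r
    return y


def encrypt_chain(keys, p):
    """r-encryption: C = E_Kr(...E_K2(E_K1(P)))."""
    for k in keys:
        p = enc(k, p)
    return p


def mitm_double(p, c):
    """All (K1, K2) with E_K2(E_K1(p)) == c, using a 2^n-entry table."""
    table = defaultdict(list)
    for k1 in range(SIZE):              # forward: store (X_K1, K1)
        table[enc(k1, p)].append(k1)
    matches = []
    for k2 in range(SIZE):              # backward: look up D_K2(c)
        for k1 in table.get(dec(k2, c), ()):
            matches.append((k1, k2))
    return matches


def recover_double(pairs):
    """Double-encryption: MitM on pair 1, filter on the remaining pairs."""
    (p1, c1), rest = pairs[0], pairs[1:]
    return [ks for ks in mitm_double(p1, c1)
            if all(encrypt_chain(ks, p) == c for p, c in rest)]


def dissect4(pairs):
    """4-encryption: guess X^2_1, two inner MitMs, join on X^2_2."""
    (p1, c1), (p2, c2) = pairs[0], pairs[1]
    found = []
    for x in range(SIZE):               # step 1: guess X^2_1
        table = defaultdict(list)       # steps 2-3: (X^2_2, (K1, K2))
        for k1, k2 in mitm_double(p1, x):
            table[enc(k2, enc(k1, p2))].append((k1, k2))
        for k3, k4 in mitm_double(x, c1):          # step 4
            x22 = dec(k3, dec(k4, c2))  # X^2_2 computed from C2
            for k1, k2 in table.get(x22, ()):
                key = (k1, k2, k3, k4)
                if all(encrypt_chain(key, p) == c for p, c in pairs[2:]):
                    found.append(key)   # step 5: verified on P3, P4
    return found


if __name__ == "__main__":
    secret = (0x3A, 0xC5, 0x07, 0x9E)   # constructed sample key
    plaintexts = [0x00, 0x11, 0x5B, 0xF0]
    pairs = [(p, encrypt_chain(secret, p)) for p in plaintexts]
    STATS["cipher_calls"] = 0
    candidates = dissect4(pairs)
    print("true key recovered:", secret in candidates)
    print("surviving candidates:", len(candidates))
    print("cipher calls: %d (2^2n = %d, brute force 2^4n = %d)"
          % (STATS["cipher_calls"], SIZE ** 2, SIZE ** 4))
```

With only four plaintext/ciphertext pairs (the unicity distance) a few wrong keys can survive alongside the true one, so the function returns every key consistent with the data rather than a single answer.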

Extending the Basic Attack

◮ Obviously, we enjoy the $2^n$ gain when attacking r-encryption with $r \ge 4$.

◮ Just guess the $r - 4$ last keys, and apply the 4-encryption attack.

◮ Of course, the question is whether we can do better...

◮ Namely, can we gain more given that we already gained something?

The LogLayer Algorithm

◮ A straightforward extension is the LogLayer algorithm.

◮ When attacking r-encryption, we guess $r/2 - 1$ internal states just after round $r/2$, and attack each half independently.

◮ With $2^n$ memory, the running time is $2^{n(r-\log(r))}$.

◮ The “gain” sequence is: 2,4,8,16,32,....

[Figure: 8-encryption mapping $P_1, P_2, P_3, \ldots, P_8$ to $C_1, C_2, C_3, \ldots, C_8$, with the labels 4, 2, 4.]

The Square Algorithm

◮ A different improvement that relies on symmetry.

◮ Consider 16-Encryption:

◮ Now, we need to attack “4-Encryption” again.

◮ The complexity is $2^{n(r-\sqrt{r}+1)}$.

◮ The “gain” sequence is: 2,4,9,12,16,25,36,....

[Figure: 16-encryption mapping $P_1, P_2, P_3, \ldots, P_{16}$ to $C_1, C_2, C_3, \ldots, C_{16}$, split into four blocks of 4. Each block is labelled "4-Encryption Attack, Time $2^{2n}$, $2^n$ Remaining Keys". The four blocks, with $2^n$ keys each, are then drawn as four “E” layers mapping $P_4, P_5, P_6, \ldots, P_{16}$ to $C_4, C_5, C_6, \ldots, C_{16}$.]

Why Asymmetry is Important in Symmetric-Key Attacks

◮ The shared characteristic of both LogLayer and Square is the fact that they are “symmetric” in nature.

◮ They do not distinguish between the “forward” direction stored in the table, and the “backward” direction which is checked in the table.

◮ In reality, they are different. The “backward” direction can be generated “on-the-fly”.

The Best Algorithm (we could find)

◮ A different improvement relies on symmetry.

◮ Consider 7-Encryption:

◮ We access the table with the $2^{2n}$ suggested keys.

◮ The idea is to balance the complexity of the attack (on the second half) with the number of “solutions”.

◮ The “gain” sequence is: 2,4,7,11,16,22,29,....

[Figure: 7-encryption mapping $P_1, P_2, P_3, \ldots, P_7$ to $C_1, C_2, C_3, \ldots, C_7$, split into a block of 3 and a block of 4. Labels: "3-Encryption MitM, $2^{2n}$ time, $2^n$ keys left" and "4-Encryption MitM, $2^{2n}$ time, $2^{2n}$ keys left".]

Attacking r-Encryption

1 Guess as many keys as needed to reduce the scheme to a “magic number” (from the gain list).

2 Dissect the remaining encryptions:

  1 For the ith magic number, guess $i - 1$ internal states after round $i$.

  2 Attack the first $i$ rounds, obtain $2^n$ keys, and construct a table.

  3 Attack the remaining rounds, and access the table to find full key candidates.

We call this technique “Dissection”.

Dissection using Parallel Collision Search

◮ Just like in the PCS algorithm for double-encryption, to use the PCS we need to divide the full encryption function into two.

◮ This is done by defining $F^{upper} : (K_1, \ldots, K_{r/2}) \to (X^{r/2}_1, \ldots, X^{r/2}_{r/2})$ and $F^{lower} : (K_{r/2+1}, \ldots, K_r) \to (X^{r/2}_1, \ldots, X^{r/2}_{r/2})$.

◮ Given Floyd’s algorithm (or Nivasch’s or Brent’s or ...), find collisions between the two functions.

◮ Actually, we can use Hellman’s TMTO attacks to find $2^n$ collisions simultaneously in time $2^{(r/4+1/2)n}$.

◮ After $2^{(r/2)n}$ such collisions, we expect the right one to show up.

Dissection using Parallel Collision Search (cont.)

◮ The key idea is to compute the functions $F^{upper}$ and $F^{lower}$ using dissection and the extra available memory.

◮ Namely, we “agree” on the output of the functions, thus restricting them to a smaller space.

◮ For 8-Encryption, the unrestricted functions are:

$F^{upper} : (K_1, K_2, K_3, K_4) \to X^4_1, X^4_2, X^4_3, X^4_4$. Uses $P_1, \ldots, P_4$.

$F^{lower} : (K_5, K_6, K_7, K_8) \to X^4_1, X^4_2, X^4_3, X^4_4$. Uses $C_1, \ldots, C_4$.

Takes $O(1)$ to evaluate. Generate $2^{3.5n}$ “collisions”, in time $2^{1.5n}$ each.

◮ For 8-Encryption, the restricted functions are:

$\tilde{F}^{upper} : X^2_1 \to X^4_4$. Uses $P_1, \ldots, P_4$ and $X^4_1, X^4_2, X^4_3$.

$\tilde{F}^{lower} : X^6_1 \to X^4_4$. Uses $C_1, \ldots, C_4$ and $X^4_1, X^4_2, X^4_3$.

Takes $O(2^n)$ to evaluate. Generate $2^{0.5n}$ “collisions”, in time $2^{0.5n}$ each, $\times 2^{3n}$.

The Gains of the Algorithms

[Figure: plot of Gain against r, compared with standard MitM with $2^n$ mem., with curves for LogLayer, Square, Dissect, PCS, and Dissect & Collide.]

Bicomposite Problems

◮ Actually, multiple-encryption is a specific case of bicomposite problems.

◮ A bicomposite problem is a problem that can be dissected in two orthogonal ways.

◮ For example, in the case of multiple encryption, we can dissect the problem into different plaintext/ciphertext blocks or into different keys.

The Knapsack Problem

◮ The knapsack problem (AKA “subset sum” problem) is a well known NP-complete problem.

◮ Many knapsack cryptosystems were proposed (and broken) over the years.

◮ In the knapsack problem, a set of constants $\{a_i\}_{i=1}^{n}$ is given as well as a target value $S$.

◮ The problem is to find a set of coefficients $\{\epsilon_i\}_{i=1}^{n}$, $\epsilon_i \in \{0, 1\}$ such that

$$\sum_{i=1}^{n} \epsilon_i \cdot a_i = S.$$

◮ We shall deal with the modular variant (mod $2^n$).


slide-86
SLIDE 86

The Knapsack Problem (cont.)

◮ It is possible to write this problem as a “multiple encryption” problem.

◮ The plaintext is 0, and each encryption is keyed by one bit, $\epsilon_i$. In other words, every “encryption” either adds $a_i$ or not.

◮ The ciphertext is selected to be $S$.

What is so bicomposite in this problem?

slide-87
SLIDE 87

The Knapsack Problem as a Bicomposite Problem

◮ We just split the knapsack into smaller chunks.

◮ Namely, we treat each chunk as a few bits.

◮ Each chunk has as a plaintext the value 0, and as ciphertext the respective part of $S$.

◮ Of course, we need to deal with carries.

◮ Which is easy if you solve the knapsack from LSB to MSB.

[Figure: grid of chunks labelled $S$ and key bits labelled $\epsilon_i$.]

slide-88
SLIDE 88

Breaking Knapsacks as Bicomposites

◮ We can dissect the problem any way we want, plaintext-wise and encryption-wise.

◮ For example, we can divide $\{\epsilon_i\}_{i=1}^{n}$ into 7 subsets, to look as if it is a 7-encryption.

[Figure: the knapsack drawn as a 7-encryption, with seven blocks labelled $S$ and seven key subsets labelled $\{\epsilon_i\}$.]
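The knapsack-as-multiple-encryption view, worked through as an added Python example (not code from the talk): the ε bits are split into four groups, so the knapsack looks like a 4-encryption rather than the 7-way split drawn on the slide, and the low n/4 bits of the middle value are guessed first, which is sound because carries only travel from LSB to MSB. All function names and the constructed instance are assumptions of this example; it takes about $2^{n/2}$ steps while holding about $2^{n/4}$ entries at a time.

```python
from collections import defaultdict

def subset_sums(items, mod):
    """Subset sums mod `mod`; bit i of the list index selects items[i]."""
    sums = [0]
    for a in items:
        sums += [(s + a) % mod for s in sums]
    return sums

def index_low(sums, low):
    """Map low-chunk value -> keys, for the small meet-in-the-middle steps."""
    idx = defaultdict(list)
    for k, v in enumerate(sums):
        idx[v & low].append(k)
    return idx

def low_matches(idx_a, sums_b, want, low):
    """Yield (ka, kb) with (sums_a[ka] + sums_b[kb]) & low == want."""
    for kb, vb in enumerate(sums_b):
        for ka in idx_a.get((want - vb) & low, ()):
            yield ka, kb

def dissect_knapsack(a, S, n):
    """Find eps with sum(eps[i] * a[i]) == S (mod 2^n), or return None."""
    assert n % 4 == 0 and len(a) == n
    q, mod = n // 4, 1 << n
    low = (1 << q) - 1
    s1, s2, s3, s4 = (subset_sums(a[j * q:(j + 1) * q], mod) for j in range(4))
    idx1, idx3 = index_low(s1, low), index_low(s3, low)
    for m in range(1 << q):  # guess the low chunk of the value after group 2
        # "Encrypt" plaintext 0 with groups 1-2; keep keys consistent with m.
        top = {(s1[k1] + s2[k2]) % mod: (k1, k2)
               for k1, k2 in low_matches(idx1, s2, m, low)}
        # "Decrypt" ciphertext S with groups 3-4; low chunk must also hit m.
        for k3, k4 in low_matches(idx3, s4, (S - m) & low, low):
            hit = top.get((S - s3[k3] - s4[k4]) % mod)
            if hit is not None:
                return [(k >> i) & 1 for k in (*hit, k3, k4) for i in range(q)]
    return None

def knapsack_value(a, eps, n):
    return sum(e * x for e, x in zip(eps, a)) % (1 << n)

if __name__ == "__main__":
    import random
    rng = random.Random(2013)            # constructed instance
    n = 24
    a = [rng.randrange(1 << n) for _ in range(n)]
    S = knapsack_value(a, [rng.randrange(2) for _ in range(n)], n)
    eps = dissect_knapsack(a, S, n)
    print(eps, knapsack_value(a, eps, n) == S)
```

Every pair of keys for groups 1 and 2 is enumerated exactly once, under the guess that equals the low chunk of its sum, so the search is exhaustive and returns None only when the instance has no solution.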


slide-95
SLIDE 95

Comparison with Previous Results

◮ Some specific cases of knapsacks are easy (superincreasing).

◮ Some can be solved by LLL (when the knapsack is sparse).

◮ Previous attacks for general knapsacks:

  ◮ Schroeppel-Shamir, 1981 — $O(2^{n/2})$ time and $O(2^{n/4})$ memory.

  ◮ Howgrave-Graham and Joux, 2010 — $O(2^{0.337n})$ time and $O(2^{0.256n})$ memory.

  ◮ Becker, Coron, Joux, 2011 — $2^{0.72n}$ time (no-memory) or $O(2^{0.291n})$ time and memory + some tradeoffs.

slide-96
SLIDE 96

Comparison with Previous Results


slide-99
SLIDE 99

Generalizing Knapsacks

◮ Schroeppel-Shamir needs “monotonicity” to work.

◮ [HGJ10,BCJ11] heavily use properties of modular addition.

◮ However, what happens when the knapsack is of the form:

$$\epsilon_1 a_1 + (\epsilon_2 a_2 \oplus \epsilon_3 a_3 + \ldots)?$$

◮ Luckily for us, we can apply our algorithm for any series of T-functions.


slide-102
SLIDE 102

Solving Combinatorial Search Problems

◮ Assume we are given a set of permutations $\sigma_1, \sigma_2, \ldots, \sigma_t$.

◮ We are given a series of input/output pairs:

$$C_i = \sigma_{k_r} \circ \sigma_{k_{r-1}} \circ \ldots \circ \sigma_1(P_i)$$

◮ Your mission (if you are willing to accept it) is to find which permutations were used.

◮ Solution — treat as a bicomposite problem.

slide-103
SLIDE 103

An Example for Such a Problem

◮ Consider Rubik’s cube.

◮ We are given a reachable state, and asked to solve it.

◮ There are 18 possible operations (6 planes to rotate by 90, 180, or 270 degrees).

◮ And we know that there is an 18-step solution.

◮ Search space — ≈ $2^{78}$ 20-operation “logical” sequences.

◮ How to find it?

slide-104
SLIDE 104

Rubik’s Cube

◮ [F+89] — A variant of Schroeppel-Shamir to solve the problem in $2^{40}$ time and $2^{20}$ memory.

◮ [K97] — Golic-Babbage Time-Memory tradeoff attack ($2^{20}$ memory).

◮ We can just start “encrypting” some of the corners of the cube. . .

slide-105
SLIDE 105

Conclusions

◮ We presented the concept of bicomposite problems and showed a few generic algorithms which can solve these problems.

◮ These problems can model many types of problems, from multiple encryption, through knapsacks, to database merge queries.

◮ The gain is both in the “deterministic” environment, and also in the PCS environment.

◮ We have also shown (but did not talk about) recursive Dissect & Collide (the PCS phase is recursive).


slide-109
SLIDE 109

Open Problems

1 Find more problems to solve!

2 Interestingly, the time complexity is never lower than $2^{(r/2)n}$ — prove that this is a lower bound?

3 Are there other lower-bound proofs?

4 Can we combine these techniques with some more “intuition” about the problem?

slide-110
SLIDE 110

Questions? Thank you very much for your attention!