Dissect and conquer: New algorithms for cryptanalysis of multiple encryption, knapsacks, etc.

Nathan KellerBar Ilan University

Joint with Itai Dinur, Orr Dunkelman, and Adi Shamir

Block Ciphers

• A block cipher is a set of 2n permutations indexed by an n-bit key K.• Each permutation works on a space of b bits.• Maps b-bit plaintexts to b-bit ciphertexts.• We shall assume for simplicity that b=n.

C

P

K

Encryption and Decryption

• Given a key K and a plaintext P it is easy to encrypt, i.e. compute the ciphertext C=EK(P).• Given a key K and a ciphertext C it is easy to

decrypt, i.e. compute the plaintext P=DK(C).

C

P

K

The Basic Cryptanalytic Problem

• Input: a list of plaintext-ciphertext pairs (P1,C1), (P2,C2),(P3,C3),…• Goal: find K such that C1 =EK(P1), C2 =EK(P2),…

C

P

K

Exhaustive Search

• For each n-bit value of K:• Perform trial encryptions i.e., test whether C1 =EK(P1), if

so test whether C2 =EK(P2) …

• Time complexity: 2n, Memory: constant.

C

P

K

History• Between 1977 and 2001, the most widely used

block cipher was DES. • Its small key size (n=56) raised concerns about

possibility to break it by exhaustive key search.

• Soon after the standartization of DES, a simple solution to the small key size problem was proposed:

• Double encryption: Instead of DESK(P), use DESK2

)DESK1)P)) , with independent keys K1,K2.

The Meet-in-the-Middle (MITM) Attack

• In 1981, Hellman and Merkle showed that double encryption can be broken much faster than expected. • Actually, the time complexity of the attack is the

same as on single-key DES!

• More generally, double encryption with two n bit keys can be broken in time and memory of 2n (instead of time complexity 22n of exhaustive key search).

MITM Attack Algorithm

• For each n-bit value of K1:• Partially encrypt P1 and store the n-bit suggestions for X in a

sorted list.• For each n-bit value of K2: • Partially decrypt C1 and look for matches in the list.• For each match test the full key.

• Time 2n, memory 2n (ignoring logarithmic factors).

C1

P1

XK1

K2

K1 X000010.

..

101011.

..111110

History (continued)• As a countermeasure, it was suggested to use

Triple Encryption: DESK3 )DESK2

)DESK1)P))), with

independent keys K1,K2,K3.

• A trivial extension of the MITM attack breaks triple encryption in time and memory of 22n and 2n, respectively. • Despite extensive research, no significant

improvements have been found.

• Triple-DES was used as a de-facto encryption standard from 1998 until 2001 (or even later).

Multiple Encryption

• A natural generalization is to consider r-fold encryption: EKr

)EKr-1)…(EK1

)P))), with independent keys K1,K2,…,Kr.

• A trivial extension of MITM breaks r-fold encryption in time T and memory M such that TM=2rn (provided M≤2[r/2]n).

• Can we do better? Yes we can!

Dissection Attack on 4-Fold Encryption

C1

P1

K2

K1

K4

X1

X2

X3K3

C2

P2

K2

K1

K4

Y1

Y2

Y3K3

• For each n-bit value of X2:• Given P1,X2 obtain 2n suggestions for K1,K2 using a 2R MITM attack,

and store them in a list next to Y2 (the corresponding encryption of P2).

• Given X2,C1 obtain 2n suggestions for K3,K4 using a 2R MITM attack. • For each suggestion for K3,K4, match Y2 (the corresponding

decryption of C2) with the stored list.• For each match test the full key using (P3,C3( and (P4,C4(.

• Time 22n, memory 2n.

K1,K2 Y2

000010.

..111

101011.

..110

110111.

..100

Composite Problems

• So, we obtained TM=23n (instead of 24n). • What next? We can increase r, but let’s put the

problem in perspective first…

• A composite problem:• We are given the initial value and the final value of a

cascade of r steps.• In each step, one of a list of possible transformations

was applied. • The goal: Find out, which transformation was applied

in each step.

Composite Problems (cont.)

• Clearly, r-fold encryption is a composite problem.

• There are many other examples:• Knapsack – we are given n numbers x1,x2,…,xn and a

target sum S and want to find whether there is a subset of the numbers whose elements sum up to S.

• Rubik’s cube – find a shortest solution given an initial state.

• Rebound attacks on hash functions. • etc…

Previous Work• But if this has so many applications, then surely

people worked on this before! Indeed…

• Schroeppel-Shamir (SICOMP 1981): Algorithm for knapsacks with T=2n/2 and M=2n/4. Somewhat similar to the algorithm for 4-fold encryption.

• Fiat et al. (FOCS 1989): Application of Schroeppel-Shamir to the Rubik’s cube and to other problems.

Previous Work (cont.)• Van Oorschot-Wiener (CRYPTO 1996):

Probabilistic algorithm for double encryption with T=23n/4 and M=const. Significantly different algorithm.

• Becker-Coron-Joux (EUROCRYPT 2011): Algorithm for knapsacks with TM=23n/4, for all 2n/16≤M≤2n/4. Very similar algorithm.

• Similar results in some other special cases.

Where does this converge to?

• It seems that TM=23n/4 is the “right” curve, and all is left is to show that it holds also for M≤2n/16.

• Apparently, it isn’t! • We present algorithms which achieve TM<23n/4

for any M<2n/4, and in particular, achieve TM=25n/7

for M=2n/7.

• How do we achieve it? Let’s increase r…

Dissection Attack on 7-fold Encryption

• Split the cipher into two subciphers, the upper part with 3 rounds, and the lower part with 4 rounds.• Guess 2 intermediate encryption values in the

middle (one for (P1,C1) and one for (P2,C2))…

3

4

2

Dissection Attack on 7-fold Encryption (ctd.)

• For each guess of the 2 intermediate encryption values:• Use a standard 3R MITM attack on the top part, obtain 2n

suggestions for K1,K2,K3 and store them in a list, along with the corresponding partial encryptions of P3 and P4.• Given the 2 “plaintext-ciphertext” pairs, use a 4R attack

to obtain 22n suggestions for K4-K7 on-the-fly.• For each suggestion, partially decrypt C3 and C4 and

search the list for matches.• For each match, test the full key.

Analysis of the Attack

• We guess 2n bits in the middle • The top 3R attack takes 22n time and 2n memory.• The bottom 4R attack takes 22n time and 2n memory.

• The total complexity is T=24n and M=2n.

• Hence, we obtain TM=25n (instead of 27n).

• We can apply the algorithm to knapsacks, by dividing the initial set into 7 (!) disjoint subsets. We obtain T=24n/7 and M=2n/7.

Attacks on r-fold Encryption (I)

• This was our most surprising result. Now, a more formal treatment of r-fold encryption.

• We fix M=2n and want to minimize T.

• Definition: The gain of an algorithm A for r-fold encryption over the standard MITM algorithm is Gain(A)=r-log(TM)/n.

• So, dissection yields gain of 1 for r=4 and gain of 2 for r=7.

Attacks on r-fold Encryption (II)

• There are two “natural” generalizations of the basic algorithm (for 4-fold encryption):• LogLayer Algorithm:• Assume that r is a power of 2.• Guess the intermediate value after every second

round, apply MITM attacks to each pair of consecutive rounds separately, and get r/2 “double” rounds.• Continue recursively.

• The complexity is T=2(r-log r)n. Hence:• The asymptotic gain is O(log r).• Gain of 2 is achieved at r=8.

Attacks on r-fold Encryption (III)

• Square Algorithm:• Assume that r=(r’)2.• Guess r’-1 intermediate values after every r’ rounds,

apply an r’-round attack to each chunk of r’ rounds separately, and get r’ “big” rounds.• Apply an r’-round attack to the big rounds.

• The complexity is T=2(r-√r)n. Hence:• Asymptotic gain: O(√r).• Gain 2 is achieved at r=9.

Asymmetry rules!

• Dissection achieves gain 2 already for 7-fold encryption. Is it stronger also asymptotically?

• Yes! It can be extended recursively to obtain asymptotic gain of O(√2r).

• Main idea: Continue the asymmetric division into subciphers recursively.

• Where does the asymmetry come from?

Another look at the attack on 7-fold Encryption

• Split the cipher into two subciphers, the upper part with 3 rounds, and the lower part with 4 rounds.

• Guess 2 intermediate encryption values in the middle (one for (P1,C1) and one for (P2,C2)).• Use a standard 3R MITM attack on the top part, obtain 2n

suggestions for K1,K2,K3 and store them in a list along with the corresponding partial encryptions of P3 and P4.• Given the 2 “plaintext-ciphertext” pairs, use a 4R attack

to obtain 22n suggestions for K4-K7 on-the-fly.• For each suggestion, partially decrypt C3 and C4 and

search the list for matches.• For each match, test the full key.

The Extension

• Proposition: An algorithm A for r-fold encryption with gain k-1 can be leveraged to an algorithm for (r+k+1)-fold encryption with gain k.• Sketch-of-proof:• Fix k intermediate values after k+1 rounds. • Apply a standard MITM attack to the first k+1 rounds.

Store the resulting 2n suggestions for the first k+1 keys in a sorted table.• Apply algorithm A to the last r rounds to obtain on-

the-fly 2r-k suggestions for the r last round keys and check them against the table.

The Magic Sequence

• The proposition allows to construct a “magic sequence” of the numbers of rounds for which the gain increases:

• Magic(1)={4,7,11,16,22,29,37,46,…}.

• Solution of the recursion shows that Magic(1)k=(k+1)(k+2)/2.

• Hence, the asymptotic gain is O(√2r).

Larger Amounts of Memory

• So far we fixed the memory to M=2n. What can be said about larger amounts of memory?

• The results generalize to any amount of memory and yield the magic sequences: Magic(l)={2l+2,2l+4,…,4l,4l+3,4l+6,…,7l,7l+4,...}.

• The asymptotic gain is O(√2lr).

Application to Knapsacks

• Modular Knapsack Problem:• Given: A list of n integers {a1,a2,…,an} of n bits

each, and a target integer S. • Goal: Find a vector ɛ={ɛ1,ɛ2…ɛn} where ɛiϵ{0,1}

such that S=∑1≤i≤n(ɛi a∙ i) mod 2n.

• How to represent Knapsack as a composite problem?

Representing Knapsack as a Block Cipher

ɛ={ɛ1,ɛ2…ɛn}

P

C=P+∑1≤i≤n(ɛi a∙ i) (mod 2n)

• We fix the plaintext to be the 0 n-bit vector, the ciphertext to be S.

• The knapsack problem reduces to recovering the key of this block cipher, given one plaintext-ciphertext pair.

Representing Knapsack as 4-Fold Encryption (I)

• We split the knapsack to 4 independent knapsacks by splitting the generators and defining S=σ1+σ2+σ3+σ4 (mod 2n)

• Xi=∑1≤j≤i(σj)

{ɛ1,ɛ2…ɛn/4} 0

S

{ɛn/4+1,…,ɛn/2} {ɛn/2+1,…,ɛ3n/4} {ɛ3n/4+1,…,ɛn}

X1

X2

X3

Representing Knapsack as 4-Fold Encryption (II)

• Problem: In r-fold encryption, we have r plaintexts => can guess part of the intermediate value. Here we have a single “big” plaintext. • Solution: Split the “block cipher” also vertically

into n/4-bit blocks.

{ɛ1,ɛ2…ɛn/4} 0

{ɛn/4+1,…,ɛn/2} {ɛn/2+1,…,ɛ3n/4} {ɛ3n/4+1,…,ɛn}

X1

X2

X3

0 0 0

S1S2S3S4

Representing Knapsack as 4-Fold Encryption (III)

• Problem: There is a dependence between the “vertical” chunks through the addition carry.• Solution: We guess the intermediate encryption

values in their natural order.• We keep track of the carry values without having to

guess them separately

• Conclusion: We can apply to knapsacks the algorithm for r-fold encryption, for any r!• We can adjust r to the exact amount of available

memory, using the algorithms for M>2n.

Time-Memory Tradeoff for Knapsacks

Becker, Coron and Joux 2011

Schroeppel and Shamir 1981

Probabilistic Algorithms

• We promised to obtain TM<23n/4 for any M<2n/4

but the attacks above give it only for 2n/16<M.

• In order to deal with smaller values of M, we combine our algorithm with the Parallel Collision Search algorithm of van Oorschot - Wiener.

• but this is a topic for another talk…

Conclusions• We presented new generic algorithms for

multiple encryption.• Our techniques allow us to improve the best

known algorithms for the knapsack problem with small memory.• The techniques are applicable to other

composite problems (such as Rubik’s cube, rebound attacks on hash functions etc.)• An aside: the symmetric way is not always the

best one…

Open Problems• Are our results optimal? It seems that at least

the “magic exponent” 5/7 is optimal, but we cannot be sure…• Prove lower bounds for composite problems.• Was studied in several papers, but only very weak

bounds are known.• In particular, we conjecture that always T≥2n/2, but

don’t know to prove even weaker bounds.• Is there a way to exploit more data in order to

reduce the time and memory complexities?• Find more applications!

Thanks for listening!