1 / 37

Dissect and conquer: New algorithms for cryptanalysis of multiple encryption, knapsacks, etc.

Dissect and conquer: New algorithms for cryptanalysis of multiple encryption, knapsacks, etc. Nathan Keller Bar Ilan University Joint with Itai Dinur, Orr Dunkelman, and Adi Shamir. Block Ciphers. P. A block cipher is a set of 2 n permutations indexed by an n -bit key K.

krikor
Download Presentation

Dissect and conquer: New algorithms for cryptanalysis of multiple encryption, knapsacks, etc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dissect and conquer: New algorithms for cryptanalysis of multiple encryption, knapsacks, etc. Nathan Keller Bar Ilan University Joint with Itai Dinur, Orr Dunkelman, and Adi Shamir

  2. Block Ciphers P • A block cipher is a set of 2n permutations indexed by an n-bit key K. • Each permutation works on a space of b bits. • Maps b-bit plaintexts to b-bit ciphertexts. • We shall assume for simplicity that b=n. K C

  3. Encryption and Decryption P • Given a key K and a plaintext P it is easy to encrypt, i.e. compute the ciphertext C=EK(P). • Given a key K and a ciphertext C it is easy to decrypt, i.e. compute the plaintext P=DK(C). K C

  4. The Basic Cryptanalytic Problem P • Input: a list of plaintext-ciphertext pairs (P1,C1), (P2,C2),(P3,C3),… • Goal: find K such that C1 =EK(P1), C2=EK(P2),… K C

  5. Exhaustive Search P • Foreach n-bit value of K: • Perform trial encryptions i.e., test whether C1 =EK(P1),if so test whether C2 =EK(P2) … • Time complexity: 2n,Memory: constant. K C

  6. History Between 1977 and 2001, the most widely used block cipher was DES. Its small key size (n=56) raised concerns about possibility to break it by exhaustive key search. Soon after the standartization of DES, a simple solution to the small key size problem was proposed: Double encryption: Instead of DESK(P), use DESK2)DESK1)P)) , with independent keys K1,K2.

  7. The Meet-in-the-Middle (MITM) Attack • In 1981, Hellman and Merkle showed that double encryption can be broken much faster than expected. • Actually, the time complexity of the attack is the same as on single-key DES! • More generally, double encryption with two nbit keys can be broken in time and memory of 2n (instead of time complexity 22n of exhaustive key search).

  8. MITM Attack Algorithm P1 K1 X • For each n-bit value of K1: • Partially encrypt P1 and store the n-bit suggestions for X in a sorted list. • For each n-bit value of K2: • Partially decrypt C1 and look for matches in the list. • For each match test the full key. • Time2n, memory2n (ignoring logarithmic factors). K1 101 000 011 010 X . . . . . . 110 111 K2 C1

  9. History (continued) As a countermeasure, it was suggested to use Triple Encryption: DESK3 )DESK2)DESK1)P))), with independent keys K1,K2,K3. A trivial extension of the MITM attack breaks triple encryption in time and memory of 22n and 2n, respectively. Despite extensive research, no significant improvements have been found. Triple-DES was used as a de-facto encryption standard from 1998 until 2001 (or even later).

  10. Multiple Encryption A natural generalization is to consider r-fold encryption: EKr )EKr-1)…(EK1)P))), with independent keys K1,K2,…,Kr. A trivial extension of MITM breaks r-fold encryption in time T and memory M such that TM=2rn(provided M≤2[r/2]n). Can we do better? Yes we can!

  11. Dissection Attack on 4-Fold Encryption P1 P2 K1,K2 Y2 K1 K1 Y1 X1 110 101 000 X2 K2 K2 Y2 111 011 010 K3 K3 . . . X3 Y3 . . . . . . 110 100 111 K4 K4 C2 C1 • For each n-bit value of X2: • Given P1,X2 obtain 2nsuggestions for K1,K2using a 2R MITM attack, and store them in a list next to Y2 (the corresponding encryption of P2). • Given X2,C1 obtain 2nsuggestions for K3,K4using a 2R MITM attack. • For each suggestion for K3,K4, match Y2 (the corresponding decryption of C2) with the stored list. • For each match test the full key using (P3,C3(and (P4,C4(. • Time 22n, memory 2n.

  12. Composite Problems • So, we obtained TM=23n (instead of 24n). • What next? We can increase r, but let’s put the problem in perspective first… • A composite problem: • We are given the initial value and the final value of a cascade of rsteps. • In each step, one of a list of possible transformations was applied. • The goal: Find out, which transformation was applied in each step.

  13. Composite Problems (cont.) • Clearly, r-fold encryption is a composite problem. • There are many other examples: • Knapsack – we are given n numbers x1,x2,…,xn and a target sum S and want to find whether there is a subset of the numbers whose elements sum up to S. • Rubik’s cube – find a shortest solution given an initial state. • Rebound attacks on hash functions. • etc…

  14. Previous Work But if this has so many applications, then surely people worked on this before! Indeed… Schroeppel-Shamir (SICOMP 1981): Algorithm for knapsacks with T=2n/2 and M=2n/4. Somewhat similar to the algorithm for 4-fold encryption. Fiat et al.(FOCS 1989): Application of Schroeppel-Shamir to the Rubik’s cube and to other problems.

  15. Previous Work (cont.) Van Oorschot-Wiener(CRYPTO 1996): Probabilistic algorithm for double encryption with T=23n/4 and M=const. Significantly different algorithm. Becker-Coron-Joux (EUROCRYPT 2011): Algorithm for knapsacks with TM=23n/4, for all 2n/16≤M≤2n/4. Very similar algorithm. Similar results in some other special cases.

  16. Where does this converge to? It seems that TM=23n/4 is the “right” curve, and all is left is to show that it holds also for M≤2n/16. Apparently, it isn’t! We present algorithms which achieve TM<23n/4 for any M<2n/4, and in particular, achieve TM=25n/7 for M=2n/7. How do we achieve it? Let’s increase r…

  17. Dissection Attack on 7-fold Encryption 2 3 Split the cipher into twosubciphers, the upper part with 3 rounds, and the lower part with 4 rounds. Guess 2 intermediate encryption values in the middle (one for (P1,C1) and one for (P2,C2))… 4

  18. Dissection Attack on 7-fold Encryption (ctd.) • For each guess of the 2 intermediate encryption values: • Use a standard 3R MITM attack on the top part, obtain 2n suggestions for K1,K2,K3 and store them in a list, along with the corresponding partial encryptions of P3 and P4. • Given the 2 “plaintext-ciphertext” pairs, use a 4R attack to obtain 22n suggestions for K4-K7on-the-fly. • For each suggestion, partially decrypt C3 and C4 and search the list for matches. • For each match, test the full key.

  19. Analysis of the Attack • We guess 2n bits in the middle • The top 3R attack takes 22n time and 2n memory. • The bottom 4R attack takes 22n time and 2n memory. • The total complexity is T=24n andM=2n. • Hence, we obtain TM=25n (instead of 27n). • We can apply the algorithm to knapsacks, by dividing the initial set into 7 (!) disjoint subsets. We obtain T=24n/7 and M=2n/7.

  20. Attacks on r-fold Encryption (I) This was our most surprising result. Now, a more formal treatment of r-fold encryption. We fix M=2n and want to minimize T. Definition: The gain of an algorithm A for r-fold encryption over the standard MITM algorithm is Gain(A)=r-log(TM)/n. So, dissection yields gain of 1 for r=4 and gain of 2 for r=7.

  21. Attacks on r-fold Encryption (II) • There are two “natural” generalizations of the basic algorithm (for 4-fold encryption): • LogLayer Algorithm: • Assume that r is a power of 2. • Guess the intermediate value after every second round, apply MITM attacks to each pair of consecutive rounds separately, and get r/2 “double” rounds. • Continue recursively. • The complexity is T=2(r-logr)n. Hence: • The asymptotic gain is O(log r). • Gain of 2 is achieved at r=8.

  22. Attacks on r-fold Encryption (III) • Square Algorithm: • Assume that r=(r’)2. • Guess r’-1 intermediate values after every r’ rounds, apply an r’-round attack to each chunk of r’rounds separately, and get r’ “big” rounds. • Apply an r’-round attack to the big rounds. • The complexity is T=2(r-√r)n. Hence: • Asymptotic gain: O(√r). • Gain 2 is achieved at r=9.

  23. Asymmetry rules! Dissection achieves gain 2 already for 7-fold encryption. Is it stronger also asymptotically? Yes! It can be extended recursively to obtain asymptotic gain of O(√2r). Main idea: Continue the asymmetric division into subciphers recursively. Where does the asymmetry come from?

  24. Another look at the attack on 7-fold Encryption • Split the cipher into twosubciphers, the upper part with 3 rounds, and the lower part with 4 rounds. • Guess 2 intermediate encryption values in the middle (one for (P1,C1) and one for (P2,C2)). • Use a standard 3R MITM attack on the top part, obtain 2n suggestions for K1,K2,K3 and store them in a list along with the corresponding partial encryptions of P3 and P4. • Given the 2 “plaintext-ciphertext” pairs, use a 4R attack to obtain 22n suggestions for K4-K7on-the-fly. • For each suggestion, partially decrypt C3 and C4 and search the list for matches. • For each match, test the full key.

  25. The Extension • Proposition: An algorithm A for r-fold encryption with gain k-1 can be leveraged to an algorithm for (r+k+1)-fold encryption with gain k. • Sketch-of-proof: • Fix k intermediate values after k+1 rounds. • Apply a standard MITM attack to the first k+1 rounds. Store the resulting 2nsuggestions for the first k+1 keys in a sorted table. • Apply algorithm A to the last r rounds to obtain on-the-fly 2r-k suggestions for the r last round keys and check them against the table.

  26. The Magic Sequence The proposition allows to construct a “magic sequence” of the numbers of rounds for which the gain increases: Magic(1)={4,7,11,16,22,29,37,46,…}. Solution of the recursion shows that Magic(1)k=(k+1)(k+2)/2. Hence, the asymptotic gain is O(√2r).

  27. Larger Amounts of Memory So far we fixed the memory to M=2n. What can be said about larger amounts of memory? The results generalize to any amount of memory and yield the magic sequences: Magic(l)={2l+2,2l+4,…,4l,4l+3,4l+6,…,7l,7l+4,...}. The asymptotic gain is O(√2lr).

  28. Application to Knapsacks • Modular Knapsack Problem: • Given:A list of n integers {a1,a2,…,an} of n bits each,and a target integer S. • Goal: Find a vector ɛ={ɛ1,ɛ2…ɛn} where ɛiϵ{0,1} such that S=∑1≤i≤n(ɛi∙ai) mod2n. • How to represent Knapsack as a composite problem?

  29. Representing Knapsack as a Block Cipher P ɛ={ɛ1,ɛ2…ɛn} • We fix the plaintext to be the 0n-bit vector, the ciphertext to be S. • The knapsack problem reduces to recovering the key of this block cipher, given one plaintext-ciphertext pair. C=P+∑1≤i≤n(ɛi∙ai) (mod 2n)

  30. Representing Knapsack as 4-Fold Encryption (I) • We split the knapsack to 4 independent knapsacks by splitting the generators and defining S=σ1+σ2+σ3+σ4 (mod 2n) • Xi=∑1≤j≤i(σj) 0 {ɛ1,ɛ2…ɛn/4} X1 {ɛn/4+1,…,ɛn/2} X2 {ɛn/2+1,…,ɛ3n/4} X3 {ɛ3n/4+1,…,ɛn} S

  31. Representing Knapsack as 4-Fold Encryption (II) • Problem: In r-fold encryption, we have r plaintexts => can guess part of the intermediate value. Here we have a single “big” plaintext. • Solution: Split the “block cipher” also vertically into n/4-bit blocks. 0 {ɛ1,ɛ2…ɛn/4} X1 {ɛn/4+1,…,ɛn/2} 0 0 0 X2 {ɛn/2+1,…,ɛ3n/4} X3 {ɛ3n/4+1,…,ɛn} S4 S2 S3 S1

  32. Representing Knapsack as 4-Fold Encryption (III) • Problem: There is a dependence between the “vertical” chunks through the addition carry. • Solution: We guess the intermediate encryption values in their natural order. • We keep track of the carry values without having to guess them separately • Conclusion: We can apply to knapsacks the algorithm for r-fold encryption, for any r! • We can adjust r to the exact amount of available memory, using the algorithms for M>2n.

  33. Time-Memory Tradeoff for Knapsacks Becker, Coron and Joux 2011 Schroeppel and Shamir 1981

  34. Probabilistic Algorithms We promised to obtain TM<23n/4 for any M<2n/4 but the attacks above give it only for 2n/16<M. In order to deal with smaller values of M, we combine our algorithm with the Parallel Collision Search algorithm of van Oorschot - Wiener. but this is a topic for another talk…

  35. Conclusions • We presented new generic algorithms for multiple encryption. • Our techniques allow us to improve the best known algorithms for the knapsack problem with small memory. • The techniques are applicable to other composite problems (such asRubik’s cube, rebound attacks on hash functions etc.) • An aside: the symmetric way is not always the best one…

  36. Open Problems • Are our results optimal? It seems that at least the “magic exponent” 5/7 is optimal, but we cannot be sure… • Prove lower bounds for composite problems. • Was studied in several papers, but only very weak bounds are known. • In particular, we conjecture that always T≥2n/2, but don’t know to prove even weaker bounds. • Is there a way to exploit more data in order to reduce the time and memory complexities? • Find more applications!

  37. Thanks for listening!

More Related