Documentos de Académico
Documentos de Profesional
Documentos de Cultura
www.elsevier.com/locate/ipl
Abstract
In this paper we analyze the complexity of recovering cryptographic keys when messages are encrypted under various keys.
We suggest key-collision attacks, which show that the theoretic strength of a block cipher (in ECB mode) cannot exceed the
square root of the size of the key space. As a result, in some circumstances, some keys can be recovered while they are still in
use, and these keys can then be used to substitute messages by messages more favorable to the attacker (e.g., transfer $1000000
to bank account 123-4567890). Taking DES as our example, we show that one key of DES can be recovered with complexity
228 , and one 168-bit key of (three-key) triple-DES can be recovered with complexity 284 . We also discuss the theoretic strength
of chaining modes of operation, and show that in some cases they may be vulnerable to such attacks.
2002 Elsevier Science B.V. All rights reserved.
Keywords: Cryptanalysis; Data Encryption Standard (DES); Triple-DES; Multiple-encryption; Birthday paradox; Key-collision attacks;
Cryptography
1. Introduction
Cryptographic keys are used as secret information
during encryption, and knowledge of these keys is
required to decrypt the ciphertexts. Most currently
used ciphers use keys of 56 bits, 64 bits and 80
bits, and newer ciphers use keys of 128 (up to 256)
bits. Ciphers with k-bit keys can be used with 2k
distinct keys, and therefore, it is believed that the
complexity of recovering keys of ciphers with k-bit
keys is not less than 2k , unless the design of the
cipher is weak, or has unfavorable properties. It is also
widely believed that substituting encrypted messages
E-mail address: biham@cs.technion.ac.il (E. Biham).
URL address: http://www.cs.technion.ac.il/~biham/.
0020-0190/02/$ see front matter 2002 Elsevier Science B.V. All rights reserved.
PII: S 0 0 2 0 - 0 1 9 0 ( 0 2 ) 0 0 2 6 9 - 7
118
119
120
1 enl/2 .
k
As long as we choose nl 2k , the probability of finding a key remains high. Table 1 illustrates this tradeoff
between the complexity of encrypting with the random
keys, and the number of required ciphertexts. Moreover, in such a situation, we find one of every 2k / l
keys, and as l grows, the fraction of found keys grows
as well. Note that in the above description, l memory
cells are required to keep the table. When l = 2k , this
attack becomes the dictionary attack [24].
However, if l n, a variant of the attack in which
the key is found only after it is already obsolete (and
thus can be used only to decrypt old messages, rather
than to substitute messages), requires only n memory
Table 1
The tradeoff between the complexity of encrypting with the random keys to attack DES
and the number of required ciphertexts
Ciphertexts
Complexity
1
256
28
248
216
240
224
232
228
228
232
224
240
216
248
28
256
1
Table 2
The average complexity invested in each found key of DES
Ciphertexts
Expected number of keys found
Complexity per found key
228
1
228
229
4
227
230
16
226
232
28
224
240
224
216
248
240
28
256
256
1
121
122
5. Summary
4. Discussion
This definition of theoretic strength is very strong
as the size of the memory is considered as equivalent
to computation time. In practice, memory is much
more limited, and practical attacks might require more
computation time in order to reduce some currentlyunrealistic size of memory. However, there is no
accepted tradeoff-function that measures how much
computation time is equivalent to any fixed amount
of memory. Thus, in order to study the asymptotic
behavior of attacks we are forced to select our own
function. We use the simplest such tradeoff-function,
i.e., we consider that a time unit is equivalent to
a memory unit. Other functions which consider any
fixed number of time units as equivalent to a memory
unit would not change the Big-O results of our
paper.
We encourage researchers to propose the most
suitable tradeoff-function, which might even be non-
Theoretic
strength
Ciphers
56
40
64
80
128
228
220
232
240
264
192
256
k
296
2128
2k/2
DES
US exportable ciphers (up to January 2000)
LOKI [7,6], Feal-N [28], SAFER-SK64 [21]
Skipjack
Feal-NX [27], SAFER-SK128 [21], IDEA [20],
AES [32] and AES candidates (see [31])
AES [32] and AES candidates (see [31])
AES [32] and AES candidates (see [31])
Any cipher
123
Table 4
The complexities of attacking multiple-encryption schemes
Scheme
Double-DES
Two-key triple-DES
3-MAK DES [9]
Three-key triple-DES
Any scheme
Any double-encryption with two keys
Any triple-encryption with two keys
Any triple-encryption with three keys
Multiple-encryption with m encryptions
odd m
even m
Key
size
Theoretic
strength
Required
ciphertexts
112
112
112
168
k
2k
2k
3k
256
256
256
284
2k/2
2k
2k
23k/2
1
256
256
228
2k/2
1
2k
2k/2
mk
mk
2mk/2
2mk/2
2k/2
1
Table 5
The complexities of attacking modes (such as CBC) with random
initial values
Key
Steps
Ciphers
80
272
Skipjack
112
288
3-MAK DES
128
128
296
2128
192
2160
256
2192
size
probability of success of other attacks (such as differential and linear cryptanalysis), and the damage when
a single key is compromized. Another possible countermeasure avoids encrypting fixed common blocks in
messages by using some chaining mode with random
initial values. This solution helps, but as we showed,
if the initial values are shorter than the keys, keycollision attacks still require fewer steps than exhaustive search. Thus, to prevent key-collision attacks, we
suggest increasing the size of the initial value to the
size of the key, if this solution is applicable (usually
the initial value has the size of the block, thus the block
size should be increased as well), or increasing the key
size by a factor of two, as was done in hash functions
for the hashed results, to make sure that the complexity of an attack is higher than exhaustive search of
keys of the original size. This last solution increases
the security of ciphers against exhaustive search as
well.
Acknowledgements
It is a pleasure to acknowledge Ross Anderson,
Don Coppersmith, Jennifer Seberry, Adi Shamir and
the anonymous referees for their various remarks and
suggestions which helped to improve the presentation
and results of this paper. Ross Anderson pointed
out the observation at the end of Section 2 that the
described attacks are applicable even when modes of
operation with random initial values are used. This
research was supported by the fund for the promotion
of research at the Technion.
References
[1] American National Standards Institute, Triple Data Encryption
Algorithm Modes of Operation, ANSI standard X9.52, 1998.
[2] E. Biham, Cryptanalysis of multiple modes of operation,
J. Cryptology 11 (1) (1998) 4558.
[3] E. Biham, Cryptanalysis of triple modes of operation, J. Cryptology 12 (3) (1999) 161184.
[4] E. Biham, A. Biryukov, An improvement of Davies attack on
DES, J. Cryptology 10 (3) (1997) 195206.
[5] E. Biham, A. Shamir, Differential Cryptanalysis of the Data
Encryption Standard, Springer, Berlin, 1993.
[6] L. Brown, M. Kwan, J. Pieprzyk, J. Seberry, Improving resistance to differential cryptanalysis and the redesign of LOKI,
in: Advances in Cryptology, Proceedings of ASIACRYPT91,
in: Lecture Notes in Computer Science, Springer, Berlin, 1991,
pp. 3650.
[7] L. Brown, J. Pieprzyk, J. Seberry, LOKIa cryptographic
primitive for authentication and secrecy applications, in: Advances in Cryptology, Proceedings of AUSCRYPT90, in:
124
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]
[28]
[29]
[30]
[31]
[32]
[33]
[34]
[35]
[36]
[37]