1

On reading the accepted answer to this question, I was wondering whether a Meet In The Middle attack could be applied to the suggested construction (below), and if not, then what is the effective key strength of combining two 256 bit ciphers in such a way? If I understand correctly, the Tahoe-Lafs 100 Year Cryptography project uses a similar construction.

$C=P\oplus K^1\oplus K^2$, where $C$ is the ciphertext, $P$ is the plaintext and $K^1$ is the key stream of one cipher and $K^2$ is the key stream of the other cipher (courtesy of Maarten Bodewes).

SEJPM
  • 45,967
  • 7
  • 99
  • 205
hunter
  • 3,965
  • 6
  • 28
  • 42
  • 2
    Surely this should work by brute-forcing and table'ing $P\oplus K^1$ and then checking for matches with brute-forced $C\oplus K^2$ (ie consider $E^1(M)=M\oplus K^1$ and $E^2(M)=M\oplus K^2$ as ciphers that are applied as $E^1(E^2(M))$) – SEJPM Jul 20 '17 at 17:24
  • @SEJPM would you mind posting that as an answer? – hunter Jul 21 '17 at 10:24
  • It's not really useful to discuss whether the security level of combined stream ciphers like that exceeds 256 bits: that security level is so high that anything beyond it is inconsequentially inconceivable. The real reason to use a composition like this is not to raise the security level, but to hedge against a cryptanalytic breakthrough in one of the stream ciphers. For example, if someone found a technique for breaking AES256-CTR, it is unlikely that the same technique would apply to Salsa20, which has a totally different design. [Adapted from a part of an otherwise wrong answer I wrote.] – Squeamish Ossifrage Jul 22 '17 at 04:01
  • @SqueamishOssifrage It is indeed useful for me in terms of learning about the practical consequences of MITM attacks - the example I gave uses a ubiquitous key size, but the question is generic and could be applied to any key size... I'm more interested in the implicatons of the construction. I'm well aware of just how ridicuously excessive a 256 key is, and the motivations for combining ciphers to mitigate against future breaks, but that's not what I was asking. – hunter Jul 22 '17 at 11:30
  • Sure—that's why I downgraded to a comment. More on-topic, perhaps: Suppose $K^i = S_i(k_i)$ for some short key $k_i$, say 256 bits, and some PRG $S_i$, say AES256-CTR or Salsa20 with zero nonce. MITM needs time & space for $2^{256}$ encs & $2^{256}$ decs, so areatime cost is $22^{256}*2^{256}=2^{513}$. A parallel machine with $2^{256}$ AES circuits, $2^{256}$ Salsa20 circuits, and negligible memory takes $2^{256}$ time—also $2^{513}$ AT. For multi-target attacks, rainbow tables reduce cost of at least one success. Exercise: Can you adapt RTs to the MT MITM scenario to make it cheaper? – Squeamish Ossifrage Jul 22 '17 at 14:14

1 Answers1

1

Let $K^1,K^2$ be the key-streams generated by $k_1,k_2$.

Now define $E^1_{k_1}(m):=m\oplus K^1$ and $E^2_{k_2}(m):=m\oplus K^2$.

Note that $E^1_{k_1}(E^2_{k_2}(m))=m\oplus K^1\oplus K^2$.

You now have a straight double encryption and can apply the standard meet-in-the-middle attack now.

The implementation would use a known-plaintext pair $(m,c)$. You would now tabulate all $E^1_{k_1'}(m)=m\oplus K^{1'}$ and then try all $D^2_{k_2'}(c)=c\oplus K^{2'}$ and look for matches between $E^1_{k_1'}(m)$ and $D^2_{k_2'}(c)$.

SEJPM
  • 45,967
  • 7
  • 99
  • 205