
What is the best attack here?

$E_k(m)=DES_{k1}(DES_{k2}(m)) \oplus k3$

Maarten Bodewes
org
    What research have you done? What have you tried? See, we do expect you to do a significant amount of research before asking here, including searching this site for DES-related Q&As that might shed light on your question. At worst it will help you frame a better question; at best it might even answer it. – e-sushi Jan 23 '16 at 09:54
  • The answer is the same resources as double DES, and I can't understand why... Hope someone here knows. – org Jan 23 '16 at 10:02
  • 1
    The best attack I see is brute-forcing $k_1$ and $k_2$ at the same time and xor-ing out $k_3$, for a total cost of $2^{112}$ with little memory. But that's pretty far from your 2DES claim. – CodesInChaos Jan 23 '16 at 10:32
  • @CodesInChaos So this would be as strong as TDES? That's pretty interesting if it is the case. – Maarten Bodewes Jan 23 '16 at 11:43
  • @MaartenBodewes 1) The MitM against 3DES is more complicated and might require a lot of memory. 2) The security decrease given many plaintext/ciphertext pairs might be much bigger than what 3DES loses. 3) This is essentially a hybrid of DES-X conceptually and 3DES. – CodesInChaos Jan 23 '16 at 11:49
  • Oh, wait, yeah, I didn't consider many block encryptions with the same key. You're right of course. Your last comment may go some way towards answering this question too - but proving that anything is the best attack is tricky. – Maarten Bodewes Jan 23 '16 at 11:54
  • @otus Hmm, yes, it's more like a multiple-time pad. Does that term exist? Changed title again, sorry for the confusion. – Maarten Bodewes Jan 23 '16 at 12:25
  • @MaartenBodewes, "key whitening" is probably the correct term here? – otus Jan 23 '16 at 12:27
  • 1
    @otus Could be, but I made the title describe the method explicitly. With just one XOR I'm not 100% if whitening applies. Given the question, I'm not sure if we should use the term "key whitening" in the question title (it's fine in answers of course). – Maarten Bodewes Jan 23 '16 at 12:30
  • @org - are you sure you have the parentheses right in the question? i.e. Are you sure it isn't: $E_k(m) = DES_{k1}(DES_{k2}(m) \oplus k3)$? – J.D. Jan 23 '16 at 15:15
  • Yes, I'm sure. – org Jan 23 '16 at 15:39

1 Answer

I cannot think of how to attack this using exactly the same resources as the classic meet-in-the-middle attack against double-DES, but there is a way to solve it with similar computational and memory resources (i.e. with about $2^{57}$ time and memory) using $2^{56}$ chosen plaintexts and $2^{56}$ (adaptive) chosen ciphertexts.

First, notice that if we ask for the encryption of $m$, xor the ciphertext with a known constant $T$, and then ask for the decryption of $E_k(m) \oplus T$, the following equality holds: $$E_k^{-1}(E_k(m) \oplus T) = DES_{k2}^{-1}(DES_{k1}^{-1}(DES_{k1}(DES_{k2}(m)) \oplus k3 \oplus T \oplus k3))$$ $$= DES_{k2}^{-1}(DES_{k1}^{-1}(DES_{k1}(DES_{k2}(m)) \oplus T))$$ So we don't have to worry about the third key, and now we only need to figure out how to conduct a MitM attack against that construction using four applications of DES and two keys. We are going to do this in an inside-out fashion.

Step one: pick any 64-bit value, $A$, and for all $2^{56}$ possible candidate values of $k2$ (which I will denote $k2^*$), do the following:

  1. compute $B = DES_{k2^*}^{-1}(A)$,
  2. request $C = E_k(B)$,
  3. request $D = E_k^{-1}(C \oplus T)$,
  4. compute $F = DES_{k2^*}(D)$.

Store all $2^{56}$ values of $F$ in a hash table, along with the $k2^*$ candidate values associated with each.

Step two: For all $2^{56}$ possible candidate values of $k1$ (denoted $k1^*$), do the following:

  1. compute $G = DES_{k1^*}^{-1}(DES_{k1^*}(A) \oplus T)$,
  2. check if there is any $F$ such that $F = G$.

Any such collision will 'suggest' that $k1 = k1^*$ and $k2 = k2^*$ (the stored $k2^*$ candidate value for $F$), a suggestion that can be easily tested in the following manner:

If you know $m$, $m'$, and $E_k(m)$ and $E_k(m')$, then compute $DES_{k1^*}(DES_{k2^*}(m)) \oplus DES_{k1^*}(DES_{k2^*}(m'))$ and check if that equals $E_k(m) \oplus E_k(m')$. If so, then you almost certainly have the right keys. From there, $k3$ is trivially deducible.

J.D.
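The inside-out meet-in-the-middle attack above, carried out end to end on a toy scale. This is an added example, not code from the answer or from any DES library: a constructed 16-bit Feistel cipher with 8-bit keys (`toy_enc`/`toy_dec`) stands in for DES so that the $2^{8}$ key candidates per half can be exhausted instantly, and `construct_enc`/`construct_dec`, `mitm_attack`, `A` and `T` are names chosen here. The attacker only sees the two oracles and recovers $k_1$, $k_2$ and then $k_3$ exactly as the answer describes, including the verification step that discards false table collisions.

```python
from collections import defaultdict

ROUNDS = 4  # toy 16-bit Feistel cipher with 8-bit keys stands in for DES

def _f(r, rk):
    x = ((r ^ rk) * 0x9D + 0x3B) & 0xFF   # constructed toy round function
    return ((x << 3) | (x >> 5)) & 0xFF    # 8-bit rotate left by 3

def _round_keys(k):
    return [(k + 0x55 * i) & 0xFF for i in range(ROUNDS)]

def toy_enc(k, x):
    l, r = x >> 8, x & 0xFF
    for rk in _round_keys(k):
        l, r = r, l ^ _f(r, rk)
    return (l << 8) | r

def toy_dec(k, x):
    l, r = x >> 8, x & 0xFF
    for rk in reversed(_round_keys(k)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r

def construct_enc(k1, k2, k3, m):   # E_k(m) = DES_k1(DES_k2(m)) xor k3
    return toy_enc(k1, toy_enc(k2, m)) ^ k3

def construct_dec(k1, k2, k3, c):   # E_k^-1(c) = DES_k2^-1(DES_k1^-1(c xor k3))
    return toy_dec(k2, toy_dec(k1, c ^ k3))

def mitm_attack(enc_oracle, dec_oracle, A=0x1234, T=0x5A5A):
    """Recover (k1, k2, k3) using only encryption and decryption queries."""
    # Step one: one chosen-plaintext and one chosen-ciphertext query per k2
    # candidate; k3 cancels inside E^-1(E(.) xor T), so F depends on k1, k2 only.
    table = defaultdict(list)
    for k2c in range(256):
        D = dec_oracle(enc_oracle(toy_dec(k2c, A)) ^ T)
        table[toy_enc(k2c, D)].append(k2c)
    # Two extra known pairs weed out false collisions (k3 cancels in the xor).
    m0, m1 = 0x0000, 0xBEEF
    c0, c1 = enc_oracle(m0), enc_oracle(m1)
    # Step two: G = DES_k1*^-1(DES_k1*(A) xor T) equals F exactly when both keys are right.
    for k1c in range(256):
        G = toy_dec(k1c, toy_enc(k1c, A) ^ T)
        for k2c in table.get(G, ()):
            x0 = toy_enc(k1c, toy_enc(k2c, m0))
            x1 = toy_enc(k1c, toy_enc(k2c, m1))
            if x0 ^ x1 == c0 ^ c1:
                return k1c, k2c, c0 ^ x0   # k3 = E_k(m0) xor DES_k1(DES_k2(m0))
    return None
```

With 8-bit keys the attack spends 256 chosen plaintexts, 256 chosen ciphertexts and a 256-entry table, the toy counterpart of the $2^{56}$ queries and $2^{57}$ work the answer quotes; the false collisions the 16-bit block space produces are exactly what the two-pair check exists to reject.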
  • It is quite common that people think that chosen or adaptive attacks help in practice. No! Neither linear nor differential attacks have ever been implemented for DES. The only practical attack on DES is brute force. Also one must consider the storage for the MITM attack. Sorting as claimed can be performed with counting sort; it will require 2x more space. – kelalaka Jan 23 '16 at 21:25
  • @user1820553 - the attack I outlined does not use linear or differential cryptanalysis. The attack does have time and memory requirements that are about the same as the classic MitM attack on double-DES (to within small constant factors). But unfortunately it must use chosen plaintext and ciphertext requests, which again have nothing at all to do with linear or differential attacks on single-DES. – J.D. Jan 23 '16 at 21:38
  • @MeysamGhahramani - a brute force attack with two plaintexts would use $2^{113}$ time, whereas my attack uses about $2^{58}$ time. Of course, the brute-force attack doesn't need chosen plaintexts and ciphertexts, and the memory requirements are basically nil, so in that sense the brute-force attack is greatly superior. But it is much slower. – J.D. Jan 23 '16 at 22:01
  • @J.D. Time complexity of step one is $2^{120}$, is it true? – Meysam Ghahramani Jan 23 '16 at 22:10
  • @MeysamGhahramani - no, the time complexity of step one is about $2^{57}$, because there are $2^{56}$ possible values of $k2$, and for each such value the attacker runs $DES$ once and then $DES^{-1}$ once. – J.D. Jan 23 '16 at 22:15
  • @J.D., you say "pick any 64-bit value, A". – Meysam Ghahramani Jan 23 '16 at 22:16
  • @MeysamGhahramani - yes, by which I mean the value for $A$ is arbitrary (i.e. can be any 64-bit string), so long as it is fixed. I did not say "do step one for all possible 64-bit strings". Apologies if that wasn't clear. – J.D. Jan 23 '16 at 22:19
  • @J.D., I think that for arbitrary $A$, with your method we can't break this system and we must check all possible $A$, so brute force is better. – Meysam Ghahramani Jan 23 '16 at 22:27
  • @MeysamGhahramani - well, you don't say why you think that, so I can't correct you (or be convinced by you). – J.D. Jan 23 '16 at 22:36
  • 1
    Nice, this seems to work. Of course, quite unrealistic in practice due to all the ciphertext queries. – otus Jan 24 '16 at 08:48