3

As ASICs are specifically designed to generate the hash for a block of a block chain. which is much faster than other GPUs which are used to break 2key-3DES. can we use Array of ASICs to break 2key-3DES in practical time?

SSA
  • 640
  • 5
  • 11

1 Answers1

3

First of all, 2DES is

$$\textrm{ciphertext} = E_{K_1}(D_{K_2}(E_{K_1}(\textrm{plaintext})))$$

The below from 19 September 2020 on the Bitcoin mining, Bitcoin mining is based on SHA256d calculations. All in all, ASICs, FPGAs, GPUs, and CPUs.

\begin{array} {|l|c|c|c|c|}\hline & \text{in a second} & \text{in a hour} & \text{in a day} & \text{in an Year} \\ \hline \text{Bitcoin Miners on SHA-256D} & \approx 2^{67.9} & \approx 2^{84} & \approx 2^{84.3} & \approx 2^{92.8} \\ \hline \end{array}

We can adjust the values if we can find 2DES implementation, however, the miners use various sources to mine, however, we can approximate with hashcat on Nvidia RTX 3080.

Hashmode: 14000 - DES (PT = $salt, key = $pass)
Speed.#1.........: 53585.1 MH/s 
Hashmode: 1410 - sha256($pass.$salt) 
Speed.#1.........:  6980.9 MH/s (81.18ms)

The DES is around 8 times faster ( not going into too many details of hash modes ) and 2 times for SHA256d that makes $2^4$-times faster. We call the DES 3 times so the speed is $2^4/3$. Make a little approximation it to $2^3$

\begin{array} {|l|c|c|c|c|}\hline & \text{in a second} & \text{in a hour} & \text{in a day} & \text{in an Year} \\ \hline \text{Bitcoin Miner on 2DES adjusted} & \approx 2^{70.9} & \approx 2^{87} & \approx 2^{87.3} & \approx 2^{95.8} \\ \hline \end{array}

So in a year, they can reach $\approx 2^{95.8}$ 2DES calculations. Therefore they still need $112-86.8 = 20.2$ year that is $\approx 1048576$ years to execute brute force for a single target.

The above is a simple full brute force attack. In a more careful attack design (thanks to Poncho), the attackers can simplify some calculations

for key1 in KeySpace:
   c' = DESDec(k1,m)
   m' = DESEnc(k1,c)

for key2 in KeySpace:
      assert m' = DECEnc(k2,c')

Now this totally calls $2^{56}( 2 + 2^{56}) = 2^{57} + 2^{112} $. The outer loop can also benefit from calling the key sechedule once. This can speed the brute-force attack 3 times.

One can go for better options. An interesting case is a multi-target attack. With a multi-target attack, you can find some keys faster. The expected cost of finding a key from $t$ target is $2^{112}/t$. For a billion targets, the cost would be below $2^{84}$ and the time would be below $2^{54}$

kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • 1
    Perhaps it should be added that this is for brute force key search, for a single 112-bit key; and a few plaintext/ciphertext pairs (case 1 there). Prospects are much better for the same plaintext enciphered under a number of keys (case 2). Prospects with lots of plaintext/ciphertext pairs uh, that's complicated. – fgrieu Nov 16 '20 at 16:49
  • 1
    "We call the DES 3 times"; actually, for a brute force search based on a plaintext/ciphertext pair, the attacker can (simplifying a bit) have an outer loop that iterates over the outer DES key (and encrypts the plaintext/decrypts the ciphertext), and then have an inner loop that iterates over the inner DES key (and so effectively does a single DES operation per iteration); using this optimization, your single target estimates can be sped by a factor of 3 (2 actually, because of how you rounded) – poncho Nov 16 '20 at 19:57
  • 1
    @poncho Very nice. I found that it is almost 3 by $2^{56}( 2 + 2^{56}) = 2^{57} + 2^{112}$ – kelalaka Nov 16 '20 at 20:19
  • why do we use 2^112 here? if we use Oorschot-Wiener model, we have only 2^80 keys to search and we can get it less than an hour. is it not true? – SSA Nov 18 '20 at 05:06
  • @SSA What about the memory requirement, known-plaintext? I just wanted to keep the answer as simple as possible and gave links to other solutions as better options. There are other issues that we don't consider here either. The nodes of bitcoin are far from each other compared to a SuperComputer, which will affect the computation time. What about the memories of some nodes? do they enough memory to keep the memory requirements? – kelalaka Nov 18 '20 at 07:46
  • @kelalaka, firstly, I don't fully understand how come they have reached to this magic bit security of 2^80. Now, Regarding your explanation above, I just want to know, if we use the similar infrastructure (high speed ASIC modules) to brute force K1(K3) and K2, what are the chances to break it with reasonable amount of memory and time? – SSA Nov 18 '20 at 10:30
  • @SSA I don't know any recent ASIC for DES. However, if you know the number of ASIC nodes and their total SHA256 running cores, we can estimate. – kelalaka Nov 18 '20 at 12:37
  • How does “Deep Crack” fit into this? – Cole Tobin Nov 20 '20 at 18:50
  • @ColeJohnson DeepCrack is ASIC that can give some estimate about the clock speed... – kelalaka Nov 20 '20 at 18:55
  • @kelalaka, the comparison you showed above between sha256d and 2DES, will it same across other H/W(ASIC) based 2key 3DES, I mean is DES always same 8 times faster than sha256? have we considered the computational complexity between the two? for ex. sha256 is one way function and quite faster at first look, while DES requires more calculation of SP network. – SSA Nov 24 '20 at 04:55
  • Nope: I've only used the comparison between the hashcat result. nothing more, not ASIC. Actually. DES is very agile in ASIC. Well, how you describe the computational complexity. I've seen this done for the AES attack that they took all cost of fast inplementation to show that their attack is slightly less then the brute force. – kelalaka Nov 24 '20 at 10:24