Enhancing the Strength of Conventional Cryptosystems Basic Research in Computer Science

Home , Lars Ramkilde Knudsen

BRICS û ard BRICS Report Series RS-94-38 Lars Ramkilde Knudsen ISSN 0909-0878 November 1994 Ivan B. Damg Enhancing the Strength of Conventional Cryptosystems Basic Research in Computer Science

Reproduction of all or part of this work is permitted for educational or research use on condition that this copyright notice is included in any copy.

See back inner page for a list of recent publications in the BRICS Report Series. Copies may be obtained by contacting:

BRICS Department of Computer Science University of Aarhus Ny Munkegade, building 540 DK - 8000 Aarhus C Denmark Telephone:+45 8942 3360 Telefax: +45 8942 3255 Internet: [email protected]

Enhancing the Strength of Conventional

Cryptosystems

Ivan B Damgard BRICS Aarhus University

Lars Ramkilde Knudsen Aarhus University

September

Abstract

Welookatvarious ways of enhancing the strength of conventional

cryptosystems such as DES by building a new system which has longer

keys and which uses the original system as a building blo ck We pro

p ose a new variantoftwokey triple encryption which is not vulnerable

to the meet in the middle attackbyvan Oorschot and Wiener Under

an appropriate assumption on the security of DES we can prove that

our system is at least as hard to break as single DES

Intro duction

Since its intro duction in the late seventies the American Data Encryption

Standard DES has b een the sub ject of intense debate and cryptanalysis

Likeany other practical cryptosystem DES can b e broken by searching ex

haustively for the key

One natural direction of research is therefore to nd attacks that will

b e faster than exhaustivesearch measured in the numb er of necessary en

cryption op erations The most successful attack known of this kind is the

linear attackby Matsui This attack requires ab out known plain

text blo cks Although this is less than the exp ected encryptions required

Basic Research in Computer Science Centre of the Danish National Research

Foundation

for exhaustivekey search the attackisby no means more practical than

exhaustive search There are two reasons for this rst one cannot in prac

tice neglect the time needed to obtain the information ab out the plaintext

secondly when doing exhaustivekey search the enemy is free to invest as

much in technology as he is capable of to make the searchmoreecient in

aknown plaintext attack he is basically restricted to the technology of the

legitimate owner of the key and to the frequency with whichthekey is used

In virtually any practical application a single DES key will b e applied to

much less than blo cks even in its entire life time The dierence b etween

the two kinds of attacks is illustrated in a dramatic wayby the results of

Wiener who shows by concrete design of a key searchmachine that if

the enemy is willing to make a one million dollar investment exhaustivekey

search for DES is certainly not infeasible

As a result wehave a situation where DES has proved very resistantover

a long p erio d to cryptanalysis and therefore seems to b e as secure as it can

b e in the sense that by far the most practical attack is a simple brute force

searchforthekey The only problem is that the key is to o short given to days

technology and that therefore dep ending on the value of the data you are

protecting plain DES may not b e considered secure enough anymore

What can b e done ab out this problem One obvious solution is to try

to design a completely new algorithm This can only b e a very long term

solution a new algorithm has to b e analysed over a long p erio d b efore it can

b e considered secure also the vast numb er of p eople who haveinvested in

DES technology will not like the idea of their investments b ecoming worthless

overnight An alternative is to devise a new system with a longer key using

DES as a building blo ck This way existing DES implementations can still

b e used

We are in the situation where wehave a blo ck cipher that has proved to

be very strong the only problem b eing that the keys are to o small and a sim

ple bruteforce attack has b ecome p ossible Thus this section is motivated

by the following general question Given cryptosystem X whichcannotin

practice b e broken faster than exhaustivekey search how can we build a

new system Y such that

Keys in Y are signicantly longer than keys in X eg twice as long

Given an appropriate assumption ab out the securityof X Y is provably

as hard to break as X under any natural attack eg ciphertext only

known plaintext etc

It can b e convincingly argued that Y can in fact not b e broken faster

than exhaustivekey search and is therefore in fact much stronger than

Possible answers to this question have already app eared in the literature

The most well known example is known as twokey triple encryption where

we encipher under one key decipher under a second key and nally encipher

under the rst keyVan Oorschot and Wiener haveshown rening an

attack of Merkle and Hellman that this construction is not optimal

underaknown plaintext attack it can b e broken signicantly faster than

exhaustivekey search

We prop ose a new variantoftwokey triple encryption which has all the

prop erties we require ab ove

Multiple encryption

In this section we lo ok at metho ds for enhancing cryptosystems based on the

idea of encrypting plaintext blo cks more than once Following the notation

of the intro duction we let X b e the original system and weletE resp D

K K

denote encryption resp decryption in X under key K We assume that the

key space of X consists of all k bit strings and that the blo ck length of X

is mInacascade of ciphers it is assumed that the keys of the comp onent

ciphers are indep endent The following result was proved by Maurer and

Massey

Theorem The imp ortance of b eing rst Acascade of ciphers

is at least as hardtobreak as the rst cipher

By restricting ourselves to the most p owerful attack the chosen plaintext

attack we can prove the following more general result

Theorem The imp ortance of b eing there Acascade of ciphers

is at least as hardtobreak under any attack as any of the component ciphers

in the cascade under a chosen plaintext attack

Pro of Assume that wehave an algorithm A which on input the encryp

tions of n known or chosen plaintexts or on input just n ciphertexts breaks

a cascade of N ciphers Y We will use A to break any of the comp onent

ciphers in a chosen plaintext attack Assume that X is the ith cipher of

the N ciphers in the cascade and that we can get encryptions of anycho

sen plaintext Cho ose N keys at random for the ciphers exclusive X

Whenever A asks for the encryption of a chosen or known plaintext P we

multiple encrypt P using the rst i keys yielding PP In a ciphertext

only attackwecho ose a plaintext P ourselves Then we get the encryption

CC of PP in the chosen plaintext setting from X Now use the remaining

hwe input to ASince N i keys to multiple encrypt CC yielding C whic

by assumption A breaks the cascade it will output the N keys amongst

whichwe will get a candidate for the secret key of X Wehaveproved that if

we can break the cascade we can break any of the comp onent ciphers under

achosen plaintext attack Thus if a comp onent cipher X is secure against a

chosen plaintext attack then a cascade of ciphers containing X is as secure

against any attack

A sp ecial case of a cascade of ciphers is when the comp onent ciphers are

equal also called multiple encryption In the following we consider dierent

forms of multiple encryption

Double Encryption

The simplest idea one could think of would b e to encrypt twice using twokeys

K K ie let the ciphertext corresp onding to P be C E E P It is

K K

clear and wellknown however that no matter how K K are generated

there is a simple meetinthe middle attack that breaks this system under a

k k

known plaintext attack using encryptions and blo cks of memory ie

the same time complexityaskey search in the original system Even though

the memory requirements may b e unrealistic it is clear that this is not a

satisfactory improvementover X

Triple Encryption

Triple encryption with three indep endentkeys K K andK where the

ciphertext corresp onding to P is C E E E P is also not a sat

K K K

isfactory solution for a similar reason as for double encryption A simple

meetinthemiddle attack will break this in time ab out encryptions and

space blo cks of memoryThus we do not get full return for our eort in

tripling the key length as stated in demand in the intro duction wewould

like attacks to take time close to ifthekey length is k In addition

to this if X DE S then a simple triple encryption would preservethe

complementation prop erty and preserve the existence of weak keys

It is clear however that no matter how the three keys in triple encryption

are generated the meetinthemiddle attackmentioned is still p ossible and

so the time complexity of the b est attack against any triple encryption variant

is no larger than It therefore seems reasonable to try to generate the

three keys from two indep endent X keys K K since triple encryption will

not provide security equivalent to more than keys anyway

Twokey Triple Encryption

wokey triple encryption pro One variant of this idea is wellknown as t

p osed byWTuchmann we let the ciphertext corresp onding to P be

E D E P Compatibility with a single encryption can b e obtained

K K K

by setting K K As one can see this uses a particular very simple way

of generating the three keys from K K For twokey triple encryption there

is a result similar to Theorem

Theorem Under a chosen plaintextciphertext attack twokey triple en

cryption is at least as hardtobreak as the underlying cipher

Pro of Assume that wehave an algorithm B whichoninputn chosen plain

texts breaks a twokey triple encryption scheme Z where W is the under

lying cipher Cho ose one key K at random Whenever B asks for the

encryption of plaintext P we encrypt P using the key K yielding PP

Then we get the decryption CC of PP in the chosen ciphertext setting from

W Now encrypt CC using again the key K yielding C whichisinputto

B Since by assumption B breaks the twokey triple scheme it will output

a candidate for the key in the second round ie for the secret key of W

Even though this result establishes some connection b etween the secu

rityoftwokey triple encryption with the underlying cipher it holds only

for a chosen plaintextciphertext attack and still do es not meet our second

demand

For the twokey triple encryption scheme eachof K and K only inu

ences particular parts of the encryption pro cess Because of this variants

of the meetinthemiddle attack are p ossible that are even faster than ex

haustive search for K K In Merkle and Hellman describ es an attack

on twokey triple DES encryption requiring chosen plaintextciphertext

pairs and a running time of encryptions using words of memoryThis

attackwas rened in into a known plaintext attack on the DES whichon

input n plaintextciphertext pairs nds the secret key in time n using n

words of memory The attacks can b e applied to anyblock cipher

Since the attacks exploit that the keys used in the rst and third encryp

tion are equal an initial attempt to thwart the attacks could b e to let the

third key b e dep endent on b oth the rst and second key Dene encryption

K K Compatibilitywitha P where K E E D by E

K K K K

single encryption can still b e obtained by setting K D in that way

K K By the security of the DMscheme the DaviesMeyer hashing

scheme knowing K or K do es not give immediate knowledge ab out K

and the scheme seems invulnerable to the attacks by Merkle and Hellman

However we found no pro of that this scheme is at least as secure as a single

encryption

We therefore prop ose what we b elieve to b e stronger metho ds for gener

ating the keys Our main idea is to generate them pseudorandomly from

X keys using a generator based on the securityof X In this way an en

emy trying to break Y either has to treat the keys as if they were really

random which means he has to break X according to Theorem or he

has to use the dep endency b etween the keys this mean breaking the gen

vethwarted erator whichwas also based on X Thus even though weha

attacks like MerkleHellman and van OorschotWiener byhaving a strong

interdep endency b etween the keys we can still if X is secure enough get a

connection b etween securityof X and Y

Multiple encryption with minimum key

General Description of Y

Let a blo ck cipher X be given as describ ed ab ove The key length of X

is denoted by k ByE P we denote X encryption under K of blo ck P

while D C denotes decryption of C We then dene a new blo ck cipher Y

using a function G

GK K X X X

which maps X keys to X keys Wedisplay later a concrete example of a

p ossible Gfunction This is constructed from a few X encryptions Keys in

Y will consist of pairs K K ofX keys Encryption in Y is dened by

E P E E E P

K K X X X

where X X X GK K Decryption is clearly p ossible by decrypt

ing using the X s in reverse order

Relation to the securityof X

Wewould like to b e reasonably sure that wehavetaken real advantage of

the strength of X when designing Y Oneway of stating this is to saythat

Y is at least as hard to break as X By Theorem this would b e trivially

true if the three keys used in Y were statistically indep endent This is of

course not the case since the X s are generated from only keys But if the

generating function G has a pseudorandom prop erty as stated b elow then

the X s are as go o d as random and we can still prove the result wewant

Denition Consider the fol lowing experiment an enemy B is presented

with three k bit blocks X X X He then tries to guess which of two cases

has occurred

The X s are chosen independently at random

The X s areequal to GK K for randomly chosen K K

Let p be the probability that B guesses given that caseoccurs and p

the probability that B guesses given that case occurs The generator

function G is said to be pseudorandom if for any B spending time equal to

T encryption operations

jp p j

where V is the total number of possible values of the pair K K

The intuition b ehind this is that B could always sp end his time simply

trying random pairs of keys seeing if they could b e a p ossible value of K K

and guessing that he is in case if he nds a solution If case really o ccurs

he nds the rightvalue with probability at most TV we assume here that

he would need at least one encryption to test a pair In case there is most

likely no solution Thus the denition says that if G is pseudorandom there

is no b etter metho d for B than this naive attack Denition is inspired

by the complexity theoretic denition of a strong pseudorandom generator

intro duced by Blum and Micali

In the rest of this subsection we consider attacks against X and Y in a

xed scenario with a given plaintext distribution and a given form of attack

such as known plaintext chosen plaintext etc We do not sp ecify these

things further b ecause the reasoning b elowwillwork for anysuch scenario

The time unit will b e encryptions op erations in system X

The next theorem shows the promised connection b etween securityof X

and Y ie in a given amount of time an attack cannot do much b etter

against Y than what is p ossible against X

Theorem Let p be the success probability of the best attack against X

T Assume now that an attacker A against our new system running in time

Y runs in time T and has success probability p If the function G usedto

construct Y is pseudorandom then

Pro of Let Y b e the same system as Y but with indep endentkeys X By

Theorem using A against Y leads to an attack against X with the same

success probability Hence by assumption As success probabilityagainst Y

will b e at most p But then we can use A to make an algorithm B that ts

Denition Given X X X B uses these as keys in the triple encryption

system and simulate As attack If A is successful B will guess that the X s

are generated from K K if not B will guess that they are indep endent

Since in one case A will b e attacking Y and in the other case Y it is clear

that for this B wehaveby Denition

jp p j

As an example of what the statement of the theorem means consider

an ideal case where the b est an attack against X can do is to sp end its

time cho osing random keys and test whether they t with the information

available The success probability for time T would then b e T assuming

akey can b e tested in encryption Then the ab ove theorem says that if G

is pseudorandom the success probabilityofany attack against Y running in

k k

time T can b e at most T T This is larger than the original success

probability against X by a factor of only

A Concrete Twokey Triple Encryption Construc

tion

We prop ose here a new construction for triple encryption called TEMK for

Triple Encryption with Minimum Key In this construction X X X are

all used as keys for encryption We dene this construction of GK K

X X X by

E D E IV X

K K K

X E D E IV

K K K

X E D E IV

K K K

where IV are three initial values eg IV C i where C is a constant

i i

It is seen that twokey triple encryption is used

Here the reader may ask a very legitimate question why are we using

ordinary twokey triple DES here when wehavejustspent half a pap er

arguing that it do es not provide go o d enough security The answer is that we

are using twokey triple DES in a sp ecial situation where we can guarantee

that for any particular pair of keys the enemy will get at most a known

plain text attack with three known plaintexts This follows from the fact that

the three constants IV IV IV are universally xed such that the pair of

keys K K will never b e applied to anything else than the IV s The b est

known attack against twokey triple DES with three known plaintexts is the

one byvan Oorschot and Wiener which has the complexity

Since in our case the keys are only bits we conjecture that

this G is pseudorandom with the value V The most natural attack

Scheme Key size KS EN Total Wk Cp

TEMKDES No No

DES Yes Yes

Twokey tripleDES Yes Yes

Threekey tripleDES Yes Yes

Table Comparison of the prop osed schemes and the existing ones all used

with DES

against pseudorandomness of G seems to b e to guess either K or K and

try to nd the other value faster than exhaustive search

The key scheduling in the ab ove construction is slower than for the two

key triple encryption In most software applications of the DES the key

scheduling takes ab out twice the time of a single encryption Using this es

timate the key scheduling in the triple encryption scheme ab ovetakes time

ab out DESencryptions For comparison the key schedules for twokey

triple DES and triple DES with three indep endentkeys take and encryp

tions resp ectively In encryption with our new construction the key schedule

should b e p erformed once and the three round keys stored In that way en

cryption with TEMKDES is as fast as for other triple encryption schemes

with xed keys

We conjecture that for the ab ove construction the fastest attackisa

simple meet in the middle attack which will b e of time complexity at least

In particular we conjecture that b ecause of the strong interdep endency

between the X s attacks like the ones from will not b e p ossible Finally

we note that the absence of weak keys are guaranteed since the three round

on prop erty do es not hold In keys are never equal and the complementati

Table we givea schematic overview of the dierences b etween our prop osed

scheme and the existing ones KS and EN are the numb ers of DES key

schedules and DES encryptions resp ectively needed in the key schedule of

the triple encryption scheme Total is the total numb er of encryptions in

the new key schedule using the ab ove estimate Finally we state if weak keys

exist and if the complementation prop erty holds

Extensions

In the preceding sections we fo cused on triple encryption schemes It is clear

that our ideas can b e extended to quadruple quintuple nfold schemes

Let X b e a comp onent cipher with key size k In general a ifold encryption

scheme based on X is vulnerable to a meet in a middle attack using

words of memory taking time ab out Similarlya i fold encryption

scheme based on X is vulnerable to a meet in a middle attackusing words

i k

of memory taking time ab out Therefore one do es not get the security

of the full key length It is obvious that by generating the i i keys

pseudorandomly dened in a similar manner as Denition from i i

keys one can prove a similar result as Theorem

References

M Blum and S Micali How to generate cryptographically strong se

quences of pseudorandom bits SIAM Journal on Computing pages

M Matsui Linear cryptanalysis metho d for DES cipher In T Helleseth

editor Advances in Cryptology Proc Eurocrypt LNCS pages

Springer Verlag

M Matsui The rst exp erimental cryptanalysis of the Data Encryption

Standard In Y G Desmedt editor Advances in Cryptology Proc

Crypto LNCS pages Springer Verlag

Cascade ciphers The imp ortance of b eing U Maurer and JL Massey

rst Journal of Cryptology

R Merkle and M Hellman On the securityofmultiple encryption Com

munications of the ACM

W Tuchman Hellman presents no shortcut solutions to DES IEEE

Spectrum July

PC van Oorschot and MJ Wiener A knownplaintext attackontwo

key triple encryption In IB Damgard editor Advances in Cryptology

Proc Eurocrypt LNCS pages Springer Verlag

MJ Wiener EcientDESkey search Technical Rep ort TR Scho ol

of Computer Science Carleton University Ottawa Canada May

Presented at the Rump Session of Crypto Recent Publications in the BRICS Report Series

RS-94-38 Ivan B. Damgardû and Lars Ramkilde Knudsen. Enhanc- ing the Strength of Conventional Cryptosystems. Novem- ber 1994. 12 pp. RS-94-37 Jaap van Oosten. Fibrations and Calculi of Fractions. November 1994. 21 pp. RS-94-36 Alexander A. Razborov. On provably disjoint NP-pairs. November 1994. 27 pp. RS-94-35 Gerth St¿lting Brodal. Partially Persistent Data Structures of Bounded Degree with Constant Update Time. November 1994. 24 pp. RS-94-34 Henrik Reif Andersen, Colin Stirling, and Glynn Winskel. A Compositional Proof System for the Modal

-Calculus. October 1994. 18 pp. Appears in: Proceed- ings of LICS ’94, IEEE Computer Society Press. RS-94-33 Vladimiro Sassone. Strong Concatenable Processes: An Approach to the Category of Petri Net Computations. Oc- tober 1994. 40 pp. RS-94-32 Alexander Aiken, Dexter Kozen, and Ed Wimmers. De- cidability of Systems of Set Constraints with Negative Con- straints. October 1994. 33 pp. RS-94-31 Noam Nisan and Amnon Ta-Shma. Symmetric Logspace is Closed Under Complement. September 1994. 8 pp. RS-94-30 Thore Husfeldt. Fully Dynamic Transitive Closure in Plane Dags with one Source and one Sink. September 1994. 26 pp. RS-94-29 Ronald Cramer and Ivan Damgard.û Secure Signature Schemes Based on Interactive Protocols. September 1994. 24 pp. RS-94-28 Oded Goldreich. Probabilistic Proof Systems. September 1994. 19 pp.