DES-X (or DESX)

DES-X is a 64-bit block cipher with a 2·64 + 56 = 184-bit key, which is a simple extension of DES. The construction was suggested by Rivest in 1984 in order to overcome the problem of the short 56-bit key size, which made the cipher vulnerable to exhaustive key search attack. The idea is just to XOR a secret 64-bit key K1 to the input of DES and to XOR another 64-bit secret key K2 to the output of DES: C = K2 ⊕ DES_K(P ⊕ K1). The keys K1, K2 are called whitening keys and are a popular element of modern cipher design. The construction itself goes back to the work of Shannon [5, pp.713], who suggested to use a fixed mixing permutation whose input and output are masked by the secret keys. This construction has been shown to have provable security by Even-Mansour [4] if the underlying permutation is pseudorandom (i.e. computationally indistinguishable from a random permutation). A thorough study of DES-X was given in the work of Kilian-Rogaway [3], which builds on [4] and uses a blackbox model of security. Currently the best attack on DES-X is a known-plaintext attack discovered by Biryukov-Wagner [1] which has complexity of 2^32.5 known plaintexts and 2^87.5 time of analysis. Moreover the attack is easily converted into a ciphertext-only attack with the same data complexity and 2^95 offline time complexity. These attacks are mainly of theoretical interest due to their high time complexities. However, the attack is generic and would work for any cipher F used together with post- and pre-whitening with complexity 2^((n+1)/2) known plaintexts and 2^(k+(n+1)/2) time steps (here n is the block size, and k is the key size of the internal cipher F). A related-key attack on DES-X is given in [6]. The best conventional attack, which exploits the internal structure of DES, would be a linear attack, using 2^61 known plaintexts [2]. –Alex Biryukov.

References

[1] A. Biryukov, D. Wagner, Advanced Slide Attacks, Lecture Notes in Computer Science 1807, Advances in Cryptology – EUROCRYPT'2000, pp. 589–606, Springer-Verlag, 2000.
[2] B. Kaliski, M. Robshaw, Multiple encryption: weighing security and performance, Dr. Dobb's Journal, pp. 123–127, Vol. 1, 1996.
[3] J. Kilian, P. Rogaway, How to Protect Against Exhaustive Key Search, Lecture Notes in Computer Science 1109, Advances in Cryptology – CRYPTO'96, pp. 252–267, Springer-Verlag, 1996.
[4] S. Even, Y. Mansour, A Construction of a Cipher from a Single Pseudorandom Permutation, Journal of Cryptology, Vol. 10, No. 3, pp. 151–161, Springer-Verlag, 1997.
[5] C. Shannon, Communication Theory of Secrecy Systems, Bell Sys. Tech. J., Vol. 28, pp. 656–715, October 1949. (A declassified report from 1945.)
[6] J. Kelsey, B. Schneier, D. Wagner, Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, proceedings of ICICS, pp. 233–246, 1997.

Ciphertext-Only Attack

Ciphertext-only attack scenario assumes that the attacker has only the passive capability to listen to the encrypted communication. The attacker thus only knows C_i, i = 1, ..., N, but not their corresponding plaintexts. He may however rely on certain redundancy assumptions about the plaintexts, for example that the plaintext is ASCII-encoded English text. This scenario is the weakest in terms of capabilities of the attacker and thus it is the most practical in real life applications. In certain cases conversion of a known-plaintext attack [2] or even a chosen plaintext attack [1] into a ciphertext-only attack is possible.

References

[1] A. Biryukov and E. Kushilevitz, "From differential cryptanalysis to ciphertext-only attacks," in Advances in Cryptology – CRYPTO'98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science, pp. 72–88, Springer-Verlag, 1998.
[2] M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology – EUROCRYPT'93 (T. Helleseth, ed.), vol. 765 of Lecture Notes in Computer Science, pp. 386–397, Springer-Verlag, 1993.

Codebook Attack

Codebook attack is an example of a known plaintext attack scenario in which the attacker is given access to a set of plaintexts and their corresponding encryptions (for a fixed key): (P_i, C_i), i = 1, ..., N. These pairs constitute a codebook which he could use to listen to further communication and which could help him partially decrypt the future messages even without the knowledge of the secret key. He could also use this knowledge in a replay attack by replacing blocks in the communication or by constructing meaningful messages from the blocks of the codebook. Codebook attack may even be applied in a passive traffic analysis scenario, i.e. as a ciphertext-only attack, which would start with frequency analysis of the received blocks and attempts to guess their meaning. Ciphers with small block size are vulnerable to the codebook attack, especially if used in the simplest Electronic Codebook mode of operation. Already with N = 2^(n/2) known pairs, where n is the block size of the cipher, the attacker has good chances to observe familiar blocks in the future communications of size O(2^(n/2)), due to the birthday paradox. If the communication is redundant, the size of the codebook required may be even smaller. Modern block ciphers use a 128-bit block size to make such attacks harder to mount. A better way to combat such attacks is to use chaining modes of operation like Cipher-Block Chaining mode (which makes further blocks of ciphertext dependent on all the previous blocks) together with the authentication of the ciphertext.
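As an added illustration of the birthday-bound argument above (not part of the original entry): a toy 16-bit block cipher, modelled as a keyed random permutation, is used in ECB and in CBC mode, and a passive attacker who collected N = 2^(n/2) known pairs looks up later traffic in that codebook. Under ECB nearly every block of redundant future traffic is recovered, under CBC only a handful; the 16-bit block, the 64-value plaintext vocabulary and the seeds are assumptions chosen to keep the experiment small.

```python
import random

BLOCK_BITS = 16                   # toy block size n; real ciphers use 64 or 128 bits
N_TRAIN = 1 << (BLOCK_BITS // 2)  # N = 2^(n/2) known (P_i, C_i) pairs, the birthday bound


def make_toy_cipher(key):
    """Constructed stand-in for a block cipher E_K: a keyed random permutation
    of all 2^n block values (a model of a cipher, not a real one)."""
    rng = random.Random(key)
    table = list(range(1 << BLOCK_BITS))
    rng.shuffle(table)
    return table                  # table[p] == E_K(p)


def ecb_encrypt(table, blocks):
    return [table[p] for p in blocks]


def cbc_encrypt(table, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = table[p ^ prev]    # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return out


def codebook_hits(train_ct, future_ct):
    """The passive attacker keeps the ciphertext blocks of the known pairs as a
    codebook; a future block found in it is decrypted by lookup. In CBC the
    lookup yields P_j xor C_{j-1}, and C_{j-1} is also observed, so a hit is a
    recovered block in both modes. Returns the number of hits."""
    book = set(train_ct)
    return sum(1 for c in future_ct if c in book)


def run_experiment(seed=1, n_future=256, vocabulary=64):
    """Constructed sample traffic: blocks drawn from a small vocabulary of
    frequent values (headers, repeated fields), i.e. redundant plaintext."""
    rng = random.Random(seed)
    table = make_toy_cipher(rng.getrandbits(32))
    words = [rng.getrandbits(BLOCK_BITS) for _ in range(vocabulary)]
    train_pt = [rng.choice(words) for _ in range(N_TRAIN)]
    future_pt = [rng.choice(words) for _ in range(n_future)]
    iv_train, iv_future = rng.getrandbits(BLOCK_BITS), rng.getrandbits(BLOCK_BITS)
    ecb_hits = codebook_hits(ecb_encrypt(table, train_pt),
                             ecb_encrypt(table, future_pt))
    cbc_hits = codebook_hits(cbc_encrypt(table, iv_train, train_pt),
                             cbc_encrypt(table, iv_future, future_pt))
    # In ECB a hit happens exactly when the plaintext block value was already
    # seen, so the attacker decrypts every repeated block of the future traffic.
    seen = set(train_pt)
    repeated_pt = sum(1 for p in future_pt if p in seen)
    return {"ecb_hits": ecb_hits, "cbc_hits": cbc_hits,
            "repeated_plaintext_blocks": repeated_pt, "future_blocks": n_future}


if __name__ == "__main__":
    print(run_experiment())
```

Raising BLOCK_BITS shows the hit count under CBC shrinking with 2^(n/2), while the ECB count stays tied to the redundancy of the plaintext.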

Dictionary Attack

Dictionary attack is an exhaustive cryptanalysis approach in which the attacker computes and stores a table of plaintext-ciphertext pairs (P, C_i = E_{K_i}(P), K_i) sorted by the ciphertexts C_i. Here the plaintext P is chosen in advance among the most often encrypted texts like "login:", "Hello John", etc. and the key runs through all the possible keys K_i. If P is encrypted later by the user and the attacker observes its resulting ciphertext C_j, the attacker may search his table for the corresponding ciphertext and retrieve the secret key K_j. The term dictionary attack is also used in the area of password guessing, but with a different meaning.

Known Plaintext Attack

Known plaintext attack is a scenario in which the attacker has access to the pairs (P_i, C_i), i = 1, ..., N of known plaintexts and their corresponding ciphertexts. This attack is considered to be highly practical, especially if the amount of pairs N is not too large. This attack scenario is more practical than the chosen plaintext attack. The probable word method, which is a popular technique for solving classical simple substitution or transposition ciphers, is an example of a known-plaintext attack. Another example is the cryptanalysis of the German Enigma cipher [1] using the so-called bombes. It relied heavily on the properly guessed opening words of the cryptograms (which were at the time called cribs). One of the most popular cribs was "Nothing to report". In modern cryptography, linear cryptanalysis is a typical example of a known plaintext attack.

References

[1] C. A. Deavours, L. Kruh, Machine Cryptography and Modern Cryptanalysis, Artech House, 1985.

Chosen Plaintext Attack

Chosen plaintext attack is a scenario in which the attacker has the ability to choose plaintexts P_i and to view their corresponding ciphertexts C_i. This attack is considered to be less practical than the known plaintext attack, but still a very dangerous attack. If the cipher is vulnerable to a known plaintext attack it is automatically vulnerable to a chosen plaintext attack as well, but not necessarily the opposite. In modern cryptography differential cryptanalysis is a typical example of a chosen plaintext attack. It is also a rare technique for which conversion from chosen plaintext to known plaintext is possible (due to its work with pairs of texts). If a chosen plaintext differential attack uses m pairs of texts for an n-bit block cipher, then it can be converted to a known-plaintext attack which will require 2^(n/2)·√(2m) known plaintexts, due to birthday-paradox-like arguments. Furthermore, as shown in [1], the factor 2^(n/2) may be considerably reduced if the known plaintexts are redundant (for example, for the case of ASCII-encoded English text to about 2^((n−r)/2), where r is the redundancy of the text), which may even lead to a conversion of a differential chosen-plaintext attack into a differential ciphertext-only attack.

References

[1] A. Biryukov and E. Kushilevitz, “From differential cryptanalysis to ciphertext-only attacks,” in Advances in Cryptology – CRYPTO’98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science, pp. 72–88, Springer-Verlag, 1998.

Chosen Ciphertext Attack

Chosen ciphertext attack is a scenario in which the attacker has the ability to choose ciphertexts C_i and to view their corresponding decryptions – plaintexts P_i. It is essentially the same scenario as a chosen plaintext attack but applied to the decryption function, instead of the encryption function. The attack is considered to be less practical in real life situations than chosen plaintext attacks. However there is no direct correspondence between complexities of chosen plaintext and chosen ciphertext attacks. A cipher may be vulnerable to one but not to the other, and the opposite. Chosen ciphertext attack is a very important scenario in public key cryptography, where known plaintext and even chosen plaintext scenarios are always available to the attacker due to the publicly known encryption key. For example, plain RSA is not secure against adaptive chosen ciphertext attack.

Chosen Plaintext and Chosen Ciphertext Attack

In this attack the attacker is allowed to combine the chosen plaintext attack and the chosen ciphertext attack together and to issue chosen queries both to the encryption and to the decryption functions.

Adaptive Chosen Plaintext Attack

Adaptive chosen plaintext attack is a chosen plaintext attack scenario in which the attacker has the ability to make his choice of the inputs to the encryption function based on the previous chosen plaintext queries and their corresponding ciphertexts. The scenario is clearly more powerful than the basic chosen plaintext attack, but is probably less practical in real life since it requires interaction of the attacker with the encryption device.

Adaptive Chosen Ciphertext Attack

Adaptive chosen ciphertext attack is a chosen ciphertext attack scenario in which the attacker has the ability to make his choice of the inputs to the decryption function based on the previous chosen ciphertext queries. The scenario is clearly more powerful than the basic chosen ciphertext attack, but is even less practical in real life. Still the attack may be practical against some implementations of public-key cryptography, as shown by Bleichenbacher [1].

References

[1] D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1," in Proceedings of Crypto'98 (H. Krawczyk, ed.), no. 1462 in Lecture Notes in Computer Science, pp. 1–12, Springer-Verlag, 1998.

Adaptive Chosen Plaintext and Chosen Ciphertext Attack

In this attack the scenario allows the attacker to apply adaptive chosen plaintext and adaptive chosen ciphertext queries simultaneously. The attack is one of the most powerful in terms of the capabilities of the attacker. The only two examples of such attacks known up to date are the boomerang attack [2] and the yoyo-game [1].

References

[1] E. Biham, A. Biryukov, O. Dunkelman, E. Richardson, and A. Shamir, "Initial observations on Skipjack: Cryptanalysis of Skipjack-3XOR," in Selected Areas in Cryptography, SAC 1998 (S. E. Tavares and H. Meijer, eds.), vol. 1556 of Lecture Notes in Computer Science, pp. 362–376, Springer-Verlag, 1999.
[2] D. Wagner, "The boomerang attack," in Fast Software Encryption, FSE'99 (L. R. Knudsen, ed.), vol. 1636 of Lecture Notes in Computer Science, pp. 156–170, Springer-Verlag, 1999.

Differential-Linear Attack

Differential-linear attack is a chosen plaintext two-stage technique of cryptanalysis (by analogy with two-stage rocket technology) in which the first stage is covered by differential cryptanalysis, which ensures propagation of useful properties midway through the cipher. The second stage is then performed from the middle of the cipher to the ciphertext using linear cryptanalysis. The technique was discovered and demonstrated on the example of 8-round DES by Langford and Hellman [4]. Given a differential characteristic with probability p for the rounds 1, ..., i and a linear characteristic with bias q for the rounds i+1, ..., R, the bias of the resulting linear approximation would be 1/2 + 2pq^2 and the data complexity of the attack will be O(p^−2 q^−4) [3, pp.65]. Thus the attack would be useful only in special cases when there are good characteristics or linear approximations half-way through the cipher, but no good patterns for the full cipher. Their attack, enhanced with such refinements as packing data into structures and key-ranking (or list decoding), can recover 10 bits of the secret key for 8-round DES using 512 chosen plaintexts. In [1] the same technique is used to break 8-round FEAL with 12 chosen plaintexts and an expensive analysis phase. Further applications and refinements of the technique are given in [2]. –Alex Biryukov.

References

[1] K. Aoki and K. Ohta, "Differential-linear cryptanalysis of FEAL-8," IEICE Trans. on Fundamentals of Electronics, Communications and Computer Sciences, vol. E79A, no. 1, pp. 1–8.
[2] E. Biham, O. Dunkelman, and N. Keller, "New results on boomerang and rectangle attacks," in Fast Software Encryption, FSE 2002 (J. Daemen and V. Rijmen, eds.), vol. 2365 of Lecture Notes in Computer Science, pp. 1–16, Springer-Verlag, 2002.
[3] S. K. Langford, "Differential-linear cryptanalysis and threshold signatures," Technical report, 1995. Ph.D. Thesis, Stanford University.
[4] S. K. Langford and M. E. Hellman, "Differential-linear cryptanalysis," in Proceedings of Crypto'94 (Y. Desmedt, ed.), no. 839 in Lecture Notes in Computer Science, pp. 17–25, Springer-Verlag, 1994.

Boomerang Attack

Boomerang attack is a chosen plaintext and adaptive chosen ciphertext attack discovered by Wagner [5]. It is an extension of the differential attack into a two-stage differential-differential attack which is closely related to the impossible differential attack as well as to the meet-in-the-middle approach. The attack may use characteristics and differentials as well as truncated differentials. The attack breaks constructions in which there are high-probability differential patterns propagating half-way through the cipher both from the top and from the bottom, but there are no good patterns that propagate through the full cipher. The idea of the boomerang attack is to find good conventional (or truncated) differentials that cover half of the cipher but cannot necessarily be concatenated into a single differential covering the whole cipher. The attack starts with a pair of plaintexts P and P′ with a difference ∆ which goes to difference ∆∗ through the upper half of the cipher. The attacker obtains the corresponding ciphertexts C and C′, applies the difference ∇ to obtain ciphertexts D = C + ∇ and D′ = C′ + ∇ and decrypts them to plaintexts Q and Q′. The choice of ∇ is such that the difference ∇ propagates to the difference ∇∗ in the decryption direction through the lower half of the cipher. For the right quartet of texts, difference ∆∗ is created in the middle of the cipher between partial decryptions of D and D′, which propagates to the difference ∆ in the plaintexts Q and Q′. This can be detected by the attacker. Moreover, working with quartets (pairs of pairs) provides boomerang attacks with additional filtration power. If one partially guesses the keys of the top round, one has two pairs of the quartet to check whether the uncovered partial differences follow the propagation pattern specified by the differential. This effectively doubles the attacker's filtration power.
The attack was demonstrated with a practical cryptanalysis of a cipher which was designed with provable security against the conventional differential attack [4], as well as on round-reduced versions of several other ciphers. A related method, the inside-out attack, was given in the same paper. Further refinements of the boomerang technique have been found in papers on so-called amplified boomerang and rectangle attacks [3, 1]. In certain cases a free round in the middle may be gained due to a careful choice of the differences coming from the top and from the bottom [5, 2]. –Alex Biryukov.

References

[1] E. Biham, O. Dunkelman, and N. Keller, "New results on boomerang and rectangle attacks," in Fast Software Encryption, FSE 2002 (J. Daemen and V. Rijmen, eds.), vol. 2365 of Lecture Notes in Computer Science, pp. 1–16, Springer-Verlag, 2002.
[2] A. Biryukov, C. De Cannière, and G. Dellkrantz, "Cryptanalysis of SAFER++," in Proceedings of Crypto'03 (D. Boneh, ed.), Lecture Notes in Computer Science, Springer-Verlag, 2003. NES/DOC/KUL/WP5/028. Full version available at http://eprint.iacr.org/2003/109/.
[3] J. Kelsey, T. Kohno, and B. Schneier, "Amplified boomerang attacks against reduced-round MARS and Serpent," in Fast Software Encryption, FSE 2000 (B. Schneier, ed.), vol. 1978 of Lecture Notes in Computer Science, pp. 75–93, Springer-Verlag, 2001.
[4] S. Vaudenay, "Provable security for block ciphers by decorrelation," in STACS, Lecture Notes in Computer Science, pp. 249–275, Springer-Verlag, 1998.
[5] D. Wagner, "The boomerang attack," in Fast Software Encryption, FSE'99 (L. R. Knudsen, ed.), vol. 1636 of Lecture Notes in Computer Science, pp. 156–170, Springer-Verlag, 1999.