Cryptanalysis of Multiple Modes of Operation

Eli Biham
Computer Science Department
Technion - Israel Institute of Technology
Haifa, Israel

Abstract

In recent years several new attacks on DES were introduced. These attacks have led researchers to suggest stronger replacements for DES, and in particular new modes of operation for DES. The most popular new modes are triple DES variants, which are claimed to be as secure as triple DES. To speed up hardware implementations of these modes and to increase the avalanche, many suggestions apply several standard modes sequentially. In this paper we study these multiple (cascade) modes of operation. This study shows that many multiple modes are much weaker than multiple DES, and their strength is comparable to a single DES.

We conjecture that operation modes should be designed around an underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round. Thus, in particular, triple DES used in CBC mode is more secure than three single DESs used in triple CBC mode. Alternatively, if several encryptions are applied to each block, the best choice is to concatenate them to one long encryption and build the mode of operation around it.

Technion - Computer Science Department Technical Report CS0833 1994

Introduction

The DES has several modes of operation in which it can be used. These modes were devised to have a limited error propagation, to allow synchronization in data communications, to hide patterns in the plaintext, and to protect against chosen plaintext attacks on the underlying cryptosystem and against dictionary attacks. In the Cipher Block Chaining (CBC) mode and the Cipher Feedback (CFB) mode each block depends on all the previous plaintext blocks, by using the previous ciphertext block during encryption. The Output Feedback (OFB) mode was designed to allow precomputation of a major part of the encryption process and to act as a pseudorandom bit generator. In this mode a chosen plaintext attack does not give an attacker more information than a known plaintext attack. The CFB and OFB modes also allow encryption with a variety of blocksizes.

Figure: DES Modes of Operation (ECB, CBC, CFB and OFB)

Although these modes were designed to protect against chosen plaintext attacks, there is no attempt to protect against known plaintext attacks. In the modes of operation of DES, if an attacker knows both the plaintext blocks and the ciphertext blocks, he can calculate the values of the actual inputs and outputs of the underlying cryptosystem and can mount any known plaintext attack.

Since the DES modes of operation were introduced (they are described in the figure above), many new non-standard modes were suggested. The first of these is the counter mode, in which a counter is incremented and used as a feedback, while there is no feedback from other plaintext blocks. Other examples of suggested modes are PCBC, which was also used as a MAC function in the Kerberos system, and PFF (Plaintext Feed Forward), which is similar to decryption under CBC except that it uses encryption rather than decryption internally. All these modes are designed around one encryption function without inner feedbacks. We will call such modes single modes.

In recent years several new attacks on DES were introduced. These attacks have led many people in the cryptographic community to suggest stronger replacements to the DES, which can be either new cryptosystems or new modes of operation for the DES. The most popular new modes are the multiple modes, which are combined from several consecutive applications of single modes. In particular, triple modes, combined from three consecutive applications of single modes, were suggested. These triple modes were claimed to be as secure as triple DES, although they do not have triple DES as a building block. An advantage of the triple modes and multiple modes, when implemented in hardware, is that their speed is just the same as that of single modes, since the single modes can be pipelined.

In this paper we cryptanalyze many multiple modes of operation. In particular, we show that many triple modes are much weaker than triple DES, and that some triple modes are not much more secure than a single DES.

Our attacks may be based upon any known attack on the underlying cryptosystems, and in particular upon differential cryptanalysis, linear cryptanalysis, the improved Davies' attack and exhaustive search. For reference we assume that the following complexities are required by these attacks: 2^47 chosen plaintexts are required for differential cryptanalysis of DES, and 2^61 if independent keys are used; 2^43 known plaintexts are required for linear cryptanalysis of DES, and 2^60 if independent keys are used. Exhaustive search requires 2^55 steps on average (2^56 in the worst case). For Feal the complexities are 2^24, 2^24 and 2^64 respectively. Note that all the complexities of differential cryptanalysis hold for the ECB, CBC and CFB modes under chosen plaintext or chosen ciphertext attacks, and that the linear cryptanalysis complexities hold for the ECB, CBC, CFB and OFB modes under a known plaintext attack. Note that an attack on the CFB mode of DES with a reduced number of rounds has been described in the literature. The best full-round differential characteristic of DES has probability about 2^-63, and the best full-round differential characteristic of Feal has probability 2^-16. Unless otherwise indicated we assume that DES is the underlying cryptosystem of the attacked modes. Throughout this paper, whenever we refer to the CFB and OFB modes we actually mean their full feedback variants, i.e., the CFB and OFB modes whose feedback is a full block.

Our attacks are of three major kinds. Chosen plaintext attacks are applicable to the ECB mode, and potentially to other modes which were not designed to be immune to chosen plaintext attacks. We concentrate on chosen ciphertext attacks, which are applicable to many of the modes which are immune to chosen plaintext attacks. For example, the CBC and CFB modes are vulnerable to chosen ciphertext attacks, with attacks much simpler than the ones described in this paper.

The third kind of attacks, which we do not actually apply in this paper, generalizes the chosen plaintext and chosen ciphertext attacks into chosen plaintext and ciphertext attacks, in which the attacker can decide for each block whether he chooses the plaintext or the ciphertext. These attacks are not adaptive: the attacker can choose all the plaintext/ciphertext blocks before he receives the first encrypted/decrypted block. This model is very strong, since in practice no encryption chip or software allows changing direction from encryption to decryption and vice versa during the process of encryption/decryption. We can slightly reduce this demand by viewing an equivalent model which does not require changing the encryption/decryption direction for each block. In this model two chips loaded with the same key are required: one of them always encrypts and the other always decrypts. In this model the attacks are adaptive chosen plaintext on one chip and adaptive chosen ciphertext on the other chip, both executed in parallel. Whenever in the original attacks we have to encrypt a block, we feed the encrypting chip with the plaintext block and feed the decrypting chip with the resultant ciphertext. Whenever in the original attacks we have to decrypt a block, we feed the decrypting chip with the ciphertext block and feed the encrypting chip with the resultant plaintext. This model is more realistic in the sense that each chip either encrypts or decrypts, but the adaptive attack requirement causes this attack to work almost only when two such loaded chips may be directly manipulated by the attacker. The chosen plaintext and ciphertext attacks are particularly applicable to double modes. They can cryptanalyze many modes that cannot be attacked by the simpler attacks, and can attack other modes with a smaller complexity than other attacks.

We show that many multiple modes are weaker than the corresponding multiple ECB mode when chosen plaintext, chosen ciphertext, or chosen plaintext and ciphertext attacks are applicable. If a multiple mode combines several single modes, in each of which a different cryptosystem is used, and in which the keys of the various single modes are independent, the strength of the multiple mode might not exceed the strength of the strongest single mode component. If the various keys are not independent, the strength of the multiple mode might even be the same as that of its weakest component. Two-key triple DES (triple ECB mode) is such an already known example.

We conjecture that operation modes should be designed around an underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round. Alternatively, if several encryptions are applied in each block, the best choice is to concatenate them to one long encryption and build the mode of operation around the result.

This paper is divided into the following sections. In the next section we show that multiple modes are at least as strong as the strongest single mode contained within, when the keys of all the various single modes are independent. In the section after it we analyse many multiple modes and describe our analysis techniques. In the last section we summarize the results.

The Strength of Multiple Modes

In this section we show that multiple modes of operation are not less secure than their strongest single mode component, whenever the keys of the various components are independent. This result holds in models in which the attacker has access to the plaintexts, and not only to their statistics (see footnote 1). This result was already proved in the context of cascade ciphers.

Let A and B be two modes, and let C be the combined double mode C = A|B, whose component keys K_A and K_B are chosen independently. The following theorem shows that C is not weaker than either of its components. It is similar to a theorem in the work on cascade ciphers, whose proof holds in our case as well.

Theorem. The cracking problem of either A or B is efficiently reducible to the cracking problem of C = A|B.

Footnote 1: It does not hold when the attacker has access only to the statistics of the plaintexts. In our model the attacker always knows both the plaintexts and the ciphertexts.

Figure: The triple CBC mode using Feal, Feal and DES (boxes keyed K1, K2 and K1 with initial values IV1, IV2 and IV3; plaintext blocks P0..P4, ciphertext blocks C0..C4)

Conclusion. A multiple mode may not be weaker than its strongest component if the component keys are chosen independently.

We show that this theorem holds only if the various component keys are independent. In particular, it does not hold for two-key triple modes, such as encrypt with K1, encrypt or decrypt with K2, and encrypt with K1 again, since it might be that one key K1 is used both in the strongest component and in the weakest component, and then we might find it by attacking the weakest component. For example, we study the case of a triple CBC mode which uses Feal in its first two components and DES in the third, while the same key K1 is used in both the first component and the third component (see the figure above). By methods described in the next section we can find the key K1 of the first component using 2^18 chosen ciphertexts. The key of the third component is the same as the key of the first component. The key of the second component can then be easily found using 2^24 chosen ciphertexts or known plaintexts. Therefore, the whole secret key of the multiple mode is found using about 2^18 chosen ciphertexts within a few minutes. Note that the third component, which uses DES, is by itself much more resistant than the whole system, and cannot be attacked successfully by any known method with complexity smaller than 2^43.

Analysis

For the cryptanalysis of the modes of operation we use several techniques. Most of these techniques select one of the encryption boxes in the modes of operation (inside one of the single modes) and feed it with the data required for differential or linear cryptanalysis. After the key of the encryption box is found, other (or the same) techniques are used to find the remaining keys, one at a time.

In the following sections we describe six cryptanalysis techniques, which introduce the most useful principles used to cryptanalyze multiple modes. Additional techniques can be developed using these principles. Each of the techniques finds one key. Unless otherwise indicated, the complexities quoted in the descriptions of these techniques are the complexities to find this one key. The total complexities of the attacks on the various modes are described in the summary. A few of the full attacks might become adaptive; however, in most cases the attacks remain non-adaptive.

We refer to the encryption operations used in the modes of operation as encryption boxes, and number them with the index of the mode during the multiple encryption. The encryption boxes can actually apply decryption operations in particular single modes, in which during mode decryption an encryption operation is to be used. In our discussion we use the terms input and output of the encryption boxes to be their input/output during mode encryption, regardless of whether we talk about mode encryption or mode decryption, and regardless of the particular operation in the encryption box (i.e., encryption or decryption). We keep the words plaintext and ciphertext to be the plaintext/ciphertext of the multiple mode, rather than the input/output of the encryption boxes. We also assume that the keys entering the encryption boxes are independent. We denote the key entering encryption box i by K_i, and the initial value of the i'th single mode (if any) by IV_i (see the figures of the triple modes below).

Technique A: The Basic Technique

Our basic technique for analyzing multiple modes of operation is to feed one of the underlying encryption boxes, in one of the single modes, with the data required for differential cryptanalysis. This may be done by choosing pairs of tuples of blocks in such a way that most blocks are the same in both tuples, and these blocks cause many internal values to be fixed when both tuples are encrypted/decrypted. One block should differ by the difference required for differential cryptanalysis, and it should cause this difference to appear in the input or output of one of the encryption boxes. In addition, we should be able to collect the output or input of this encryption box, up to XOR with some of the fixed internal values. This situation allows us to attack the encryption box by the regular differential attacks to which it is vulnerable, if it is vulnerable. This basic technique can be based on any differential cryptanalytic attack, and any successful R-attack (0R, 1R, 2R or 3R-attack) can be applied.

Figure: The triple mode ECB|CBC|CBC (box 1 keyed K1 in ECB mode; boxes 2 and 3 keyed K2 and K3 in CBC mode with initial values IV2 and IV3; plaintext blocks P0..P4, ciphertext blocks C0..C4)

One of the simplest forms of this technique attacks the ECB|CBC|CBC mode (see the figure above) using a chosen ciphertext attack. Our aim is to feed the output of encryption box 1 (in the single ECB component) with pairs differing by the differences required for differential cryptanalysis. After these pairs are decrypted, the inputs of the encryption box are just the plaintexts we receive from the decryption of the triple mode. Thus the regular differential cryptanalytic techniques, such as counting, can be applied. Note that due to the symmetry of DES (and most block ciphers) there is no technical difference between a chosen plaintext and a chosen ciphertext attack. Note also that if the same value of two successive ciphertext blocks is repeated twice in different positions in a ciphertext message encrypted under the same keys with the ECB|CBC|CBC mode, the same feedbacks result in both positions, and any third block is decrypted into the same plaintext in both positions.

For the attack the attacker chooses many pairs of tuples of blocks (C0, C1, C2) and (C0 ⊕ Ω_T, C1, C2), where C0, C1 and C2 are some arbitrary block values and Ω_T is the difference required for differential cryptanalysis. If a differential attack with Ω_T requires n pairs to attack an ECB mode, the attacker should choose n tuples (C0, C1, C2) and request to decrypt the 6n blocks consisting of all the pairs (C0, C1, C2) and (C0 ⊕ Ω_T, C1, C2).

It is evident that the difference of the tuples is (Ω_T, 0, 0) for each pair. Due to the structure of the triple mode, these differences cause differences (*, 0, 0) in the input of box 3, and after XORing these differences with the differences of the feedbacks we result with differences (*, Ω_T, 0) in the output of box 2, where * denotes an unpredictable value. Similarly, the differences at the output of box 1 are (*, *, Ω_T). Therefore, in the third blocks of the tuples, the differences of the output of box 1 are just Ω_T, as chosen by the attacker. Since the input of box 1 is the plaintext received by decryption of the triple mode, all the requirements for differential cryptanalysis of box 1 are satisfied. As a result, we can find the key used in box 1 by applying differential cryptanalytic attacks.

The attack described above assumes that the characteristic is set in the last rounds of box 1 and that the R-attack is done on the first rounds. This attack can use quartets, octets, or structures of any size, by fixing C1 and C2 and playing with structures of C0.

This technique, as described above, does not apply to the differential attack on the full-round DES, since the latter requires the knowledge of actual plaintext (in our case ciphertext) bits and not only their differences. However, the plaintext/ciphertext bits required by the attack are not known to the attacker just because they are XORed with a fixed constant. This constant can be found together with the key using a more extensive analysis.

Since the analysis phase of the attack on the full-round DES is faster by a factor of 2^10 than the data collection phase, and since in our case the data collection phase costs more DES encryptions per tuple than the attack on the ECB mode, we conclude that the data analysis in our case takes about the same time as the data collection phase. Therefore, the complexity of a differential cryptanalytic attack on the first key of this triple mode is 2^47 chosen ciphertext tuples (three chosen ciphertexts per tuple). Using auxiliary structuring techniques the number of chosen ciphertexts can be reduced to 2^47.

Technique B: Enhancement of the Basic Technique

An enhancement of the basic technique allows attacking modes whose plaintexts are mixed with feedbacks before they are fed into the first encryption box. Examples of such modes are CBC|ECB|CBC and CBC|CBC|ECB. These modes are described in the two figures below. This enhanced technique may also use any R-attack, but requires finding more than one subkey. Thus the number of required plaintexts is similar to the number of plaintexts required by the independent key variant of the differential cryptanalytic attack.

In these modes we choose the differences of the tuples just as we do in the basic technique, but we receive less information from the received plaintexts. In the basic technique the inputs of encryption box 1 are known to the attacker. In the generalized modes attacked by this enhanced technique, the inputs of the encryption box in the ECB mode (boxes 2 and 3 respectively) are not known to the attacker. However, the value of this input XORed with an unknown fixed value (the same in both members of the pair) is known. This fixed value may be mixed into the subkeys to form actual subkeys. The independent-key variant of the differential cryptanalytic attack can now find all the actual subkeys (actually only three actual subkeys are required). By analyzing the actual subkeys we can find independent parity bits of the DES key, bits of the fixed value, and one additional parity bit of both. By trying the two values of the one key bit that remains unknown we can find the complete key. The complexity of this attack is similar to the complexity of the independent key variant of the original attack on the ECB mode.

Figure: The triple mode CBC|ECB|CBC (box 1 keyed K1 in CBC mode with IV1; box 2 keyed K2 in ECB mode; box 3 keyed K3 in CBC mode with IV3; plaintext blocks P0..P4, ciphertext blocks C0..C4)

Figure: The triple mode CBC|CBC|ECB (boxes 1 and 2 keyed K1 and K2 in CBC mode with IV1 and IV2; box 3 keyed K3 in ECB mode; plaintext blocks P0..P4, ciphertext blocks C0..C4)

Whenever this enhancement uses a counting method to find the key, rather than the method used in the attack on the full-round DES, we must ensure that the fixed value is the same in all the tuples. For this we have to choose the same C1's and C2's in all the pairs.

In the CBC|CBC|ECB mode the other keys can be found by technique D, as in the attack on the triple CBC mode described later. In the CBC|ECB|CBC mode K3 can be found easily, since the input of box 3 can be easily calculated; then K1 can also be completed.

Technique C: A Technique using Linear Cryptanalysis

The basic technique can also be applied using linear cryptanalysis. In this technique we do not choose pairs of messages and study their differences, as we do when differential cryptanalysis is used. Instead, we fix many blocks which are mixed with the inputs/outputs of the attacked encryption box, and we end up with the knowledge of the inputs and the outputs of the attacked encryption box XORed with some unknown fixed values. Since linear cryptanalysis is not affected by the combination of such fixed values, we can do the whole linear cryptanalysis just as is done in the regular model (i.e., single ECB mode); we just end up with parity bits combining key bits and bits of the fixed values. Since linear cryptanalysis can find the subk
eys also when independent keys are used (i.e., when all the subkeys are independent), we can complete the encryption keys even in this more complex case, after we find several subkeys rather than just one or two.

This technique can be applied to the modes attacked by techniques A and B. For example, to attack the CBC|ECB|CBC mode it requires choosing many tuples of ciphertexts (C0, C1, C2), where C1 and C2 should be fixed in all the tuples and C0 can be chosen at random. The resultant plaintext block P2 is of the form D_K2(C0 ⊕ V1) ⊕ V2, where V1 and V2 are fixed values depending on the choice of the fixed ciphertext blocks C1 and C2. Linear cryptanalysis can find the key K2 and the fixed values V1 and V2, except one bit, due to the complementation property (simultaneous complementation of K2, V1 and V2 does not change the results). Then attacks to find K1 and K3 can be mounted; even exhaustive search for each of them now requires only 2^55 steps on average (2^56 at most), and faster attacks are feasible.

This technique requires 2^60 chosen tuples of ciphertext to find the key of the ECB component. The other keys of CBC|ECB|CBC can be found even by exhaustive search, with complexity about 2^55. The other keys of the ECB|CBC|CBC and CBC|CBC|ECB modes should be found by techniques D or F.

A similar technique can use the improved Davies' attack, but its complexity is expected to be higher than with linear cryptanalysis.

Technique D

In technique B we used the single ECB component within the multiple mode to allow a fixed value to be XORed to the input pairs of the ECB component, and thus we could handle the additional mixing of the plaintexts before they enter the encryption boxes. Whenever we do not have a single ECB component in our mode, as in the triple CBC mode CBC|CBC|CBC, we can use another enhancement of the basic technique that allows finding the keys of the encryption boxes.

For the triple CBC mode we choose pairs of four-block tuples (C0, C1, C2, C3) and (C0, C1 ⊕ Ω_T, C2, C3), with the difference (0, Ω_T, 0, 0), and with the same C0, C1 and C2 in all the pairs. The various pairs differ only in the values of C3, while the two members of a single pair differ only in the value of C1. Thus the differences develop during decryption to (0, A, Ω_T, 0) at the output of encryption box 2 and to (0, *, B, Ω_T) at the output of encryption box 1, where A and B are some fixed differences in all the pairs, since they depend only on C0, C1, C2 and Ω_T, which are the same in all the pairs. As a result, encryption box 1 has difference Ω_T in the output of the fourth block, and its input is known to the attacker as a plaintext block XORed with the unknown fixed value B. Once we find the value of B, technique B can be used to find the key K1.

The value of B can be found using a full-round characteristic of encryption box 1. If DES is used, it has probability about 2^-63, which for many keys will allow identifying the expected difference of the input to this box. Since the known plaintext block P3 is XORed with the feedback from the previous block to form the input to the box, the differences satisfy Ω_P = B ⊕ P3', and B can be calculated for any right pair (P3' is the difference between the plaintext block P3 and its counterpart). The true value of B should be the most frequent resulting value if the probability of the characteristic is not too low, and thus it can be identified, possibly using a huge memory of 2^64 one-byte counters. This identification can be somewhat easier if we use the observation that we can find several bits of B even if we use only a characteristic with one round less, whose probability is about 2^-55, since we can predict the behavior of the five S boxes in the last round which have zero input differences.

This enhanced technique requires about 2^66 chosen ciphertext tuples to find B (both feedbacks to P3, whose XOR is B) and the key K1. It requires full-length characteristics, whose number of rounds is the same as the number of rounds of the attacked encryption box (sometimes characteristics with one round less can be used), and thus the number of required plaintexts is similar to the number of plaintexts required by a 0R-attack (1R-attack). This technique cannot use linear cryptanalysis.

One could also design modes with many feedbacks that would seem more secure than modes with a small number of feedbacks. If we took this suggestion to the extreme, we could CBC-feedback every round of the triple encryption, resulting in one feedback per round. This would make the intermediate data during the triple encryption more dependent on the previous blocks, and would increase the avalanche of the previous blocks. However, as we conclude from the triple CBC mode above, any multiple CBC mode is not more secure than its basic box against R-attacks. In this suggestion the basic box is just one round, which is trivial to break. Thus this extreme suggestion is also trivial to break. An attack requires only a few chosen ciphertexts to find all the subkeys, even if independent keys are used.

Technique E: Using Exhaustive Search

The best example of this technique analyzes the CBC|CBC|ECB mode. This technique finds the key of the last ECB encryption box using exhaustive search.

The attacker chooses one pair of ciphertext tuples (C0, C1, C2) and (C0', C1, C2) in which C0 ≠ C0'. For this pair P2 ⊕ P2' equals the difference of the input of the last encryption box in block 0. Thus we can exhaustively search all values of K3 by decrypting C0 and C0' and verifying that the difference of the results equals P2 ⊕ P2'.

Unlike most of the techniques that we describe, this technique has a known plaintext variant. Given about 2^65 known plaintexts, the birthday paradox predicts the existence of two tuples (C0, C1, C2) and (C0', C1', C2') in which C1 = C1', C2 = C2' and C0 ≠ C0'. The same technique might be applied on this pair.

Technique F: The Birthday Technique

This technique has several variants, of which only one is described in this section. All these variants use the birthday paradox to find good samples for cryptanalysis, and they can use differential cryptanalysis, linear cryptanalysis and exhaustive search for finding the key of a single component. The variant we describe in this section cryptanalyzes the last encryption box of the triple CBC mode (or any multiple CBC/ECB mode whose last component is CBC), and it finds the key of the last component by exhaustive search.

This variant requires the attacker to choose 2^33 ciphertext tuples of the form (C, C, C, C), where C is chosen at random, and to receive the corresponding plaintexts (P0, P1, P2, P3), of which only the P3's are actually required.

The CBC decryption of the third single CBC mode of a tuple (C, C, C, C) results in a tuple whose last three blocks are (H, H, H), where H = C ⊕ DES^-1_K3(C). H is a pseudorandom function of C and not a permutation of the values of C. Thus, given 2^33 random C's, with a high probability two of the C's result with the same H. Therefore, for these two C's the same value of P3 is expected. False alarms can result from the first two single CBC modes due to the same property, and thus the following analysis should be repeated three times on average until K3 is found.

Given the 2^33 P3's resulting from triple CBC decryption of the (C, C, C, C) tuples, we search for pairs of C and C' for which P3 = P3'. For such pairs we assume that both C and C' satisfy

C ⊕ DES^-1_K3(C) = C' ⊕ DES^-1_K3(C').

Then we exhaustively evaluate this equation for all the 2^56 possible values of K3. The equation is satisfied for a fraction of about 2^-64 of the wrong keys, and thus we can be quite sure that a key satisfying this equation is the right key. To decrease the false alarm probability we can select only keys which satisfy the equation using two different pairs of tuples. Note that after we find K3, the same technique can find K2 using the same data. Then K1 can be found by exhaustive search, differential cryptanalysis or linear cryptanalysis.

A more sophisticated variant of this technique can attack the CBC|CBC^-1|CBC (CBC encrypt, CBC decrypt, CBC encrypt) mode with 2^66 chosen ciphertexts and complexity 2^66 (see the tables in the summary).
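Two of the structural claims above can be checked mechanically: the remark under Technique A that in ECB|CBC|CBC a ciphertext block decrypts to the same plaintext wherever it appears, provided the two blocks before it are the same, and the observation under Technique F that under triple CBC the P3 of a (C, C, C, C) tuple depends on C only through H = C ⊕ D_K3(C), so that a P3 collision gives an equation in K3 alone. The Python below is an added example, not code from the paper; it uses a constructed 16-bit toy Feistel cipher in place of DES so the whole block and key space can be scanned, and every key, IV and block value in it is made up.

```python
import random

# Constructed 16-bit toy Feistel cipher, a stand-in for DES so that the checks
# below can scan the whole block and key space in seconds.  Not DES, not
# secure, and not from the paper.
BLOCK_BITS, KEY_BITS = 16, 16
MASK = (1 << BLOCK_BITS) - 1

def _f(half, rk):
    x = ((half ^ rk) * 0x6B + 0x2D) & 0xFF      # odd multiplier: byte bijection
    return ((x << 3) | (x >> 5)) & 0xFF          # rotate left by 3

def _round_keys(key):
    return [((key >> (2 * i)) ^ (key * (i + 3))) & 0xFF for i in range(6)]

def toy_encrypt(key, block):
    l, r = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (r << 8) | l

def toy_decrypt(key, block):
    r, l = block >> 8, block & 0xFF              # undo the final swap
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r

# Single-mode decryptors; each is one "encryption box" in the paper's terms.
def ecb_dec(key, blocks, iv=None):
    return [toy_decrypt(key, c) for c in blocks]

def cbc_dec(key, blocks, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(toy_decrypt(key, c) ^ prev)
        prev = c
    return out

def cascade_decrypt(components, blocks):
    """components: (decryptor, key, IV) per box, in encryption order (box 1
    first).  Decrypting the multiple mode applies them last to first."""
    for dec, key, iv in reversed(components):
        blocks = dec(key, blocks, iv)
    return blocks

# Technique A remark: in ECB|CBC|CBC a ciphertext block decrypts to a value
# that depends only on itself and the two ciphertext blocks preceding it.
def ecb_cbc_cbc_third_block(keys, ivs, triple, position, filler_seed):
    k1, k2, k3 = keys
    rng = random.Random(filler_seed)             # constructed filler blocks
    msg = [rng.randrange(MASK + 1) for _ in range(position + 5)]
    msg[position:position + 3] = list(triple)
    comps = [(ecb_dec, k1, None), (cbc_dec, k2, ivs[1]), (cbc_dec, k3, ivs[2])]
    return cascade_decrypt(comps, msg)[position + 2]

# Technique F: under triple CBC the tuple (C, C, C, C) decrypts to a P3 that
# depends on C only through H = C xor D_K3(C), which involves K3 alone.
def h_value(k3, c):
    return c ^ toy_decrypt(k3, c)

def triple_cbc_p3(keys, ivs, c):
    comps = [(cbc_dec, keys[i], ivs[i]) for i in range(3)]
    return cascade_decrypt(comps, [c, c, c, c])[3]

def find_h_collisions(k3, count):
    """Pairs (C, C') with C != C' and equal H.  The toy block space is small
    enough to scan; the paper relies on the birthday paradox (about 2^33
    random tuples for 64-bit blocks) and accepts false alarms from the first
    two CBC stages, which the exhaustive scan here avoids."""
    seen, pairs = {}, []
    for c in range(MASK + 1):
        h = h_value(k3, c)
        if h in seen:
            pairs.append((seen[h], c))
            if len(pairs) == count:
                break
        else:
            seen[h] = c
    return pairs

def k3_candidates(pairs):
    """Keys k with C xor D_k(C) == C' xor D_k(C') for every pair, i.e. the
    equation the paper evaluates for all 2^56 DES keys.  Only K3 appears in
    it: the internal feedback isolates one key of the cascade."""
    return [k for k in range(1 << KEY_BITS)
            if all(h_value(k, a) == h_value(k, b) for a, b in pairs)]

if __name__ == "__main__":
    keys, ivs = (0x1234, 0xBEEF, 0x0C0D), (0x1111, 0x2222, 0x3333)  # made up
    triple = (0xA1B2, 0x3C4D, 0x5E6F)
    print(ecb_cbc_cbc_third_block(keys, ivs, triple, 1, 1) ==
          ecb_cbc_cbc_third_block(keys, ivs, triple, 4, 7))       # True
    pairs = find_h_collisions(keys[2], 2)
    print(all(triple_cbc_p3(keys, ivs, a) == triple_cbc_p3(keys, ivs, b)
              for a, b in pairs))                                   # True
    print(keys[2] in k3_candidates(pairs))                          # True
```

The collision scan followed by `k3_candidates` is the check a mode designer would run to confirm that an internal feedback isolates one component key; in the paper's recommended design, a single mode built around the whole cascade, the same equation depends on all the keys at once.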

Summary

We studied the strength of multiple modes of operation. We showed that in many cases these modes are weaker than the corresponding multiple ECB mode. In several cases these modes are not more secure than just one single encryption using the same cryptosystem. For example, a triple CBC mode doing CBC|CBC|CBC (each encrypting using a single DES), and the modes CBC|CBC|ECB, CBC|ECB|CBC and ECB|CBC|CBC, are weaker than triple DES, and their strength is comparable to the strength of a single DES. The triple mode CBC|CBC^-1|CBC, where CBC^-1 is CBC decryption, is not much stronger.

The first two tables below summarize the results obtained for the multiple modes of operation when the underlying cryptosystems are DES and Feal, respectively. All the attacks are chosen ciphertext attacks. The complexities quoted are the complexities of finding one key of one of the single modes (i.e., the easiest key to find), in terms of the number of tuples required or the complexity of the analysis (the largest of them). To find the other keys the complexity might be higher. The third table summarizes the total complexities of attacking the multiple modes of operation and finding all their keys. In the full paper we will describe results on multiple modes incorporating additional single modes, such as CFB.

Mode                       Cryptanalysis using technique (A-F): complexities
ECB|CBC|CBC                2^47   2^60   2^58
CBC|ECB|CBC                2^61   2^60   2^58
CBC|CBC|ECB                2^61   2^60   2^56
CBC|CBC|CBC                2^66   2^58
CBC|CBC^{-1}|CBC           2^66
CBC feedback every round   Few

Table: Summary of the easiest-key chosen ciphertext attacks on multiple modes of DES.

Mode                       Cryptanalysis using technique (A-F): complexities
ECB|CBC|CBC                2^24   2^66
CBC|ECB|CBC                2^24   2^66
CBC|CBC|ECB                2^24   2^64
CBC|CBC|CBC                2^17   2^66
CBC|CBC^{-1}|CBC           2^66
CBC feedback every round   Few

Table: Summary of the easiest-key chosen ciphertext attacks on multiple modes of Feal.

We conclude that strong modes of operation should not be based on combining simpler modes, nor use internal feedbacks. We suggest using single modes and incorporating multiple encryption as the underlying cryptosystem of the single modes. Alternatively, whenever we have a multiple mode, or any other mode which uses internal feedbacks, it can be strengthened by eliminating the use of the internal feedbacks.

Mode                       Complexity (E = DES)   Complexity (E = Feal)
ECB|CBC|CBC                2^58                   2^17
CBC|ECB|CBC                2^58                   2^17
CBC|CBC|ECB                2^58                   2^17
CBC|CBC|CBC                2^59                   2^18
CBC|CBC^{-1}|CBC           2^66                   2^66
CBC feedback every round   Few                    Few

Table: Total complexities of the attacks on the multiple modes.
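To make the recommendation above concrete, the following is an added Python illustration (not the paper's code) contrasting CBC|CBC|CBC with a single CBC mode built around triple encryption. toy_block, the keys, IVs and plaintext are constructed stand-ins; blocks_disturbed shows how each layer of internal feedback carries a ciphertext error one block further, which is exactly the intermediate-data feedback the paper argues against.

```python
# Added illustration (not code from the paper): CBC|CBC|CBC versus one CBC mode
# built around triple encryption. toy_block is a constructed stand-in for DES,
# a 2-round Feistel keyed through SHA-256, with no strength of its own.
import hashlib
BLOCK = 8  # 64-bit blocks, as in DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def toy_block(key: bytes, blk: bytes, decrypt: bool = False) -> bytes:
    l, r = blk[:4], blk[4:]
    for i in ((1, 0) if decrypt else (0, 1)):  # reversed round order inverts it
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l

def cbc(enc, dec, data: bytes, iv: bytes, decrypt: bool = False) -> bytes:
    """Plain CBC mode over any block function pair (enc, dec)."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        if decrypt:
            out.append(xor(dec(c), prev)); prev = c
        else:
            prev = enc(xor(c, prev)); out.append(prev)
    return b"".join(out)

def triple_cbc(keys, ivs, data, decrypt=False):
    """CBC|CBC|CBC: three single-cipher CBC layers with their own IVs, so the
    inner layers feed back intermediate data (the structure the paper breaks)."""
    layers = list(zip(keys, ivs))
    for k, iv in (reversed(layers) if decrypt else layers):
        data = cbc(lambda b, k=k: toy_block(k, b),
                   lambda b, k=k: toy_block(k, b, True), data, iv, decrypt)
    return data

def cbc_of_triple(keys, iv, data, decrypt=False):
    """One CBC mode around triple (EDE) encryption, as the paper recommends:
    only the final ciphertext block is ever fed back."""
    k1, k2, k3 = keys
    ede = lambda b: toy_block(k3, toy_block(k2, toy_block(k1, b), True))
    ded = lambda b: toy_block(k1, toy_block(k2, toy_block(k3, b, True)), True)
    return cbc(ede, ded, data, iv, decrypt)

def blocks_disturbed(decrypt_fn, ct: bytes, i: int) -> int:
    """Plaintext blocks changed by flipping a bit of ciphertext block i."""
    bad = bytearray(ct); bad[i * BLOCK] ^= 1
    good, dam = decrypt_fn(ct), decrypt_fn(bytes(bad))
    return sum(good[j:j + BLOCK] != dam[j:j + BLOCK] for j in range(0, len(ct), BLOCK))
KEYS = [b"key-one!", b"key-two!", b"key-thr3"]  # constructed sample keys
IVS = [bytes([n] * BLOCK) for n in (1, 2, 3)]   # constructed sample IVs
PT = bytes(range(64))                            # constructed 8-block plaintext
```

Flipping one ciphertext bit disturbs two plaintext blocks under CBC-of-triple but four under CBC|CBC|CBC, because each inner CBC layer re-feeds the already-damaged intermediate block.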

Acknowledgments

I would like to acknowledge Ross Anderson, whose ideas motivated this research, and Carl Ellison and Burt Kaliski, whose valuable remarks and suggestions improved the quality of this paper. Shimon Even has pointed me to and . Acknowledgment: This research was supported by the fund for the promotion of research at the Technion.

References

On Matsui's Linear Cryptanalysis, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT, to appear.

Eli Biham, Alex Biryukov, An Improvement of Davies' Attack on DES, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT, to appear.

Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag.

Eli Biham, Adi Shamir, Differential Cryptanalysis of the full round DES, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO, pp.

D. W. Davies, Investigation of a Potential Weakness in the DES Algorithm, private communication.

Carl Ellison, private communications.

Shimon Even, Oded Goldreich, On the Power of Cascade Ciphers, ACM Transactions on Computer Systems, Vol., No., pp., May.

Burt Kaliski, Triple-DES: A Brief Report, RSA Laboratories, private communication, October.

Mitsuru Matsui, Linear Cryptanalysis Method for DES Cipher, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT, pp.

Ueli M. Maurer, James L. Massey, Cascade Ciphers: The Importance of Being First, Journal of Cryptology, Vol., No., pp.

Shoji Miyaguchi, Akira Shiraishi, Akihiro Shimizu, Fast Data Encryption Algorithm FEAL, Review of Electrical Communications Laboratories, Vol., No., pp.

National Bureau of Standards, Data Encryption Standard, US Department of Commerce, FIPS pub., January.

National Bureau of Standards, DES Modes of Operation, US Department of Commerce, FIPS pub., December.

Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple Encryption, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT, pp.

Bart Preneel, Marnix Nuttin, Vincent Rijmen, Johan Buelens, Cryptanalysis of the CFB Mode of the DES with a Reduced Number of Rounds, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO, pp.

Akihiro Shimizu, Shoji Miyaguchi, Fast Data Encryption Algorithm FEAL, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT, pp.

Michael J. Wiener, Efficient DES Key Search, technical report TR, School of Computer Science, Carleton University, Ottawa, Canada, May. Presented at the Rump session of CRYPTO, August.