BRICS BRICS RS-94-38 Damg Basic Research in Computer Science ard & Knudsen: Enhancing the Strength of Conventional Cryptosystems ˚ Enhancing the Strength of Conventional Cryptosystems Ivan B. Damgard˚ Lars Ramkilde Knudsen BRICS Report Series RS-94-38 ISSN 0909-0878 November 1994 Copyright c 1994, BRICS, Department of Computer Science University of Aarhus. All rights reserved. Reproduction of all or part of this work is permitted for educational or research use on condition that this copyright notice is included in any copy. See back inner page for a list of recent publications in the BRICS Report Series. Copies may be obtained by contacting: BRICS Department of Computer Science University of Aarhus Ny Munkegade, building 540 DK - 8000 Aarhus C Denmark Telephone:+45 8942 3360 Telefax: +45 8942 3255 Internet: [email protected] Enhancing the Strength of Conventional Cryptosystems Ivan B Damgard BRICS Aarhus University Lars Ramkilde Knudsen Aarhus University September Abstract Welookatvarious ways of enhancing the strength of conventional cryptosystems such as DES by building a new system which has longer keys and which uses the original system as a building blo ck We pro p ose a new variantoftwokey triple encryption which is not vulnerable to the meet in the middle attackbyvan Oorschot and Wiener Under an appropriate assumption on the security of DES we can prove that our system is at least as hard to break as single DES Intro duction Since its intro duction in the late seventies the American Data Encryption Standard DES has b een the sub ject of intense debate and cryptanalysis Likeany other practical cryptosystem DES can b e broken by searching ex haustively for the key One natural direction of research is therefore to nd attacks that will b e faster than exhaustivesearch measured in the numb er of necessary en cryption op erations The most successful attack known of this kind is the linear attackby Matsui This attack requires ab out known plain text blo cks Although this is less than the exp ected encryptions required Basic Research in Computer Science Centre of the Danish National Research Foundation for exhaustivekey search the attackisby no means more practical than exhaustive search There are two reasons for this rst one cannot in prac tice neglect the time needed to obtain the information ab out the plaintext secondly when doing exhaustivekey search the enemy is free to invest as much in technology as he is capable of to make the searchmoreecient in aknown plaintext attack he is basically restricted to the technology of the legitimate owner of the key and to the frequency with whichthekey is used In virtually any practical application a single DES key will b e applied to much less than blo cks even in its entire life time The dierence b etween the two kinds of attacks is illustrated in a dramatic wayby the results of Wiener who shows by concrete design of a key searchmachine that if the enemy is willing to make a one million dollar investment exhaustivekey search for DES is certainly not infeasible As a result wehave a situation where DES has proved very resistantover a long p erio d to cryptanalysis and therefore seems to b e as secure as it can b e in the sense that by far the most practical attack is a simple brute force searchforthekey The only problem is that the key is to o short given to days technology and that therefore dep ending on the value of the data you are protecting plain DES may not b e considered secure enough anymore What can b e done ab out this problem One obvious solution is to try to design a completely new algorithm This can only b e a very long term solution a new algorithm has to b e analysed over a long p erio d b efore it can b e considered secure also the vast numb er of p eople who haveinvested in DES technology will not like the idea of their investments b ecoming worthless overnight An alternative is to devise a new system with a longer key using DES as a building blo ck This way existing DES implementations can still b e used We are in the situation where wehave a blo ck cipher that has proved to be very strong the only problem b eing that the keys are to o small and a sim ple bruteforce attack has b ecome p ossible Thus this section is motivated by the following general question Given cryptosystem X whichcannotin practice b e broken faster than exhaustivekey search how can we build a new system Y such that Keys in Y are signicantly longer than keys in X eg twice as long Given an appropriate assumption ab out the securityof X Y is provably as hard to break as X under any natural attack eg ciphertext only known plaintext etc It can b e convincingly argued that Y can in fact not b e broken faster than exhaustivekey search and is therefore in fact much stronger than X Possible answers to this question have already app eared in the literature The most well known example is known as twokey triple encryption where we encipher under one key decipher under a second key and nally encipher under the rst keyVan Oorschot and Wiener haveshown rening an attack of Merkle and Hellman that this construction is not optimal underaknown plaintext attack it can b e broken signicantly faster than exhaustivekey search We prop ose a new variantoftwokey triple encryption which has all the prop erties we require ab ove Multiple encryption In this section we lo ok at metho ds for enhancing cryptosystems based on the idea of encrypting plaintext blo cks more than once Following the notation of the intro duction we let X b e the original system and weletE resp D K K denote encryption resp decryption in X under key K We assume that the key space of X consists of all k bit strings and that the blo ck length of X is mInacascade of ciphers it is assumed that the keys of the comp onent ciphers are indep endent The following result was proved by Maurer and Massey Theorem The imp ortance of b eing rst Acascade of ciphers is at least as hardtobreak as the rst cipher By restricting ourselves to the most p owerful attack the chosen plaintext attack we can prove the following more general result Theorem The imp ortance of b eing there Acascade of ciphers is at least as hardtobreak under any attack as any of the component ciphers in the cascade under a chosen plaintext attack Pro of Assume that wehave an algorithm A which on input the encryp tions of n known or chosen plaintexts or on input just n ciphertexts breaks a cascade of N ciphers Y We will use A to break any of the comp onent c ciphers in a chosen plaintext attack Assume that X is the ith cipher of the N ciphers in the cascade and that we can get encryptions of anycho c sen plaintext Cho ose N keys at random for the ciphers exclusive X c Whenever A asks for the encryption of a chosen or known plaintext P we multiple encrypt P using the rst i keys yielding PP In a ciphertext only attackwecho ose a plaintext P ourselves Then we get the encryption CC of PP in the chosen plaintext setting from X Now use the remaining hwe input to ASince N i keys to multiple encrypt CC yielding C whic c by assumption A breaks the cascade it will output the N keys amongst c whichwe will get a candidate for the secret key of X Wehaveproved that if we can break the cascade we can break any of the comp onent ciphers under achosen plaintext attack Thus if a comp onent cipher X is secure against a chosen plaintext attack then a cascade of ciphers containing X is as secure against any attack A sp ecial case of a cascade of ciphers is when the comp onent ciphers are equal also called multiple encryption In the following we consider dierent forms of multiple encryption Double Encryption The simplest idea one could think of would b e to encrypt twice using twokeys K K ie let the ciphertext corresp onding to P be C E E P It is K K clear and wellknown however that no matter how K K are generated there is a simple meetinthe middle attack that breaks this system under a k k known plaintext attack using encryptions and blo cks of memory ie the same time complexityaskey search in the original system Even though the memory requirements may b e unrealistic it is clear that this is not a satisfactory improvementover X Triple Encryption Triple encryption with three indep endentkeys K K andK where the ciphertext corresp onding to P is C E E E P is also not a sat K K K isfactory solution for a similar reason as for double encryption A simple k meetinthemiddle attack will break this in time ab out encryptions and k space blo cks of memoryThus we do not get full return for our eort in tripling the key length as stated in demand in the intro duction wewould k like attacks to take time close to ifthekey length is k In addition to this if X DE S then a simple triple encryption would preservethe complementation prop erty and preserve the existence of weak keys It is clear however that no matter how the three keys in triple encryption are generated the meetinthemiddle attackmentioned is still p ossible and so the time complexity of the b est attack against any triple encryption variant k is no larger than It therefore seems reasonable to try to generate the three keys from two indep endent X keys K K since triple encryption will not provide security equivalent to more than keys anyway Twokey Triple Encryption wokey triple encryption pro One variant of this idea is wellknown as t p osed byWTuchmann we let the ciphertext corresp onding to P be E D E P Compatibility with a single encryption can b e obtained K K K by setting K K As one