How to Forge DESEncrypted Messages in Steps 1 Eli Biham Abstract In this pap er we suggest keycollision attacks and show that the theoretic strength of a cipher cannot exceed the square ro ot of the size of the key space As a result in some circumstances some DES keys can b e recovered while they are still in use and these keys can then b e used to forge messages in 28 particular one key of DES can b e recovered with complexity and one key 84 of threekey tripleDES can b e recovered with complexity Keywords Cryptanalysis Data Encryption Standard DES TripleDES Multiple Encryption Birthday Paradox KeyCollision Attacks Introduction Cryptographic keys are used as secret information during encryption and whose knowledge is required to decrypt the ciphertexts Most currently used ciphers use keys of bits bits and bits and some ciphers use keys of bits Ciphers k with k bit keys can b e used with distinct keys and therefore it is b elieved that the complexity of attacking ciphers with k bit keys or forging messages encrypted with k such ciphers is not less than unless the design of the cipher is weak It is also b elieved that forging messages is as dicult as breaking the cipher and that frequent key replacements increase the security of the cipher or at least cannot reduce its strength In this pap er we show that all these b eliefs are wrong In the particular case of the Data Encryption Standard DES several attacks 47 were suggested Dierential cryptanalysis requires chosen plaintexts and com 43 plexity in order to nd the key linear cryptanalysis requires known plaintexts 50 Technion - Computer Science Department Technical Report CS0884 1996 and complexity and the improved Davies attack requires known plaintexts However the main threat for the security of DES is exhaustive search for the keys on 1 Computer Science Department Technion Israel Institute of Technology Haifa Israel Email bihamcstechnionacil WWW httpwwwcstechnionacilbiham 56 sp ecial purp ose machines which can try keys so fast so that all the p ossible keys can b e searched within only a few hours In order to increase the strength of ciphers multiple encryption was suggested of which tripleencryption b ecame the most p opular variant after doubleencryption was shown to b e theoretically no more secure than single encryption by meet in the middle attacks Tripleencryption is usually dened as C E D E P K K K 3 2 1 where the key K of the triple encryption is formed from three indep endent single encryption keys K K K K For sake of simplicity and since it do es not aect 1 2 3 the results we refer to triple encryption as doing encryption in all its comp onents C E E E P A triple encryption variant which uses two keys where K K K 3 2 1 K K was b elieved to b e roughly as secure as threekey tripleencryption but 3 1 was shown to b e theoretically but not practically no more secure than a single encryption Another seemingly more secure twokey tripleDES variant was suggested in Nowadays tripleencryption and its twokey variant are candidates for an ANSI standard The most successful attacks on multiple encryption are meet in the middle at tacks Multiple encryption with an even number m of encryptions such as double k m2 encryption m or quadruple encryption m can b e analyzed with k (m+1)2 steps However multiple encryption with an o dd m requires steps and in 112 particular tripleDES requires steps for a meet in the middle attack although the key size is bits this complexity is the same as required for a similar attack on quadrupleDES with key bits The ciphers are usually used in environments that require frequent key replace ments For example bank communications transfer huge amounts of money and the banks need to change keys b efore any of the used keys are to b e found by an attacker even if the attacker sp ends as much in the cryptanalysis as he might get by forging encrypted messages Therefore the attacker might receive many encrypted messages encrypted under many distinct keys while the amount of data encrypted under any particular key is small and hop efully do es not help for the cryptanalysis of that key However in many such cases the headers of the encrypted messages are similar ei ther due to added prex in communication messages or due to some standard prex a of a le format or a programming language like the L T X documentstyle or the E PostScript PSAdobe prexes A similar situation o ccurs when a disk con tains many les Current disks have more than a gigabyte space in a typical such disk there might b e an order of les If all the les are encrypted and esp e cially if the les are automatically encrypted under random keys by a cryptographic le system and all of them are written in the same formatlanguage we can also receive the prex encrypted under many distinct keys Technion - Computer Science Department Technical Report CS0884 1996 An hidden assumption is that not only it is dicult to recover keys of particular ciphertexts it is also dicult to recover even one of the keys since it is unacceptable that even one messages b e forged successfully The imp ortance of this assumption is clear esp ecially in nancial communications This b ehavior motivates the following denition We dene the theoretic strength of a cipher as the minimal complexity t such that given up to t plaintextciphertext pairs p ossibly encrypted under dierent keys an analysis taking up to t steps can recover at least one of the keys with a high probability Dierential and linear cryptanalysis suggest that the theoretic strength of 47 43 DES is b ounded by and resp ectively In the case of dierential cryptanalysis 14 this result holds even if every structure of ciphertext blo cks is encrypted under a dierent key in this case the attack nds one of the keys while it is still in use The use of the birthday paradox in cryptography is well known but is usually limited to analysis of hash functions and compressed enco dings This paradox suggests that in a class of children there is probability more than a half to have two children with the same birthday date In general if some prop erty the birthday might get n distinct values there is a high probability that even in ab out p n entities there is a pair with the same value of the prop erty A variant of this p paradox shows that given two classes each of ab out n entities there is a high probability that some entity of the rst class has the same value of the prop erty as some entity in the second class In this pap er we use the birthday paradox to show that the theoretic strength of a cipher is b ounded by the square ro ot of the size of the key space We describ e a k 2 new attack which given ab out encrypted messages whose headers are the same and each is encrypted under a dierent key can nd one of the keys with complexity k 2 Most computation can b e done in advance so that only one table lo okup is required online for each given ciphertext and thus the key is found while it is still viable and can b e used to forge messages We conclude that the theoretic strength of 28 28 DES is not more than encryption of plaintexts takes only seconds on the DEC gigabitp ersecond GaAs DES chip or only minutes in software on an Alpha computer When keys are frequently changed and the required information 28 for the attack can b e obtained it might b e p ossible in practice to precompute 28 encryptions and to nd one of the keys while it is still in use this key can then b e used to forge messages We suggest two tradeos b etween the number of given encrypted messages and the complexity of the attack so that if fewer messages are given the complexity of nding one key grows by the same factor and if the number of encrypted messages is larger the average investment in each key b ecomes smaller In an extreme situation only one trial encryption is required in average for each found key We use this metho d together with the meet in the middle attack to show that the Technion - Computer Science Department Technical Report CS0884 1996 mk 2 theoretic strength of multiple encryption is not more than for any m given k 2 only encrypted messages and in particular the theoretic strength of threekey 84 28 tripleDES is not more than given encrypted messages The results of this pap er show that if the same plaintext blo cks are encrypted under many keys the attacker can derive the key of one or more messages Anal ogous results are already known for public key cryptosystems and in particular for the RSA cryptosystem Assume e is small and the same in e distinct public keys with mo duli n n n Then if the ciphertexts of some secret message m under 1 2 e e the e keys are known the attacker can derive m mo d n n n from the 1 2 e e ciphertexts m mo d n and compute the secret message m as the nonmo dular i eth ro ot of it We emphasis that the attacks describ ed in this pap er are applicable to all types of ciphers and in particular to blo ckciphers and stream ciphers and to any multiple encryption or even multiple mo de of op eration The attacks can b e used with chosen plaintext known plaintext and even ciphertext only contexts if the le language or communication headers are xed and publicly known Although these attacks also apply to public key cryptosystems the results in such systems are usually worse than directly solving factoring the keys of those systems In Section we describ e the attacks and their p ossible tradeos In Section we describ e the extension to multiple encryption Finally we summarize the results and describ