Cryptanalysis of Multiple Modes of Operation

Eli Biham
Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
Technion - Computer Science Department - Technical Report CS0833 - 1994

Abstract

In recent years several new attacks on DES were introduced. These attacks have led researchers to suggest stronger replacements for DES, and in particular new modes of operation for DES. The most popular new modes are triple DES variants, which are claimed to be as secure as triple DES. To speed up hardware implementations of these modes and to increase the avalanche, many suggestions apply several standard modes sequentially. In this paper we study these multiple (cascade) modes of operation. This study shows that many multiple modes are much weaker than multiple DES, and their strength is comparable to a single DES. We conjecture that operation modes should be designed around an underlying cryptosystem, without any attempt to use intermediate data as feedback or to mix the feedback into an intermediate round. Thus, in particular, triple DES used in CBC mode is more secure than three single DESs used in triple CBC mode. Alternatively, if several encryptions are applied to each block, the best choice is to concatenate them to one long encryption and build the mode of operation around it.

1 Introduction

The Data Encryption Standard has several modes of operation in which it can be used. These modes were devised to have a limited error propagation, to allow synchronization in data communications, to hide patterns in the plaintexts, and to protect against chosen plaintext attacks on the underlying cryptosystem and against dictionary attacks. In the Cipher Block Chaining (CBC) mode and the Cipher Feedback (CFB) mode each ciphertext block depends on all the previous plaintext blocks, by using the previous ciphertext block during encryption. The Output Feedback (OFB) mode was designed to allow precomputation of a major part of the encryption process and to act as a pseudorandom bit generator. In this mode a chosen plaintext attack does not give an attacker more information than a known plaintext attack. The CFB and OFB modes also allow encryption with a variety of blocksizes.

[Figure: DES Modes of Operation (ECB, CBC, CFB, OFB)]

Although these modes were designed to protect against chosen plaintext attacks, there is no attempt to protect against known plaintext attacks. In the modes of operation of DES, if an attacker knows both the plaintext blocks and the ciphertext blocks, he can calculate the values of the actual inputs and outputs of the underlying cryptosystem, and can mount any known plaintext attack.

Since the DES modes of operation were introduced (they are described in the figure), many new non-standard modes were suggested. The first of these is the counter mode, in which a counter is incremented and used as a feedback, while there is no feedback from other plaintext blocks. Other examples of suggested modes are PCBC, which was also used as a MAC function in the Kerberos system, and PFF (Plaintext Feed Forward), which is similar to decryption under CBC, except that it uses encryption rather than decryption internally. All these modes are designed around one encryption function without inner feedbacks. We will call such modes single modes.

In recent years several new attacks on DES were introduced. These attacks have led many people in the cryptographic community to suggest stronger replacements for DES, which can be either new cryptosystems or new modes of operation for DES. The most popular new modes are the multiple modes, which are combined from several consecutive applications of single modes. In particular, triple modes, combined from three consecutive applications of single modes, were suggested. These triple modes were claimed to be as secure as triple DES, although they do not have triple DES as a building block. An advantage of the triple modes and multiple modes, when implemented in hardware, is that their speed is just the same as that of single modes, since the single modes can be pipelined.

In this paper we cryptanalyze many multiple modes of operation. In particular, we show that many triple modes are much weaker than triple DES, and that some triple modes are not much more secure than a single DES.

Our attacks may be based upon any known attack on the underlying cryptosystems, and in particular upon differential cryptanalysis, linear cryptanalysis, improved Davies' attack, and exhaustive search. For reference, we assume that the following complexities are required by these attacks: 2^47 chosen plaintexts are required for differential cryptanalysis of DES (2^61 if independent keys are used), and 2^43 known plaintexts are required for linear cryptanalysis of DES (2^60 if independent keys are used). Exhaustive search requires 2^55 to 2^56 steps. For Feal the complexities are 2^24, 2^24 and 2^64, respectively. Note that all the complexities of differential cryptanalysis hold for the ECB, CBC and CFB modes under chosen plaintext or chosen ciphertext attacks, and that the linear cryptanalysis complexities hold for the ECB, CBC, CFB and OFB modes under a known plaintext attack. Note also that an attack on a CFB mode of DES with a shorter feedback and a reduced number of rounds was described in the literature. The best full-round differential characteristic of DES has probability about 2^-63, and the best full-round differential characteristic of Feal has probability 2^-16. Unless otherwise indicated, we assume that DES is the underlying cryptosystem of the attacked modes. Throughout this paper, whenever we refer to the CFB and OFB modes, we actually mean their full feedback variants, i.e., the CFB and OFB modes whose feedback is a full block.

Our attacks are of three major kinds. Chosen plaintext attacks are applicable to the ECB mode, and potentially to other modes which were not designed to be immune to chosen plaintext attacks. We concentrate on chosen ciphertext attacks, which are applicable to many of the modes which are immune to chosen plaintext attacks. For example, the CBC and CFB modes are vulnerable to chosen ciphertext attacks, with attacks much simpler than the ones described in this paper. The third kind of attacks, which we do not actually apply in this paper, generalizes the chosen plaintext and chosen ciphertext attacks into chosen plaintext and ciphertext attacks, in which the attacker can decide for each block whether he chooses the plaintext or the ciphertext. These attacks are not adaptive: the attacker can choose all the plaintext/ciphertext blocks before he receives the first encrypted/decrypted block. This model is very strong, since in practice no encryption chip or software allows changing direction from encryption to decryption and vice versa during the process of encryption/decryption. We can slightly reduce this demand by viewing an equivalent model which does not require changing the encryption/decryption direction for each block. In this model two chips loaded with the same key are required: one of them always encrypts and the other always decrypts. In this model the attacks are an adaptive chosen plaintext attack on one chip and an adaptive chosen ciphertext attack on the other chip, both executed in parallel. Whenever in the original attacks we have to encrypt a block, we feed the encrypting chip with the plaintext block and feed the decrypting chip with the resultant ciphertext. Whenever in the original attacks we have to decrypt a block, we feed the decrypting chip with the ciphertext block and feed the encrypting chip with the resultant plaintext. This model is more realistic in the sense that each chip either encrypts or decrypts, but the adaptive attack requirement causes this attack to work almost only when two such loaded chips may be directly manipulated by the attacker. The chosen plaintext and ciphertext attacks are particularly applicable to double modes. They can cryptanalyze many modes that cannot be attacked by the simpler attacks, and can attack other modes with a smaller complexity than other attacks.

We show that many multiple modes are weaker than the corresponding multiple ECB mode when chosen plaintext, chosen ciphertext, or chosen plaintext and ciphertext attacks are applicable. If a multiple mode combines several single modes, in each of which a different cryptosystem is used, and in which the keys of the various single modes are independent, the strength of the multiple mode might not exceed the strength of the strongest single mode component. If the various keys are not independent, the strength of the multiple mode might even be the same as that of its weakest component. Two-key triple DES (triple ECB mode) is such an already known example.

We conjecture that operation modes should be designed around an underlying cryptosystem, without any attempt to use intermediate data as feedback or to mix the feedback into an intermediate round. Alternatively, if several encryptions are applied to each block, the best choice is to concatenate them to one long encryption and build the mode of operation around the result.

This paper is divided into the following sections. In Section 2 we show that multiple modes are at least as strong as the strongest single mode contained within, when the keys of all the various single modes are independent. In Section 3 we analyse many multiple modes and describe our analysis techniques. In Section 4 we summarize the results.

2 The Strength of Multiple
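To make the known-plaintext observation and the cascade construction concrete, the following Python example is added here (it is not code from Biham's paper). A constructed keyed hash stands in for DES as the block function E_K, the four single modes are built around it, cascade applies several single modes consecutively (e.g. triple CBC with three independent keys), and block_io_pairs shows how, in a single mode, the plaintext and ciphertext blocks alone yield the actual inputs and outputs of E_K without the key.

```python
import hashlib

def toy_block(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_K (a keyed PRF in place of DES; only the forward direction is used)."""
    return hashlib.sha256(key + block).digest()[:8]  # 64-bit blocks, as for DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Each single mode: how E_K's input is formed from (plaintext, feedback), whether the ciphertext
# is plaintext XOR the E_K output (otherwise it is the output itself), and the next feedback value.
MODES = {
    "ecb": (lambda p, fb: p,          False, lambda c, y: c),
    "cbc": (lambda p, fb: xor(p, fb), False, lambda c, y: c),
    "cfb": (lambda p, fb: fb,         True,  lambda c, y: c),  # full-block feedback
    "ofb": (lambda p, fb: fb,         True,  lambda c, y: y),  # full-block feedback
}

def encrypt(mode, key, iv, blocks):
    """One single mode, built around the one block function E_K."""
    inp, masked, nxt = MODES[mode]
    out, fb = [], iv
    for p in blocks:
        y = toy_block(key, inp(p, fb))
        c = xor(p, y) if masked else y
        fb = nxt(c, y)
        out.append(c)
    return out

def cascade(modes, keys, ivs, blocks):
    """A multiple mode: several single modes applied consecutively, e.g. triple CBC with 3 keys."""
    for m, k, iv in zip(modes, keys, ivs):
        blocks = encrypt(m, k, iv, blocks)
    return blocks

def block_io_pairs(mode, iv, plain, cipher):
    """Known-plaintext observation: a single mode exposes E_K's (input, output) pairs without the key."""
    inp, masked, nxt = MODES[mode]
    pairs, fb = [], iv
    for p, c in zip(plain, cipher):
        y = xor(p, c) if masked else c
        pairs.append((inp(p, fb), y))
        fb = nxt(c, y)
    return pairs

def pairs_match(key, pairs):
    """Check, using the key, that the recovered pairs really are E_K input/output pairs."""
    return all(toy_block(key, x) == y for x, y in pairs)
```

Applied to the outer plaintext and ciphertext of a cascade, the same recovery yields pairs of no single component's E_K, since the intermediate data is not visible; that hidden intermediate data is what the multiple modes rely on and what the paper's attacks must work around.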