An Optimal Attack On Cryptosystems With Pre/Post

An Optimal Attack on Cryptosystems
Using Pre/Post Whitening Keys
Orr Dunkelman and Adi Shamir
Computer Science Dept
The Weizmann Institute
Israel

Whitening Keys
A cheap way to increase the key size of block ciphers:
Key size in DES: 56 bits
[Diagram: P → DES (key K) → C]

Whitening Keys
• Add independent prewhitening key K1 and postwhitening key K2:
Key size in DESX: 184 bits
[Diagram: P → + K1 → DES (key K3) → + K2 → C]

An Extreme Example: The Even-Mansour Scheme (Asiacrypt 1991)
• Replace the middle part by a single publicly known keyless permutation F:
Key size: 2n bits
[Diagram: P → + K1 → F → + K2 → C]

The Main Question:
• How much security is actually added by these 2n new key bits?
• If the inner encryption is bad (e.g., a linear mapping), both the original and modified scheme can be totally insecure
• The model we consider: Assume that the inner encryption is a collection (indexed by K) of unrelated truly random permutations

In The Even-Mansour Cryptosystem
• Given D=2 known plaintext/ciphertext pairs, we can break the scheme in time T=2^n
• What happens when you have more pairs?
• The Even-Mansour paper proved the following lower bound:
DT >= 2^n
• This lower bound is information theoretic, and does not care if the plaintexts are known or chosen

Previous Results:
• At Asiacrypt 1992, Joan Daemen described a differential attack with any D,T satisfying DT = 2^n, which matched the lower bound curve, but required chosen plaintexts
• At Eurocrypt 2000, Biryukov and Wagner described an advanced slide attack against Even-Mansour, which used only known plaintexts, but matched the lower bound curve only at one point: D=2^{n/2} and T=2^{n/2}

Can you exploit a smaller number of known plaintext/ciphertext pairs?
• Since data is much harder to get than time, D=T=2^{n/2} is not the ideal point on the tradeoff curve DT = 2^n
A slide attack (like many other cryptanalytic attacks) can not effectively exploit a small number of known plaintexts, since it has to wait for some lucky event to happen by chance, and only then start the attack

Our New Attack Is Extremely Simple:
• Given any number D of known pairs (p_i, c_i), search for one triplet d, p1, p2 satisfying:
c1 + F(p1 + d) = c2 + F(p2 + d)
• The number of random values d you have to try is expected to be about 2^n/D^2
• Let e be the common value above. Then with high probability the keys K1 and K2 are:
K1 = p1 + p2 + d
K2 = c1 + c2 + e
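
An added example (not from the talk): the search described above, run against a toy Even-Mansour instance so the DT = 2^n tradeoff can be observed directly. The block size n=16, the table-based F, the seeds and all function names are assumptions made for this demonstration; "+" is taken to be XOR.

```python
import random

N = 16                                   # toy block size (assumption; the talk uses n=80)

def make_F(seed):
    """Public keyless permutation F, modelled as a shuffled lookup table."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return table

def encrypt(F, k1, k2, p):
    """Even-Mansour: C = F(P + K1) + K2, where '+' is XOR."""
    return F[p ^ k1] ^ k2

def slidex(F, pairs, rng):
    """Return (K1, K2, number of d values tried) from known (p, c) pairs."""
    for tries, d in enumerate(rng.sample(range(1 << N), 1 << N), 1):
        buckets = {}                     # e = c + F(p + d)  ->  pairs seen with that e
        for p, c in pairs:
            e = c ^ F[p ^ d]
            for p1, c1 in buckets.get(e, ()):
                k1, k2 = p1 ^ p ^ d, c1 ^ c ^ e
                # A collision can be a false alarm, so confirm on all the data.
                if all(encrypt(F, k1, k2, q) == y for q, y in pairs):
                    return k1, k2, tries
            buckets.setdefault(e, []).append((p, c))
    return None

def demo(seed=1, D=64):
    """Constructed instance: random keys, D known plaintexts, then key recovery."""
    rng = random.Random(seed)
    F = make_F(seed)
    k1, k2 = rng.randrange(1 << N), rng.randrange(1 << N)
    pairs = [(p, encrypt(F, k1, k2, p)) for p in rng.sample(range(1 << N), D)]
    return (k1, k2), slidex(F, pairs, rng)

if __name__ == "__main__":
    true_keys, (r1, r2, tries) = demo()
    print("true keys:", true_keys, "recovered:", (r1, r2), "d values tried:", tries)
    print("work ~ tries * D =", tries * 64, "vs 2^n =", 1 << N)
```

Each d costs D evaluations of F, so the total work is about D * 2^n/D^2 = 2^n/D, which is why the 2n whitening key bits buy roughly n bits of security against an attacker holding known plaintexts.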

The SLIDEX Cryptanalytic Technique:

Concluding Remarks:
• The SLIDEX known plaintext attack can also be applied to keyed schemes such as DESX, and completely solves the 20-year old open problem of the security of schemes with pre/post whitening keys
• In the case of Even-Mansour with n=80, the scheme has 160 key bits, but we can break it in practical 2^56 time if we have 2^24 known plaintext blocks (about the size of the wikileak archive…)