Efficient Dissection of Bicomposite Problems with Cryptanalytic Applications

In this paper, we show that a large class of diverse problems have a bicomposite structure which makes it possible to solve them with a new type of algorithm called dissection, which has much better time/memory tradeoffs than previously known algorithms. A typical example is the problem of finding the key of multiple encryption schemes with $r$ independent $n$-bit keys. All the previous error-free attacks required time $T$ and memory $M$ satisfying $TM = 2^{rn}$, and even if "false negatives" are allowed, no attack could achieve $TM < 2^{3rn/4}$. Our new technique yields the first algorithm which never errs and finds all the possible keys with a smaller product $TM$, such as $T = 2^{4n}$ time and $M = 2^{n}$ memory for breaking the sequential execution of $r = 7$ block ciphers. The improvement ratio we obtain increases in an unbounded way as $r$ increases, and if we allow algorithms which can sometimes miss solutions, we can get even better tradeoffs by combining our dissection technique with parallel collision search. To demonstrate the generality of the new dissection technique, we show how to use it in a generic way in order to improve rebound attacks on hash functions and to solve with better time complexities (for small memory complexities) hard combinatorial search problems, such as the well-known knapsack problem.
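The smallest instance of the tradeoff described above is 4-fold sequential encryption, where a plain meet-in-the-middle attack needs $T = M = 2^{2n}$ but dissection reaches $T = 2^{2n}$ with only $M = 2^{n}$ memory: guess the intermediate value after the second cipher, solve the two resulting 2-encryption halves by meet-in-the-middle, and join the two candidate lists on the values they assign to the remaining plaintext/ciphertext pairs. The following is an added worked example, not code from the paper or its authors: the block cipher is a constructed 8-bit toy (an 8-bit key and an 8-bit block, so $n = 8$ and every table holds at most 256 entries), the S-box is a fixed seeded permutation, and the key and plaintexts in the demo are arbitrary choices. The attack structure is the generic one; only the cipher is a stand-in.

```python
"""Toy Dissect_4: recover (k1, k2, k3, k4) of E_k4(E_k3(E_k2(E_k1(P))))
with 2^n memory and about 2^{2n} cipher calls.

Added example, not the paper's code. The cipher below is a constructed
8-bit toy (n = 8) chosen so the 2^n tables are tiny; any cipher with an
n-bit key and n-bit block fits the same attack.
"""
import random

N = 8                     # block and key size in bits (assumption: toy size)
MASK = (1 << N) - 1

# Constructed S-box: a fixed, seeded random permutation of 0..2^N-1.
_rng = random.Random(2012)
SBOX = list(range(1 << N))
_rng.shuffle(SBOX)
SBOX_INV = [0] * (1 << N)
for _i, _s in enumerate(SBOX):
    SBOX_INV[_s] = _i


def _rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def enc(k, x):
    """Toy n-bit block cipher; a bijection on x for every key k."""
    return SBOX[x ^ k] ^ _rotl(k, 3)


def dec(k, y):
    return SBOX_INV[y ^ _rotl(k, 3)] ^ k


def enc4(keys, x):
    """Sequential 4-fold encryption: E_k4 o E_k3 o E_k2 o E_k1."""
    for k in keys:
        x = enc(k, x)
    return x


def mitm2(x_in, x_out):
    """All (ka, kb) with enc(kb, enc(ka, x_in)) == x_out.

    Classic meet-in-the-middle on two ciphers: one table of 2^n entries,
    2^n encryptions plus 2^n decryptions, about 2^n suggestions returned."""
    table = {}
    for ka in range(1 << N):
        table.setdefault(enc(ka, x_in), []).append(ka)
    found = []
    for kb in range(1 << N):
        for ka in table.get(dec(kb, x_out), ()):
            found.append((ka, kb))
    return found


def dissect4(pairs):
    """Return every key tuple consistent with the given (plaintext, ciphertext) pairs.

    pairs[0] anchors the guess of the middle value, pairs[1:4] are used to
    join the two halves (3n bits of filtering), and every candidate is then
    checked against all pairs. Peak memory is two 2^n-entry tables."""
    p0, c0 = pairs[0]
    join = pairs[1:4]
    results = []
    for x in range(1 << N):          # guess X = E_k2(E_k1(p0)) = D_k3(D_k4(c0))
        # Left half: all (k1, k2) sending p0 -> x, keyed by their effect on the join pairs.
        left = {}
        for k1, k2 in mitm2(p0, x):
            sig = tuple(enc(k2, enc(k1, p)) for p, _ in join)
            left.setdefault(sig, []).append((k1, k2))
        # Right half: all (k3, k4) sending x -> c0; look up the same signature.
        for k3, k4 in mitm2(x, c0):
            sig = tuple(dec(k3, dec(k4, c)) for _, c in join)
            for k1, k2 in left.get(sig, ()):
                cand = (k1, k2, k3, k4)
                if all(enc4(cand, p) == c for p, c in pairs):
                    results.append(cand)
    return results


if __name__ == "__main__":
    # Constructed demo: arbitrary key, five known plaintexts.
    key = (0x3C, 0xA5, 0x5A, 0x17)
    known = [(p, enc4(key, p)) for p in range(5)]
    print("recovered:", [tuple(hex(k) for k in c) for c in dissect4(known)])
```

The accounting matches the abstract's claim for $r = 4$: the outer loop runs $2^n$ times and each iteration costs a constant number of $2^n$-sized meet-in-the-middle passes, so $T \approx 2^{2n}$ while no table ever exceeds $2^n$ entries, giving $TM \approx 2^{3n} < 2^{rn}$. The join filters on $3n$ bits, so with four pairs roughly one false key survives in expectation; the demo supplies a fifth pair and verifies every candidate against all of them, which is why the function returns a list rather than a single key.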
