How to decrypt or even substitute DES-encrypted messages in 2^28 steps

In this paper we analyze the complexity of recovering cryptographic keys when messages are encrypted under various keys. We suggest key-collision attacks, which show that the theoretic strength of a block cipher (in ECB mode) cannot exceed the square root of the size of the key space. As a result, in some circumstances, some keys can be recovered while they are still in use, and these keys can then be used to substitute messages by messages more favorable to the attacker (e.g., transfer $1000000 to bank account 123-4567890). Taking DES as our example, we show that one key of DES can be recovered with complexity 2^28, and one 168-bit key of (three-key) triple-DES can be recovered with complexity 2^84. We also discuss the theoretic strength of chaining modes of operation, and show that in some cases they may be vulnerable to such attacks.
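As an added illustration of the key-collision idea in the abstract (not code from the paper), the following Python simulates the attack against a constructed toy cipher with a 20-bit key space: many users encrypt the same known block in ECB mode under independent keys, and an attacker who precomputes on the order of sqrt(K) encryptions of that block expects a ciphertext match that exposes a live key. The toy cipher, the known block and the parameter sizes are assumptions chosen so the run finishes instantly.

```python
"""Toy key-collision attack: constructed toy cipher, not DES.
Many users encrypt the same known plaintext block (ECB) under independent
keys; an attacker with a table of ~sqrt(K) random-key encryptions of that
block expects a match, and a match reveals a key that is still in use."""
import hashlib
import random

KEY_BITS = 20                      # toy key space K = 2**20 (DES would be 2**56)
KEY_SPACE = 1 << KEY_BITS
KNOWN_BLOCK = b"MSG-HDR1"          # assumed fixed 8-byte header every user sends


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Stand-in for a 64-bit block cipher: keyed hash truncated to 8 bytes."""
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()[:8]


def key_collision_attack(observed, table_size, rng):
    """observed: list of ciphertexts of KNOWN_BLOCK, one per user key.
    Builds table_size (ciphertext -> key) pairs for random keys and returns
    {user_index: recovered_key} for every observed ciphertext in the table."""
    table = {}
    for _ in range(table_size):
        k = rng.randrange(KEY_SPACE)
        table[toy_encrypt(k, KNOWN_BLOCK)] = k
    return {i: table[c] for i, c in enumerate(observed) if c in table}


def simulate(n_users=1 << 12, table_size=1 << 12, seed=1):
    """Expected matches ~ n_users * table_size / K = 16 with these defaults;
    with n_users = table_size = sqrt(K) it is ~1, the bound the abstract states.
    Returns (matches, all_matches_correct, total_encryptions_by_attacker_and_users)."""
    rng = random.Random(seed)
    user_keys = [rng.randrange(KEY_SPACE) for _ in range(n_users)]
    observed = [toy_encrypt(k, KNOWN_BLOCK) for k in user_keys]
    recovered = key_collision_attack(observed, table_size, rng)
    # A match pins down the user's key: with 64-bit blocks and 2**20 keys an
    # accidental ciphertext collision between two different keys is negligible.
    correct = all(user_keys[i] == k for i, k in recovered.items())
    return len(recovered), correct, n_users + table_size


if __name__ == "__main__":
    hits, ok, work = simulate()
    print(f"{hits} live keys recovered after {work} encryptions in total; verified={ok}")
```

Raising KEY_BITS shows the cost growing as 2^(KEY_BITS/2) rather than 2^KEY_BITS, which is why the abstract bounds ECB-mode strength by the square root of the key space.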
