Increasing the Key Size for Block Ciphers

In the document II Private-Key (Symmetric) Cryptography 45 (Page 184-187)

Block Ciphers

5.4 Increasing the Key Size for Block Ciphers

As we have seen, the DES design seems to be almost optimal. It has withstood decades of cryptanalytic attacks and an exhaustive key search still remains the best attack in practice. Thus, it is very natural to try to build a block cipher with a long key, using DES as a building block. In this section we will study such constructions.

Internal tampering versus black-box constructions. There are two possible approaches that one could take to this task. The first is to somehow try to modify the internal structure of DES, while increasing the key size. For example, one may leave the internal f-functions untouched and simply use a 128-bit key with a different key schedule (still choosing a 48-bit subkey in each round). The disadvantage of this approach is that by modifying the design of DES we lose the confidence that we have gained over the many years of its existence. Cryptographic constructions are very sensitive and even mild and seemingly insignificant changes can render the original scheme completely insecure. This approach is therefore usually not recommended. An alternative approach that does not suffer from the above problem is to use the original DES as a “black box”. That is, no change is made to the original cipher, and the key is lengthened by somehow applying the complete original DES a number of times to the input (while using different keys each time). For example, in double-DES, the block cipher is defined by two applications of DES to the input where each application uses an independent key. Another advantage of black-box constructions is that they can be applied to any underlying block cipher, because they make no reference to the internal structure. Indeed, in the constructions below we will often refer to an arbitrary block cipher, and not just to DES.

5.4.0.2 Double Invocation

Let $F$ be a block cipher and let $k_1$ and $k_2$ be two independent keys for $F$. Then, a new block cipher with a key that is twice the length of the original one can be defined by

$$F'_{k_1,k_2}(x) = F_{k_2}(F_{k_1}(x)).$$

If $F = \mathrm{DES}$ then the result is a key of size 112, which is much too long for any exhaustive key search (for DES this method is typically called double-DES).

Unfortunately, as we will show now, a double invocation of a block cipher does not provide a high enough level of security. We describe a “meet-in-the-middle” attack on the double-invocation method. Denote the length of the keys of $F$ by $n$ (thus the length of the keys of $F'$ is $2n$). The attack that we will describe now uses approximately $2^n$ time and $2^n$ space.

The adversary is given an input/output pair $(x, y)$ where $y = F'_{k_1,k_2}(x) = F_{k_2}(F_{k_1}(x))$, and works as follows. First, it starts by building two lists of pairs. The first list is made up of all the pairs of the form $(\tilde{k}_1, z_1)$ where $z_1 = F_{\tilde{k}_1}(x)$; that is, for every possible key $\tilde{k}_1$, the pair $(\tilde{k}_1, z_1)$ is added to the list. The second list is made up of all the pairs of the form $(\tilde{k}_2, z_2)$ where $z_2 = F^{-1}_{\tilde{k}_2}(y)$. (Recall that $x$ and $y$ are the given input/output pair.) Notice now that there exists a value $z$ such that $F_{k_1}(x) = z = F^{-1}_{k_2}(y)$, where $k_1$ and $k_2$ are the keys that the adversary is searching for. Therefore, the aim of the adversary is to match up pairs in the first list with pairs in the second list, where a match is defined by the pairs having the same $z$ portion (i.e., where $z_1 = z_2$). Any such match defines a candidate key $(\tilde{k}_1, \tilde{k}_2)$ for $F'$ because $F_{\tilde{k}_1}(x) = z_1 = z = z_2 = F^{-1}_{\tilde{k}_2}(y)$ and so $y = F_{\tilde{k}_2}(F_{\tilde{k}_1}(x))$. This is the “meet-in-the-middle” that we are looking for; see Figure ??.

We therefore remain with an algorithmic problem which is to scan the two lists and find all matches. We leave the solution of this as an exercise (see Exercise 5.8), and note that it can be carried out in time $O(2^n)$.

Assuming random behavior of $F$, we have that approximately $2^n$ candidate key-pairs $(\tilde{k}_1, \tilde{k}_2)$ should be found. (This is because each $z$ should appear approximately once in each table. Thus, each $z$ in the first table should have approximately one match in the second table. This yields $2^n$ candidates.) The attack is then concluded by testing all of the candidate pairs on a new input/output pair $(x', y')$ obtained by the adversary.

Complexity. Using counting sort, the lists can be constructed and sorted in time $O(2^n)$. Furthermore, the search for all candidates can be carried out in time $2 \cdot 2^n$. Overall, the time complexity of the attack is therefore $O(2^n)$.

In other words, double invocation is vulnerable to an attack that takes no longer than an exhaustive key search on the original block cipher. We stress that although this is true with respect to the time complexity of the attack, it requires $2 \cdot 2^n$ memory, which is a very high space complexity.

Double-DES. When applying double invocation to DES, we obtain that the result is vulnerable to an attack requiring time that is in the order of $2^{56}$ (to be more exact, it would be something like $2^{60}$). This is still within our computing capabilities today and so is highly problematic. Of course, the attack also requires $2^{57}$ space and this is far more problematic. Despite this, the margin of security for double-DES is not large enough and it is therefore not used.

5.4.0.3 Triple Invocation

In order to thwart meet-in-the-middle attacks, three invocations of the underlying block cipher can be used. We have no proof that no other shortcuts exist for this method. Despite this, it is widely believed that triple invocation of the block cipher provides a high level of security against brute force attacks.

There are two variants that are typically used for triple invocation:

1. Variant 1 – three independent keys: Choose 3 independent keys $k_1, k_2, k_3$ and compute $y = F'_{k_1,k_2,k_3}(x) = F_{k_3}(F^{-1}_{k_2}(F_{k_1}(x)))$.

2. Variant 2 – two independent keys: Choose 2 independent keys $k_1, k_2$ and compute $y = F'_{k_1,k_2}(x) = F_{k_1}(F^{-1}_{k_2}(F_{k_1}(x)))$.

Before comparing the security of the two alternatives we note that the middle invocation of $F$ is actually $F^{-1}$. This makes no difference to the security because if $F$ is a pseudorandom permutation then so too is $F^{-1}$ (see Definition 3.28). The reason for this strange alternation between $F$, $F^{-1}$ and $F$ is so that if one chooses $k_1 = k_2 = k_3$, the result is a single invocation of $F$ with $k_1$. This helps with backward compatibility (in order to reverse back to a single invocation, there is no need for special code and it suffices to just set the keys to all be equal). Regarding the security of the alternatives, no weakness whatsoever has been demonstrated with the first alternative. In contrast, it has been shown that for the second alternative it is possible to carry out an attack in time $2^n$ and using $2^n$ queries to the block cipher. However, as we have mentioned above, the possibility of obtaining $2^n$ outputs of the block cipher on chosen inputs is so far-fetched that it is not considered a concern at all. (This is in contrast with $2^n$ memory that is far more feasible.) Therefore, both alternatives are reasonable, although it seems preferable to go with the first.
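The meet-in-the-middle attack on double invocation from the previous subsection and the equal-key collapse of Variant 2 above, worked on a constructed 16-bit toy block cipher with 10-bit keys. This is an added example, not code from the book; the toy cipher, its key schedule and the key values are assumptions chosen so that the full $2^{2n}$ search stays small enough to compare against.

```python
MASK = 0xFFFF                   # 16-bit block
MUL = 0x9E37                    # odd, so invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4

def _subkey(k, r):
    # Constructed key schedule for the toy cipher (an assumption, nothing like DES's).
    return ((k * 0x1357 + r * 0x2468) ^ (k << r)) & MASK

def toy_encrypt(k, x):
    """F_k(x): a toy 16-bit block cipher standing in for the text's arbitrary F."""
    for r in range(ROUNDS):
        x = ((x ^ _subkey(k, r)) * MUL) & MASK
        x = ((x << 5) | (x >> 11)) & MASK        # rotate left by 5
    return x

def toy_decrypt(k, y):
    """F_k^{-1}(y): undo the rounds in reverse order."""
    for r in reversed(range(ROUNDS)):
        y = ((y >> 5) | (y << 11)) & MASK        # rotate right by 5
        y = ((y * MUL_INV) & MASK) ^ _subkey(k, r)
    return y

def double_encrypt(k1, k2, x):
    """F'_{k1,k2}(x) = F_{k2}(F_{k1}(x)), the double-invocation cipher."""
    return toy_encrypt(k2, toy_encrypt(k1, x))

def triple_encrypt_2key(k1, k2, x):
    """Variant 2 of triple invocation: F_{k1}(F^{-1}_{k2}(F_{k1}(x))); equal keys give single F."""
    return toy_encrypt(k1, toy_decrypt(k2, toy_encrypt(k1, x)))

def meet_in_the_middle(x, y, x2, y2, n):
    """Recover (k1, k2) from two known pairs; n is the single-key length in bits.
    Returns the confirmed key pairs and the number of F / F^{-1} calls spent."""
    calls = 0
    forward = {}     # list 1: z1 = F_{k1~}(x), indexed by z1 (a dict replaces the sort)
    for k1 in range(1 << n):
        forward.setdefault(toy_encrypt(k1, x), []).append(k1)
        calls += 1
    candidates = []  # list 2: z2 = F^{-1}_{k2~}(y); z1 == z2 is the meet in the middle
    for k2 in range(1 << n):
        calls += 1
        for k1 in forward.get(toy_decrypt(k2, y), []):
            candidates.append((k1, k2))
    # Weed out false matches with the second pair (x2, y2), as the text describes.
    confirmed = [kk for kk in candidates if double_encrypt(kk[0], kk[1], x2) == y2]
    calls += 2 * len(candidates)
    return confirmed, calls
```

With $n = 10$ the attack spends roughly $2 \cdot 2^{10}$ cipher calls plus a handful of candidate checks, against $2^{20}$ for a naive search over both keys; the true pair is always among the candidates because its $z$ value is present in both lists.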

Triple-DES (3DES). Triple-DES is based on a triple invocation of DES, as described above. It is widely believed to be highly secure and in 1999 officially replaced DES as the NIST standard (although one would hope that the basic DES was already phased out well before this time). We remark that triple-DES is still widely used today and is considered a very strong block cipher. Its only drawbacks are its relatively small block-size (that can be problematic as discussed in the paragraph on “block length and security” in Section 3.6.4) and the fact that it is quite slow since it requires 3 full block cipher operations (in fact, even single DES is not that fast, making triple DES even worse). These drawbacks have led to its recent replacement in 2001 by the Advanced Encryption Standard (AES), presented in the next section.