Title: How to protect DES against exhaustive keysearch
How to protect DES against exhaustive key-search
- Joe Kilian, Phillip Rogaway
- July 28, 1997
1. Introduction
Problem
- Susceptibility of DES to exhaustive key search
- 1994: a $1 million key-search engine recovers a DES key in 3.5 hours on average (Wiener)
- Many approaches to reduce this vulnerability
- for instance, a DES-based block cipher with a longer key
- triple DES
- DESX (Rivest): a much cheaper alternative!
Problem (contd)
- Rivest proposed an extension of DES, called DESX, defined by
  $\mathrm{DESX}_{k.k_1.k_2}(x) = k_2 \oplus \mathrm{DES}_k(k_1 \oplus x)$.
- hardly any computational overhead over ordinary DES
- no longer susceptible to brute-force attacks of anything near $2^{56}$ time.
1.1 Our Model
- Key-search strategies treat a cipher as a black-box transformation.
- $\kappa$: key length of the block cipher
- $n$: its block length
- Ideal block cipher: a random map $F: \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$ subject to the constraint that for every $k \in \{0,1\}^\kappa$, $F(k,\cdot)$ is a permutation on $\{0,1\}^n$.
- A key-search adversary $A$ is an algorithm that is given two oracles:
- an $F(\cdot,\cdot)$ oracle that on input $(k,x)$ returns $F(k,x)$, and
- an $F^{-1}(\cdot,\cdot)$ oracle that on input $(k,y)$ returns $F^{-1}(k,y)$.
Our model (contd)
- To apply this to DESX we generalize the DESX construction. Given any block cipher $F$ we define $FX: \{0,1\}^{\kappa+2n} \times \{0,1\}^n \to \{0,1\}^n$ by $FX(k.k_1.k_2,\, x) = k_2 \oplus F(k, k_1 \oplus x)$.
- Notation: $F_k(x)$ and $FX_K(x)$ instead of $F(k,x)$ and $FX(k.k_1.k_2,\, x)$, with $K = k.k_1.k_2$.
- To investigate the strength of $FX$ against key search we consider a key-search adversary $A$ with oracles for $F$ and $F^{-1}$ and determine how well $A$ can play the FX-or-$\pi$ game. $A$ is given an encryption oracle $E$ that has been randomly chosen in one of two ways, each with probability ½: either $E = FX_K$ for a random key $K$, or $E = \pi$ for a random permutation $\pi$ on $\{0,1\}^n$.
- $A$ must guess which way $E$ was chosen.
1.2 Our main result
Let $m$ bound the number of $\langle x, FX_K(x)\rangle$ pairs that the adversary can obtain. Suppose the adversary makes at most $t$ queries to her $F/F^{-1}$ oracles. Then the adversary's advantage over random guessing is at most
$$ m t \cdot 2^{-\kappa-n+1} \;=\; t \cdot 2^{-\kappa-n+1+\lg m} . $$
Consequence: the effective key length of $FX$, with respect to key search, is at least $\kappa + n - 1 - \lg m$ bits (for DES, with $\kappa = 56$ and $n = 64$, this is $119 - \lg m$ bits). $\Rightarrow$ infeasibility of key search!
1.3 Outline of the lecture
- basic notation and definitions
- statement and proof of the main theorem on the security of the DESX construction
- discussion
- show that the analysis underlying our main result is tight.
2. Basic notation and definitions
Preliminaries
- $P_n$: the space of all permutations on $n$-bit strings
- $F: \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$ is a block cipher if for every $k \in \{0,1\}^\kappa$, $F(k,\cdot) \in P_n$.
- $B_{\kappa,n}$: the space of all block ciphers with parameters $\kappa$ and $n$ as above.
- Given $F \in B_{\kappa,n}$, we define the block cipher $FX \in B_{\kappa+2n,\,n}$ by $FX(K,x) = k_2 \oplus F_k(k_1 \oplus x)$, where $K = k.k_1.k_2$, $|k| = \kappa$ and $|k_1| = |k_2| = n$.
Preliminaries (contd)
- Given a partially defined function $F$ from a subset of $\{0,1\}^m$ to a subset of $\{0,1\}^n$ we denote the domain and range of $F$ by $\mathrm{Dom}(F)$ and $\mathrm{Range}(F)$ and define $\overline{\mathrm{Dom}}(F) = \{0,1\}^m - \mathrm{Dom}(F)$ and $\overline{\mathrm{Range}}(F) = \{0,1\}^n - \mathrm{Range}(F)$.
- Denote by $x \leftarrow S$ the act of choosing $x$ uniformly from $S$.
Preliminaries (contd)
- Definition 2.1: A key-search adversary is an algorithm $A$ with access to three oracles, $E(\cdot)$, $F_\cdot(\cdot)$ and $F^{-1}_\cdot(\cdot)$. Thus $A$ may make queries of the form $E(P)$, $F_k(x)$ or $F_k^{-1}(y)$. An $(m,t)$ key-search adversary is a key-search adversary that makes $m$ queries to the $E(\cdot)$ oracle and a total of $t$ queries to the $F_\cdot(\cdot)$ and $F^{-1}_\cdot(\cdot)$ oracles.
Preliminaries (contd)
- We now define what it means for a key-search adversary $A$ to have an attack of a certain specified effectiveness.
- Choose a random block cipher $F$ having $\kappa$-bit keys and $n$-bit blocks.
- Give $A$ three oracles:
- one computes $F_\cdot(\cdot)$,
- another computes $F^{-1}_\cdot(\cdot)$,
- the final oracle $E(\cdot)$ either computes $FX_K(\cdot)$ for a random $(\kappa+2n)$-bit key $K$, or computes $\pi(\cdot)$ for a random permutation $\pi \leftarrow P_n$.
- $A$'s job is to guess which type of encryption oracle she has. Her advantage is her probability of guessing right, normalized so that 0 indicates a worthless strategy and 1 indicates a perfect strategy.
Preliminaries (contd)
- Definition 2.2: Let $\kappa, n \ge 0$ be integers, and let $\varepsilon$ be a real number. Key-search adversary $A$ is said to $\varepsilon$-break the FX-scheme with parameters $\kappa, n$ if
$$ \mathrm{Adv}_A \;=\; \Pr\big[\,F \leftarrow B_{\kappa,n};\ K \leftarrow \{0,1\}^{\kappa+2n} :\ A^{FX_K,\,F,\,F^{-1}} = 1\,\big] \;-\; \Pr\big[\,F \leftarrow B_{\kappa,n};\ \pi \leftarrow P_n :\ A^{\pi,\,F,\,F^{-1}} = 1\,\big] \;\ge\; \varepsilon . $$
3. Security of the DESX construction
Main theorem
- We will prove the following bound on the security of $FX$ against key-search attack.
- Theorem 3.1: Let $A$ be an $(m,t)$ key-search adversary that $\varepsilon$-breaks the FX-scheme with parameters $\kappa, n$. Then $\varepsilon \le m t \cdot 2^{-\kappa-n+1}$.
Proof of main theorem
- We will consider two different games that $A$ might play. This amounts to specifying how to simulate a triple of oracles $\langle E, F, F^{-1}\rangle$ for the benefit of $A$:
- a first game R
- a second game X
Proof of main theorem (contd)
- Assume (without loss of generality):
- $A$ is deterministic
- $A$ always asks exactly $m$ queries of her first oracle, called the $E$ oracle
- $A$ always asks exactly $t$ queries (total) to her second and third oracles, called the $F$ and $F^{-1}$ oracles
- $A$ never repeats a query to an oracle
- If $F(k,x)$ returns an answer $y$, then there is no query $F^{-1}(k,y)$.
Game R
- Initially, let $F_\cdot(\cdot)$ and $E(\cdot)$ be undefined. Flag bad is initially unset. Randomly choose $k \leftarrow \{0,1\}^\kappa$ and $k_1, k_2 \leftarrow \{0,1\}^n$.
- Then answer each query the adversary makes as follows
Game X
- Initially, let $F_\cdot(\cdot)$ and $E(\cdot)$ be undefined. Flag bad is initially unset. Randomly choose $k \leftarrow \{0,1\}^\kappa$ and $k_1, k_2 \leftarrow \{0,1\}^n$.
- Then answer each query the adversary makes as follows
Proof of main theorem (contd)
- We have now seen two games R and X. We have reduced our analysis to bounding $\Pr[\mathrm{BAD}]$, the probability that flag bad gets set.
- We will now play game R a little bit differently: instead of choosing $k, k_1, k_2$ at the beginning, we choose them at the end. Then we set bad to true or false depending on whether or not the choices we made would have caused bad to be set to true in Game R. We call the new game R'.
Game R'
- Initially, let $F_\cdot(\cdot)$ and $E(\cdot)$ be undefined. Answer each query the adversary makes as follows
Proof of main theorem (contd)
- Run the body of game R' not having yet chosen $k, k_1, k_2$, and let us count how many of the $2^{\kappa+2n}$ choices for $(k, k_1, k_2)$ will result in bad getting set.
- Fix any possible values for $E$ and $F$ which can arise in Game R'.
- $|E|$ = number of defined values $E(P)$ = $m$
- $|F|$ = number of defined values $F_k(x)$ = $t$
- Fix $E$ and $F$.
Proof of main theorem (contd)
- Call $(k, k_1, k_2)$ collision-inducing (with respect to $E$ and $F$) if there is some defined $y = F_{k'}(x)$ and some defined $C = E(P)$ such that $k' = k$ and ($P \oplus k_1 = x$ or $C \oplus k_2 = y$).
- If $(k, k_1, k_2)$ sets bad, then $(k, k_1, k_2)$ is collision-inducing.
- Thus it suffices to upper bound the number of collision-inducing $(k, k_1, k_2)$.
Proof of main theorem (contd)
- Claim 3.7: Fix $E, F$ where $|E| = m$ and $|F| = t$. There are at most $2mt \cdot 2^n$ collision-inducing $(k, k_1, k_2) \in \{0,1\}^\kappa \times \{0,1\}^n \times \{0,1\}^n$.
- Why: there are $mt$ pairs of a defined $y = F_{k'}(x)$ and a defined $C = E(P)$. Each pair forces $k = k'$ and then either $k_1 = P \oplus x$ (leaving $2^n$ free choices for $k_2$) or $k_2 = C \oplus y$ (leaving $2^n$ free choices for $k_1$), so each pair accounts for at most $2 \cdot 2^n$ triples.
- In Game R', we choose a triple at random, independent of $E$ and $F$, so the chance that this triple is collision-inducing is at most $2mt \cdot 2^n / 2^{\kappa+2n} = mt \cdot 2^{-\kappa-n+1}$. ∎
4. Discussion
Discussion
- Health warnings:
- Structure in the block cipher $F$ when $F$ = DES: the model treats $F$ as an ideal cipher, so the bound says nothing about attacks that exploit the internal structure of DES.
- Differential and linear cryptanalysis lie outside the key-search model. Operations besides XOR could be used for the whitening.
5. Our bound is tight
Our bound is tight
- The adversary's advantage satisfies $\varepsilon \le t \cdot 2^{-n-\kappa+1+\lg m}$, i.e. $\varepsilon \cdot 2^{n+\kappa-1-\lg m} \le t$.
- We will show that for a wide range of $m$, an attacker can achieve an $\varepsilon$ advantage using very close to $2^{n+\kappa+4-\lg m}$ queries to the $F/F^{-1}$ oracles.
Our bound is tight
- Theorem 5.1: Let $m$ be even, $m < 2^n$ and $\varepsilon < 1$. Let block cipher $F$ be uniformly distributed over $B_{\kappa,n}$ and let key $K$ be uniformly distributed over $\{0,1\}^{\kappa+2n}$. There exists an attacker $A(m, \varepsilon)$ that initially makes $m$ distinct queries $t_1, \ldots, t_m$ to an oracle computing $FX_K$. $A$ then makes
$$ \big(2^{n+\kappa+1-\lg m} + 2^{n} + 2^{\kappa}\big)\,(\varepsilon + \varepsilon^2) $$
- expected queries to the $F_\cdot(\cdot)/F^{-1}_\cdot(\cdot)$ oracles. With probability at least $\varepsilon$ it returns a $K'$ such that $FX_{K'}(t_i) = FX_K(t_i)$ for $1 \le i \le m$.
Our bound is tight
- For reasonable values of $m$, the task performed by $A(m, \varepsilon)$ is at least as strong as simply distinguishing $FX$ from a purely random transformation:
- consider any family of permutations $FX_K$ on $\{0,1\}^n$, where $|K| = \kappa + 2n$
- $\pi$ is plausible if for some $K$, $\pi(x_i) = FX_K(x_i)$ for $1 \le i \le m$
- if $\pi$ is chosen at random, the probability that it is plausible is at most $\delta(\kappa, n, m)$
Our bound is tight
- Remark: we want to convert the expectation into a worst-case bound. The resulting attack uses at most
$$ t \;\le\; \big(2^{n+\kappa+2-\lg m} + 2^{n+1} + 2^{\kappa+1}\big)(2\varepsilon + 4\varepsilon^2) \;\le\; \big(2^{n+\kappa+4-\lg m} + 2^{n+3} + 2^{\kappa+3}\big)\,\varepsilon $$
- worst-case queries to the $F_\cdot(\cdot)/F^{-1}_\cdot(\cdot)$ oracles (the last step uses $\varepsilon \le \tfrac12$, so that $2\varepsilon + 4\varepsilon^2 \le 4\varepsilon$).
- Since the advantage is $\varepsilon - \delta(\kappa,n,m)$, we can set $\varepsilon$ to be $\delta(\kappa,n,m)$ bigger than the desired advantage.
Our bound is tight
- Corollary 5.2: Let $m$ be even, $m < 2^n$ and $\varepsilon < \tfrac12 - \delta(\kappa,n,m)$. Let block cipher $F$ be uniformly distributed over $B_{\kappa,n}$, key $K$ be uniformly distributed over $\{0,1\}^{\kappa+2n}$ and permutation $\pi$ be uniformly distributed over $P_n$. There exists an attacker $A(m, \varepsilon)$ that makes $m$ queries to oracle $E$ (computing either $FX_K$ or $\pi$) and makes
$$ \big(2^{n+\kappa+4-\lg m} + 2^{n+3} + 2^{\kappa+3}\big)\,\big(\varepsilon + \delta(\kappa,n,m)\big) $$
- queries to the $F_\cdot(\cdot)/F^{-1}_\cdot(\cdot)$ oracles. $A$ solves the FX-or-$\pi$ game with advantage at least $\varepsilon$.
Our bound is tight
- We will now prove Theorem 5.1.
- Motivation of the attack: view the $FX$ block cipher as choosing a random key $k$ and then applying the Even-Mansour construction to the function $F_k$.
- We can adapt Daemen's chosen-plaintext attack on the Even-Mansour construction. We don't know the value of $k$, so we try all possible ones.
5.1 Preliminaries
- Assume that $m$ is even, $m \le 2^n$ and $\varepsilon < \tfrac12$. Fix a constant $C \in \{0,1\}^n - \{0^n\}$. For any function $G$, define $G^\Delta(x) = G(x \oplus C) \oplus G(x)$.
- Let the secret key be $K = k.k_1.k_2$. Let $E$ be a synonym for $FX_K$. Since $E(x) = k_2 \oplus F_k(x \oplus k_1)$, the whitening key $k_2$ cancels in the derivative, and $G^\Delta(x \oplus C) = G^\Delta(x)$ for any $G$, so
$$ E_K^\Delta(x) = F_k^\Delta(x \oplus k_1) = F_k^\Delta(x \oplus k_1 \oplus C). $$
5.2 The key-search attack
- $A$ uses oracles computing $FX_K(\cdot)$ and $F_\cdot(\cdot)$. Attacker $A$ takes as parameters $m$ (the maximum number of queries it is allowed to make to the $FX_K$ oracle) and $\varepsilon$ (a required lower bound on its probability of producing a key $K'$ that gives consistent results on the $m$ queries).
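The attack described in 5.2 and analysed in 5.3, carried out on a toy instance, as an added example (not code from the paper or its authors). It assumes toy parameters $\kappa = 6$ and $n = 12$ so that the search runs in seconds (DESX has $\kappa = 56$, $n = 64$), samples $F$ uniformly from $B_{\kappa,n}$ as $2^\kappa$ independent random permutations, and fixes the constant $C = 1$; the names `Oracles`, `attack` and `run_demo` are this example's own. Only the $F_\cdot(\cdot)$ oracle is used, as in the attack's description; the $F^{-1}$ oracle is not needed.

```python
# Added example: FX (DESX-style) over a toy ideal cipher and the Daemen-style
# key search on it. kappa=6, n=12 and C=1 are assumptions for a fast demo.
import random

KAPPA, N = 6, 12
BLOCKS = 1 << N


def make_ideal_cipher(seed):
    """Sample F from B_{kappa,n}: one independent random permutation per key k."""
    rng = random.Random(seed)
    table = []
    for _ in range(1 << KAPPA):
        perm = list(range(BLOCKS))
        rng.shuffle(perm)
        table.append(perm)
    return table


def fx_encrypt(F, K, x):
    """FX_K(x) = k2 xor F_k(k1 xor x), with K = (k, k1, k2)."""
    k, k1, k2 = K
    return k2 ^ F[k][k1 ^ x]


class Oracles:
    """The adversary's view: E = FX_K and F_.(.), both counting their queries."""

    def __init__(self, F, K):
        self._F, self._K = F, K
        self.e_queries = 0
        self.f_queries = 0

    def E(self, x):
        self.e_queries += 1
        return fx_encrypt(self._F, self._K, x)

    def Fk(self, k, x):
        self.f_queries += 1
        return self._F[k][x]


def consistent(oracles, K, pairs):
    """Check candidate K against every known (plaintext, ciphertext) pair."""
    k, k1, k2 = K
    return all(k2 ^ oracles.Fk(k, k1 ^ p) == c for p, c in pairs.items())


def attack(oracles, m, C, rng, max_r=1 << 20):
    """Step 1: query E on m/2 pairs (x_j, x_j^C); D_j = E^Delta(x_j) = F_k^Delta(x_j^k1).
    Step 2: pick a random r and compute F_k'^Delta(r) for every k' (two F queries each).
            r is good when r = x_j^k1 or r = x_j^k1^C, so a hit D_j gives
            k1 in {r^x_j, r^x_j^C} and k2 = E(x_j) ^ F_k'(k1^x_j).
    Step 3: verify the candidate on all m pairs, else try another r.
    Returns (K' or None, number of r values tried, the m known pairs)."""
    assert m % 2 == 0 and m <= BLOCKS and C != 0
    xs, used = [], set()
    while len(xs) < m // 2:                  # m/2 disjoint pairs {x, x^C}
        x = rng.randrange(BLOCKS)
        if x not in used:
            used.update((x, x ^ C))
            xs.append(x)
    pairs = {}
    for x in xs:
        pairs[x] = oracles.E(x)
        pairs[x ^ C] = oracles.E(x ^ C)
    deltas = {}                              # D_j -> the x_j that produce it
    for x in xs:
        deltas.setdefault(pairs[x] ^ pairs[x ^ C], []).append(x)

    for tries in range(1, max_r + 1):
        r = rng.randrange(BLOCKS)
        for kp in range(1 << KAPPA):
            d = oracles.Fk(kp, r) ^ oracles.Fk(kp, r ^ C)
            for x in deltas.get(d, ()):
                for k1 in (r ^ x, r ^ x ^ C):
                    k2 = pairs[x] ^ oracles.Fk(kp, k1 ^ x)
                    cand = (kp, k1, k2)
                    if consistent(oracles, cand, pairs):
                        return cand, tries, pairs
    return None, max_r, pairs


def run_demo(seed=1, m=16):
    """Generate F and K, run the attack and report its cost."""
    rng = random.Random(seed)
    F = make_ideal_cipher(seed)
    K = (rng.randrange(1 << KAPPA), rng.randrange(BLOCKS), rng.randrange(BLOCKS))
    oracles = Oracles(F, K)
    found, tries, pairs = attack(oracles, m, 1, rng)
    # Theorem 5.1 only promises agreement on the m queried plaintexts: the pair
    # (x_j, x_j^C) alone cannot separate (k1, k2) from (k1^C, k2^D_j).
    on_queries = found is not None and all(
        fx_encrypt(F, found, p) == c for p, c in pairs.items())
    return {
        "true_key": K, "found_key": found, "r_tried": tries,
        "e_queries": oracles.e_queries, "f_queries": oracles.f_queries,
        "consistent_on_queries": on_queries,
        "naive_key_space": 1 << (KAPPA + 2 * N),
    }


if __name__ == "__main__":
    print(run_demo())
```

With $m = 16$ a random $r$ is good with probability $m/2^n = 1/256$, so the loop expects about 256 values of $r$ at $2^{\kappa+1} = 128$ $F$-queries each, a few tens of thousands of oracle calls against a naive key space of $2^{\kappa+2n} = 2^{30}$; this is the $2^{n+\kappa+1-\lg m}$ term of Theorem 5.1 at toy scale.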
The key-search attack (contd)
5.3 Analysis of the attack
- $r$ is good if it is equal to $x_j \oplus k_1$ or $x_j \oplus k_1 \oplus C$ for some $j$.
- If $r$ is good then for $k' = k$ the attacker will obtain the correct value of $k_1$ and then of $k_2$.
- We now bound the expected cost of trying each $r$:
- for each random $r$ selected, a total of at most $2^{\kappa+1} + m + m \cdot 2^{\kappa-n}$ expected queries are required.
- We must now bound the number of $r$'s that must be tried in order to select a good $r$ with probability at least $\varepsilon$.
- Let $l$ denote this number of $r$'s.