This preview shows page 1. Sign up to view the full content.
Unformatted text preview: t one, is not smart. For the same algorithm, it does not affect the complexity of a bruteforce search. (Remember, you assume a cryptanalyst knows the algorithm including the number of encryptions used.) For different algorithms, it may or may not. If you are going to use any of the techniques in this chapter, make sure the multiple keys are different and independent. 15.1 Double Encryption
A naìve way of improving the security of a block algorithm is to encrypt a block twice with two different keys. First encrypt a block with the first key, then encrypt the resulting ciphertext with the second key. Decryption is the reverse process. C = EK2(EK1(P)) P = DK1(DK2(C)) If the block algorithm is a group (see Section 11.3), then there is always a K3 such that C = EK2(EK1(P)) = EK3(P) If this is not the case, the resultant doublyencrypted ciphertext block should be much harder to break using an exhaustive search. Instead of 2n attempts (where n is the bit length of the key), it would require 22n attempts. If the algorithm is a 64bit algorithm, the doublyencrypted ciphertext would require 2128 attempts to find the key. This turns out not to be true for a knownplaintext attack. Merkle and Hellman [1075] developed a timememory tradeoff that could break this doubleencryption scheme in 2n + 1 encryptions, not in 22n encryptions. (They showed this for DES, but the result can be generalized to any block algorithm.) The attack is called a meetinthemiddle attack; it works by encrypting from one end, decrypting from the other, and matching the results in the middle. In this attack, the cryptanalyst knows P1, C1, P2, and C2, such that C1 = EK2(EK1(P1)) C2 = EK2(EK1(P2)) For each possible K, he computes EK(P1) and stores the result in memory. After collecting them all, he computes DK(C1) for each K and looks for the same result in memory. If he finds it, it is possible that the current key is K2 and the key in memory is K1. He tries encrypting P2 with K1 and K2; if he gets C2 he can be pretty sure (with a probabili...
View Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details