RELATED-KEY ATTACK AGAINST TRIPLE ENCRYPTION BASED

ON FIXED POINTS

Serge Vaudenay

EPFL, CH-1015 Lausanne, Switzerland

Keywords:

Triple-encryption, Cryptanalysis.

Abstract:

Triple encryption was proposed to increase the security of single encryption when the key is too short. In

the past, there have been several attacks in this encryption mode. When triple encryption is based on two

keys, Merkle and Hellman proposed a subtle meet-in-the-middle attack which can break it at a price similar to

breaking single encryption (but with nearly all the code book). When triple encryption is based on three keys,

Kelsey, Schneier, and Wagner proposed a related-key attack which can break it at a price similar to breaking

single encryption.

In this paper, we propose a new related-key attack against triple encryption which compares to breaking single

encryption in the two cases. Our attack against two-key triple-encryption has exactly the same performances

as a meet-in-the-middle on double-encryption. It is based on the discovery of ﬁxed points in a decrypt-encrypt

sequence using related keys.

In the two-key case, it is comparable to the Merkle-Hellman attack (except that is uses related keys). In the

three-key case, it has a higher complexity than the Kelsey-Schneier-Wagner attack but can live with known

plaintexts.

1 INTRODUCTION

A classical security model for symmetric encryption

is the key recovery under chosen plaintext or cipher-

text attacks. Since ciphers are broken by generic at-

tacks such as exhaustive search, we must live with

these attacks and hope that their complexity is the

minimal cost for breaking the cipher. Indeed, a cipher

is secure if there is no attack better than exhaustive

search, i.e. if its complexity is lower than 2

ℓ

where ℓ

is the key length.

In the 90’s Biham and Knudsen proposed the no-

tion of related-key attack in which an adversary can

impose to change the secret key following some cho-

sen relation ϕ (Biham, 1993; Biham, 1994; Knudsen,

1992). One problem is that related-key attacks open

the way to new generic attacks such as the ones by

Biham (Biham, 1996). So, exhaustive search may no

longer be the reference for assessing the security of a

cipher.

As an example of related-key attack, Kelsey,

Schneier, and Wagner presented an attack against

three-key triple encryption which shows that this

is not more secure than single encryption (Kelsey,

Schneier, Wagner, 1996).

In this paper, we ﬁrst discuss on various ways to

compare the complexity related-key attacks. Follow-

ing a full-cost model, an attack is signiﬁcant

< 2

ℓ

where r is the number of related keys, t (resp. m) is the

time (resp. memory) complexity, and p is the proba-

bility of success. In a more conservative approach,

we shall compare max





with 2

ℓ

. We can also

consider comparison in a restricted attack model in

order to limit some characteristics such as the number

of related keys. Then, we provide a related-key attack

against two-key triple encryption.

Related Work on Triple-DES. As far as we know,

the only related-key attacks against triple-DES are

the generic attack from Biham, the Kelsey-Schneier-

Wagner attack, and an attack from Phan (Biham,

1996; Kelsey, Schneier, Wagner, 1996; Phan, 2004).

There are other attacks using no related keys such

as attacks based on meet-in-the-middle by Merkle

and Hellman, known plaintext variants by Van

Oorschot and Wiener, and a nice optimization by

Lucks (Merkle and Hellman, 1981; Lucks, 1998;

van Oorschot and Wiener, 1990; van Oorschot and

Wiener, 1999). We use the table from Phan to com-

Vaudenay S..

RELATED-KEY ATTACK AGAINST TRIPLE ENCRYPTION BASED ON FIXED POINTS.

DOI: 10.5220/0003450900590067

In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2011), pages 59-67

ISBN: 978-989-8425-71-3

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

pare these attacks with ours (Phan, 2004). The ﬁg-

ures

are given on Table 1. Previous attacks are dis-

cussed in this paper.

Our Contribution. In this paper, we present a new

attack on triple encryption which is based on the dis-

covery of ﬁxed points for the mapping

x 7→ Enc

◦ Enc

−1

ϕ(K)

for some relation ϕ. This discovery requires the en-

tire code book in a Broadcast Known Plaintext (BKP)

attack for Enc

and Enc

ϕ(K)

which makes our data

complexity high. In the BKP model, the adversary

obtains a random plaintext and its encryption under

different keys. Once we have a (good) ﬁxed point,

our attack becomes similar to a standard meet-in-the-

middle attack. So, it has a pretty low complexity. Fi-

nally, we show that our attack compares well to the

best ones so far. In the 2-key case, it becomes the best

known-plaintext attack.

2 COMPARING RELATED-KEY

ATTACKS

Given a dedicated attack against a cipher, it is tempt-

ing to compare it with exhaustive search and declare

the cipher broken if the attack is more efﬁcient. This

is however a bit unfair because the attack model may

already have better generic attacks than exhaustive

search.

As an example, Biham’s generic attack (Biham,

1996) applies standard time-memory tradeoffs in the

related key model. His attack consists of collect-

ing y

= Enc

(x) for a ﬁxed x and r related keys.

That is, we use r chosen plaintexts. Then, it builds

a dictionary (y

,i) and run a multi-target key recov-

ery to ﬁnd one K such that Enc

(x) is in the dictio-

nary. With t attempts, the probability of success is

p = 1 − (1− r2

−ℓ

)

≈ 1− e

−rt2

−ℓ

. The dictionary has

size m = r(ℓ + logr) bits. For simplicity, we approx-

imate m ≈ r. In particular, for t = r = 2

ℓ/2

, we have

p ≈ 1 − e

−1

≈ 63%, so this is much cheaper than ex-

haustive search.

The complexity of a related-key attack can be

characterized by a multi-dimensional vector consist-

ing of

with sightly different units: our time complexities are

measured in terms of triple encryption instead of single en-

cryption; our memory complexities are measured in bits in-

stead of 32-bit words; our number of keys include the target

one and not only the related ones

• the number of related keys r (the number of keys

which are involved is r, i.e. r = 1 when the attack

uses no related keys);

• the data complexity d (e.g. the number of

chosen plaintexts), where we may distinguish

known plaintexts (KP), broadcast known plain-

texts (BKP), chosen plaintexts (CP), and chosen

ciphertexts (CC) as the may be subject to differ-

ent costs in the attack model;

• the time complexity of the adversary t, where we

may distinguish the precomputation complexity

and the online running time complexity;

• the memory complexity m, which may further

distinguish quick-access or slow-access memory,

read/write memory or read-only memory;

• the probability of success p.

There are many other possible reﬁnements.

We can compare attacks by using the partial order-

ing p on vectors (r,d,t,m,

), i.e.

(r,d,t, m, p) ≤

′

, p

′

)

r ≤ r

′

and d ≤ d

′

and t ≤ t

′

and m ≤ m

′

and p ≥ p

′

When a category such as the data complexity d has

a sub-characterization (d

BKP

), the d ≤

′

implies an other partial ordering on these sub-

characteristics. We can say that an attack is insigniﬁ-

cant if there is a generic attack with a lower complex-

ity vector. It is not always possible to compare two

multi-dimensional vectors. So, it is not clear whether

an attack is signiﬁcant when it is not insigniﬁcant. So,

it is quite common to extend the partial ordering ≤

using different models which are discussed below.

Conservative Model. Traditionally, t, m, and p are

combined into a “complexity” which is arbitrarily

measured by max





. We could equivalently

adopt

+ m since these operations yield the same or-

ders of magnitude.

The idea behind this arbitrary notion is that we

can normalize the success probability p by using

sessions of the attack. So, t has a factor

corre-

sponding to

different sessions. Clearly, the running

time of every session adds up whereas their memory

complexity does not. If we make no special treatment

for r and d, we can just extend this simple notion by

adding them in the time complexity t (since the ad-

versary must at least read the received data). We can

thus replace t by max(r,d,t). This leads us to

conservative

(r,d,t, m, p) = max





SECRYPT 2011 - International Conference on Security and Cryptography

Table 1: Attacks against Triple-DES.

parameters complexity

target data memory time #keys C

conservative

reference

2K-3DES 2 (KP) 2

112

1 2

112

exhaustive search

(CP) 2

(Biham, 1996) (generic)

(KP) 2

112

1 2

112

(van Oorschot and Wiener, 1990; van

Oorschot and Wiener, 1999)

(KP) 2

91.5

2 2

91.5

(Phan, 2004)

(KP) 2

2 2

this paper

(BKP) 2

2 2

this paper

(KP) 2

1 2

(Merkle and Hellman, 1981) variant

(CP) 2

1 2

(Merkle and Hellman, 1981)

3K-3DES 3 (KP) 2

168

1 2

168

exhaustive search

(CP) 2

(Biham, 1996) (generic)

(KP) 2

104

1 2

104

(Lucks, 1998)

3 (CP) 2

110

1 2

110

(Merkle and Hellman, 1981)

(KP) 2

2 2

(Phan, 2004)

(KP) 2

6 2

this paper

(BKP) 2

6 2

this paper

2 (BKP) 2

2 2

(Kelsey, Schneier, Wagner, 1996)

For instance, the Biham attacks (Biham, 1996) have

complexity 2

ℓ

In some cases, there may be a special treatment

for r and d though, especially regarding the

fac-

tor. Actually, the current

factor corresponds to the

worst case where iterating an attack requires new re-

lated keys. In many cases, related keys could just be

reused, which means that the total number of related

keys may be r instead of

. We can just keep in mind

that the C

conservative

formula may not be well adapted

to attacks with a probability of success far from 1.

We should rather normalize the attack using the most

appropriate technique before applying the formula on

the normalized attack.

This kind of rule of the thumb is pretty conve-

nient because two attacks can always be compared by

conservative

: let

(r,d,t, m, p) ≤

conservative

′

, p

′

)

conservative

(r,d,t, m, p) ≤ C

conservative

′

, p

′

)

This deﬁnes a total ordering. An attack is said conser-

vative-signiﬁcant if it is better than generic ones fol-

lowing the conservative ordering. That is, an attack is

conservative-signiﬁcant if and only if

conservative

(r,d,t, m, p) < 2

ℓ

Strictly speaking, we shall have a

factor correspond-

ing to p = 63% but this would give the same order of mag-

nitude and this simple formula aims at comparing orders of

magnitude.

Limited Related-key Models. Arguably, related

keys (or event chosen plaintexts or ciphertexts) are

harder to obtain, compared to spending time in the

attack. Namely, an attack of complexity 2

ℓ

, r = 1,

and d = 1 is declared not signiﬁcant with ≤

conservative

because of the Biham attack (Biham, 1996) of com-

plexity 2

ℓ

, which is a bit unfair. So, we could either

go back to some partial ordering or to some attack

model restrictions. For instance, a common model

(when we do not care about related-key attacks) con-

sists of limiting to r = 1. A natural model would

consists of limiting r ≤ B

for some bound B

. Fi-

nally, we can compare an attack with the best generic

one using no more related keys. That is, we say that

an attack is conservative-signiﬁcant in the RK-limited

model if its conservative complexity is better than

the one for all generic attacks using no more related

keys. If (t,r,d,m, p) is the complexity vector of the

attack, we shall compare C

conservative

(r,d,t, m, p) with

the one of all (t

′

,1 − e

−r

′

−ℓ

) for all t

′

and

′

≤ r. Clearly, the minimal complexity is reached for

′

= r and t

′

= 2

ℓ

′

. So, the attack is conservative-

signiﬁcant in the RK-limited model if

conservative

(r,d,t, m, p) <

ℓ

Other Limited Models. We may also consider

other limited models. For instance we can restrict

to attacks using known plaintexts only. All combi-

nations of limitations can be imagined. The relevance

RELATED-KEY ATTACK AGAINST TRIPLE ENCRYPTION BASED ON FIXED POINTS

of these limited models shall be drivenby signiﬁcance

for applications.

Full-cost Model. Wiener introduced the full cost

expressed as O (t +

+ t

cρ

) where c is the num-

ber of processors and ρ is the rate of access to

the memory of all processors per time unit (Wiener,

2004). (We assume here that parameters are normal-

ized so that we can assume p = 1.) Using a single

processor and ρ = 1, this simpliﬁes to O (tm). Again,

we replace t by max(r,d,t) to integrate r and d. So,

we could also consider

full

(r,d,t, m, p) = max(r,d,t)

(1)

and deﬁne

(r,d,t, m, p) ≤

full

′

, p

′

)

full

(r,d,t, m, p) ≤ C

full

′

, p

′

)

The total ordering which takes parallelism tricks is a

bit more complicated. Without using any parallelism

trick, Biham’s generic attacks have d = r, t = 2

ℓ

/r,

and m = r. So, their full cost if max(r

ℓ

). Again,

this is relevant for r ≤ 2

ℓ

only and the full cost is 2

ℓ

no matter r. In this case, exhaustivesearch with r = 2

ℓ

has the same full cost. An attack is full-signiﬁcant if

and only if

full

(r,d,t, m, p) < 2

ℓ

As a rule of the thumb, we could adopt the simple

criterion

< 2

ℓ

Note that Equation (1) only gives an upper bound

on the full cost which can be pessimistic. For in-

stance, it was shown that meet-in-the-middle (Difﬁe

and Hellman, 1977) with a key of size ℓ

has a full

cost of 2

ℓ

and may also be reduced to 2

ℓ

using

parallelism (Wiener, 2004). So, the comparison based

on full cost shall be done with great care.

As an application we can look at recent at-

tacks on AES working with p = 1. (See

Table 2.) As we can see, the Biryukov-

Khovratovich attack (Biryukov and Khovratovich,

2009) on AES-192 is only conservative-signiﬁcant

in the RK-limited model, thanks to the low num-

ber of related keys, but it is not conservative-

signiﬁcant. The Biryukov-Khovratovich-Nikoli´c at-

tack (Biryukov, Khovratovich, Nikoli´c, 2009) on

AES-256 is conservative-signiﬁcant in the RK-

limited model, thanks to the low number of re-

lated keys, but it is not conservative-signiﬁcant.

The Biryukov-Khovratovich attack (Biryukov and

Khovratovich, 2009) on AES-256 is signiﬁcant for all

criteria.

3 SEMI-GENERIC

RELATED-KEY ATTACKS

AGAINST 3DES

We propose here a related-key attack against 3DES.

It is semi-generic in the sense that is does not depend

on DES but only on the structure of triple encryption

which is used in 3DES, that is the encrypt-decrypt-

encrypt structure. We consider two cases: the 3-key

and 2-key triple encryptions deﬁned by

Enc

= C

◦C

−1

◦C

Enc

= C

◦C

−1

◦C

We denote by ℓ

the length of the K

subkeys and by

ℓ

the block length.

3.1 3-Key Triple Encryption Case

We use the relation ϕ(K

) = (K

). We

observe that for K = (K

), we have

Enc

◦ Enc

−1

ϕ(K)



◦C

−1



The idea of the attack consists of looking for a plain-

text x such that Enc

(x) = Enc

ϕ(K)

(x). By enumer-

ating the codebook we can ﬁnd one such x with com-

plexity 2

ℓ

. Indeed, this would be a ﬁxed point for the

above permutation.

Given a random permutation over a domain of size

ℓ

, the expected number of ﬁxed points is 1. Addi-

tionally, there are

cycles of length 2, on average.

So, C

◦C

−1

has a number a of ﬁxed points such that

E(a) = 1 and a number b of length-2 cycles such that

E(b) =

. In



◦C

−1



, the a ﬁxed points are still

ﬁxed points, but elements of length-2 cycles become

ﬁxed points as well. We call them bad ﬁxed points.

After enumerating the codebook, we have a+2b ﬁxed

points. When a = 0, there are no good ﬁxed points

and it is a bad luck. This happens with probability

−1

. Our attack succeeds when a > 0, so with a suc-

cess probability of p = 1 − e

−1

. Note that if a + 2b is

odd, we are ensured that there is a good ﬁxed point.

Assuming that x is a good ﬁxed point, it is a ﬁxed

point of C

◦C

−1

. We can enumerate all ℓ

-bit keys

and ﬁnd pairs (K

) such thatC

(x) = C

(x) with

complexity 2

ℓ

using a meet-in-the-middle algorithm.

The correct (K

) pair is always suggested if x is a

good ﬁxed point. Other pairs are called wrong pairs.

We eliminate wrong pairs by using several iterations

of this method.

Concretely, our attach starts as shown on Fig. 1.

So, we use r = 2n related keys, d = n2

ℓ

broadcast

SECRYPT 2011 - International Conference on Security and Cryptography

Table 2: Attacks on AES.

parameters complexity signiﬁcance

target data memory time #keys C

conservative

conservative RK-limited reference

AES-128 1 1 2

128

1 2

128

exhaustive search

AES-192 1 1 2

192

1 2

192

exhaustive search

4 4 2

190

4 2

190

(Biham, 1996)

123

152

176

4 2

176

no yes (Biryukov and Khovra-

tovich, 2009)

AES-256 1 1 2

256

1 2

256

exhaustive search

4 4 2

254

4 2

254

(Biham, 1996)

221

(Biham, 1996)

128

(Biham, 1996)

131

no yes (Biryukov, Khovra-

tovich, Nikoli´c, 2009)

100

4 2

100

yes yes (Biryukov and Khovra-

tovich, 2009)

1: select c

= 0 and c

,...,c

at random

2: for i = 1 to n do

3: set a list L

to the empty list

4: repeat

5: get a new BKP x with keys K⊕c

and ϕ(K ⊕

)

6: let y (resp. z) be the encryption of x under

key K ⊕ c

(resp. ϕ(K ⊕ c

))

7: if y = z then

8: add y in list L

9: end if

10: until until all x cover the entire code book

11: end for

12: set I to the set of all i such that #L

> 0

Figure 1: Attack on Triple Encryption (First Part — Broad-

cast Known Plaintext).

1: select c

= 0 and c

,...,c

at random

2: for i = 1 to n do

3: set a list L

to the empty list

4: dump the entire code book for key K ⊕ c

(Enc

K⊕c

(x) stored at address h(x))

5: repeat

6: get a new KP x with key ϕ(K ⊕ c

)

7: let z be the encryption of x under key ϕ(K ⊕

)

8: let y to the content of cell h(x)

9: if y = z then

10: add y in list L

11: end if

12: until until all x cover the entire code book

13: end for

14: set I to the set of all i such that #L

> 0

Figure 2: Attack on Triple Encryption (First Part — Known

Plaintext)

known plaintexts, and negligible time and memory so

far. There is a known plaintext variant on Fig. 2 which

uses d known plaintexts m = ℓ

ℓ

. Then, for each i

we have a list L

of ﬁxed points for



(i)

◦C

−1

(i)



If L

has an odd number of terms, we are ensured that

there is at least one ﬁxed point for C

(i)

◦C

−1

(i)

in it.

Then, the attack continues as shown on Fig. 3.

The loop on K

(i) takest =

ℓ

triple encryptions

and m = (ℓ

+ ℓ

ℓ

bits of memory. The loop on

(i) essentially takes t =

ℓ

triple encryptions (the

inner loop on the found K

(i) is negligible).

The loop on (K

,c) depends on the size of

R. We denote R

the expected number of remaining

wrong keys in R using parameter n. Let n

∗

− 1 be the

number of other lists which have an odd number of

ﬁxed points. We have 2

2ℓ

potential pairs but an equa-

tion to satisfy on n

∗

ℓ

bits to end up in R. So, we have

≈ 2

2ℓ

−n

∗

ℓ

. We have

E(n

∗

) = 1+ (n− 1)

∑

a odd

−1

= 1+ (n− 1)

1− e

−

which is nearly 0.6116 + 0.3884× n. So, this loop

takes t =

1+R

ℓ

triple encryptions for a good ﬁxed

point and t =

ℓ

for a bad one. In what follows we

adjust n so that R

≈ 0. Namely, for n = 6

ℓ

, we have

≈ 2

−0.3ℓ

−0.6ℓ

so we can neglect wrong pairs.

The main loop and the x loop iterate until it takes

a good ﬁxed point. For each L

we have exactly i

cycles of length u with probability

−

. Let assume

the probabilities for u = 1 and u = 2 are independent.

For instance, the best case is a > 1 (some good ﬁxed

points) and b = 0 (no bad ﬁxed points) with proba-

bility e

−

(1 − e

−1

) ≈ 0.38. We denote by N

(resp.

RELATED-KEY ATTACK AGAINST TRIPLE ENCRYPTION BASED ON FIXED POINTS

1: sort I in increasing order with ﬁrst the list of i’s

with #L

odd then the remaining ones

2: while I is not empty do

3: pick the ﬁrst i ∈ I and remove it from I

4: for all x in L

5: initialize a hash table H and a list R

6: for all K

(i) do

7: store (C

(i)

(x),K

(i)) in H

8: end for

9: for all K

(i) do

10: for each K

(i) such that

(i)

(x),K

(i)) ∈ H do

11: compute K

and K

from K

(i) and

(i) using c

and set c = 0

12: for each j ∈ I do

13: compute K

( j) and K

( j) from K

and K

using c

14: look if there is y ∈ L

such that

( j)

(y) = C

( j)

(y)

15: if there is such y then

16: increment c

17: end if

18: if there is no such y and j is odd then

19: exit the j loop and set c to 0

20: end if

21: end for

22: if c 6= 0, add (K

,c) in list R sorted

by decreasing c

23: end for

24: end for

25: end for

26: for each (K

,c) ∈ R sorted by c do

27: for all K

28: if (K

) consistent with data then

29: yield (K

) and exit

30: end if

31: end for

32: end for

33: end while

34: attack failed

Figure 3: Attack on 3-Key Triple Encryption (Second Part).

∗

) the expected number of iterations of the i and x

loops (resp. in the case that the attack succeeds). In

the case of failure (a = 0), we have 2b iterations so

the expected number is 1 for each list. That is, the ex-

pected number of iterations before the attack fails is

n. Since this happens with probability e

−n

, we have

∗

− ne

−n

1− e

−n

Given a > 0 good ﬁxed points and 2b bad ones, the

expected number of iterations is

(a,b) =



a+2b



2b+1

∑

i=1



a+ 2b− i

a− 1



which does not depend on n. For a = 0, it is of

(0,b) = 2b + N

n−1

which does depend on n. Fur-

thermore, we have

∑

a,b

(a,b)

−

a!2

So,

∑

(2b+ N

n−1

)

−

∑

a>0,b

(a,b)

−

a!2

= (N

n−1

+ 1)e

−1

∑

a>0,b

(a,b)

−

a!2

where the sum does not depend on n. We computed

some values of N

in Table 3. So, the number of iter-

ations can be approximated to 2 in any success case.

Finally, the total complexity is of

r = 2n

d = n2

ℓ

t =





ℓ



ℓ

if success

t = n



ℓ



if failure

m =



(ℓ

+ ℓ

ℓ

for CP variant

max(ℓ

ℓ

,(ℓ

+ ℓ

ℓ

) for KP variant

p = 1 − e

−n

In general, we suggest n ≈ 6

ℓ

to get t =

ℓ

in a

success case.

In the case of DES, we have ℓ

= 56 and ℓ

= 64.

We take n = 3 to get n

∗

≈ 1.777 and R

≈ 2

−1.72

. So,

we use r = 6 keys. We use d = 2

chosen plaintexts

or ciphertexts, or known plaintexts. The time com-

plexity is t = 2

triple encryptions in the all cases.

The memory complexity is m = 2

bits in the chosen

message variant and m = 2

in the known plaintext

variant. The key to recover has 168 bits. The attack

succeeds with probability p = 95%. Note that this at-

tack is better than the generic related-key attack using

tradeoffs. It works in the ideal cipher model. Bellare

and Rogaway proved that the best (non-related-key)

generic attack in the ideal cipher model would require

at least 2

encryptions (Bellare and Rogaway, 2006).

This example shows that the result no longer holds in

the related-key model.

In the case we would like to use a triple AES en-

cryption, we obtain different results which are sum-

marized in Table 4.

SECRYPT 2011 - International Conference on Security and Cryptography

Table 3: Some values for the expected number of iterations N

and N

∗

n 1 2 3 4 5 6 7 8 9 10

1.264 1.729 1.900 1.963 1.987 1.995 1.998 1.999 2.000 2.000

∗

1.418 1.687 1.843 1.925 1.966 1.985 1.994 1.997 1.999 2.000

Comparison with the Kelsey-Schneier-Wagner At-

tack. Kelsey, Schneier, and Wagner presented a

related-key attack against 3-key triple encryption

which has similar performances (Kelsey, Schneier,

Wagner, 1996). It consists in using

ϕ(K

) = (K

⊕ ∆, K

)

Then, Enc

◦ Enc

−1

ϕ(K)

= C

◦C

−1

⊕∆

which only de-

pends on K

. So, exhaustive search can recover K

For DES, this attack has r = 2, d = 2 (known and cho-

sen plaintexts), t = 2

encryptions, m = 2

bits, and

p = 100%. So, it is better than our attack. Contrarily

to ours, it has no extension to 2-key triple encryption.

However, this attack extends to the encrypt-encrypt-

encrypt triple encryption mode whereas our attack re-

stricts to the encrypt-decrypt-encrypt construction.

Note that getting Enc

◦ Enc

−1

ϕ(K)

(y) = z on a

random y is equivalent to getting Enc

(x) = y and

Enc

ϕ(K)

(x) = z on a random x. So, this attack is in

the BKP model.

Comparison with the Phan Attack. In the cate-

gory of known plaintext attacks, Phan (Phan, 2004)

uses

ϕ(K

) = (K

)

(which is similar to our relation) and a slide attack. It

breaks 3-key triple encryption using r = 2, d = 2

(known and chosen plaintexts), t =

triple en-

cryptions, and m = 2

bits. This attack extends to

encrypt-encrypt-encrypt and to 2-key triple encryp-

tion (with a memory complexity inﬂated to m = 2

94.5

bits). Our known plaintext attack uses a quite lower

time complexity but a higher number of chosen plain-

texts.

3.2 2-Key Triple Encryption Case

We use the relation ϕ(K

) = (K

). We observe

that for K = (K

), we have

Enc

◦ Enc

−1

ϕ(K)



◦C

−1



Fixed points of Enc

◦ Enc

−1

ϕ(K)

are ﬁxed points of

(x) ◦ C

−1

or points in cycles of length 3. We just

proceed as in the previous attack. The probability to

have a ﬁxed points and b cycles of length 3 is

−

a!3

So, E(a) = 1 and E(b) =

. The number of values x

obtained is a + 3b. If it is no multiple of 3 then we

have a good ﬁxed point for sure.

The ﬁnal complexity is very similar to the 3-key

encryption case. The difference is that we no longer

need the exhaustive search on K

and wrong (K

)

pairs are discarded by a simple consistency check. We

can work with n = 1 and p = 63%. The formulas

become

(a,b) =



a+3b



3b+1

∑

i=1



a+ 3b− i

a− 1



(0,b) = 3b+ N

n−1

∑

a,b

(a,b)

−

a!3

= (N

n−1

+ 1)e

−1

∑

a>0,b

(a,b)

−

a!3

∗

− ne

−n

1− e

−n

The new table for N

gives identical results. So, the

new complexity is

r = 2n

d = n2

ℓ

t =



ℓ

if success

t =

ℓ

if failure

m =



(ℓ

+ ℓ

ℓ

for CP variant

max(ℓ

ℓ

,(ℓ

+ ℓ

ℓ

) for KP variant

p = 1 − e

−n

The ﬁrst part of the algorithm works like in the 3-

key case with two variants on Fig. 1 and Fig. 2. The

second part of the algorithm is shown on Fig. 4.

In the case of DES, we take n = 1, so r = 2. We

use d = 2

chosen plaintexts or ciphertexts. The

time complexity is t = 2

triple encryptions in the

all cases. The memory complexity is m = 2

bits and

the key to recover has 112 bits. The known plaintext

variant uses d = 2

known plaintexts and the mem-

ory complexity becomes m = 2

bits. The attack suc-

ceeds with probability p = 63%. Comparison with

other attacks is presented in Table 1.

Comparison with the Merkle-Hellman Meet-in-

the-middle Attack. Merkle and Hellman proposed

RELATED-KEY ATTACK AGAINST TRIPLE ENCRYPTION BASED ON FIXED POINTS

Table 4: Semi-Generic Attack against Triple Encryption (Chosen Message Variant).

2-key 3-key

cipher DES AES128 AES192 AES256 DES AES128 AES192 AES256

key size 116 256 384 512 168 384 576 768

ℓ

56 128 192 256 56 128 192 256

ℓ

64 128 128 128 64 128 128 128

#keys 2 2 2 2 6 8 14 18

#chosen plaintexts 2

129

131

132

time complexity 2

128

192

256

129

193

257

memory complexity 2

136

200

255

136

200

265

success probability 63% 63% 63% 63% 95% 98% 100% 100%

conservative

136

200

265

136

200

265

1: sort I in increasing order with ﬁrst the list of i’s

with #L

not multiple of 3 then the remaining ones

2: while I is not empty do

3: pick the ﬁrst i ∈ I and remove it from I

4: for all x in L

5: initialize a hash table H

6: for all K

(i) do

7: store (C

(i)

(x),K

(i)) in H

8: end for

9: for all K

(i) do

10: for each K

(i) such that

(i)

(x),K

(i)) ∈ H do

11: compute K

and K

from K

(i) and

(i) using c

and set c = 0

12: if (K

) consistent with data

then

13: yield (K

) and exit

14: end if

15: end for

16: end for

17: end for

18: end while

19: attack failed

Figure 4: Attack on 2-Key Triple Encryption (Second Part).

to use a simple collision algorithm to ﬁnd colli-

sions between the list of all C

−1

(0) and the list of

all C

−1

(Enc(C

−1

(0))) (Merkle and Hellman, 1981).

This requires to encrypt all chosen plaintexts C

−1

(0).

A variant with known plaintexts only can be done as

follows: ﬁrst we make a dictionary of all (C

(0,K

)

in addition to the dictionary of all (C

−1

(0),K

). Then,

every time we receive a plaintext/ciphertext pair (x,y)

we look if x is in the ﬁrst dictionary to ﬁnd K

. If

it is, we compute z = C

−1

(y) and get a new element

−1

(Enc(C

−1

(0))) = z. We can look for z in the sec-

ond dictionary. This doubles the memory complexity

and increase the data complexity to essentially the en-

tire code book.

This attack has lower complexity parameters than

ours for the chosen plaintext variant. The known

plaintext variants are equivalent (except that we use

related keys and the Merkle-Hellman attack does not).

4 CONCLUSIONS

We presented a new attack on triple-encryption which

uses related keys. It can use chosen messages or

known plaintexts but require the entire code book for

related keys. Our attack is the best in the known

plaintext attack category in the 3-key case. Be-

sides, the best attacks remain the Merkle-Hellman

attack (Merkle and Hellman, 1981) in the 2-key

case and the Kelsey-Schneier-Wagner attack (Kelsey,

Schneier, Wagner, 1996) in the 3-key case.

REFERENCES

M. Bellare, P. Rogaway. The Security of Triple Encryp-

tion and a Framework for Code-Based Game-Playing

Proofs. In Advances in Cryptology EUROCRYPT’06,

St. Petersburg, Russia, Lecture Notes in Computer

Science 4004, pp. 409–426, Springer-Verlag, 2006.

E. Biham. New Types of Cryptanalytic Attacks Using

related Keys. In Advances in Cryptology EURO-

CRYPT’93, Lofthus, Norway, Lecture Notes in Com-

puter Science 765, pp. 398–409, Springer-Verlag,

1994.

E. Biham. New Types of Cryptanalytic Attacks Using Re-

lated Keys. Journal of Cryptology, vol. 7, pp. 229–

246, 1994.

E. Biham. How to Decrypt or even Substitute DES-

Encrypted Messages in 2

steps. Technical report

CS 884, 1996.

A. Biryukov, D. Khovratovich. Related-key Cryptanalysis

of the Full AES-192 and AES-256. In Advances in

Cryptology ASIACRYPT’09, Tokyo, Japan, Lecture

Notes in Computer Science 5912, pp. 1–18, Springer-

Verlag, 2009.

SECRYPT 2011 - International Conference on Security and Cryptography

A. Biryukov, D. Khovratovich, I. Nikoli´c. Distinguisher

and Related-Key Attack on the Full AES-256. In

Advances in Cryptology CRYPTO’09, Santa Barbara,

California, U.S.A., Lecture Notes in Computer Sci-

ence 5677, pp. 231–249, Springer-Verlag, 2009.

W. Difﬁe, M.E. Hellman. Exhaustive Cryptanalysis of the

NBS Data Encryption Standard. Computer, vol. 10,

pp. 74–84, 1977.

J. Kelsey, B. Schneier, D. Wagner. Key-Schedule Cryptanal-

ysis of IDEA, G-DES, GOST, SAFER, and Triple-

DES. In Advances in Cryptology CRYPTO’96, Santa

Barbara, California, U.S.A., Lecture Notes in Com-

puter Science 1109, pp. 237–251, Springer-Verlag,

1996.

L.R. Knudsen. Cryptanalysis of LOKI91. In Advances in

Cryptology AUSCRYPT’92, Gold Coast, Queensland,

Australia, Lecture Notes in Computer Science 718,

pp. 196–208, Springer-Verlag, 1993.

S. Lucks. Attacking Triple Encryption. In Fast Software En-

cryption’98, Paris, France, LectureNotes in Computer

Science 1372, pp. 239–253, Springer-Verlag, 1998.

R.C. Merkle, M.E. Hellman. On the Security of Multiple

Encryption. Communications of the ACM, vol. 24, pp.

465–467, 1981.

P.C. van Oorschot, M.J. Wiener. A Known-Plaintext Attack

on Two-Key Triple Encryption. In Advances in Cryp-

tology EUROCRYPT’90, Aarhus, Denemark, Lec-

ture Notes in Computer Science 473, pp. 318–325,

Springer-Verlag, 1991.

P.C. van Oorschot, M.J. Wiener. Parallel Collision Search

with Cryptanalytic Applications. Journal of Cryptol-

ogy, vol. 12, pp. 1–28, 1999.

R. C.-W. Phan. Related-Key Attacks on Triple-DES and

DESX Variants. In Topics in Cryptology CT-RSA’04,

San Francisco, California, U.S.A., Lecture Notes in

Computer Science 2964, pp. 15–24, Springer-Verlag,

2004.

M.J. Wiener. The Full Cost of Cryptanalytic Attacks. Jour-

nal of Cryptology, vol. 17, pp. 105–124, 2004.

RELATED-KEY ATTACK AGAINST TRIPLE ENCRYPTION BASED ON FIXED POINTS