On the Security of the XOR Sandwiching Paradigm for Multiple Keyed

Block Ciphers

Ruth Ng Ii-Yung

, Khoongming Khoo

and Raphael C.-W. Phan

The College, University of Chicago, 5801 S. Ellis Avenue, Chicago IL 60637, U.S.A.

∗

DSO National Laboratories, 20 Science Park Drive, S118230, Singapore City, Singapore

Faculty of Engineering, Multimedia University, Persiaran Multimedia, 63100 Cyberjaya, Selangor, Malaysia

Keywords:

Data-encryption Standard, Block Ciphers, Meet-in-the-Middle, Related-key.

Abstract:

While block cipher design is relatively mature, advances in computational power mean that the keylength

of block ciphers, upon which the security relies entirely, becomes less resistant to cryptanalysis over time.

Therefore, the security for a block cipher with a particular keylength typically is seen to last for at most some

decades. One common approach to strengthen a block cipher’s security is based on increasing its keylength.

In the literature, two strategies have emerged: multiple keyed multiple encryption and multiple keyed XOR

sandwiching. Known attacks on these such as Meet-in-the-Middle(Merkle and Hellman, 1981; van Oorschot

and Wiener, 1991; Lucks, 1998) and Related-Key (J. Kelsey and Wagner, 1996; Choi et al., 1996; Vaudenay,

2011; Phan, 2004) attacks, show that Triple Encryption is signiﬁcantly weaker than a brute-force attack would

suggest, especially for block ciphers with small keys, such as the Data Encryption Standard (DES). This paper

provides a comprehensive analysis on the security of the XOR sandwiching paradigm against known attacks

for the case of multiple keyed triple encryption, without loss of generality, using DES as the underlying block

cipher. In particular, we focus on DES-XEXEXEX variants, based on 2-Key and 3-Key Triple-DES, which

involve performing the XOR for key-whitening before and after each encryption with an additional 64-bit

key. One of the conclusions to be drawn from this work is the increased strength obtained from the XOR

sandwiching paradigm while requiring little in terms of additional computational resources.

1 INTRODUCTION

Work on the Data Encryption Standard (DES) in the

areas of Meet-in-the-MiddleAttacks and Related-Key

Attacks have revealed 2-Key and 3-Key Triple DES

to be much weaker than a na¨ıve attack would suggest.

We therefore hope to strengthen such encryption by

increasing key-length.

Perhaps the most obvious response would be

to increase these Triple Encryption DES variants

to Quadruple Encryption DES variants. However,

a quick calculation by a traditional Meet-in-the-

Middle attack will reveal that both Triple-DES and

Quadruple-DES can be attacked with a time complex-

ity of 2

113

, an ominous sign suggesting that the ex-

tra computational time of the added DES encryption

is both needlessly cumbersome and insufﬁcient to in-

crease security.

∗

A part of this research was done while the author was

at DSO National Laboratories

1.1 Our Contribution

What we propose is to use an XOR-sandwiching

paradigm to include an additional 64-bit key into a

multiple encryption scheme. Speciﬁcally, we pro-

pose an XEXEXEX model (Figure 1) as an extension

to both 2-Key-Triple-Encryption and 3-Key-Triple-

Encryption, by XORing an additional 64-bit key in

between each encryption call. These are also easy

to implement in existing triple-encryption systems.

As in DES-EXE and DES-X, the use of the XOR

function for key-whitening strengthens the encryption

scheme with negligible computational overhead.

We present recent attacks to justify the choice of

such an encryption scheme. As far as we know, major

Figure 1: DES-XEXEXEX variants proposed.

305

Ng Ii-Yung R., Khoo K. and C.-W. Phan R..

On the Security of the XOR Sandwiching Paradigm for Multiple Keyed Block Ciphers.

DOI: 10.5220/0004505903050312

In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT-2013), pages 305-312

ISBN: 978-989-8565-73-0

 2013 SCITEPRESS (Science and Technology Publications, Lda.)

steps in breaking Triple-Encryption include the basic

Meet-in-the-Middle (MITM) attack and its optimiza-

tion (Lucks, 1998), MITM variants that targets 2-key

triple-DES (Merkle and Hellman, 1981; van Oorschot

and Wiener, 1991). In addition, we study Related-

Key (RK) MITM attacks that exploits key differ-

ences (J. Kelsey and Wagner, 1996; Choi et al., 1996)

and RK-MITM attacks that exploits key-permutation

(Phan, 2004; Vaudenay, 2011). In this research, we

argue that our XEXEXEX encryption variant signif-

icantly strengthens Triple-Encryption against known

attacks, through the example of DES.

2 MEET-IN-THE-MIDDLE

ATTACK

The traditional MITM attack is described diagram-

matically (Figure 2) below, comparing the original

Triple-Encryption with the one which we propose.

Figure 2: Traditional MITM attack on Triple-DES and

DES-XEXEXEX variants.

For 3-Key Triple-DES, we obtain (P,C), a known

Plaintext-Ciphertext (PT-CT) pair, and consider the

possible K

separately from possible (K

, K

), seek-

ing E

(P) = E

−1

(C)). Note that we accept val-

ues of (K

, K

) satisfying the above equation if the

encryption is true for ⌈log

168

⌉ = 3 PT-CT pairs.

Notice that this attack requires a time complexity in

the order of 2

113

encryptions and a memory complex-

ity of (64+ 56)2

≈ 2

bits.

A very similar search for E

(P ⊕ K

) ⊕ K

−1

(C⊕ K

) ⊕ K

) can be carried out for our 4-

Key DES-XEXEXEX model. However, to remove

signiﬁcant memory complexity we consider this at-

tack individually for each value of K

since that is

constant in the encryption scheme. We accept val-

ues of (K

, K

) if the results are consistent over

⌈log

212

⌉ = 4 PT-CT pairs. This attack will have

a time complexity in the order of 2

177

and a memory

complexity of approximately 2

As for 2-Key Triple DES, through a similar logic

as suggested above, we consider each value of K

sep-

arately. We expect that ⌈log

112

⌉ = 2 known PT-

CT pairs will conﬁrm the correct value of K

and K

with a time complexity of 2

113

and a negligible mem-

ory requirement. The logical extension will mean that

for our 3-Key DES-XEXEXEX model we consider

each (K

, K

) individually, and accept values that are

consistent over ⌈log

176

⌉ = 3 PT-CT values. We

arrive at a time complexity of 2

177

and a negligible

memory complexity.

The addition of an additional key in the proposed

XEXEXEX model has thus increases the time com-

plexity of a basic MITM attack by 2

, an identical

increase to what we would expect from a na¨ıve attack.

2.1 Merkle-Hellman MITM Attack

The Merkle-Hellman MITM attack (Merkle and Hell-

man, 1981) is a chosen-plaintext alternative to this.

The common application of this attack is in the case of

2-Key Triple Encryption (Figure 3). In 2-Key Triple-

DES, we decrypt some 64-bit value A based on all 2

possible values of K

. For each A, we make a chosen

plaintext encryption query to obtain the correspond-

ing ciphertext and decrypt each A via the guessed K

as before. We then store these values and exhaustively

search all K

such that E

−1

(Enc(E

−1

(A))) = E

−1

(A)

(where Enc is the chosen plaintext encryption query).

We accept a value of (K

, K

) when ⌈log

112

⌉ = 2

PT-CT pairs are consistent with those keys. This at-

tack has a time complexity of 3(2

) ≈ 2

57.6

Encryp-

tions (neglecting that of obtaining the ciphertexts of

chosen-PT) and a memory complexity of 2

Figure 3: Merkle-Hellman MITM attacks on 2-Key Triple-

DES and both DES-XEXEXEX variants.

As for our 3-Key variant of the above attack,

we consider combinations of (K

, K

) separately

from K

, as represented diagrammatically above

(Figure 3). Speciﬁcally, the equality we search

for is E

−1

(Enc(E

−1

(A ⊕ K1) ⊕ K1) ⊕ K1) ⊕ K1 =

SECRYPT2013-InternationalConferenceonSecurityandCryptography

306

−1

(A). We accept a value of (K

, K

) when

⌈log

176

⌉ = 3 PT-CT pairs are consistent with

those keys. This has a time complexity of 2

121.6

and

a memory complexity of 2

. This also requires the

entire codebook of PT-CT pairs.

For the original 3-Key Triple-DES and 4-Key

DES-XEXEXEX algorithm, this gives us no advan-

tage over the original MITM attack. Note that while

the attack, with the entire codebook of PT-CT pairs,

we can consider possible K

separately from the re-

maining keys, this gives negligible time advantage.

Therefore, similar to the original MITM attack,

our variant of 2-Key Triple DES has succeeded in in-

creasing the complexity of a chosen plaintext MITM

attack by a factor of 2

2.2 Van Oorshot - Wiener MITM

Attack

Van Oorshot and Wiener’s proposal to extend Merkle-

Hellman’s chosen plaintext attack to a known-

plaintext attack is applicable to the case of 2-Key

Triple DES, where the Merkle-Hellman attack gives

us a signiﬁcant reduction in complexity on the orig-

inal MITM attack (van Oorschot and Wiener, 1991).

We choose 2

values of P. For each P, we calcu-

late all 2

possible values of E

−1

(P) and check these

against the 2

PT-CT pairs. For the matches we ﬁnd,

we compute B = E

−1

, B) using at

most 2

memory entries. On each of these, we con-

duct an exhaustive search of K

and test resultant can-

didate (K

, K

) pairs with additional PT-CT pairs. We

repeat this process for different values of P until the

correct key is found. With 2

known PT-CT pairs,

this attack has time complexity of 2

encryptions and

a memory complexity of (64+ 56)2

≈ 2

Similarly, we apply this to the Merkle-Hellman

attack on our 3-key DES-XEXEXEX variant as de-

scribed in Section 2.1. Starting with 2

PT-CT pairs,

we accept a value of (K

, K

) when ⌈log

176

⌉ =

3 PT-CT pairs are consistent with those keys. This at-

tack expects a time-complexity of 2

153

and memory-

complexity of 2

Therefore, in the case of 2-Key Triple DES and its

variant, we have shown that the time complexity in-

crease in the implementation of the XEXEXEX vari-

ant is 2

, similar to the attacks discussed above.

2.3 Lucks MITM Attack

As for 3-Key Triple DES, Lucks proposes an opti-

mization which reduces the time complexity with in-

creased memory (Lucks, 1998). He presents a variety

of attacks, however, we select the attack with com-

parable requirements to other attacks we present and

which considers DES as an ideal cipher, for fair com-

parison. His most efﬁcient attack involves a set 2

PT-CT pairs (p

, c

), . . . (p

, c

) and a second set

S ⊂ { 0, 1}

and |S| = 2

. Due to the complexity of

his attack, we paraphrase his attack below:

1. For a ∈ S, we deﬁne the set M

= {(i, K

) ∈

{1, . . . 2

} × {0, 1}

| E

) = a}, which re-

quires time-complexity of 2

× 2

= 2

2. For b ∈ {0, 1}

, i ∈ {1, . . . 2

}, we deﬁne N

b,i

∈ {0, 1}

| E

(b) = c

}. It can be computed

with complexity 2

× 2

= 2

, by computing

b = E

−1

) for all 2

and for all 2

, and

placing K

into the corresponding set N

b,i

3. For K

∈ { 0, 1}

, a ∈ Sm, search for N

b,i

such that

−1

(a) = b. Then, for (K

, a, b) where (i, K

) ∈

, K

∈ N

b,i

, enter (K

, K

) into a hash table.

4. When some (K

, K

) has entered the hash ta-

ble twice, we test the set of keys with 1 other val-

ues of (p

, c

). Notice that this is sufﬁcient since

we accept the keys when ⌈log

168

⌉ = 3 PT-CT

pairs are consistent with them.

We refer the reader to (Lucks, 1998) for detailed

calculations to derive the requirements of the attack.

values of a ∈ S, 2

PT-CT pairs, 2

encryptions

and 2

(56) ≈ 2

93.8

memory-complexityare required.

We then attempt to apply this to our 4-Key DES-

XEXEXEX variant. We considered two possible

methods of adapting the attack. The ﬁrst is to sim-

ply repeat the attack by guessing values of K

, and re-

peating this for all values of K

. This would mean that

the time complexity would simply be 2

· 2

= 2

154

single encryptions and memory complexity, reusable

for each K

, will be 2

93.8

bits. Note, though, that as

⌈log

176

⌉ = 4, “tripletest” will now need to test the

candidate keys on two additional PT-CT pairs.

The second method involved, for an arbitrary

(P,C) pair, deﬁne a = E

(p⊕ K

) and b = E

−1

(c⊕

). We then calculate M

a,K

and N

b,i,K

, sets iden-

tical to that which we studied before, but restricted

to each K

. The rest of the attack proceeds by con-

sidering each value of K

individually then searching

for values to “tripletest” (searching for E

−1

(a⊕K

) =

b⊕ K

). However, this would come at the cost of 2

times more memory and would wind down to a com-

parable time complexity because each K

would still

be considered as an individual case. Therefore, with

the ﬁrst method preferable, we can once again report

an additional 2

increase in time complexity of an at-

tack with the addition of the 64-bit K

key.

Note that the Lucks’ attack is inefﬁcient when the

OntheSecurityoftheXORSandwichingParadigmforMultipleKeyedBlockCiphers

307

ﬁrst and third DES encryption make use of the same

key since much recalculation would be done. To this

end, the Merkle-Hellman or Van Oorshot-Wiener at-

tack is much more efﬁcient. Therefore, we did not

consider an application of Lucks’ attack on 2-Key

Triple-DES and our 3-Key variant of it as part of our

study.

3 RELATED-KEY ATTACKS

We also consider their security under Related-Key at-

tacks, something which is posited to be not as purely

theoretical as it seems in recent years (Phan, 2004).

3.1 Kelsey-Wagner-Schneier

Related-Key Attack

We begin with the original Kelsey-Wagner-Schneier

Related-Key Attack (J. Kelsey and Wagner, 1996).

This attack on Triple-DES involves a known PT-CT

pair, (P,C) encrypted on unknown keys (K

, K

)

and the resultant ciphertext being decrypted under

keys (K

⊕ ∆, K

, K

), where ∆ is known, to arrive at

′

. Then, a exhaustive search can be done for K

since

(P) = E

⊕∆

′

). From here, a MITM attack can

be performed on the remaining two keys, similar to

that which is performed on double-DES. Notice that

this will require approximately 3(2

) ≈ 2

57.6

encryp-

tions and 2

memory complexity. Note that since

⌈log

168

⌉ = 3, we would also need to test resultant

pairs against 2 other known PT-CT values.

A similar attack can be arranged for 4-Key DES-

XEXEXEX, given related keys (K

, K

) and

⊕ ∆, K

, K

). A known PT-CT pair is en-

crypted on the former and the resultant ciphertext

decrypted on the latter. This allows us to do a ex-

haustive search on combinations of (K

, K

), and con-

duct a MITM attack to ﬁnd possible (K

, K

) for

each candidate (K

, K

). Notice that we will ac-

cept a combination of keys if it is consistent over

⌈log

232

⌉ = 4 PT-CT pairs. We expect a time com-

plexity of 2

121

encryptions and a memory complexity

of 2

(56 + 64) = 63. This attack is not applicable

to 2-Key Triple-DES and our 3-Key DES-XEXEXEX

variant.

3.2 Choi et al. Related-key Attack

Given that a chosen-plaintext attack is considered un-

feasible at present (van Oorschot and Wiener, 1991),

a chosen-CT attack is even less useful. In this re-

gard, most studies look to the known PT-CT attack

presented by Choi et al (Choi et al., 1996) as diagram-

matically represented below (Figure 4).

With 2

known PT-CT pairs encrypted under

the keys and another 2

known PT-CT pairs en-

crypted under the Related-Keys, we search for col-

lisions as indicated by the arrows. For 2-Key Triple

DES, we search for (P,C), (P

′

) and K

such that

(P) = E

⊕∆

′

) and E

−1

⊕∆

′

) are

both satisﬁed. For 3-Key Triple DES, we search for

(P,C), (P

′

) and K

such that E

(P) = E

⊕∆

′

)

and C = C

′

. We expect to exist by the Birthday Para-

dox. With these candidates, we do a MITM search

for the remaining keys. We will accept the keys when

they are consistent across ⌈log

168

⌉ = 3 PT-CT

pairs for Three-Key Triple-DES and ⌈log

112

⌉ = 2

PT-CT pairs for Two-Key Triple-DES.

Figure 4: RK attacks on 2-Key Triple DES and 3-Key Triple

DES.

This has an expected time complexity of 2

en-

cryptions and a memory complexity of 2

for 2-

Key Triple-DES. For 3-Key Triple-DES, this is a

time complexity of 2

57.6

single encryptions and 2

of memory complexity (Choi et al., 1996).

Extending this to our XEXEXEX variants, we

make use of the key-relation (K

, K

) and

, K

⊕ ∆, K

, K

) or (K

, K

) and (K

, K

⊕

∆, K

). As before, there is the solution of simply re-

peating the entire attack for all guesses of K

, modi-

fying the collision search to include the relevant XOR

functions. This will leave us with identical memory

complexity for both attacks and a time complexity of

153

encryptions for 3-Key DES-XEXEXEX and 2

121

for 4-Key DES-XEXEXEX. Notice, however, that we

would only accept a set of keys after ⌈log

212

⌉ = 4

PT-CT pairs are consistent with the results. However,

we present an alternative here, which might occur as

SECRYPT2013-InternationalConferenceonSecurityandCryptography

308

Figure 5: Alternate RK attacks on DES-XEXEXEX vari-

ants.

a logical extension to a reader (Figure 5).

For both DES-XEXEXEX variants, we search

among 2

known PT-CT pairs encrypted under keys

, K

) or (K

, K

) and their Related-

Keys, (K

, K

⊕ ∆, K

) and (K

, K

⊕ ∆, K

, K

). We

instead guess all (K

, K

) and search for a (P,C) pair

such that E

(P⊕K

) = E

⊕∆

′

⊕K

) and E

−1

(C⊕

) = E

−1

⊕∆

′

⊕ K

), in the case of 3-Key DES-

XEXEXEX, and that E

(P⊕ K

) = E

⊕∆

′

⊕ K

)

and C = C

′

, in the case of 4-Key DES-XEXEXEX.

We then do a exhaustive search for the remaining

keys. However, this wastefully computes and stores

all encryptions of all possibilities of K

, in memory,

without performing better than the ﬁrst method.

3.3 Vaudenay RK Attack

The RK attack proposed by Vaudenay (Vaudenay,

2011) on Three-Key Triple-DES notes that if we

were to encrypt a plaintext, P, according to keys

, K

) then decrypt the ciphertext according to

Related-Keys φ(K

, K

) = (K

, K

) to give a

second ciphertext, C. This allows us to yield the fol-

lowing relation: (E

◦ E

−1

)

(P) = C. From this, we

streamline a list of plaintexts, x, which yield “ﬁxed

points” where (E

−1

(x)) = x under keysK

, K

With candidate K

, K

proposed, and the respective x,

we can then do a exhaustive search for K

Vaudenay presents an attack based on known PT-

CT pairs and another based on Broadcast Known

Plaintexts (BKP). However, since we are more inter-

ested in comparing Triple-DES to our variants, and

not so much on comparing the results of various at-

tacks, we will study the BKP variant and acknowledge

that our results can be trivially adapted to the known

Plaintext variant of Vaudenay’s attack.

We refer the reader to Vaudenay’s report (Vau-

denay, 2011) for the exact procedure of Vaudenay’s

rather complex attack and calculations of complexity.

For 3-Key Triple-DES, he propose n = 3, (number

of pairs of Related-Keys), meaning we will encrypt

known PT-CT pairs under K, φ(K), K ⊕ ∆

, φ(K ⊕

∆

), K ⊕ ∆

, φ(K ⊕ ∆

) with known ∆

, ∆

. Thus,

we require 2

BKP and R

, the expected number of

wrong keys that are considered in the second part of

the attack, is approximately 2

−1.72

, yielding an ex-

pected time complexity of 2

· 3 ≈ 2

58.6

and an ex-

pected memory complexity of approximately 2

As for Two-Key Triple-DES, we instead consider

Encryption of some plaintext P by keys (K

, K

) and

decryption of the ciphertext by Related-Keys (K

, K

)

to giveC. This yields the equation (E

◦ E

−1

)

(P) =

C. Fixed points of the same form as above are sieved

out. However,wrong key-guessesare easily discarded

by a consistency check, meaning n = 1. This requires

BKP and yields a time complexity of 2

57.6

single

encryptions and a memory complexity of 2

The purpose of ﬁnding ﬁxed points in this attack

is to be able to consider the behaviour of a subset of

the keys. In this case, it is that of K

, by requiring

that the plaintext which enters the encryption scheme

be identical to the ciphertext before it is encrypted by

. In the case of 2-Key Triple DES, the same thing

is achieved for the last K

. This is done by exploiting

the second DES function in the encryption scheme be-

ing a decryption and the speciﬁc key relation. Notice,

however, that in an XEXEXEX variant, if we hold the

guessed K

constant, whether we perform iterations

of encryptions, decryptions or some combination of

the two, the identical XOR function performed after

the triple-encryption and the start of the second triple

encryption will cancel out. However, the XOR func-

tions between the encryptions are not affected. This

means that the resultant function will not be repeating

in the way that we were able to achieve in Vaudenay’s

attack since the encryptions can no longer take on a

consistent pattern.

However, consider instead 2

(P,C⊕ K

) values,

for some guessed K

. We can then attack 3-Key

DES-XEXEXE by guessing all possible K

. Simi-

larly, by guessing K

, we can compute 2

(P ⊕ K

)

values for each K

and attack 4-Key DES-EXEXEX.

To this end, notice that now we can perform the

same combination, of an encryption and decryption,

on P to arrive at C, with Related Keys (K

, K

)

and (K

, K

) for the 3-Key Variant as well as

for (K

, K

) and (K

, K

) for the 4-Key

OntheSecurityoftheXORSandwichingParadigmforMultipleKeyedBlockCiphers

309

variant. Deﬁne a function, x ⊕ K

= f(x), then, we

can arrive at equations similar to those above where

( f ◦ E

◦ f ◦E

−1

)

(P) = C for the 3-Key Variant and

( f ◦ E

◦ f ◦ E

−1

)

(P) = C for the 4-Key Variant.

Notice then that we need to change the value of n

(number of pairs of K, φ(K) we consider) since key-

length has been increased, in 4-Key DES-EXEXEX.

We therefore have the following calculations (adapted

from (Vaudenay, 2011), Section 3.1, pg 5-6):

First, we calculate the expected f n

∗

, the number

of lists with an odd number of ﬁxed points. Let n = 6,

E(n

∗

) = 1+ (n− 1)

1− e

−

≈ 2.94 (1)

Then, we have that there are 2

2(56)+(64)

possible

combinations of keys but an equation to satisfy on

(2.94)(64) bits. This gives us the respective value

of R

(expected number of wrong keys in R given n

Related-Key pairs) as:

≈ 2

2(56)+(64)−(2.94)(64)

= 2

−12.16

(2)

Notice that the value of n does not impact the

choice to repeat the entire attack 2 times (i.e. N

unrelated to n so long as a > 0). Therefore, with an

identical success rate, we require 6(2

64+1

) ≈ 2

BKP.

The only difference in the time complexity which

sees a 2

increase in the calculations to arrive at a

ﬁxed point, since each K

must be guessed separately.

Note that the XOR functions to derive each set of

(P,C⊕K

) or (P⊕ K

,C) values are assumed to be of

negligible complexity. This has a time complexity of

2(2· 2

56+64

+ 2

· 2

−12.16

) + 2

≈ 2

122

encryptions.

Memory can be reused for each guess of K

, there-

fore, we have that the memory complexity is 2

For the Three-Key DES-XEXEXE, we can adopt

the same method of ﬁnding ﬁxed points, however, as

in the original attack on Two-Key Triple-DES, take

n = 1. This has time complexity of 4(2

56+64

) = 2

122

encryptions and a memory complexity of 2

Notice that in both these cases, the time complex-

ities are comparable to that of the attack we con-

sidered on DES-XEXEXEX. This, we realized, is

because Vaudenay’s attacks on DES-EXEXEX and

DES-XEXEXE involve guessing each K

in turn, re-

turning to an attack very reminiscent of that of DES-

XEXEXEX. This makes the memory space 2

times

less, and reduces the required value of n, other in-

dicators that the attack is identical in nature. There-

fore, we have shown the robustness of our method of

strengthening Triple-DES, in that, even if RK attacks

such as Vaudenay’sattack could be more than trivially

applied, we still achieve a 2

complexity increase for

the 64-bits of added keylength.

3.4 Phan RK Attack

Phan’s RK slide-attack can be applied to both the 2-

Key and the 3-Key Triple Encryption effectively, as

discussed in his paper (Phan, 2004). We refer the

reader to his paper for the exact details of each attack.

With 2

PT-CT pairs each for the original key

and the Related-Key, we can expect 1 pair with the

desired relation by the Birthday Paradox. The ﬁrst

set of encryptions (for all possible K

on all values

of P) dominates the time complexity, meaning that

· 2

= 2

single-DES encryptions are required

for the attack. The memory complexity is also domi-

nated by this step, 2

· (56+ 64+ 64) ≈ 2

In the 3-Key Triple DES, we consider PT-

CT pairs encrypted under the keys (K

, K

)

and (K

, K

). We then search for (P,C), en-

crypted under (K

, K

) and (P

′

) encrypted un-

der (K

, K

) such that C

′

= E

(P) and C =

′

). Once again, we obtain 2

PT-CT pairs for

each set of keys and create a list of candidates for K

by encrypting each P and decrypting each C accord-

ing to each K

. Those satisfying the collision con-

ditions give candidate values for K

. This, as he re-

ports, requires 2

DES encryptions and a memory

complexity of 2

· (64+ 64) = 2

Notice that an exhaustive search for K

, K

via a

traditional MITM attack applies once K

has been

determined. This can be achieved with 2

memory

complexity by portioning the 2

candidates for K

into sets of 2

values, a separate MITM attack is then

performed using an exhaustive key-search for K

and

matching against possible ciphertext values given for

each group. The total time complexity of this search

should be2

(56−32)

· (2

) = 2

, negligible in compar-

ison to the time-complexity of the main attack.

Similar to our analysis in other sections of this pa-

per, to achievea time-complexity lower than 2

times

that of the original attack, the attack must segment

the keys into two mutually exclusive groups. No-

tice that should be attempt a slide attack on either

DES-XEXEXEX variant, to isolate one or more en-

cryptions, XOR functions both inside and outside the

shared segment of the encryption scheme encryption

under the pair of Related-Keys must follow, making

them not mutually exclusive. Therefore, our focus

turns to the search for a method for the Phan attack

to achieve this complexity.

For this, we obtain 2 sets of 2

PT-CT pairs, en-

crypted under (K

, K

), denoted (P

∗

), and

, K

), denoted (P

′∗

). We guess a par-

ticular K

and XOR all 2

PT-CT pairs by it, to arrive

at (P,C) = (P

∗

⊕ K

∗

⊕ K

) and (P

′

) = (P

′∗

⊕

′∗

⊕ K

), which is of negligible time-complexity.

SECRYPT2013-InternationalConferenceonSecurityandCryptography

310

Table 1: Summary of Complexities for MITM and RK Attacks on Triple-Encryptions and DES-XEXEXEX variants.

Encryption Attack PT-CT Pairs Time Memory

Scheme Requirement (Encryptions) (bits)

3K Triple-DES MITM 3 Known 2

113

3K Triple-DES Lucks 2

Known 2

93.8

3K Triple-DES Kelsey et. al 1 Chosen-Decryption 2

2 Known

3K Triple-DES Choi et. al 2

RK-Known 2

3K Triple-DES Vaudenay 2

RK-BKP 2

58.6

3K Triple-DES Phan 2

RK-Known 2

4K DES-XEXEXEX MITM 4 Known 2

177

4K DES-XEXEXEX Lucks 2

Known 2

154

93.8

4K DES-XEXEXEX Kelsey et. al 1 Chosen-Decryption 2

121

2 Known

4K DES-XEXEXEX Choi et. al 2

RK-Known 2

121

4K DES-XEXEXEX Vaudenay 2

RK-BKP 2

122

4K DES-XEXEXEX Phan 2

RK-Known 2

152

2K Triple-DES MITM 2 Known 2

113

Negligible

2K Triple-DES Merkle-Hellman 2

Chosen 2

57.6

2K Triple-DES Oorschot-Wiener 2

Known 2

2K Triple-DES Choi et. al 2

RK-Known 2

2K Triple-DES Vaudenay 2

RK-Known 2

57.6

2K Triple-DES Phan 2

RK-Known 2

3K DES-XEXEXEX MITM 3 Known 2

177

Negligible

3K DES-XEXEXEX Merkle-Hellman 2

120

Chosen 2

117

3K DES-XEXEXEX Oorshot-Wiener 2

Known 2

153

3K DES-XEXEXEX Choi et. al 2

RK-Known 2

153

3K DES-XEXEXEX Vaudenay 2

RK-Known 2

121

3K DES-XEXEXEX Phan 2

RK-Known 2

152

Then, the attack can proceed as diagrammatically dis-

played below (Figure 6). This yields an identical

memory complexity and a time complexity of 2

144

encryptions for 4-Key DES-XEXEXEX and 2

152

en-

cryptions for 3-Key DES-XEXEXEX.

4 CONCLUSIONS

The merits of the 3-Key and 4-Key DES-XEXEXEX

variants in strengthening Triple-DES against known

MITM and RK attacks have been extensively shown.

Due to the fact that we employ the XOR function, us-

ing the same key, across the entire encryption scheme,

we have arrived at a cipher which cannot readily be

portioned into segments with independent keys to be

attacked separately. These results are summarized in

Table 1. For a key-extension of 64-bits, we see a

strengthening of the cipher by a complexity of 2

. In

addition, the XOR function involves negligible com-

putation, thereby not affecting the implementation of

Figure 6: Phan attacks on 4-Key DES-EXEXEX and 3-Key

DES-XEXEXE.

the cipher. 3-Key or 4-Key Quadruple-DES is an ex-

ample of an intuitive solution that does not satisfy

these conditions.

Our contribution is useful to employing multiple-

OntheSecurityoftheXORSandwichingParadigmforMultipleKeyedBlockCiphers

311

encryption structures with insufﬁcient security af-

forded by its key-length. Beyond DES, similar results

will be obtained in application to any block cipher,

meaning, for a cipher with block-size n, we achieve a

increase in security for a n-bit key-length increase.

Recent literature, such as (Phan, 2004) and (Kil-

ian and Rogaway, 1996) support moving away from

XOR to addition modulo 64. This is because the in-

verse function of XOR is itself, whereas addition is

not symmetrical, invalidating some attacks. However,

Phan presents an attack that is applicable to DES-+

and not DES-X (Phan, 2004). Our brief study into

DES - +E+E+E+ models for Triple-Encryption re-

vealed similar results to DES-XEXEXEX with the

exception of the Vaudenay attack. Future work can

study addition in relation to this in more detail.

Also, we considered a general t + 1-key DES-

(XE)

X encryption scheme and we believe that sim-

ilar attacks can be applied to show that a 2

increase

in security is achieved. However, more research can

be done on this to study the signiﬁcance of this in-

crease as t increases, as well as other schemes involv-

ing less or more than t + 1 keys.

REFERENCES

Choi, J., Kim, J., Sung, J., Lee, S., and J.Lim (1996).

Related-key and meet-in-the-middle attacks on triple-

des and des-exe. In Proceedings of the 2005 interna-

tional conference on Computational Science and Its

Applications - Volume Part II. Springer-Verlag.

J. Kelsey, B. S. and Wagner, D. (1996). Key-schedule cryp-

toanalysis of idea, g-des, gost, safer, and triple-des. In

Proceedings of the 16th Annual International Cryptol-

ogy Conference on Advances in Cryptology. Springer-

Verlag.

Kilian, J. and Rogaway, P. (1996). How to protect des

against exhaustive key search. In Proceedings of the

16th Annual International Cryptology Conference on

Advances in Cryptology. Springer-Verlag.

Lucks, S. (1998). Attacking triple encryption. In Proceed-

ings of the 5th International Workshop on Fast Soft-

ware Encryption. Springer-Verlag.

Merkle, R. and Hellman, M. (1981). On the security of

multiple encryption.

Phan, R. (2004). Related-key and meet-in-the-middle at-

tacks on triple-des and des-exe. In In Topics in Cryp-

tology - The Cryptographer’s Track at RSA Confer-

ence (CT-RSA ’04). Springer.

van Oorschot, C. and Wiener, M. (1991). Related-key at-

tack against triple encryption based on ﬁxed points.

In Proceedings of the workshop on the theory and ap-

plication of cryptographic techniques on Advances in

cryptology. Springer-Verlag New York, Inc.

Vaudenay, S. (2011). Related-key attack against triple

encryption based on ﬁxed points. In SECRYPT.

SCITEPRESS.

SECRYPT2013-InternationalConferenceonSecurityandCryptography

312