 We spoke about the data encryption standard. We tried to illustrate the concepts using a very small example, simplified desks to illustrate the operations that are used. And we saw that quite easy operations, permutations, substitution boxes, exclusive ore. That's about it. Lookups on S boxes, rearrange and exclusive ore, but we combine them. Simplified desks was two rounds, real desks expands up to 16 rounds. And real desks is considered secure from the perspective of the algorithm design. The algorithm is considered secure. The primary limitation is that the key with real desks is so small or is small such that a brute force attack is possible. Because there's only 56 bits that the attacker needs to guess, so they need to make two to the power of 56 attempts, and that's easy to do in today's computers. So that's the problem with real desks. Well, that leads to a potential idea for a solution. Why don't we just encrypt and use the same algorithm, but use a longer key? And a simple way to do that is to encrypt your plaintext using desks, using one key, and then encrypt the output again using a different key, such that the attacker needs to guess both keys. So instead of having to guess a 56-bit key, they now have to guess a 112-bit value, and that's not possible with a brute force attack. So that's the concept of double desks, and it can be applied to other ciphers as well. So assuming we know that desks, the algorithm, is good, we'd like to be able to reuse that same algorithm, not have to design a new one, not have to create new implementations. Reuse it, but effectively expand the key length, and that's the idea of a double desk. So we'll go through an example of double desk, and we'll see it's not a good idea. So we'll try and illustrate why that's the case. And double desks is not a good idea, we'll see why, and therefore people come up with triple desks. The concept of double desks, or double encryption, for any cipher, you want to encrypt some plaintext using your algorithm, desk, for example. You choose a key, K1 here. You encrypt that plaintext with your cipher, and you get some ciphertext as output. But we'll denote that as X. And for double encryption, we take that output value, and then encrypt that using the same algorithm, desk, but in this case, a different key. We use K2. So the user, they choose K1 and K2, and how do we choose keys? When you choose a key for encryption with symmetric key encryption, how do you choose that key? I ask you to choose a 56-bit value, how are you gonna choose it? Just tell me some value, randomly. Important that the key is chosen randomly because if it's not chosen randomly, maybe it's chosen because you convert your name from ASCII into binary, and you use that as your key. Well, that's not random, and the attacker can guess that much easier than a brute force attack. So we always assume that the symmetric key algorithms, the keys chosen are random values. So the user chooses K1 and K2 for desk, that means they choose effectively two 56-bit values. The ciphertext that comes out is C, the input plaintext was P, this intermediate value we can delete, we don't need that. And the ciphertext that comes out is just as secure as we did applying the single encryption, the desk. So we don't lose any security from encrypting twice. What we gain here is that the brute force attack is no longer possible because the attacker must guess both K1 and K2. That's the idea. And now that's a value which is effectively 112 bits, and that's not possible with brute force. To decrypt, just do the opposite. You take your ciphertext, decrypt with one of the second key, get the intermediate value, decrypt with the first key and you get the plaintext. So that's the normal operation. This operation of encrypting twice builds upon our similar concepts we saw with classical ciphers. Apply operations multiple times adds to security. So it's a good approach. But the problem with encrypting multiple times is it takes more time to do so. The performance goes down. It turns out that there's a significant problem in this approach in that there's an attack that's possible which is called a meet in the middle attack. We'll go through that attack with our simple five-bit block cipher that we have on that handout to show how it's performed and then compare the performance of a meet in the middle attack versus a brute force attack. We wanna see if I do a brute force attack how long would it take? If I did a meet in the middle attack how long would it take? And a successful attack would be one that takes less time than brute force. So let's go through that. So we're not gonna use real desk. We're going to use our example cipher here. So let's just illustrate the concepts. For this cipher we have a five-bit plaintext block coming in, a five-bit plaintext ciphertext block coming out and a three-bit key. So we could draw that, just draw it up the top saying that our simple cipher can someone give it a name? Give our cipher a name? Bob, okay. Plaintext comes in and our cipher, I need some space, sorry. Bob, that's the name of our cipher. It's not desk. It takes a key in and produces ciphertext that comes out. The length of those in our case are five bits. The key is three bits and the ciphertext is five bits. That's the single version of our cipher, Bob. That's the normal operation. From the perspective of a brute force attack, what's the worst case time to break Bob? So we do a brute force. What's the worst case number of operations I need to break this? Eight, why eight? Two to the power of three, our key is three bits. We have eight possible values, two to the power of three possible values. What if I replace Bob with desk on our drawer? But let's say we just changed the algorithm. Do you remember the key length or the effective key length in desk? The effective key length, 56. The actual key that you choose is 64 bits or eight of the bits are unused in encryption. So we'll say 56 bits here because in practice, the attacker needs to try and find those 56 bits only. So with 56 bits, with desk, a brute force, worst case, two to the power of 56, that's a six. We'll just keep track of both of them. We'll go through the simple example and compare. So that's the normal case. Of course, our simple cipher is subject to a brute force attack. And in fact, desk today is considered subject to a brute force attack. 56 bits is not long enough. So the concept of a double cipher, double encryption, we take our plain text in, we apply our cipher. We use one key to encrypt that. We'll get a value that comes out. We'll denote as x, some intermediate value. And then we take that and encrypt that again. But this time using a different key. Same cipher, different key, and get cipher text out. Still same lengths for our simple cipher bob. Five bits of plain text. X value will also be five bits. C is five bits. The keys each are three bits. So just apply the cipher twice. Note if we take a plain text, we get some x that comes out. X should be random with respect to the plain text. That's the idea of the encryption. That is, we'll get a different value out. Then we encrypt that different value. We should get another random value output. So we'll get a secure cipher text. Now we use two different keys. The chooser chooses those two keys. So effectively the user chooses a six bit key. They choose a six bit random value. The first three bits will be used for the first step. The second three bits used for the second step. Let's call this double bob. We've applied bob twice, brute force. What's a brute force attack on double bob bank? Two to the power of six operations. Again, the attacker has to guess both values of k one and k two if they wanna do brute force. So six bits to guess. Two to the power of six operations. Similar with double desks. How many bits? Well, we expand our key from 56 up to 112 bits. We just use two different keys, or two random keys. With double desks, a brute force would take two to the power of 112 operations. And if you look up, if you go back to that table, we gave some example times for brute force attacks. You'll see that with computers today, that's probably not possible. If we try to do calculations of how fast computers are, if you had thousands of computers, it's still gonna take many years to do a brute force attack. So that's the idea. Make a brute force attack not possible. Let's see why we can try a different attack to still defeat double desks. And the attack is called meet in the middle. What we will do, we will assume that the attacker has a pair of plain text ciphertext. That is, this attack requires the attacker to have a little bit of extra information to work. The assumption is that the attacker knows from some past encryption by the user, they know plain text and the corresponding ciphertext. So knowing a ciphertext is easy. Intercept and you learn the ciphertext. But we also assume that they know what was the plain text for that case. They don't know the key, but they know one pair of plain text ciphertext where the ciphertext was obtained using the Bob encryption algorithm using some secret key, K1 and K2. We want to find K1 and K2. How can our user or our attacker know a pair of ciphertext and plain text without knowing the key? What we need is somehow that let's say we can learn ciphertext easy, intercept. How do we learn the plain text? Well, the idea of encryption is we can't learn the plain text if we don't have the key. We don't have the key. How can we assume that the attacker knows the plain text? Well, it may be in some cases possible. Sometimes the ciphertext is encrypted and it only needs to stay encrypted for a certain period of time. Maybe the plain text is released publicly later. Okay, so let's say I encrypt a message, I send the ciphertext to someone. The message only makes sense for one day. After two days, it doesn't matter if someone knows what the plain text message is. So the attacker may discover this old ciphertext corresponds with this plain text value. A simple example of that. Let's say the plain text message is the coordinates of where the military is going to bomb someplace, okay? So the headquarters of the military send the exact GPS coordinates. You need to bomb this location. They send it to the plane that's gonna bomb them and they bomb that location. The attacker, of course, they don't send the coordinates in plain text. They send them encrypted so that if someone intercepts they can't learn where they're going to bomb that location. So the attacker sees the ciphertext. They can't find the plain text, fine. But tomorrow, after they know that that location was bombed, they know the ciphertext and they know the coordinates of where it was bombed because it was actually bombed. So now they know the corresponding plain text with that ciphertext because that information was only really valid for up until the time that the bomb was hit the ground. So that's an extreme example but there's other cases where it's possible for the attacker to learn the plain text even if they don't have the key. So let's assume that they do. And I'll give you a pair. Let's, we'll use our table to do the encryption. Our meet in the middle attack. This attack assumes that the attacker knows a plain text ciphertext pair. And I'll give you one. And in fact, in practice, when we apply this attack to real desks, usually not just one pair that they have to know, they may need to know a set of pairs, more than one. And at the end, we'll analyze and see how many. Let's give you a second one just in case we need it. This is known by the attacker, another pair. What that means is that the attacker knows that when P1 is encrypted, we get C1. When we use keys K1 and K2, but we don't know the keys K1 and K2. The goal of the attack is to find the keys K1 and K2. They also know using those same two key values, encrypting the value of P2 gives C2. So this is learnt by the attacker in advance. They need this to be successful. Given that, now they start the meet in the middle attack. And it's quite simple. What they do, given one of the pairs that they know, say with the first pair, they take the plain text P1 and they do a brute force on that plain text using the single version of the cipher, Bob, and find all possible potential values that come out of that. That is what they're gonna do in the picture is they know P1, they're going to encrypt P1 with every possible key. They don't know K1, so let's try all possible values. We'll get multiple values of X coming out, potential values, not necessarily the correct one, but possible values and we'll store them. And then what we'll do is we'll take the known cipher text C1 and go backwards. That is we know what C1 is, we know what P1 was that we started with. We don't know K1 or K2. After we try for all possible values of K1 on P, we get potential values of X, then with the cipher text C1, we decrypt that with possible values of K2. And the idea is that if we know that P1 produced C1 as output, if you encrypt P1 with the correct key, you'll get some X value, and if you decrypt C1 with the correct key, you'll get the same X value. It must be the same because otherwise they wouldn't have produced that correct pair. So what we do is once we know the potential values of the X in one direction, we work backwards and see if we find a matching X from the cipher text. If we do, then that's a potential key pair. If it's not a match, then it's definitely not the correct key. So we'll try that. The first step, a brute force attack on P1 using our cipher bob and the key K1 is three bits. So we need to try eight possible keys. So the meat in the middle attack, we're going to start with P1 and encrypt with the eight possible keys. I'll list them, we know what they are. And we're going to get eight intermediate values of X. So look up in the table. Given plain text, 011, 01, key 0, 0, 0, what comes out for our cipher bob? Let's simply look up in the table, write it down, and then do it for the other keys. So we need to try it for all possible keys here. This is a brute force on the single version of our cipher. Quick, won't take long to find the answer. Eight values of X. How do they know the plain text? We set an example. There are some examples where the text is known. And because the message was only secret for a short period of time, then maybe the plain text is released later. Maybe the plain text was a message to say, buy these stocks in Apple, buy a thousand shares of Apple at this time, at this price, that was encrypted. Once they're bought the next day, then it's no longer to stay encrypted because if someone sees that you've bought them, after you've already bought them, you may not want to keep them secret. You want to keep it secret before you buy them so that someone doesn't know you're going to purchase stocks, for example. So some information, the plain text, is only need to be secret for a short period of time. If that's the case, then the attacker may discover that plain text. What do you get? Write down your values. Good. Look up your table and find out the values of X, which is just the ciphertext that comes out of our a bit block cipher. Eight keys, what was ours? Plain text, 0, 1, 1, 0, 1. 0, 1, 1. Here's our plain text. Encrypt with the first key and we get this value as output. The second key, the next column and so on. So we just get these eight values as output here. Let's write them down. And I'll give them values, I'll say it's X. The first value of X, 1, 1. We'll give these eight potential values of X. This we'll call X, 1, 8. Keep track of how many operations we do. Because at the end we need to count how many operations do we do in total or in a typical case and compare it to brute force attack. Here we've encrypted our plain text eight times. So the number of operations is eight or two to the power of three. It depends upon the key length here. Now, we give these eight values, we store them in memory. So we have to save them. And then the next step is that with the corresponding ciphertext C1, we decrypt that with potential key values. We know C1, it was given to us, five ones. So decrypt with the potential keys, see what we get. This was X, 1. We're gonna get another X value here, X, 2. What we do is we take this ciphertext, decrypt with our first possible key. We don't know what the value of the key is. We try this one. What do we get? Look up the table. Five ones decrypted with key 0, 0, 0. We did it before. So decrypt those values as you go. Find the cipher page 107 and decrypt the value 1111 with the key 0, 0. What do we get for the first value of X? 1, 0, 0, 0, 1. We did that before. Let's just check that. The key was three zeros. The ciphertext, five ones, which is here. Decrypt this and you get 1, 0, 0, 0, 1. And then we do that for the next key. This is the X value, X, 2, 1, we'll denote it as. And you keep going with the other keys. You'll tell me if I write down any errors. This is our last value. So the first stage, encrypt the plaintext with all possible keys. The second stage, take the corresponding known ciphertext for that plaintext that we started with, c1, and decrypt that with what we did with all possible keys. We'll come back later and sometimes we may not need to do all possible keys in the second phase, but we will do that. So in our block model, what we did, p1 encrypted with eight keys, get potential values of X, X1, so X1, 1, X1, 2, up to X1, 8. With c1, decrypt with all possible keys, K2, and get X2, X2, 1, X2, 2, and so on. And we know if we've got the correct K1 and K2, then the X value should match. X1 should equal X2 because we know that X is the intermediate value when we encrypt to get the ciphertext. So this tells us what are the potential values of K1 and K2. And it's quite easy to see. We look at the values where the X are the same on both sides. Does this value, X1, 1, match any of these? Find, see if you find this value in this set. Actually, we'll do it the other way. We'll try with X2 first because that's what's done in practice. Does 1, 0, 0, 0, 1 appear in the first set of X values? No, it's not there. Okay, so the next value. Does this appear in the first set? Check carefully. No, it's not there. The third one? No. Fourth one? Are we unlucky today? Fifth one? Yes, that's there somewhere. There's a match there. We know that if we've used the right keys of K1 and K2, when the potential values of K1 are those that we used when we obtained X1 and the potential values of K2 are those values of the key we used when we obtained X2. So we know if we've used the correct values of K1 and K2, the X values must match. Here we find a match. Any other matches? Which ones? The last value of X2 matches two different places. And that's possible. All the others don't match, which means that the potential values of K1 and K2, well, there are three potential values, three pairs. K1 could be the value we used to get X1, 2, 0, 0, 1, and K2 could be the value we used to get X2, 5, which was 1, 0, 0. So that's a potential key pair. We're actually looking for the entire six bits, but I'll write it down as a pair of keys. K1, K2, we're trying to find. The first potential values are 0, 0, 1 and 1, 0, 0. But there's other potential values, 0, 1, 1 with 1, 1, 1 and the last one 1, 0, 0. So the attacker now knows that the keys used by the user are one of those three pairs. We want to know exactly which one. How do we find out? Try print a new message. Well, in fact, I gave you a second one because I knew that's what we would need here. If the attacker has a second plain-text ciphertext pair, like the one given here, they can check which of those three potential key values, if we take our plain-text 2, 1, 1, 0, 0, 1, encrypt with potential value of K1, you get X, encrypt that with a potential value of K2, if you get this ciphertext value, then you're very confident that it's the correct one, maybe not for sure. If you don't get it, you know it's not the correct key. Try it. See which of these three potential values are correct or which are incorrect. If there's only one left over, that's the correct value. That is, encrypt P2 with K1 and K2, 0, 1, 0, 0, 1, 0, 0 and the potential value. Try it. It's your tool to look up. Start with 1, 1, 0, 0, 1, P2, and we'll try this first potential values of the keys. If we use K1 as 0, 0, 1, what does the value of X become? Encrypt this value of the plain-text with this key, what's X? If you look up in the table, all zeros, 5 zeros, good. Now take that X value and encrypt it with the value of K2. 1, 1, what's K2 is the other value in the pair. We're using this pair first. We'll try that. And when we do that, we get ciphertexts and 1, 1, 0, 1, 1. Does that match the expected value of ciphertext? Yes, it does. So this key pair that we just tried is a potential correct key pair. We don't know for sure. Maybe there's still others that are also potentially correct. One way to find out is to try the others. So do the same with the second key pair, 0, 1, 1. Get a value of X and then the second one, 3, 1s. And to be complete, we'll try with the last one. All we're doing here is encrypting using our lookup table. Using the table of the 5-bit block supper, we know the plain text in, we know the key, find the output, and then take that as the plain text in the next step with the key, find the output, and see what you get. And then check whether the ciphertext values you get out match the known correct value. The known correct value was given in our pair. We know c2 should be this value. Well, we got it here. Here we get 1, 0, 1, 1, 1 out. We try key 1, 1, 1, and you get 1, 0, 1, 0, 0, 0 out. This is the wrong key pair. We know for sure now that this key pair is not the correct one, because it doesn't give us the right ciphertext value. And we try the last one, and we get a ciphertext value that also doesn't match. And that gets us to the end. We now, of those three potential key pairs of k1 and k2, we tried them all using our second known plain text ciphertext pair. And we found that two of them don't work. Only one of them works, and that tells us that the correct values of k1 and k2 are the first pair. k1 is 0, 0, 1, and k2 is 1, 0, 0. That's the answer. We found the key for the double version of our cipherbob. We count the number of operations we did with a single version of Bob. How many encrypts or decrypts did we do? Count them. In the first phase, we did a brute force attack on the key. We did eight operations, 2 to the power of 3. The next phase, we actually did another eight operations, this time decrypt. But generally with ciphers, encrypt and decrypt take about the same time with block ciphers. So we count them as an eight operations. So we've got 16 operations. And then in the last set of checks, we did 1, 2, 3, 4, 5, 6, another 6 operations, another 6 encrypts or decrypts, just to check those three pairs. So a total of 22 operations in this case. We have to do these eight. We have to do a brute force here, 2 to the power of 3. We did it again, but going backwards, another 2 to the power of 3. And in this case, we have three potential pairs. So we need to do another 6 to check. We won't always get three potential pairs. Sometimes we'll get just one. And therefore, we don't need to check. We've already found the correct key. Sometimes we'll get more than one. So we will need to check. So the main contribution to the number of operations is doing the first two steps. We have to do the brute force here, 2 to the power of 3 always. What we can do when we look at the real desk is that we don't even need to do all 2 to the power of 3 here sometimes. What we may do is if we find, let's say in this case, if we found the first matching pair after five operations, then check that with another pair. And the probabilities work when you have a large number of keys, like desk, when there's many possible values. The probability that the key pair that we find works for two or even three plain-text-cyphotax pairs is very, very low if it's incorrect. That is, if we find a match, very high chance we've got the correct one. Here, because there's only eight to choose from, it's possible to get different possible values. But with desk, the chance of getting multiple and then doing it again and getting multiple is very, very low. So we can actually cut down the number of operations by stopping once we find a correct pair. Even if you do them all, 2 to the power of 3 plus 2 to the power of 3 plus another 6 here. So we've got 2 to the power of 3 two times at least, this meet in the middle attack. Let's write down some of the numbers to compare with brute force. On our version of double bob, in that case, it took us 2 to the power of 3 plus another 2 to the power of 3 plus, in our case, another 6, 22 in that case. Our brute force on double bob would have took 32. So we've done better than doing a brute force attack. Brute force tried all 32 keys. 2 to the power of 6. 64, well done. 2 to the power of 5 is 32, even better. Brute force requires 2 to the power of 6 operations. 64 operations, we did it in 22. So we only checked at the end of the cyber square. We only checked when we have multiple potential values of the key, like in this case, we had three potential values. So we did 2 to the power of 3. We did another 2 to the power of 3 operations. Now we have three possible values. So we checked those three only, another six operations. We'll come back to that in a moment. Let's summarize the numbers. So with a brute force on double bob, it would have took 64 operations. Here, meat in the middle, in our specific case, took 22. We're about three times faster than a brute force attack, a third of the number of operations. So that's good. That's where this attack is better than brute force, because we can find the key in less time. In double desk, we must do a brute force attack on the single version. So there's 2 to the power of 56. And then worst case, we need to do another 2 to the power of 56. Similarly here, we did 2 to the power of 3 in crypts from one direction, 2 to the power of 3 of decrypts from the other direction. So we do two brute force attacks, plus some others. In the same here, we had plus six. How many do we plus here? Depends upon how many matches we get. Here we had six. There were three matches. If we have 1,000 matches here, we have plus 2,000. But compared to 2 to the power of 56, 2 to the power of 56 is billions and billions. So the number that we plus on the end is, in most cases, almost zero, so small, plus something, which is approximately, if this is very small compared to 2 to the power of 56, what do we get? If this is zero, so 2 to the power of 56 plus 2 to the power of 56, 2 to the power of 57. 2 times 2 to the power of 56. Brute force on single desk takes 2 to the power of 56 operations. Brute force on double desk takes 2 to the power of 112 operations. Meat in the middle attack on double desk takes about 2 to the power of 57 operations. It's about 2 times slower than breaking single desk. In other words, if you can break single desk in one day, you can break double desk using meat in the middle attack in two days, which is insignificant from the attacker's perspective. If I can break something in one day, then if I want to break double desk in one day as well, I just spend twice as much money on my computers. So that's why we say that the double desk is not much more secure than single desk. It's about the same. 2 times better. So that's why double desk or double encryption in general, it's not just for desk. Double encryption like this is not a good approach. It doesn't help, but it doesn't help by much. So the meat in the middle attack means that we shouldn't just do double encryption to extend the key length. You can try triple encryption, one then another then another. And it turns out that that does make it harder for the attack and because you can't go back from either end points because there's two X values in the middle. So first, let's summarize on meat in the middle attack. In terms of number of operations, what we do, a brute force on the first key value, K1, and then a brute force on the second key value. So equivalent to two brute force attacks and then possibly a few other operations just to check, but usually a very small number compared to a brute force attack. So it takes about two times as time to break as a brute force attack on desk using a meat in the middle attack. Now there's some ways to improve that. The brute force attack on K2, again with desk, you usually don't have to try all 2 to the power of 56 because as soon as you find a match, you can confirm that match with another pair and you have very high probability that you've got the correct key pair. So in fact, usually it's closer to just 2 to the power of 56. Coming back to our specific example, what's the problem with our meat in the middle attack from the attacker's perspective? What do we need to know or what do we need to do to make this attack work? We know that the user hasn't changed his key, so that's OK. We assume that the normal user is using the same key for every plaintext that they encrypt. We'll come back to that later. A good policy, therefore, is to change your key, but here they're using the same key. What's the problem from the attacker's perspective? For this to work, the attacker needed to know a pair of plaintext ciphertext. They needed to know 2 in our case. So there's one issue. Somehow they must discover this plaintext ciphertext pair in advance. So this attack depends upon the attacker knowing some information in advance. So that's one limitation. Another maybe more practical limitation is that when they do first brute force on K1, they get these eight values of x. What they must do is they store those eight values because when they're doing the next brute force, they compare the generator value of x2 with those eight values of x1. Go through and check, see which one's matched, and if you do get a match, you've got a potential key pair. With des, the number of x values, how many? x1, how many do we need to store? With Bob, we store 2 to the power of 3 values of x1, that first column. With des, we'd have 2 to the power of 56 values of x1. So with des, we'd need to store 2 to the power of 56 values of x1. Then when we go through to find x2, we compare with those 2 to the power of 56 values. Next one, compare and find the possible matches. The limitation here is the storage. 2 to the power of 56 values, how many bytes? Store 2 to the power of 56. In des, how big would x be? In our cipher, x was 5 bits, a 5-bit block. In des, it uses a 64-bit block. 2 to the power of 56, 64-bit blocks. We need to store them on disk or in memory. 64 bits is 8 bytes, times 2 to the power of 56. That's the number of bytes that we need. Megabytes, gigabytes, terabytes. Only 576,000 terabytes. What's above terabytes? Pedabytes, isn't it? P, I think, above T. But a hard disk, we measure in terabytes. So we need about half a million hard disks of 1 terabyte hard disks to store this information in an attack. Here's a practical limitation of the meat in the middle attack. You need a lot of storage space to store that first set of answers and then compare against them, approximately. And we must know multiple, usually multiple, plain text, cipher text pairs. So for the attack to be successful, the number of operations is twice as many as a single-desk brute force attack. But we must store a lot of information to do the attack and we must know multiple plain text, cipher text pairs in advance to be successful. Even though that storage space may be considered not practical today, there may be ways to reduce it or to cut down on how much we store. And the double-desk is not considered a good design because of the meat in the middle attack. And this was known and people, therefore, designed triple desks. Encrypt, encrypt, encrypt, three times. And you can't take the plain text and the cipher text and go back to get the same point. So you can't meet in the middle in that case. So triple desks is considered secure. That's the steps of meat in the middle attack. Triple encryption. There's no one point in the middle. If we start with the plain text or the cipher text, we can't do a single brute force to get back to the same point. If we start with P, we do brute force on K1, we end up with A. If we start with C and go backwards, we end up with B. We can't compare them because they will be different. Whereas with double version, they should be the same. So it doesn't help them. Now triple encryption is used in different ways in practice. Triple desks. This picture is using just two values of the key, K1 and K2. So there's no K3. You use K1 again at the last step. You can use K1, K2, and a third one, K3. So triple desks does three encryption operations. But you can choose whether you use two desk keys or three desk keys, depending on what you want for security. Two keys gives us effectively 112 bits, three keys 168 bits. In practice, triple desks wasn't encrypt encrypt encrypt. It could be. It would be fine. It would encrypt decrypt encrypt, which gives us the same security, but has the advantage of if you set K1 and K2 to be the same, you've revert back to single desks. The point was that you could use triple desks and it would be backwards compatible with single desks by just using the same key value. But that was just a practical implementation issue. So triple desks overcomes the problem of the meat in the middle attack. And it's still used today. Any questions on our attack, on the principles or on the specifics of how the attack was performed? Let's almost have a break, but not yet. There was one slide you missed in the first lecture. Does anyone remember which slide we skipped over and I said I'd come back to? We just come back to double encryption then, so we've come back to this. We talked about AES, mentioned others. Here, note, how do we compare ciphers? How do we compare attacks? We compare with respect to the number of operations to perform the attack. That's one thing. That's the measure of time, the number of operations. We compared brute force on double desks, two to the power of 112 operations, meat in the middle attack on double desks, two to the power of 57 operations. So that's a comparison. If we can take less operations, we say it's a better attack. But we also compare on other factors. How much storage space is needed to do the attack? Speed is the number of operations. If we assume we have the same amount of compute power then to compare two attacks, it's how many operations are needed in crypt or decrypt. But storage is another factor. So some attacks have less operations but may require much more storage. So that's an issue. And when people compare attacks, they look at those factors. And the third thing mainly is how much information is necessary to be known by the attacker. In advance, with double desks, meat in the middle attack, the attacker must know some plain tech, cypher tech spares. So when people compare attacks, they consider those three factors. Operations, which is a measure of time, storage space and what's known in advance to be able to evaluate what are good attacks. There is a slide on the first lecture that we've missed and we'll come back to it after the break. So we'll have a break and then return and look at the next topic. We looked at the meat in the middle attack on using double encryption. So we've seen an example of a specific attack. You may hear of, so sometimes it may be abbreviated, meat in the middle, M-I-T-M. But there's another attack called man in the middle attack, M-I-T-M as well. And in fact, if in press or in news, you'll often hear about, and we'll see in a later topic, what a man in the middle attack is, it's different than meat in the middle attack. So don't confuse them. We will cover man in the middle in a later topic. When this attack, we saw that in theory, it can be done in about the same number of operations as a brute force attack on single deaths. So the number of operations is not many more or just twice as many as a brute force on single deaths. We know brute force on single deaths is possible today. So therefore we assume meat in the middle on double deaths is possible today, from the number of operations. But we also measure attacks in terms of the amount of known information. It turns out that if you have several pairs of plain text, cipher text known in advance, even though there are multiple matches of potential values of keys in the first operation, after a few more pairs you can get it down that there'll be almost always just one pair left. So it's quick to find the correct key. So the amount of known information is a measure of the attack and the amount of storage space. And the last slide in this set that we will briefly mention is just comparing against some known ciphers deaths, triple deaths, AES with different key lengths. There are some theoretical attacks on each and at least some of the best known attacks. And the important point is that the performance of attacks is measured in terms of three main resources. The amount of time it takes to do the attack, which we count as the number of operations. And in operations we talk about encrypt or decrypt because in terms of implementation, encrypt and decrypt take the most time. Comparing something to a table, so checking if this value is in a table, it takes your CPU time to do that. But we don't count that as an operation because compared to doing a encrypt or decrypt, table comparison or table lookup is very fast comparing to the encrypt operation. So we count the number of encrypts or decrypts. That's a measure of time. It gives us an indicator of time. But we also care about how much space we use. So the amount of memory, whether it's random access memory or stored on disk, different attacks require different amount of storage. And the last thing is how much known data we have in advance. How many pairs of plain tech cipher decks do we know to do this attack? So the best known attack on desk is brute force. Key space is two to the power of 56. The worst case time is two to the power of 56 operations. It doesn't matter about memory. We don't need any memory for this. We don't need any known data. Brute force attack, you just do all the keys. You don't need to save the old ones. You need memory to implement it, but not to save a large amount of data. Triple desk, the man, sorry, I'm confused. Meet in the middle attack, MITM, meet in the middle attack that we just did. Now the key space here, two to the power of 168 assumes it's a three different keys, K1, K2, K3. Two to the power of 168 possible keys. We said the meet in the middle attack is not possible in that you have to come from both sides and you don't actually meet in the middle. You can do it multiple steps to try and cut down on the number of operations needed. And the best known is the number of operations is about two to the power of 112. Two times two to the power of, no, two to the power of 56. 56 bits doubled and two to the power of 112, but you can cut down by half of that is the best known implementation, which is like what we saw. But that's on triple desk, not double desk. Double desk will be about two to the power of 56 operations. So two to the power of 111 is today considered secure. That is to take the time it takes to do that many operations is years, centuries on current compute capabilities. So considered secure. The amount of memory for such an attack, they need about two to the power of 56 items to be stored, whether it's bytes or bits, it doesn't matter. It's still, as we saw, thousands of terabytes, very large. You don't need much known data in that. There's another attack on triple desk done by Lux and others, which takes a little bit more time than meet in the middle attack. Four times as much time, two to the power of 111 up to two to the power of 113 is a factor of four. Takes four times longer, it needs much more memory. And it needs a lot of known data, about four billion in values of plain text, cipher text. In our meet in the middle attack, we saw we had two pairs of P1, C1, P2, C2, just two pairs. This other attack requires about four billion pairs. So somehow the attacker must discover that. So the more known data, the harder it is for the attacker. AES is considered secure, it allows for 128 bit key or 256 bit key. There are theoretical attacks on AES. A brute force attack on AES takes about two, or takes two to the power of 128 operations. This by click attack takes about two to the power of 126.1 operations. Again, about four times faster than brute force. So if brute force takes a thousand centuries, then this attack takes 25 centuries. Still you don't gain much. So the time is not much different from brute force attack. A factor of four is nothing in terms of security here. It requires a small amount of memory, but it requires a large amount of known plain text, cipher text pairs at the start. So that's practically impossible to get that information. Correct, that is known data is the number, think of the number of pairs of plain text, cipher text that we have up front to do this attack. With our meet in the middle on, on our simple double bob cipher, we needed two pairs, two to the power of one pairs. Here they need two to the power of 88 pairs. Now there's types of known data we'll talk about shortly, but a large number, not possible in practice. Similar on AES 256, it's not much better than a brute force attack, and it requires a lot of known data to do the attack. So there are no known attacks on AES that are considered practical. And it's envisaged that that would be the case for a long time in the future. The last thing, and it's the slide that we skipped in an earlier topic was what known data. We can classify what the attacker needs to know. In our attack, we needed to know a plain text, cipher text pair. The attacker actually needed to know two. So we always know the cipher text, that's easy, but we assume somehow we knew the corresponding plain text as well. There are several variations on that, and if we return back to one of our first topics on classical encryption techniques, there was one slide we skipped over which is worth just mentioning here. I'll just go back to give you the context. When we talk about the attacker, we said the attacker wants to find the plain text or the key, what's known by the attacker, they know the cipher text, they know the algorithm, and sometimes we assume that they know some plain text cipher text pairs, and we've just seen that in the meat or the middle attack. Well, there's different classification of what's known. So what is known to the attacker, there's different names given to the information known. So we can say, and just to let people know, this is on page where, which page number? In the print at handouts. What's the slide? The page 32, right, printed 32 page, page 32. Just this one slide. So attacks can be classified as, by these five criteria based on what's known. So a cipher text only attack is an attack that can be performed if the attacker knows the cipher text only, and of course the encryption algorithm. So that's always assumed. We always assume the attacker knows the algorithm and the cipher text. If an attacker can defeat that algorithm using just that information, then it's not a good algorithm. It's not a good cipher. So a brute force attack is a cipher text only attack. You just decrypt the cipher text with a key, and you see if the plain text is correct and keep going. So if a cipher is subject to a cipher text only attack, and if that cipher is defeated, that is the user, the attacker finds the key, then that's a weak cipher. That's the standard, the lowest level. But sometimes attacks assume that the attacker knows some information. We saw that with me to the middle. We saw that we assumed, as well as the algorithm and the cipher text, the attacker had one or more plain text cipher text pairs. So we'd say that meet in the middle attack was in the class of a known plain text attack. The attacker needed to know some plain text for it to work. If they didn't know it, they couldn't do the meet in the middle attack. Now there's some variations on that. Sometimes the attacker can choose the specific type of plain text that they want to do the attack. That is, in the meet in the middle attack, we just needed to know any pair of plain text cipher text. Maybe I'd intercepted the cipher text and later discovered the plain text, or maybe I'd had cipher text encrypted for me with a key which I didn't know. Whereas a chosen plain text attack involves the attacker choosing a particular plain text message, choosing a value, and getting the user to encrypt that and generate some cipher text. So this is usually a little bit harder for the attacker to do. Somehow they need to choose a specific plain text. They would choose a plain text that makes it easier to break the cipher. So some plain text may lead to making it easier to try and find what the key is. So what they do is choose such a plain text and then somehow get the user to encrypt that using a secret key so they learn the cipher text. Again, they know the pair of plain text cipher text but they specifically chose that plain text to help in their attack. That makes it easier for the attacker in some cases. Chosen cipher text is similar. The attacker got to choose some cipher text. They maybe sent that cipher text to a user, got that user to decrypt to get some plain text and the attacker learned that corresponding plain text. That is, they know again the plain text cipher text pair but they chose the specific cipher text to assist them in the attack. And again, that's difficult in some cases. How does the attacker get you, you as a normal user? Here's some cipher text. Decrypt it with your secret key and then give me the plain text. So it involves some other means to get the attacker to maybe to trick the user into doing that. And that can assist in some attacks. From the attacker's perspective, if we can do that, if we can trick the user to decrypt something I give them and then to give me the plain text, that can help the attacker. The best case from the attacker's perspective if they can do both of the previous two that is choose both plain text and cipher text and get a number of pairs. So this is just to make it clear that different attacks commonly use extra information other than just the cipher text in the algorithm. They use some pairs of plain text and cipher text. And in specific attacks, it can help the attacker if the attacker can choose the plain text or choose the cipher text. So you'll see sometimes classifications of attacks by those five. Good ciphers should protect against all such attacks but in some cases we only require to protect against specific attacks. So that was the one slide we skipped. We've seen an example of known plain text. I don't think we'll see examples of the others later in the course. They are quite complex to go through.