 okay thank you a lot for the presentation so yeah okay so we all know the the setting of single encryption where we have a block cipher which encrypts n-bit plain text to n-bit cipher text with the key k and we assume for simplicity that the k is also n-bit n-bits long and the associated cryptanalytic problem is as follows so we are given a list of plain text cipher text pairs p1 c1 p2 c2 etc and our goal is to find all the keys k such that the encryption of p1 under k equals c1 the encryption of p2 under k equals c2 and so forth now the trivial algorithm to do this is exhaustive search so basically you iterate over all keys all possible values of k and for each one you test whether they satisfy this condition and this requires time of 2 to the n and a negligible amount of memory okay now you may not be satisfied with an n-bit key and you may want to consider double encryption and here what we have is we have a two independent keys k1 and k2 and you encrypt p the plain text p by encrypting it using k1 and you obtain an intermediate encryption value of x you encrypt it using k2 and you obtain the cipher text and this was a suggested the following concerns about the small key sizes of this uh about 30 or more years ago and but following shortly after afterwards miracle and helman in 1981 proposed a meet in the middle attack would show that the security of double encryption is not quite what people thought so the attack is quite simple it goes as follow so for each basically we iterate over all the possible values of k1 for each one of them we partially encrypt p1 and store the suggestion for the intermediate intermediate encryption value x in the list uh which we sort according to x and then we basically do the same for the bottom part of the cipher so we partially so for each value of k2 we partially decrypt c1 using k2 we match uh with the uh sorted list and then we test uh the the full key uh using the remain we're remaining plain things uh plain text cipher text pairs and this has time of two to the end which is uh right which is the same as for single encryption but requires memory of two also a memory of two to the end so basically uh you have the two to the two of exhaustive search and you shift some of the of the time into memory and you obtain this this trade off okay so shortly after this attack then people naturally started looking at triple encryption and here you have three independent keys k1 k2 and k3 and you encrypt p using k1 then with k2 then with k3 and in fact the triple DES was used as the encryption standard for a few years and it is even even used today in the banking industry um so what about security so a trivial extension of the attack the two round attack that we just saw uh can break it and time two to the two n and memory two to the n this is simply by guessing a one round key and applying the two round attack and this is still the best known attack on uh triple uh encryption uh that is known today okay so what we'll do in this talk is consider a straightforward generalization of double and triple encryption we'll consider the general problem of r for encryption uh where you encrypt p using uh k independent keys k1 to kr sorry using r independent keys k1 up to kr okay so what about security so uh it is very easy to adapt the meat in the middle attack to attack uh the r-fold encryption and time t and memory n such that their product is equal to two to the rn which is the number of possible keys that we have in our scheme and we'll denote it by capital n okay and uh I don't know if you would have asked me a year ago and I think you have gotten the same answer for most crypto for most recover for most cryptographers then uh I think uh yeah I would have told you that this is probably the best that you can do with these types of algorithms uh well it turns out that it is not because some some interesting things start happening already with r equals four so with our equals four we have an improved attack uh which requires a memory of two to the n so the attack is quite simple and it is based on the uh on uh I mean it's first uh a major step is is to guess uh the intermediate value of x2 which is defined by the encryption of p1 using k1 and k2 so basically we have an outer loop that iterates over all these values and for each one of these values we do the following so let's concentrate on the top part here so given p1 and x2 we can obtain two to the n suggestions for k1 and k2 using the two round attack uh the standard two round meet in the middle attack okay and for each such suggestion okay we partially encrypt p2 and obtain a suggestion for y2 which we sort which we sort in a store in in the list according the the list is sorted according to y2 okay so this was the top part of the cipher and for the bottom we basically do the same so um given x2 and c1 we obtain two to the n suggestions for k3 and k4 using our two round meet in the middle attack and then the next step is to obtain a suggestion for y2 by partially decrypting c2 and matching with the list and then we obtain a suggestion for the full key and we tested using p using the remaining plain text uh cipher text pairs and this requires time two to the two n and why is that well each one of these steps requires two to the n time and it is repeated two to the i mean we repeat these steps two to the n time so the time is roughly two to the two n and the memory is about uh uh two to the n okay and actually we obtain the same parameters with same say optimal parameters as we obtained for triple encryption which is seems quite surprising because i mean we added another round key but actually in some way we did not even increase the security so this is uh in some sense a bit surprising okay so we saw that interesting things start happening already with r equals four okay so we obtained a product of t of an m which is equal to two to the three n instead of two to the four n which you would expect by the classical algorithms so uh okay we ask ourselves of course what happens when we increase our further um so we want first at least to to uh to simplify our life by fixing m to be two to the n and we try to minimize the running time of the algorithm okay and this is the situation that uh this is uh the what we obtained from uh the classical meeting the middle algorithms but i just showed you that for r equals four we can do it in time two to the two n instead of two to the three n and this carries over to r equals five because you can basically guess one round key and apply the four round attack and you obtain the time complexity of two to the three n and so forth so for r equals six and for r equals seven you can do in two to the five n and and and so on but uh actually this is also not optimal so actually for r equals seven you can do better than two to the five n now this is really surprising um i think in my opinion this is probably the most surprising result um because we saw that interesting things happen when r equals two because we get the same time complexity as r equals one we saw that you know an interesting thing happened when r equals four so i would have guessed that the next you know magic number is r equals eight but i don't know just you know i'm computer scientist but it actually happens with r equals seven and uh yeah i don't know if it just is really striking okay so let's see the attack the attack is actually very simple okay so what we do is we split the seven round cypher cypher into a top round with sorry into two parts with the the top part has three rounds and the bottom has four four rounds okay and we guess two intermediate encryption values in the middle and then obviously we apply our three round attack to the to the top portion and we obtain two to the n suggestions for the key okay and we have two to the n memory so we store them all we can store them all as we usually do however for the bottom part we would like to apply a four round attack but we have only you can see that we have four n bits of key and we have two n bits of constraints so the four round attack if we try to apply it will return us two to the two n keys and we don't have enough memory to store them however the the main observation here which is quite simple is that we don't really need to store them we can actually apply the four round attack and test the remaining keys the suggested keys on the fly okay matching it with the upper part okay so this is quite simple but i think equally surprising okay so for as the analysis we have an outer loop which requires two which is iterated two to the two n times and for each such iteration the top three round attack requires two to the two n time the bottom four round attack also two to the two n time and so the total complexity as two to the four n instead of two to the six in which you obtained by the classical algorithms okay so we obtain a product of t of t and m which is equal to the five n instead of two to the seven n okay of course now we would like to see what happens next okay so we saw that our seven round attack divide the cypher asymmetrically into a top and bottom part so we saw that this was the situation before i introduced the seven round attack and and now we know that these numbers we can we have an attack with these numbers on seven and eight round and it turns out that the the the techniques that are just presented can be extended recursively by dividing the cypher asymmetrically into sub cypher and what we obtain is some kind of a magic sequence of turning points which we have which we already know four and seven and we continue by eleven sixteen twenty two and and so forth and the algorithm becomes increasingly more efficient compared to the standard meet in the middle techniques so for example for r equals four we have two to the two n compared to two to the three n so the difference here is uh is n between the exponents and for r equals seven the difference is two n for i equals eleven it is three n and so forth okay and if you do the asymptotic analysis you get the asymptotic time complexity of the algorithm is two to the n times r minus a factor of square root of two r which is about what we gain compared to the standard meet in the middle attacks okay and i don't i have time to show this but the algorithm basically generalized generalized to any amount of memory okay so you might ask yourselves where does the asymmetry come from because most uh recursive algorithms try to divide the problem in a symmetric way in order to avoid bottlenecks however here there is built in asymmetry between the top and the bottom uh ciphers because in the top part we store all the suggestions and memory and so at most two to the n suggestions one we must remain however in the bottom part we can check the keys on the fly so in terms of memory there's actually no restriction on the number of course we will pay in terms of time because we still need to enumerate them but there is no restriction in terms of memory so in some sense it is better to have more rounds in the bottom part that is why we obtain such asymmetric uh uh divisions of the decipher okay so we obtained a new class of algorithms which we call uh dissection algorithms and why is that because we have a visual picture in mind where we perform a cuts of different sizes in different places in the encryption structure and apply this is looks kind of like a dissection i don't know about you but yeah okay so okay so we saw that our dissection algorithms um are applicable to uh r-fold encryption and uh but it turns out that they are in in fact applicable to a more uh more general set of problems which we call composite problems and composite problem is defined as follows so we are given an initial value and the final value of of a cascade of r steps and in each step we know that uh we have a limited set of transformation that transformations that can be applied to the value and our goal is to find out which transformation was applied in each step and we want to find all the possible solutions and clearly our our fold encryption is a composite problem but it is not the only composite problem there are many more and one one more composite problem and a quite famous one which has been studied for many many years is the knapsack problem so the knapsack problem is defined as follows so we have an a list of n generators a1 to an each one of n bits and a target uh integer of s and we would like to find uh a subset of the generators which sums to s and we uh we uh define the vector epsilon as an indicator for the subset which is a epsilon is of course a n-bit Boolean vector okay so how can we apply our uh techniques to knapsack where the first step would be to represent it as a block cipher and how do we do that it is quite simple so given an arbitrary n-bit plain text p and uh in the subset epsilon which functions as the key how do we encrypt p well we simply add to it the corresponding generators indicated by the subset and we obtain some cipher text c okay and uh by fixing the plain text to be zero and the cipher text to be s then this knapsack problem reduces to recovering the key of the block cipher okay given one plain text cipher text pair okay so let's see how we how we uh represent the knapsack problem as a multiple encryption so let's uh let's focus in our fold encryption of course there is nothing special about four but uh this is just for the sake of uh just for the example so uh we split the knapsack into four independent knapsacks which sum up to s and the situation I mean the the image that we have now is is is this we split the generators accordingly and the intermediate encryption value xi is defined as the sum of the knapsack up to up to that point okay so we've split our knapsack into four however there is a problem since in our fold encryption right we have our small uh plain text and it is easy to guess intermediate encryption values okay efficiently I mean we because the key is is of much larger size but here we have one big plain text and we cannot guess intermediate encryption values because guessing them is as uh cost as much as guessing the key so what we must do is is we must split the block cipher also in a vertical way like this we split into n divide by four bit blocks however this introduces another problem since now there is dependency between the vertical chunks through addition carries okay there are carries propagating throughout the block cipher which causes dependencies between the chunks and in order to process such a vertical chunk over an encryption if you want we we must know the carries but the solution to this is actually quite simple so when we apply our dissection algorithms we simply process the the blocks in their natural order from right to left and so when we come to when we come to process a block sorry uh not a block but a vertical chunk okay we already know the carries that are required in order to do so okay so the conclusion is basically that we can apply our techniques to the knapsack algorithm for any r i mean four is not really a special number okay and we choose r according to the amount of memory that we have in order to optimize the running time of our dissection algorithms and what we obtain is a time memory curve which looks like this okay this is our curve and let's concentrate first on on these two uh previous attacks so this is a classical algorithm of Chopin Shamir from 81 which corresponds to this point here and it was extended a year ago by becker corn and jude to this dashed line here and we uh using our dissection techniques are able to improve this this line and we obtain this line here and we also extend it all the way to zero here so if you if you look carefully you'll see that the the numbers here are exactly the the magic sequence the the numbers of the magic sequence that i saw that we saw in the in the previous slides so let's uh for a second zooming on on m equals uh one seventh what what this basically means that when we have a memory which is equal to capital N to the one seventh okay then we want to divide our our knapsack problem into seven and apply our seven round encryption that i presented and we will obtain a time complexity of uh capital N to the power of four divided by seven and this is exactly the point here okay and uh this basically goes uh i mean this is basically the case for all the points and we in our paper show how to connect the points in a straight line okay so we saw that knapsack is one composite problems to which we can apply our techniques but there are other uh problems and one problem one classical problem is rubik's cube again this is very general and classical problems but there are other problems another problem is the matching phase for example in rebound attacks and the more perhaps relevant uh uh uh yeah the most relevant problem is card shuffling and and of course there are many more okay um just one last comment before i conclude so um until now we should we we consider only uh algorithms i did not explicitly mention this but we considered only algorithms that are guaranteed to return all solutions um however in the second half of the paper we show how to combine our techniques with a probabilistic algorithm of parallel collision search and using this uh combination which is very involved and of course i don't have time to present that uh we obtained significantly improved attacks where the amount of memory is very small okay so uh few conclusions so we improved our best known the best known algorithms for multiple encryption and our techniques allow us to to improve the best known uh algorithm for uh the the famous knapsack problems with a relatively small amount of memory and there are also uh the techniques are also applicable to other composite problems which have nothing to do with the cryptography okay but many open issues remain just name a few so uh our our results optimal in particular can you improve our seven round attack maybe you can uh another open problem is to prove lower bounds for composite problems and particularly we don't know how to uh prove the uh what seems to be trivial that the time is equal to the square root of capital n we don't even know how to prove that uh another interesting open problem is well our algorithm uses the smallest number of plain text cypher text pairs that are required in order to to recover the key but can you improve the attacks using maybe a bit more data and of course we want to find additional applications for our the section algorithms okay and that will be all thank you