This is from the previous set of lecture notes on the classical ciphers, but generally talked about attacks. And we skipped over one slide and I forgot to come back to it, so now's the time because we mentioned some of the concepts as we move forward. Coming back to an attacker, what they want to do is discover the plain text or the key. Getting the key is better because then, if the other users don't know, you can easily decrypt subsequent ciphertext that you come across. The attacker, we assume, knows ciphertext, so we can obtain the ciphertext and we know the algorithm being used, so that's an assumption. Hiding the algorithm is usually not possible, and adds very little extra security. We'll see today in some attacks where the attacker often makes use of known pairs of plain text ciphertext, and that's what we'll see in some extra attacks, in different attacks. We've mentioned brute force again before, so you know about brute force: try all keys. So you need to know how many keys and how many keys we can try per second to work out how long a brute force attack takes. Cryptanalysis: we've seen some attacks, for example in the quiz, the mono-alphabetic cipher, we can use frequency analysis. That is to take advantage of the fact that the plain text and the ciphertext exhibit similar characteristics in the frequency of letters, digrams and so on. And there are other types of attacks that can be performed on real ciphers. Often, so now moving away from brute force, with the other types of attacks, there are some common techniques which are applied across different ciphers. So there may be attacks specific to one cipher like DES that won't work on AES, but then there may be some general techniques that may work across a set of ciphers. And we're not going to go into any details of those techniques.
Today we'll see one example, we may see a few later, but just to mention some of the methods, the general methods: linear cryptanalysis is really trying to find some, think of some linear equation that relates the ciphertext back to the key and back to the plain text, and solve effectively that equation. It can be very complex. And differential cryptanalysis is looking at differences across different ciphertext values to try and work out how that maps back to a key. We'll see the meet-in-the-middle attack today, that'll become clear. Side channel attacks, and there are others. Side channel is using some outside information to try and determine the key or the plain text. An example, and it's used in a number of systems, is when I encrypt something on my computer, say I've implemented DES and I'm encrypting some data, there are many different operations of DES. We saw simplified DES yesterday, the rounds, the XOR, the permutations and so on. It turns out in some cases if you can measure how long it takes your hardware to do each operation, you can get some extra information and then use that to try and determine the key or plain text. So one example of a side channel attack is actually measuring how long the hardware takes for each operation in the encryption. And because, depending on different keys and different plain text, the operations may take different amounts of time, by analyzing that you can start to work backwards from the ciphertext to a key or plain text. So using extra information, some other information from some other channel. Often attacks are compared against the worst case brute force. So if we can do brute force, then fine, we can defeat the cipher, but often the success of other attacks is compared against, well, how long does it take compared to brute force? We'd like to be faster than brute force. So brute force is the worst case approach.
If we can come up with an attack which is better, faster than brute force, then that's a good thing from an attacker's perspective, defeating the security. So with brute force we normally measure the number of operations. So how many decrypts do we need to do to defeat the cipher, to find the key, for example, which depends entirely on the number of keys, and the time depends upon how long each operation takes. So a cipher with a 64-bit key takes, worst case with brute force, 2 to the power of 64 operations to find the key. So we use a similar metric to measure other attacks. How many operations does it take to find the key? It should be better than brute force if that attack is ever any use. So if a brute force attack takes 2 to the 64 operations and we've got some other attack that takes 2 to the power of 60 operations, then we'd say that's better than brute force and is a weakness in the cipher. But the other thing we'll see the other attacks use is not just that they take many operations, but to work often they require some memory to store information while they're performing the attack. The less memory required, the better it is from the attacker's perspective. And often they require knowledge, the attacker requires knowledge of past pairs of plain-text ciphertext. So the attacker has some ciphertext, trying to find the key. Often attacks assume that the attacker also knows some other ciphertext values, which were produced with the same key from some plain-text, and the attacker knows both the pair of plain-text and ciphertext, but they don't know the key. So how many pairs of plain-text ciphertext, and whether we can choose particular values, has an impact on how we measure how successful an attack is. Some classification of that information known by the attacker, not this slide, is here. What is known? From the attacker's perspective. Let's imagine we're the attacker trying to defeat a cipher.
The worst case for us, well, first, in general, the more information I know, the better it is for me to be able to attack a cipher. So the worst case for the attacker is knowing very little. The worst case is knowing just the ciphertext and the algorithm. We assume in all these cases we know the algorithm, and if we just know the ciphertext, then we need to take that ciphertext and the algorithm and determine the key or the plain-text for that ciphertext. That way we look for the key. But it can be a little bit easier for the attacker if they know some pairs. In addition to the algorithm and ciphertext, they know some pairs of past plain-text ciphertext. Somehow they've discovered some past ciphertext values and the corresponding plain-text, but not the key. So that's what we mean by plain-text ciphertext pairs. Plain-text was encrypted with a key to get a ciphertext. The attacker knows the plain-text and ciphertext, but they don't know the key. They're trying to find that. That information can help the attacker to try and find the key. How do we get a past pair of plain-text ciphertext? Maybe the plain-text became not important and is no longer considered secure and is made available so the attacker can learn the plain-text without knowing the key. The simple example I think I may have mentioned before is that some ciphertext is some information about some event happening in the future. The event will happen at this time, at this location. After the event happens, the attacker knows the ciphertext. They also can determine the plain-text because they know that the event happened at this time and at this position so they can determine what the original plain-text was without knowing the key. So there are a number of cases when the attacker, we assume, knows pairs of plain-text ciphertext. If the attacker can choose what pairs it can learn, it can make the attacker even easier. 
So a known plain-text is the case where the attacker is able to find some plain-text ciphertext pairs. Chosen plain-text is where they've chosen particular plain-text values and found the corresponding ciphertext values. An example, I choose a plain-text value as the attacker and somehow I get the user to encrypt that plain-text with their key and I intercept their ciphertext. So now I know the plain-text and ciphertext. Choosing the plain-text allows the attacker to choose values that may help breaking the cipher by finding weaknesses that depend upon that plain-text. So being able to choose the specific value can help in some attacks. Chosen ciphertext is similar except the attacker gets to choose the ciphertext and can find the corresponding plain-text. Chosen text is when we can have both. The attacker can choose both plain-text and ciphertext and get the other value in the pair. Generally, as we go down, the more information the attacker knows, the greater the chance they can perform a successful attack. With ciphertext only, then it's harder for the attacker. With chosen text, it's generally easier for the attacker. We'd like to design ciphers such that we can defend against any attack, preferably. Even if the attacker knows chosen plain-text, chosen ciphertext, or even chosen text. Sometimes we can defend against all, sometimes just selection. So the more information the attacker knows, generally the easier it is for them to attack. We'll see this come up when we perform an attack in a moment. Well, soon. Hopefully at the end of this lecture. And the last thing that we missed over, how do we measure security? Well, the absolute measure, we can say a cipher is unconditionally secure means it's perfect in terms of security. That is, the ciphertext has no information such that an attacker can find out the correct plain-text or key. So a cipher which is unconditionally secure has that property. 
The only known cipher that is unconditionally secure is the one-time pad. We've seen the example of the one-time pad. Even if we try a brute force attack, given some ciphertext, we cannot determine the correct plain-text or key. So it's perfect in terms of security. It's unconditionally secure. Under no conditions is it insecure. No other ciphers are known to be unconditionally secure. There are conditions in which they are insecure. So therefore, to be practical, to compare ciphers, we talk more about computational security. And in general, a cipher is considered to be computationally secure if the cost of breaking it exceeds the cost of the information encrypted. Or the time required to break exceeds the useful lifetime of that encrypted information. Example: I have 100,000 baht in my bank account. And my password to get access to my bank account is encrypted. And someone finds the encrypted password, some malicious user, a student, and they want to get my 100,000 baht. So they go and they buy many computers and do a brute force attack against my password, and they spend a million baht to find the password. They get the password, they get into my bank account, they steal my 100,000 baht. This information, we'd say, is computationally secure because the value of the information was 100,000 baht for the attacker, but the cost of breaking it was one million. So it costs them more to break it than they get in return. So a simple example of what we need to evaluate: how much is the information worth? That one was easy, but say I encrypt confidential information about trade secrets for my company. I don't want other companies to get that. What's that information worth? It's very hard to put a value on lots of information. So it's hard to put numbers on how much is the information actually worth and how much would it take to break that? How much cost would it take? It's hard to estimate the value of a lot of information. The other one is the exam.
I have the exam on my laptop for the midterm. The midterm is in what, four weeks' time? And I encrypt the exam. You can have the ciphertext. Again, you have all these computers, the lab computers, and you start your attack and it takes you seven weeks to find the exam answers. But the exam's over. You sat the exam. You needed the exam answers in four weeks. It took you seven weeks to get them. So again, in that case, we'd say it's computationally secure because the time required to break the cipher exceeded the useful lifetime of the encrypted exam in that case. Again, it's hard to estimate what the lifetime of some information is. So although the concept is easy, in practice knowing how valuable information is, how long we need to keep it secure, is not easy to predict. And how long it takes to break is again not easy to predict. So the one-time pad is the only unconditionally secure cipher. All others are conditionally secure. So therefore we look at the computational security. How much effort, how much cost or time does it require to break it? And we'll come to some of that when we look at DES. So let's go back to our DES slides, our block cipher. And there's two concepts we skipped there on DES as well. DES and the Feistel structure, and many block ciphers in general, use the concepts of diffusion and confusion. And one of your favorite scientists came up with these concepts, Claude Shannon. Some of you took ITS 323. We saw the Shannon capacity equation about how much information we can send across a channel. Shannon came up with that. Shannon also did a lot of work on security, or the concepts of security. Security and data communications are closely aligned. It's about representing information and getting information in an efficient way from A to B. So there's similar concepts. We'll define the concepts of... With ciphers, we'd like to have a cipher that has diffusion and confusion. What do they mean in simple terms? And just go back.
The Feistel structure, and including DES, use or apply these concepts. So they do have this. Diffusion is spreading out the plaintext when we get the ciphertext. Our plaintext always has some structure. Think of an English phrase or document. There's some structure in the frequency of letters. When we apply our cipher, we'd like that structure to be diffused, to be spread out across the entire ciphertext. So the structure is no longer present in the ciphertext. That's the idea there. So that the structure in the plaintext, or the statistical nature of the plaintext, is reduced in the ciphertext. So preferably it looks random in the end. How to achieve that? Apply permutations or transpositions repeatedly. And then on the input plaintext apply some function to... like a substitution function, in the same way that DES has some basic permutations. We saw those P-boxes. We saw in simplified DES the P10, P8, P4 permutations. But also some S-boxes for substitutions, and repeat each round. So that increases the amount of diffusion of the plaintext. The other part is confusion. Make the relationship between the ciphertext and the key complex, with the intention that even if there is some structure in the ciphertext, so the attacker can find some structure in the ciphertext, that is, some letters occur more frequently than others, it still should be hard to take that ciphertext and find the key. So if that's achieved we've got confusion. So making it hard, given the ciphertext, to find the key. So make the relationship between them very complex. We saw in some of our classical ciphers, once we find the ciphertext the key is easy to find. Once we found the ciphertext on our mono-alphabetic cipher we've automatically got the key. Whereas with DES and other ciphers we'll see even if you find the ciphertext for a given plaintext it's still hard to find the key. And that's the concept of confusion. And it uses some substitution, some complex substitution algorithm.
Non-linear means it's hard to go in the inverse. And in DES the S-boxes implement this. They increase confusion in the cipher. Let's hope it decreases confusion of your knowledge of DES. Let's go through and look at the design characteristics and summarize what we know about DES. We went through an example of simplified DES and then a comparison with real DES. And it's really scaling up. Simplified DES we make simple so we can do an example. Real DES just is more S-boxes, more rounds, larger blocks and so on. But the same concepts and operations. You can look through the details of DES. Again, of course no need to remember these and no need to remember simplified DES operations. So I don't ask you in the exam to remember these S-boxes or this picture or these permutations. You don't need to remember them. The reason we went through this example was for you to see that we're using very simple operations. Permutations, substitutions, but combining them together to get a good cipher. So let's go and look at some design characteristics of DES. Is it good? And one of the measures of seeing how good a cipher is, and it's not just for DES but for others as well, is the avalanche effect. In an avalanche what happens? At the top of the mountain a small thing starts falling, a small rock falls and it knocks more rocks and at the end the whole mountain is falling down. The concept is that with ciphers we'd like to have the avalanche effect with good ciphers, and the effect is that small changes in the input produce large changes in the output. A small change at the start means a large change at the end. And we can look at it from two perspectives, from the input being the plain text or the input being the key. To show that we'll look at two examples here. First, in summary, DES has the avalanche effect, that is, that's good for security. It's considered to be a good design because it exhibits the avalanche effect.
And the next two slides give examples of that. The idea is that we have two different plain text values. They differ by just one bit. If you look, these are in hexadecimal, but in fact it's just the first hexadecimal digit that differs, 0 to 1. In binary just one bit differs in these two input values. So with a small change in inputs, what we'd like is to produce a large change in the output ciphertext. And this shows those changes. So we see after a set of rounds. So we start with plain text, this 0, 2, 4, 6, 8, so on. That's plain text 1. And the one below it, 1, 2, 4, 6, 8, is plain text 2. And of course they differ by just one bit, a single bit difference. And the delta column shows the number of bits that differ. So at the start just one bit differs. And then we encrypt through the different stages of DES. Real DES, not simplified DES. And what this table shows is the output after each round. DES has 16 rounds. So we take the input plain text, we apply round 1, and the output if we encrypt plain text 1 is this 3CF, and the output if we encrypt plain text 2 after round 1 is this 3CF03 and so on. There's only one bit that differs between those two outputs. So a small change in the input so far has only produced a small change in the output. That's not the avalanche effect. But with DES we go through multiple rounds. If we do the second round we get this output, or these two outputs. They differ by five bits. After three rounds we get a difference of 18 bits. Four rounds, 34, and we keep going; after our 16 rounds and our inverse initial permutation, in this specific example 32 bits differ. And that's what we aim for. What we'd like is for two input plain text values which differ by just one bit, when we encrypt both of them using the same key, we'd like the ciphertext values to be completely different. Now remember with DES we use 64 bit blocks, so the output ciphertext 1 and ciphertext 2 are 64 bits in length. What we would like is that the differences are random or appear random.
And on average if you have a 64 bit block we'd like at least half of the bits to be different. 32 would be optimal. It turns out to be 32 in this case but not in all cases. Because, as an example, let's say an 8 bit block. Let's say a ciphertext is... what's a ciphertext value, c2, which is different from c1, significantly different? We have an 8 bit ciphertext value to keep it small. It's significantly different from c1 in this case. So an example ciphertext c1, give me an example ciphertext, right. Let's keep it simple. What's the difference? How many bits? Just one bit differs in this case. So I would say that these are similar. They're not much different. So 8 bits differ. That's significantly different. But now if we have a random ciphertext value, then we'd like on average, if we consider all possible ciphertext values, on average we'd expect half of the bits to change. Because what if we have all the bits change? Then it's just the inverse all the time. Another random value, maybe 8 bits. How many bits differ? 1, 2, 3, 4; just 2 random values, 4 bits differ. On average if we take 2 random ciphertexts we'd like half of the bits to differ. So with DES, which has 64 bits in the block, with an avalanche effect ideally we'd produce half of the bits different after encryption. In this specific instance we do, 32 bits. In other instances it may vary. It's not always the same. So that demonstrates that the avalanche effect is in effect in this example, and it is in general with DES. And it in fact turns out after about round 4 we have this difference of around 32, goes up and down a bit. So maybe we can just encrypt after 4 or 5 rounds and stop with DES. So the number of rounds: generally the more rounds you add, the more secure the output is, but the more time it takes to implement. So it takes time to do this processing.
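The per-round count described above (the delta column) can be reproduced with a short script. This is an added example, not part of the lecture: it uses a toy 16-round Feistel cipher whose round function and key schedule are truncated SHA-256 (a stand-in, not DES's S-boxes, permutations or key schedule), and the key and plaintext values are constructed. It also applies the same count to a one-bit change in the key.

```python
import hashlib

ROUNDS = 16          # same round count as DES; everything else is a stand-in
MASK32 = 0xFFFFFFFF


def subkeys(key: int) -> list:
    """One 32-bit subkey per round (hash-based stand-in key schedule)."""
    raw = key.to_bytes(8, "big")
    return [int.from_bytes(hashlib.sha256(raw + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]


def round_fn(half: int, subkey: int) -> int:
    """Non-linear round function F: truncated SHA-256 instead of DES S-boxes."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt_trace(block: int, key: int) -> list:
    """Return the 64-bit state before round 1 and after each round."""
    left, right = block >> 32, block & MASK32
    states = [block]
    for k in subkeys(key):
        # Feistel round: (L, R) -> (R, L xor F(R, k))
        left, right = right, left ^ round_fn(right, k)
        states.append((left << 32) | right)
    return states


def decrypt(block: int, key: int) -> int:
    """Undo all rounds with the subkeys in reverse order."""
    left, right = block >> 32, block & MASK32
    for k in reversed(subkeys(key)):
        left, right = right ^ round_fn(left, k), left
    return (left << 32) | right


def bit_diff(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def delta_column(trace_a: list, trace_b: list) -> list:
    """Differing bits at the input and after every round."""
    return [bit_diff(a, b) for a, b in zip(trace_a, trace_b)]


def mean_final_delta(block: int, key: int) -> float:
    """Average ciphertext difference over all 64 single-bit plaintext flips."""
    final = encrypt_trace(block, key)[-1]
    total = sum(bit_diff(final, encrypt_trace(block ^ (1 << i), key)[-1])
                for i in range(64))
    return total / 64


# Constructed sample values (not the ones on the lecture slide).
KEY = 0x133457799BBCDFF1
P1 = 0x0123456789ABCDEF
P2 = 0x1123456789ABCDEF   # first hex digit 0 -> 1, so exactly one bit differs


def plaintext_avalanche() -> list:
    """Same key, plaintexts differing in one bit."""
    return delta_column(encrypt_trace(P1, KEY), encrypt_trace(P2, KEY))


def key_avalanche() -> list:
    """Same plaintext, keys differing in one bit."""
    return delta_column(encrypt_trace(P1, KEY), encrypt_trace(P1, KEY ^ 1))


if __name__ == "__main__":
    print("round  delta(plaintext)  delta(key)")
    for rnd, (dp, dk) in enumerate(zip(plaintext_avalanche(), key_avalanche())):
        print(f"{rnd:5d}  {dp:16d}  {dk:10d}")
    print("mean final delta over 64 one-bit flips:", mean_final_delta(P1, KEY))
```

Because the flipped bit sits in the left half, the difference is still one bit after round 1 and only spreads from round 2 onward, the same pattern as in the table discussed above.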
So 16 was chosen as a trade-off of: ok, we see that 4 may be ok in this case, but maybe in other cases we need 5 or 6 rounds, or 16 gives us some more freedom, in case there's some cases which don't have the avalanche effect until 6, 7, 8 rounds, but it's not too many such that it's too slow to implement. So choosing the number of rounds was an important design decision. I've asked in exams or in assignments to measure the avalanche effect of different ciphers and they see some examples later to understand what it means. The second one is the same concept, but take 2 plaintext values which are the same, these 2 values; encrypt 1 with key 1, encrypt the same plaintext with a different key differing just by 1 bit. So going back, the second example is: the plaintexts are the same but the 2 keys that we use to encrypt differ by 1 bit. In the first example the plaintext values differed by 1 bit, the key was the same. And we see in this case where we change the key, again after 6, 7, 8 rounds we're getting close to this, about half the bits are differing in the output; after the entire encryption, 30 in this specific case. On average if we try different values we'd like 32 to be the average difference. So DES has the avalanche effect, which is good, and in fact it is achieved after just several rounds, which means it's likely that the number of rounds of 16 is sufficient; it was a good design choice. What else about DES? The key size is not good. The 64 bit initial key in DES is actually split into two parts. 8 bits used for a parity check but not used in the encryption.
So only 56 bits are used in the encryption, so an attacker really only needs to guess those 56 bits, which means there are 2 to the power 56 possible keys, 7 by 10 to the 16. In 1977 someone designed a machine, they didn't build it, they designed or estimated a machine that would break DES in about 10 hours if it cost 20 million US dollars. So that's what, 40 years ago. In 1998 the Electronic Frontier Foundation built a machine that cost a quarter of a million US dollars and they broke it in 3 days. So a brute force: created hardware to try DES keys, they did it in about 3 days. Today it's considered too short to withstand brute force attacks; 56 bits is not long enough. In general with DES the algorithm is considered secure; the limitation is the key size. So the design: people have done a lot of analysis and they find in most cases it's secure, they can't find weaknesses in the algorithm, but it has the weakness that the key length is too short. So one approach then, because many people had software and hardware that implemented DES, been used a lot, they trust the algorithm: how do we make it more secure? Use it multiple times with a different key each time. Take your plain text, encrypt with DES with a 56 bit key, and that cipher text using DES again with a different 56 bit key, and you get your cipher text, and now effectively you have 2 by 56 bit keys, or 112 bits, and a brute force against 112 bits is considered reasonably secure now. So the concept was to reuse DES by applying it multiple times, and a popular cipher today, although no longer recommended but still widely used, is triple DES. Ignore this 128 bit keys; we'll look in details and see there are different options for the key length of triple DES. Yes, it uses 128 bits, but there are other values; we'll see that here. What else about DES? There are some theoretical attacks on DES: observe how long it takes your hardware to encrypt and decrypt and use that information to try and work out what the original plain text or key was. In theory possible,
in practice very easy to defend against by changing the implementation of DES to have some small variations in how long each operation takes, and that makes these attacks, these timing attacks, almost impossible. There are other attacks by observing how plain text values change over time, looking at the differences; there are some attacks. So remember, brute force in DES is 2 to the power of 56 operations, that's the worst case. With this differential cryptanalysis attack they could get it down to 2 to the power of 47 operations, much better, but it required the attacker to have 2 to the power of 47 plain text values known in advance. So they need to know a lot of plain text in advance for this attack to work, so in practice not very useful. And another one, linear cryptanalysis, got it to about the same number of operations, and they need 2 to the power of 43 known plain text values. The attacker knows a lot of past plain text cipher text pairs, a lot in this case, 2 to the power of 43 pairs, which is what, 100 billion different pairs of cipher text plain text; then they can do attacks on DES which take about 2 to the 47 operations, about 1000 times faster than... still slow. Well, today, nowadays brute force is easy against DES, so because it can be broken in brute force, these attacks, people do not explore them much more, because you just use brute force to break it. Another issue with DES was that originally it was designed in private. The people who designed it were for companies or governments and they didn't tell people how they chose all the values. From real DES, they tell us that we take some bits in, we get some bits out. Why is it chosen this way? Or, the designers chose it to be this way, and there was no original motivation of, well, why did they choose these values, why not some other arrangements? It turns out that people have done analysis and found that even though they don't know the original motivations, if you make small changes in the design it turns out that DES is much less secure. So small changes
in those S-boxes, for example, mean that the avalanche effect is not as good and that there's more weaknesses in DES, which suggests that they chose the design to be strong; they knew about other attacks. So generally DES is considered a good algorithm but poor key length, and definitely not suitable today. What about other ciphers? Triple DES, AES and other block ciphers. So the next move, since DES was considered good, was to apply it multiple times. We'll come back to this, we'll look at double DES and triple DES, come back to these and look at an attack in some detail. But it turned out that even triple DES was considered secure, it was three times as slow as DES, because in fact you apply the same algorithm three times; to encrypt something was three times slower than DES, which wasn't fast in the start. So the Advanced Encryption Standard was developed, designed in the late 90s. The idea was to make it secure, of course, but also to work well on different types of hardware and in software. The Advanced Encryption Standard is used and highly recommended for use today, so it's still considered secure, and it's recommended by the US government, for example, and many people use it in many different implementations: in wireless LAN, in internet communications, in file level encryption, so if you encrypt your hard disk with Windows or your operating system it usually uses AES. So it's very common. It uses 128 bit blocks, with 64 bits, AES 128 bits. It allowed different size keys, 128, 192, 256, so the longer the key the more secure against brute force. It used rounds; depending upon the key length it used different rounds, 10 to 14 different rounds, and used XOR and some other S-boxes and some other arithmetic that was a little bit more complicated than DES, but still considered secure. We're not going to cover the details of AES. We just used DES to show an example of one cipher; the other ciphers we will not go into that detail, we just mention characteristics. But AES is considered a good cipher to use today,
generally considered secure. And others: a list of some, not all, block ciphers, some of the designers, when they were designed, some characteristics, the block size, the key size, the design approach. The Feistel structure is similar to what DES used, those rounds with substitutions, permutations. They all use similar approaches, not the same; some are more secure than others. DES is considered highly recommended. Let's go back to DES, double DES and triple DES. So given DES is considered secure but the key length is too short, the idea to improve it was to apply it multiple times; then you can reuse the software and hardware that already implements DES, and all the experience of using it can be reused. So encrypt multiple times; each time you encrypt, use a different key. Then for a brute force attack the attacker needs to guess all keys you use, and it effectively increases the key length. Turns out double DES is not so good and therefore triple DES was designed. So let's look at why double DES is no good, and also the general concept of double encryption; it's not just double DES. This is the idea: we have some plain text, normally we encrypt using some key and we get output ciphertext, so brute force requires guessing that key. With double encryption we take our plain text, encrypt with one key, get some intermediate value X, then encrypt that intermediate value with the same cipher but using a different key, and then our ciphertext is the output. So the key is actually made up of two parts, K1 and K2, and they are different, so two random keys. So now what an attacker needs to do: effectively our key length has doubled. For a brute force attack they need to guess both values, they need to try all values, and therefore if K1 is 56 bits and K2 is a different 56 bits then the attacker for a brute force attack needs to try 112 bits, that is 2 to the power of 112 operations. So that was the idea of double encryption, but it turns out it has a severe weakness and we'll use an example to go through that weakness to
show how that weakness arises. And the example, you have one in your handouts, is another one which is a little bit more interesting, so take one of these and pass along. It's a cipher, but a block cipher we'll use as an example. You don't need to do other courses, you can do other courses at other times. Try and solve this. A few more. Just give this to you; I'll show it on the screen and explain what it is first. What is this? Let's say our cipher that we've designed, it's a 5 bit block cipher, that is, the block of plain text is 5 bits. We take 5 bits of plain text, we'll apply our cipher, we'll get 5 bits of cipher text as the output. So a 5 bit block in this case to keep it small, and we've got a 3 bit key. So the way to read this table is that with a 5 bit input block there are 32 possible plain text inputs, 2 to the power of 5, and I've listed them here on the left column. And then what I've done is said that, ok, if we're using this particular key, in the next columns the key's up the top, 0 0 0 for example, if we take the cipher text 5 zeros 0 0 0 the output cipher text will be 0 0 0 1. If I used a different key, for example 1 1 1 here in the last column, encrypt the same plain text, the output cipher text will be 1 1 1 0 1. That's the right way to read this table: plain text input, different keys along the top, and the corresponding cipher text we'll get out of our cipher when we use that key. I've just randomly created this arrangement. In each of these columns I just randomly mixed them up. If you check you'll see that this column with a key 0 0 0, the 32 values here is just a random arrangement of the 32 possible plain text values, so we have a reversible mapping. We don't map one plain text to more than one cipher text value; there's 32 unique values here, and just a different random arrangement in the second and the subsequent columns. So that's our simple cipher, that we can encrypt any plain text 5 bits long and we'll get a cipher text as output given one of the 3 bit keys. Consider
this as our cipher, and we want to increase the key length. So we have our cipher, like DES, but we want to apply it two times to increase the key length: our double cipher, double encryption. So what we do is we encrypt twice, but using different keys each time. So the concept is, let's call our cipher ABC. In the normal approach what we do is we take some plain text in; our cipher ABC takes a key as input and produces cipher text as output, and the cipher text it produces is given by that table. Let's say we want to do it differently and use double encryption. We take our 5 bit, and the plain text is 5 bits, the cipher text is 5 bits and the key was 3 bits. Let's say we take our plain text in, apply ABC once with key 1, and then we'll get an intermediate output, we'll call it x, and then apply the same cipher again on the x value with a different key, k2; we'll get our cipher text. So that's our double encryption. Let's see how that works and see how we can attack that. Just to make sure people are awake with double encryption, we'll see how you're awakened when we go through our example. So we're going to do an attack on this cipher. First, brute force attack on the single instance of the cipher: how many operations does a brute force attack take in the worst case? Brute force on the single instance: well, we need to try all possible keys. We have a 3 bit key, so there are 8 possible keys, so a brute force takes 2 to the power of 3, or 8, operations. What about a brute force on our double cipher? How many operations? Calculate the number of operations. 2 to the power of 9? How many keys do you get to choose from? How many possible keys are there? Think of the key in the double cipher as just being a combination of those two, a concatenation of those two. That is, to encrypt, what I do is I choose k1, 1 of 8, and then I choose k2, 1 of 8. So how many possible values do we have? I can choose a 3 bit value here and a 3 bit value here. We could say our resulting key is, let's say, k1 combined with k2. So how many keys
do we have? How many possible keys? 64. Where does that come from? OK, there are 8 values for the first key, there are 8 possible values for the second key. So let's say we choose the first value for the first key, then we can choose 1 of 8 values for the second. If we choose a second for here, we can choose 1 of 8. We get 8 times 8, or 2 to the power of 6. We have effectively 6 bits: 3 bits here, 3 bits here, the resulting key is the concatenation of those two. So effectively we have 6 bits; we've doubled the key length. With 6 bits our brute force would take 2 to the power of 6, or 64, operations. Of course easy to break, but we will see we are much stronger in theory than our single cipher, doubling the key length. Any problem so far on this concept? So we double our key length by applying the cipher twice, with respect to a brute force attack. So if I give you a cipher text output, it's 5 bits, you can try all 64 keys and one of them will give you the correct plain text. Which one is going to be hard to tell, but in general, when we have a large plain text instruction, the plain text will be able to find it. Now it turns out, although a brute force attack takes 64 operations, 2 to the power of 6, there's what's called a meet in the middle attack which will take much less effort. In fact a meet in the middle attack will show we can break this cipher in about the same number of operations as a single version. So let's try it. So we're going to apply the double cipher. The meet in the middle attack assumes the attacker knows some plain text cipher text pairs, so that's the first assumption of this attack. We'll give you some and we'll make use of them. So the attacker now, in the meet in the middle, let's try an attack, and the attacker, for this attack to be successful, needs to know some pairs of plain text cipher text, and I'll give you some. I'll give you two to get started. So how to interpret this: this is some plain text value, this is a cipher text value, let's call it p1, and this is
another plain text value, p2 and c2. Let's assume the attacker knows these values. Somehow they've discovered these values, and they don't know the key that maps the plain text to the cipher text, but they know these pairs. Their aim is to find the key. So the aim for the attacker: find the key, given our cipher and given these pairs. A brute force attack: we could take our cipher text and try all 64 keys; one of them would give us this plain text, and we'd know that key gives us the correct plain text, and that's the key to use. But we can be faster than trying all 64. Let's see how. The first step for the meet in the middle attack is that we take one of the known plain text cipher text pairs and, starting with the plain text, encrypt it using all possible key values. So we'll start with p1 and encrypt p1, so brute force against p1, but for a single version of the cipher, so using different key values; all possible key values are there for a single version of the cipher. That is, let's go to our picture. What we're going to do as the attacker is, we've got a value of p, we're going to encrypt that using our table with all possible values of k1. How many values? Well, there are three bits, so there are eight possible values of k1, and that's the eight columns here, k1 of 0 0 0 through to k1 of 1 1 1. Encrypt that plain text and we'll get eight values of this intermediate value x. Do that, see what you get. So you take that plain text and encrypt it with our cipher, our single version of the cipher, and get eight values of this intermediate output. I'll call it x, say x1 with key 1, x11. So when we take p1, 0 1 1 0 1, and use key 0 0 0, what do we get as an output? Well, you look up the table: our plain text 0 1 1 0 1 is here. What you do is you take the plain text value, encrypt it with the first key, all zeros, the value of the x that comes out, our intermediate value, and then do it again for the second key and you'll get this value out, and the third key, through to the eighth key. So we get these eight intermediate
values. That's the first stage of this attack. What we're trying to do is to find the key in less than 2 to the power of 6 operations, in less than 64 operations. The first case is encrypt the plain text with eight keys, so eight operations, and you get these eight values as output, eight x values. So I'll list them. You can check; I've got the answers in front of me, but just from that table, that row gives us the eight possible values. If we encrypt using the second key, x10, the fourth key, those eight values are just the row in that table; you can check. So the row where the plain text is 011101, for the eight different keys. So we just encrypt using our single cipher that with all keys. How many operations so far? Eight operations, one for each key. So we knew p1 and we know the corresponding cipher text c1. What we just did is take p1, encrypt it with all possible keys. The next step is to take the corresponding cipher text and decrypt it with all possible eight keys, and we should get matching x values. Why? Look at our diagram. If we encrypt p with all values of k1 we'll get these eight x values. We know the corresponding cipher text with p, so if we decrypt c, going backwards, with all possible values of the key, then we'll get eight possible x values. At least one of those x values should match, because if we're using the correct key, we take p1, encrypt with the correct key one, we'll get an x; if we have the cipher text and decrypt with the correct key, we must get the same x. So from the attacker's point of view, try c1 decrypted with all eight keys, k2s, to get a set of eight x ones. Encrypt the plain text with all keys, cipher text with all keys, with the aim of meeting in the middle. So we know c1. c1 is our all ones. If we use the correct key, if we encrypt p1 with the correct k1 and decrypt c1 with the correct k2, we should get the same x value. So let's try. So given c1, what is the plain text if we decrypt using key? What we can see from the table, if
the cipher text is all ones, where are we? The cipher text is all ones here. If we decrypt using key 0000 the plain text will be 1001. So we're going backwards now, decrypting. This table shows, taking the plain text with the keys, we'll get this cipher text. So to decrypt, we find the cipher text; the corresponding key column gives us the plain text. So decrypting this with key 0000 gives us 1001, so that's our first x value. And then we do it for the next key, so same cipher text will give us this plain text, 00110, and then for subsequent keys, all ones, we have it somewhere, and so on. So we take the cipher text, decrypt with all the eight keys, and the values that we'll get are those eight values. So if you look up the cipher text with each of those eight keys, the corresponding plain text values will be these eight. And what we said is that if we use the correct key the x values match. Which x values match? None of them? Yes, some of them do. Don't necessarily look in this way. That is, if I encrypt p1 with this key I get this value; if I decrypt the cipher text with any of these eight keys, these are the eight x values I get. Does this x match one of these eight? And we check this match, and how many; try and find them. You'll see that the first x value is not in the list, 11101 is not in this list. The second one, 00111, do we have an occurrence? Yes we do, there's a match here. And then we do it for the rest, and this one matches in two instances. I thought it was in two instances. You'll see there are the three sets of values that match. That is, here, what have I, yeah, 00111, 00111, 0100, 0100. What does that tell us? It tells us the possible keys are either, k1 tells us this value, so k1 being 001 and k2 being 100, or k1 is 011 produces this x value and k2 being 111, or k1, k2. So it tells us that we've got three potential keys in this case. Let's list them. k1, the first match is this value here, and the corresponding k2 that gives us the correct ciphertext would be 100. Remember our final key is just the combination of k1
and k2. That's a potential correct key, but there are two others as well: k1 100, k2 all ones. So the attacker has now broken down to being three possible correct values. How do we know which one is the real one? We use our second pair of plaintext ciphertext that we know. So we assumed at the start that the attacker already knew two pairs of plaintext ciphertext. Sometimes they need just one; it turns out sometimes, in many cases, there'll be just one correct value and that's it, you've found the key. If not, you need a second pair, and what we do now is check: if we take p2, encrypt with k1 of 001, we'll get some intermediate value, then take that intermediate value and encrypt with k2, do we get c2? If so, this is the key. If not, try this one or this one. Which one is it? What you do now is take your p2 and encrypt with k1, find the intermediate value, then encrypt again with k2, and the ciphertext you get, if this is the correct key pair or set of keys, is c2. Let's look in the table. p2 is 11001, and the first possible key was 010, is that right? 001. So we try 001: encrypt p2 with 001, the intermediate value is 50, and then take that intermediate value and encrypt it with k2, so all zeros, encrypt it with k2, and what was k2? 100. We get 110011. Is it correct? Yes it is. So what we just do, if I could fit it in here: we took our plaintext 11001, encrypt it with this key, and the output was our intermediate value for all zeros, and then we took that value, encrypt it with the second key, was 110011, and in fact that matches our expected ciphertext c2. We've found our key already. We were lucky in this case, we didn't have to try the second two, but you can try the second two and you'll see that they don't produce the correct ciphertext. Just to confirm, you'll see that if you take p2 with these two keys you will not get c2, the same with the second one. So we have the answer: the attacker knows the key, it's 001 100. How many operations did we take to do that? How many encrypts or decrypts? We treat encrypts and
decrypts the same in terms of the amount of effort. So how many? Well, we can count them. We took our plaintext and tried all eight keys, operations there, so in the first instance we took here two to the power three operations. And then we did the same with our ciphertext, try all keys, so another two to the power three operations. And then we did one, two operations here just to check, so two in this case. So the total number of operations: two to the power three plus two to the power three plus another two. Compare that to brute force: our brute force is two to the power six. In this attack we had, plus another two, 18 operations, or two to the power three plus one plus those extra two. Two to the power three plus two to the power three, which is two to the power three plus one, plus another two small ones at the end. Sometimes we don't need to go those two at the end; it will vary. Brute force: two to the power six operations. Meet in the middle attack: two to the power four plus a couple of others. Extend that from not a three bit cipher to a 56 bit cipher of DES. Our example, we use three bit key; same concept applies in DES. If you use a 56 bit key, brute force in DES would take, running out of space, but in DES brute force would take two to the power of 112 with a 56 bit key. But the meet in the middle attack, we see with a three bit key it's two to the power three plus one plus a few others. It turns out that this is usually quite small compared to this. So it turns out with, and two to the power of two times three for brute force, with DES brute force two to the power of 12, with a meet in the middle on DES is two to the power of 56 plus one plus some others, and usually that's quite small compared to two to the power of 56. So approximately two times normal DES: a meet in the middle attack on double DES takes about twice as much effort as a brute force on single DES. Double DES is about two times stronger than single DES, which is nothing. So if single DES takes two
days to break, double DES takes four days, which is nothing in terms of security; it's not secure. Or if it costs a thousand dollars to break DES, it costs two thousand dollars to break double DES. So using double DES doesn't provide much advantage over single DES because of the meet in the middle attack. Hence double DES is not used, and in general double encryption, this is a problem with double encryption. Turns out by using three stages, not two, we can overcome this meet in the middle attack, and that's where we get to triple DES, and that's what's used in practice today. So we're out of time, so try and get your heads around how to do a meet in the middle attack on double encryption. But in summary: we need some known plain text cipher text pairs, that's an assumption, the attacker knows these values at the start, just two normally; even with real DES you don't need to know many. You take a plain text, encrypt with all possible keys, two to the power of k if our single cipher is k bit key length, and then take that corresponding cipher text, then decrypt with all possible keys, another two to the power of k, and then if you find the matching ones, and if you have more than one, then try the second pair. And usually there's not many that are matching, but you need to do further operations to do those second pair, and then you find the key. So double encryption doesn't help; triple encryption avoids this problem. Let's stop there. Next week we'll move on to the next topic of using modes of operation, how do we encrypt a large document; these are operating on 64 bits, 128 bits. And then move on to, I think, public key encryption; maybe next week we'll get on to that. If you want to collect your hard copies of your quiz you may do so; they're in alphabetical order so you may find your landing
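
The meet in the middle attack walked through in this lecture, as an added example that is not part of the lecture or its handout. The handout table is not reproduced on this page, so the cipher table below is a constructed random one and the ciphertexts differ from the lecture's; the function names are hypothetical, while the two plaintexts and the key pair 001, 100 are the ones used in the lecture.

```python
import random

BLOCK_BITS, KEY_BITS = 5, 3          # 5-bit block, 3-bit key, as in the lecture
N_BLOCKS, N_KEYS = 2 ** BLOCK_BITS, 2 ** KEY_BITS

def build_tables(seed=1):
    """Constructed stand-in for the handout table: one random permutation
    of the 32 blocks per key, plus the inverse tables for decryption."""
    rng = random.Random(seed)
    enc = []
    for _ in range(N_KEYS):
        column = list(range(N_BLOCKS))
        rng.shuffle(column)
        enc.append(column)
    dec = [[column.index(c) for c in range(N_BLOCKS)] for column in enc]
    return enc, dec

ENC, DEC = build_tables()

def double_encrypt(p, k1, k2):
    return ENC[k2][ENC[k1][p]]

def brute_force(pairs):
    """Baseline: test all 2^(2k) = 64 key pairs against the known pairs."""
    return {(k1, k2) for k1 in range(N_KEYS) for k2 in range(N_KEYS)
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs)}

def meet_in_the_middle(pairs):
    """Return (surviving key pairs, cipher operations performed)."""
    (p1, c1), extra_pairs = pairs[0], pairs[1:]
    ops = 0
    # Stage 1: encrypt p1 under every k1 and index the keys by X.
    forward = {}
    for k1 in range(N_KEYS):
        forward.setdefault(ENC[k1][p1], []).append(k1)
        ops += 1
    # Stage 2: decrypt c1 under every k2; a shared X gives a candidate.
    candidates = []
    for k2 in range(N_KEYS):
        x = DEC[k2][c1]
        ops += 1
        candidates += [(k1, k2) for k1 in forward.get(x, [])]
    # Stage 3: confirm candidates against the remaining known pairs.
    for p, c in extra_pairs:
        survivors = []
        for k1, k2 in candidates:
            ops += 2                  # two encryptions per check
            if double_encrypt(p, k1, k2) == c:
                survivors.append((k1, k2))
        candidates = survivors
    return set(candidates), ops

def demo():
    secret = (0b001, 0b100)           # key pair from the lecture
    pairs = [(p, double_encrypt(p, *secret)) for p in (0b01101, 0b11001)]
    found, ops = meet_in_the_middle(pairs)
    return secret, pairs, found, ops

if __name__ == "__main__":
    secret, pairs, found, ops = demo()
    print("candidates:", sorted(found), "operations:", ops, "of 64 key pairs")
```

The operation count is 2^3 + 2^3 plus two per candidate checked against the second pair, and the surviving key pairs are exactly those a full search over all 64 key pairs would return.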