Score:2

Crypto

Is multiple encryption using a block cipher mode of operation that use only encryption processes vulnerable to Meet-in-the-middle attacks?

phantomcraft

5/30/23, 5:09 AM

Some block cipher modes of operation use only encryption processes, such as CFB, OFB and CTR.

If doing multiple encryptions using them, will these encipherment schemes be vulnerable to Meet-in-the-middle attacks?

I'm asking this because there is no decryption process in these modes, so I can't imagine a Meet-in-the-middle happening because an inverse process (decryption) is needed

0 + 0

encryption

block-cipher

multiple-encryption

meet-in-the-middle-attack

decryption

kelalaka

6/5/23, 10:56 PM

Also, you can upvote comments, too. Unfortunately, there is no downvote for the comments.

Score:3

Crypto

kelalaka

5/30/23, 10:30 AM

Consider double encryption with the CTR mode;

The first layer outputs a stream $o$ of the encryption of the counter block per NIST definition of the CTR document.

$$o_i = \operatorname{AES-CTR}(k_1,counter_i)$$

The second layer outputs as stream $\bar o$

$$\bar o_i = \operatorname{AES-CTR}(k_2,counter_i)$$

This means $c_i = m_i \oplus o_i \oplus \bar o_i$ and assuming that we have known-plaintext than we have

$$v_i \oplus o_i = \bar o_i$$ where $v_i = c_i \oplus m_i$

Now, the meet-in-the-middle-attack executes as;

First, make a table of encryption of the first counter with the first key candidates
X-or each of the results with the message block $v_1$
Now, male a table of encryption of the first counter with the first key candidates. You can copy the first table before x-oring with $v_1$
Sort and match and test key candidates with additional known-plaintext-ciphertext pairs.

The above is the base of the attack, however, there will be dense possible keys. Instead one can form the tables containing 2 for AES-128 and 4 for AES-256 or more blocks so that the possible candidates will be much lower. This will increase the table size by 4 or 8 times.

0 + 0

kelalaka

6/4/23, 2:47 PM

@IlmariKaronen that will require the double of the table size and double the ecnryption size. Isn't storing one and comparing the false positives with additional pairs better than this?

Ilmari Karonen

6/4/23, 3:44 PM

Yes it is, if you can get the false positive rate reasonably low. But with your parameters *most* candidate keys will be false positives (and some will be *multiple* false positives). Although, come to think of it, even if you do end up testing on average one extra block for each candidate to rule out false positives, it still takes no more time that making the table entries one block longer in the first place, and saves memory. So I guess you *do* want to keep the length of the table entries (approximately) equal to the key length.

phantomcraft

6/5/23, 10:46 PM

@kelalaka Does keeping the IVs of the two layers of CTR encryption secret prevents the attack you mentioned above?

kelalaka

6/5/23, 10:49 PM

If you keep the IV secret one cannot set up the tables. And the cost is multiplied with $2 \cdot len(IV)$, this is what I see at this moment. This should be larger than brute force. However, if you are setting your on the secrecy of the IV, you are on the wrong path

kelalaka

6/5/23, 11:11 PM

Well, in your case, you can derive them from the user's password with some good passwords. In this case, the security is bounded by the strength of the password.

phantomcraft

6/6/23, 5:40 AM

@kelalaka I deleted one of my comments by accident, sorry.

phantomcraft

6/6/23, 6:21 AM

@kelalaka Do you mean 2^([key size]*2) * (2*(2^[IV size]))???

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is multiple encryption using a block cipher mode of operation that use only encryption processes vulnerable to Meet-in-the-middle attacks?

TH: การเข้ารหัสหลายรายการโดยใช้โหมดการเข้ารหัสแบบบล็อกที่ใช้เฉพาะกระบวนการเข้ารหัสมีความเสี่ยงต่อการโจมตีแบบ Meet-in-the-middle ไหม

RO: Este criptarea multiplă care utilizează un mod de operare cu criptare bloc care utilizează numai procese de criptare vulnerabilă la atacurile Meet-in-the-middle?

RU: Является ли многократное шифрование с использованием режима работы блочного шифра, использующего только процессы шифрования, уязвимым для атак типа Meet-in-the-middle?

VI: Đa mã hóa có sử dụng chế độ hoạt động mật mã khối chỉ sử dụng các quy trình mã hóa dễ bị tấn công ở giữa không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.