Re: A basic cryptanalysis question

From: Rick Wash (rwash_at_citi.umich.edu)
Date: 07/09/03 

Date: Wed, 09 Jul 2003 03:15:55 GMT

In article <h3LOa.3$Uz3.2@news-server.bigpond.net.au>, RR wrote:
> According to my limited understanding of cryptanalysis, Mallory can only
> know that he has recovered a pX based on what it looks like. For example,
> if p1 is "Hello World", then when Mallory sees that string appear out of his
> attack, he assumes he's recovered the plaintext.
>
> Is my understanding correct?

Yes, but only for what is known as a ciphertext-only attack. In the real
world, it usually isn't very difficult to find or guess very accurately a
plaintext block. There are known headers, signatures, etc that make known
plaintext fairly easy to come by. And when this happens, validating
plaintext is much easier.
 
> If so, then it follows that a brute-force attack is impossible if I do this
> instead (where F is another symmetric cipher):
> c1 = E(F(p1))

I wouldn't say impossible, but slightly more difficult. You forgot to
include the keys in your construction. Let's assume you did it right and
used different, independent keys for E and F. (if you used the same or a
derived key for F, then what you said is not true). With independent keys
and a single known plaintext, you can build an encryption table for E and a
decryption table for F and use a meet-in-the-middle strategy to recover the
keys. This means that the work required to brute-force this construction
is only that required to brute-force E and F independently, instead of
together. This is a well-known meet in the middle attack on double
encryption. This is why the world uses triple-DES (3DES) instead of just
2DES.

HTH,
  Rick

Relevant Pages

  • Re: A basic cryptanalysis question
    ... >> appear out of his attack, he assumes he's recovered the plaintext. ... >include the keys in your construction. ... such a function look at my second order bijective compression of english ...
    (sci.crypt)
  • Re: Bijective - an explanation please?
    ... :>: of all bitstrings of length n or less map to images that begin ... :> rejecting keys, though. ... If that's the case then a particular compressor might well be able to ... convert that knowledge into known plaintext. ...
    (sci.crypt)
  • Re: EFS - Please help to unsecure data
    ... be mostly based on your chances of recovering your lost keys. ... I should know before the end of the day today if I'm even able to recover ... the data after a fresh installation and generating some random drive ... to FAT32 to remove the encryption.) ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: EFS - Please help to unsecure data
    ... be mostly based on your chances of recovering your lost keys. ... I should know before the end of the day today if I'm even able to recover ... the data after a fresh installation and generating some random drive ... to FAT32 to remove the encryption.) ...
    (microsoft.public.windowsxp.general)
  • Re: EFS - Please help to unsecure data
    ... be mostly based on your chances of recovering your lost keys. ... I should know before the end of the day today if I'm even able to recover ... the data after a fresh installation and generating some random drive ... to FAT32 to remove the encryption.) ...
    (microsoft.public.windowsxp.security_admin)