Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

@inproceedings{Oorschot1996ImprovingIM,
  title={Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude},
  author={Paul C. van Oorschot and Michael J. Wiener},
  booktitle={CRYPTO},
  year={1996}
}
Meet-in-the-middle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A well-known such attack on double-DES requires 2^56 time and memory; a naive key search would take 2^112 time. However, when the attacker is limited to a practical amount of memory, the time savings are much less dramatic. For n the cardinality of the space that each half of the secret is chosen from (n = 2^56 for double-DES), and w the number of words of… 
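As an added illustration (not code from the paper), the Python below models the attack the abstract describes on a constructed toy: a 32-bit Feistel cipher with 16-bit keys, so each half of the secret is drawn from n = 2^16 values instead of 2^56. One routine runs both the classic attack, which stores a full table of n forward encryptions, and the memory-limited variant, which keeps only w entries at a time and therefore repeats the backward half n/w times, so its work grows like n + n^2/w. The cipher, its constants, the secret keys and the plaintexts are all constructed for the example.

```python
"""Meet-in-the-middle against double encryption of a toy 32-bit Feistel
cipher with 16-bit keys. Added illustration; the cipher, the constants and
the secret keys below are constructed for the example."""

MASK16 = 0xFFFF
KEY_BITS = 16
N = 1 << KEY_BITS                                  # n: size of each half of the key space
ROUND_CONSTS = (0x9E37, 0x79B9, 0x7F4A, 0x7C15)   # arbitrary round constants


def _rotl16(x, r):
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK16


def _round_keys(key):
    # Rotation is a bijection, so distinct keys never share a round key.
    return [_rotl16(key, 3 * i) ^ c for i, c in enumerate(ROUND_CONSTS)]


def _f(r, rk):
    # Nonlinear round function: add, rotate, mix in the square.
    t = _rotl16((r + rk) & MASK16, 5)
    return t ^ (((t * t) >> 4) & MASK16)


def encrypt(key, block):
    left, right = block >> 16, block & MASK16
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 16) | right


def decrypt(key, block):
    left, right = block >> 16, block & MASK16
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 16) | right


def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))


def mitm(pairs, w=N):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs using a
    table of at most w entries. w = N is the classic attack: N forward and
    at most N backward evaluations. With w < N the k1 space is processed
    in N/w chunks and the backward half is repeated for every chunk, so
    the work grows like N + N*N/w. Returns the key pair and the number of
    single-cipher evaluations spent."""
    p0, c0 = pairs[0]
    work = 0
    for start in range(0, N, w):
        table = {}                          # E_k1(p0) -> [k1], at most w entries
        for k1 in range(start, min(start + w, N)):
            table.setdefault(encrypt(k1, p0), []).append(k1)
            work += 1
        for k2 in range(N):
            mid = decrypt(k2, c0)           # D_k2(c0) must equal E_k1(p0)
            work += 1
            for k1 in table.get(mid, ()):
                # A 32-bit match on one pair leaves about N*N/2^32 = 1 false
                # candidate in total; the remaining pairs weed it out.
                work += 2 * (len(pairs) - 1)
                if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                    return (k1, k2), work
    return None, work


# Constructed secret and known-plaintext material (the attacker sees PAIRS only).
SECRET_K1, SECRET_K2 = 0xF00D, 0xC0DE
PLAINTEXTS = (0x00112233, 0xDEADBEEF, 0x01234567)
PAIRS = tuple((p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in PLAINTEXTS)

if __name__ == "__main__":
    for w in (N, N // 4):
        key, work = mitm(PAIRS, w)
        print(f"w={w:5d}: key={tuple(hex(k) for k in key)} work={work}")
```

With w = N the attack costs about 1.8n evaluations here (the k2 loop stops when the key is found); with w = n/4 the same key costs roughly 4.7n, and halving w again doubles the backward work. That quadratic-in-n, inverse-in-w behaviour is the starting point the abstract describes.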
Citations

Reduced Memory Meet-in-the-Middle Attack against the NTRU Private Key
TLDR
An algorithm is presented that applies low-memory techniques to find 'golden' collisions to Odlyzko's meet-in-the-middle attack against the NTRU private key.
The Security of Feistel Ciphers with Six Rounds or Less
  • L. Knudsen
  • Computer Science, Mathematics
    Journal of Cryptology
  • 2002
TLDR
This paper considers the security of Feistel networks where the round functions are chosen at random from a family of 2^k randomly chosen functions for any k, and finds that some constructions which have been proved super pseudorandom in the model of Luby and Rackoff do not seem to offer more security in this model than constructions which are not super pseudorandom.
Parallel Collision Search with Cryptanalytic Applications
TLDR
The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions; and double encryption and three-key triple encryption.
Cryptanalysis of TWOPRIME
TLDR
The non-surjectivity of a linear combination step allows half the key to be recovered with minimal effort, and an attack similar to those on two-loop Vigenère ciphers recovers the remainder of the key.
Hybrid Meet-in-the-Middle Attacks for the Isogeny Path-Finding Problem
TLDR
This paper proposes hybrid MITM approaches for solving the isogeny path-finding problem: part of the isogeny trees is built in the conventional way, and a pair of isogenous curves of prime-power degree is then found by the algebraic approach using modular polynomials proposed by Takahashi et al.
Tight security bounds for multiple encryption
TLDR
This paper improves both the best known attacks and best known provable security, so that both bounds match, and shows that the security of l-round multiple encryption is precisely exp(κ + min{κ(l′ − 2)/2, n(l′ − 2)/l′}), where exp(t) = 2^t and l′ = 2⌈l/2⌉ is the smallest even integer greater than or equal to l.
Parallelizing the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack
TLDR
This work shows how to parallelize the hybrid attack, determines the theoretical speedup of the parallel over the serial attack, and demonstrates how this influences security estimates of lattice-based cryptosystems.
Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials
TLDR
This paper presents the first published collision-finding attacks on reduced-round versions of Keccak-384 and Keccak-512, providing actual collisions for the 3-round versions and describing an attack that is 2^45 times faster than birthday attacks for 4-round Keccak-384.
Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems
TLDR
The generality of the new dissection technique is shown, which is used in a generic way in order to attack hash functions with a rebound attack, to solve hard knapsack problems, and to find the shortest solution to a generalized version of Rubik's cube with better time complexities for small memory complexities.
The Security of Multiple Encryption in the Ideal Cipher Model
TLDR
This paper improves both the best known attacks and best known provable security, so that both bounds match, and shows that the security of l-round multiple encryption is precisely exp(κ + min{κ(l′ − 2)/2, n(l′ − 2)/l′}), where exp(t) = 2^t and l′ = 2⌈l/2⌉ is the smallest even integer greater than or equal to l.
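Two of the citing papers above (the NTRU attack that searches for 'golden' collisions with low memory, and the parallel collision search paper) build on the same idea: run many independent trails through a random-looking function and store only distinguished points, so that collisions are found with memory proportional to the number of trails rather than the number of function evaluations. The following Python is an added illustration of that distinguished-point collision search, not code from any of the listed papers; it runs the trails serially on a constructed 28-bit mapping f (truncated SHA-256), with the distinguished-point threshold and the seed chosen arbitrarily. In the MITM application only one particular collision (the golden one) is useful, and the search must be repeated with different function variants until it turns up; this block shows just the collision finder.

```python
"""Parallel collision search with distinguished points, run serially.
Added illustration; the 28-bit mapping f and all parameters are constructed."""
import hashlib
import random

DOMAIN_BITS = 28
DOMAIN_MASK = (1 << DOMAIN_BITS) - 1


def f(x):
    """Random-looking mapping on a 28-bit domain (truncated SHA-256), standing
    in for the function whose collisions are wanted."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & DOMAIN_MASK


def _distinguished(x, dp_bits):
    # A point is distinguished when its dp_bits low bits are zero, so about
    # one point in 2**dp_bits qualifies and trails average 2**dp_bits steps.
    return x & ((1 << dp_bits) - 1) == 0


def _locate(g, x0, xlen, y0, ylen):
    """Two trails end at the same distinguished point. Align them so both
    are the same distance from it, then step in lockstep; the last pair of
    distinct points before they merge is a collision. Returns None when one
    trail simply joined the other (no new collision)."""
    a, b = x0, y0
    for _ in range(xlen - ylen):        # empty range when xlen <= ylen
        a = g(a)
    for _ in range(ylen - xlen):
        b = g(b)
    if a == b:
        return None
    while True:
        ga, gb = g(a), g(b)
        if ga == gb:
            return a, b
        a, b = ga, gb


def find_collision(g, domain_bits, dp_bits, seed=0):
    """Returns (a, b, stats) with a != b and g(a) == g(b). Only distinguished
    points are stored, so memory is roughly (trail steps) / 2**dp_bits
    entries instead of one entry per evaluation. Every trail depends only
    on its own start, so in a parallel run each processor builds trails
    independently and the table is the only shared state."""
    rng = random.Random(seed)
    table = {}                           # distinguished point -> (start, length)
    max_len = 20 << dp_bits              # abandon trails stuck in a cycle
    evals = 0                            # evaluations spent building trails
    while True:
        x0 = rng.getrandbits(domain_bits)
        x, length = x0, 0
        while not _distinguished(x, dp_bits):
            x = g(x)
            evals += 1
            length += 1
            if length > max_len:
                break
        else:                            # trail reached a distinguished point
            if x in table:
                y0, ylen = table[x]
                hit = _locate(g, x0, length, y0, ylen)
                if hit is not None:
                    return hit[0], hit[1], {"evals": evals, "stored": len(table)}
            else:
                table[x] = (x0, length)


if __name__ == "__main__":
    a, b, stats = find_collision(f, DOMAIN_BITS, dp_bits=6)
    print(f"f({a:#x}) == f({b:#x}) == {f(a):#x}; {stats}")
```

On a domain of 2^28 points a collision needs on the order of 2^14 evaluations, and with 6 distinguished bits the table holds only a few hundred entries; raising dp_bits shrinks the table further at the cost of longer trails and a longer walk in _locate.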

References

SHOWING 1-10 OF 16 REFERENCES
A cryptanalytic time-memory trade-off
  • M. Hellman
  • Computer Science, Mathematics
    IEEE Trans. Inf. Theory
  • 1980
TLDR
A probabilistic method is presented which cryptanalyzes any N-key cryptosystem in N^{2/3} operations with N^{2/3} words of memory after a precomputation which requires N operations; it works in a chosen-plaintext attack and can also be used in a ciphertext-only attack.
Attacks on Protocols for Server-Aided RSA Computation
TLDR
It is shown that much smaller search spaces suffice for the main attacks, and that the attack may still work if the smart card checks the correctness of the result; this was previously believed to be an easy measure excluding all active attacks.
Time-memory-processor trade-offs
TLDR
It is demonstrated that the usual time-memory trade-offs offer no asymptotic advantage over exhaustive search; trade-offs between time, memory, and parallel processing are proposed, and the implications for cryptanalysis, the knapsack problem, and multiple encryption are discussed.
Parallel collision search with application to hash functions and discrete logarithms
TLDR
A simple new method of parallelizing collision searches that greatly extends the reach of practical attacks and ideas from Pollard's rho and lambda methods for index computation are combined to allow efficient parallel implementation using the new method.
Cryptography and Data Security
TLDR
The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
On the power of cascade ciphers
TLDR
It is shown that, with high probability, the number of permutations realizable by a cascade of l random ciphers, each having k key bits, is 2^{lk}, and that two stages are not worse than one.
Monte Carlo methods for index computation ()
TLDR
Some novel methods are given to compute the index of any integer relative to a given primitive root of a prime p, and it is shown how a very simple factorization method results, in which a prime factor p of a number can be found in only O(p^{1/2}) operations.
A Note on Discrete Logarithms with Special Structure
  • R. Heiman
  • Computer Science, Mathematics
    EUROCRYPT
  • 1992
TLDR
By rephrasing Shanks' method, this work provides a close to square-root algorithm for such problems as small Hamming weight and the discrete logarithm problem.
Parameter Selection for Server-Aided RSA Computation Schemes
The security, complexity, and application of two schemes for using an untrusted auxiliary processor to aid smart card RSA signature computations are reviewed, including detailed analysis of possible
Random Mapping Statistics
TLDR
A general framework in which the analysis of about twenty characteristic parameters of random mappings is carried out is introduced, and an open problem of Knuth is solved, namely that of finding the expected diameter of a random mapping.