
What is the effective key length for a block cipher: an attack on every practical block cipher

Research Paper, Science China Information Sciences

Abstract

Recently, several important block ciphers are considered to be broken by the brute-force-like cryptanalysis, with a time complexity faster than the exhaustive key search by going over the entire key space but performing less than a full encryption for each possible key. Motivated by this observation, we describe a meet-in-the-middle attack that can always be successfully mounted against any practical block cipher with success probability one. The data complexity of this attack is the smallest according to the unicity distance. The time complexity can be written as 2^k(1 − ), where > 0 for all practical block ciphers. Previously, the security bound that is commonly accepted is the length k of the given master key. From our result we point out that actually this k-bit security is always overestimated and can never be reached because of the inevitable loss of the key bits. No amount of clever design can prevent it, but increments of the number of rounds can reduce this key loss as much as possible. We give more insight into the problem of the upper bound of effective key bits in block ciphers, and show a more accurate bound. A suggestion about the relationship between the key size and block size is given. That is, when the number of rounds is fixed, it is better to take a key size equal to the block size. Also, effective key bits of many well-known block ciphers are calculated and analyzed, which also confirms their lower security margins than thought before. The results in this article motivate us to reconsider the real complexity that a valid attack should compare to.




Correspondence to XueJia Lai.


Cite this article

Huang, J., Lai, X. What is the effective key length for a block cipher: an attack on every practical block cipher. Sci. China Inf. Sci. 57, 1–11 (2014). https://doi.org/10.1007/s11432-014-5096-6
