Partial-matching meet-in-the-middle attack
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)
|
Partial-matching is a technique that can be used with a MITM attack. Partial-matching is where the intermediate values of the MITM attack, and , computed from the plaintext and ciphertext, are matched on only a few select bits, instead of on the complete state.
Uses
editA limitation with MITM attacks is the amount of intermediate values that needs to be stored. In order to compare the intermediate values and , all 's need to be computed and stored first, before each computed can be compared against them. If the two subciphers identified by the MITM attack both has a sufficiently large subkey, then an unfeasible amount of intermediate values need to be stored. While there are techniques such as cycle detection algorithms[1] that allows one to perform a MITM attack without storing either all values of or , these techniques requires that the subciphers of the MITM attack are symmetric. Thus it is a solution that allows one to perform a MITM attack in a situation, where the subkeys are of a cardinality just large enough to make the amount of temporary values that need to be stored infeasible. While this allows one to store more temporary values, its use is still limited, as it only allows one to perform a MITM attack on a subcipher with a few more bits. As an example: If only 1/8 of the intermediate value is stored, then the subkey needs only be 3 bits larger, before the same amount of memory is required anyway, since
A in most cases far more useful feature provided by partial-matching in MITM attacks, is the ability to compare intermediate values computed at different rounds in the attacked cipher. If the diffusion in each round of the cipher is low enough, it might be possible over a span of rounds to find bits in the intermediate states that has not changed with a probability of 1. These bits in the intermediate states can still be compared.
The disadvantage for both of these uses, is that there will be more false positives for key candidates, which needs to be tested. As a rule, the chance for a false positive is given by the probability , where is the amount of matched bits.
Example
editFor a step-by-step example of the complete attack on KTANTAN,[2] see the example on the 3-subset MITM page. This example only deals with the part that needs partial-matching. What is useful to know is that KTANTAN is a 254-round blockcipher, where each round uses 2 bits from the 80-bit key.
In the 3-subset attack on the KTANTAN family of ciphers, it was necessary to utilize partial-matching in order to stage the attack. Partial-matching was needed, because the intermediate values of the plain- and ciphertext in the MITM attack, were computed at the end of round 111 and at the start of round 131, respectively. Since they had a span of 20 rounds between them, they could not be compared directly.
The authors of the attack, however, identified some useful characteristics of KTANTAN that held with a probability of 1. Due to the low diffusion per round in KTANTAN (the security is in the number of rounds), they found out by computing forwards from round 111 and backwards from round 131 that at round 127, 8 bits from both intermediate states would remain unchanged. (It was 8 bits at round 127 for KTANTAN32. It was 10 bits at round 123 and 47 bits at round 131 for KTANTAN48 and KTANTAN64, respectively). by only comparing the 8 bits of each intermediate value, the authors was able to orchestrate a MITM attack on the cipher, despite there being 20 rounds between the two subciphers.
Using partial-matching increased the amount of false positives, but nothing that noticeably increased the complexity of the attack.
Notes
edit- ^ Cycle detection
- ^ Andrey Bogdanov and Christian Rechberger. "A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN"