Lecture 4 Dr.

Alshaimaa Abo-alian
Multiple Encryption [email protected]

(2DES & 3DES)

Lecture Outline

➢Multiple Encryption
– Double Encryption (e.g. Double DES or 2DES)
– Triple Encryption (e.g. Triple DES or 3DES)
➢ Meet-in-the-middle (MiTM) attack

2
Multiple Encryption

▪ Because of the DES vulnerability to brute-force attacks, it is

replaced by stronger encryption schemes.
▪ One approach is to design a completely new algorithm such
as AES
▪ Another alternative is to use multiple encryption with DES
and multiple keys.

3
 Double Encryption
▪ Encrypt with two different keys
(K1 & K2)
▪ Given a plaintext P ciphertext C
is generated as

𝐂 = 𝐄(𝐊𝟐 , 𝐄(𝐊𝟏 , 𝐏 ))

▪ Decryption requires that the keys

be applied in reverse order:

𝐏 = 𝐃(𝐊𝟏 , 𝐃(𝐊𝟐 , 𝐂 ))
X = E(K1, P) = D(K2, C)

4
Double DES (2DES)

For 2DES, this scheme involves a key length of 56 * 2 =

112 bits
➔Requires (on average) 2111 operations for brute force
attack.
The meet-in-the-middle attack algorithm make it easier.
It does not depend on any particular property of DES but
will work against any block encryption cipher

5
Known-Plaintext Attack on
Double DES
▪ Double DES Encryption: C = E (K2, E(K1, P))
▪ Say X = E(K1, P) = D(K2, C)
▪ Attacker knows two plaintext, ciphertext pairs (Pa, Ca) and (Pb, Cb)
1. Encrypt Pa using all 256 values of K1 to get multiple values of X
2. Store results in table and sort by X
3. Decrypt Ca using all 256 values of K2
4. As each decryption result produced, check against table
5. If match, check current K1, K2 on Cb. If Pb obtained, then accept
the keys
➔ Encrypt/decrypt operations required on average: 256 (twice as
many as single DES)
6
Known-Plaintext Attack on
Double DES

For a block cipher with a k-bit key, a known-

plaintext attack defeats double encryption using
on the order of 2k operations and 2k storage.

7
Example
Consider a 4-bit block cipher, called ABC, that uses 2-bit keys.

Key Key
Plaintext 00 01 10 11 Plaintext 00 01 10 11

0000 0001 0101 1101 0111 1000 1000 1011 0101 1001
0001 1101 0111 1000 0101 1001 1100 0000 0010 0110
0011 0000 0110 0111 1010 1010 1010 0010 0000 0100
0010 0101 1101 1111 0011 1011 1011 0100 1001 1000
0100 0111 1000 1100 1101 1100 0110 0011 1010 1100
0101 1001 1111 1011 0001 1101 1111 1110 0100 0000
0110 0011 1001 0001 1110 1110 0100 1100 0011 0010
0111 1110 0001 0110 1111 1111 0010 1010 1110 1011

Consider Double-ABC, which involves applying the block cipher ABC two times using two
different 2-bit keys. Show how the meet-in-the-middle attack can be applied to find the
keys used if the attacker already knows the pairs: (0000, 1110) & (0011, 0001)
8
Triple DES (3DES)

▪ This approach is commonly referred to as 3DES, or Triple

Data Encryption Algorithm (TDEA).
▪ There are two versions of 3DES:
– 3DES with two keys
– 3DES with three keys.

9
 Triple DES with Two keys

▪Two-key triple encryption was

first proposed by Tuchman.
▪The function follows an encrypt-
decrypt-encrypt (EDE) sequence :
C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))

A = E(K1, P) = E(K2, B)
B = D (K2, A) = D (K1, C)
10
 Triple DES with Three keys

▪ The function follows an

encrypt-decrypt-encrypt
(EDE) sequence :
C = E(K3, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K3, C)))

A = E(K1, P) = E(K2, B)
B = D (K2, A) = D (K3, C)
11
Known-Plaintext Attack on 3DES
with 2 keys

12
Known-Plaintext Attack on
3DES with 2 keys
Given a known pair (P, C) , the attack proceeds as follows:
1. Obtain n (P , C ) pairs. This is the known plaintext. Place
these in a table (Table 1) sorted on the values of P.
2. Pick an arbitrary value a for A, and create a second table
with entries defined as follows:
▪ For each of the 256 possible keys K1 = i, calculate the
plaintext value P, such that Pi = D(i, a)
▪ For each Pi that matches an entry in Table 1, create an
entry in Table 2 consisting of the K1 value and the value of
B that is produced for the (P, C) pair from Table 1 ➔ Bj =
D(i, Ci)
▪ Sort Table 2 on the values of B.
13
Known-Plaintext Attack on
3DES with 2 keys
We now have a number of candidate values of K1 in Table 2
and want to search for a value of K2.
3. For each of the 256 possible keys K2 = j, calculate the
second intermediate value for our chosen value of a:
Bj = D(j, a)
4. At each step, look up Bj in Table 2. If there is a match, then
the corresponding key i from Table 2 plus this value of j
are candidate values for the unknown keys (K1, K2).
5. Test each candidate pair of keys (i, j) on a few other
plaintext–ciphertext pairs.
▪ If a pair of keys produces the desired ciphertext, the task is complete.
▪ If no pair succeeds, repeat from step 1 with a new value of a.
14
Thank you

15