Annual International Cryptology Conference

CRYPTO 1996: Advances in Cryptology — CRYPTO ’96 pp 229-236

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

  • Paul C. van Oorschot
  • Michael J. Wiener
Conference paper

DOI: 10.1007/3-540-68697-5_18

Volume 1109 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
van Oorschot P.C., Wiener M.J. (1996) Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude. In: Koblitz N. (eds) Advances in Cryptology — CRYPTO ’96. CRYPTO 1996. Lecture Notes in Computer Science, vol 1109. Springer, Berlin, Heidelberg


Meet-in-the-middle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A well-known such attack on double-DES requires 256 time and memory; a naive key search would take 2112 time. However, when the attacker is limited to a practical amount of memory, the time savings are much less dramatic. For n the cardinality of the space that each half of the secret is chosen from (n=256 for double-DES), and w the number of words of memory available for an attack, a technique based on parallel collision search is described which requires O\( (\sqrt {n/ w} ) \) times fewer operations and O(n/w) times fewer memory accesses than previous approaches to meet-in-the-middle attacks. For the example of double-DES, an attacker with 16 Gbytes of memory could recover a pair of DES keys in a known-plaintext attack with 570 times fewer encryptions and 3.7×106 times fewer memory accesses compared to previous techniques using the same amount of memory.

Key words

Meet-in-the-middle attackparallel collision searchcryptanalysisDESlow Hamming weight exponents
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Paul C. van Oorschot
    • 1
  • Michael J. Wiener
    • 1
  1. 1.Bell-Northern ResearchOttawaCanada