Advances in Cryptology — CRYPTO ’96
Lecture Notes in Computer Science Volume 1109, 1996, pp 229-236

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

Abstract

Meet-in-the-middle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A well-known such attack on double-DES requires 256 time and memory; a naive key search would take 2112 time. However, when the attacker is limited to a practical amount of memory, the time savings are much less dramatic. For n the cardinality of the space that each half of the secret is chosen from (n=256 for double-DES), and w the number of words of memory available for an attack, a technique based on parallel collision search is described which requires O \( (\sqrt {n/ w} ) \) times fewer operations and O(n/w) times fewer memory accesses than previous approaches to meet-in-the-middle attacks. For the example of double-DES, an attacker with 16 Gbytes of memory could recover a pair of DES keys in a known-plaintext attack with 570 times fewer encryptions and 3.7×106 times fewer memory accesses compared to previous techniques using the same amount of memory.