Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems

  • Itai Dinur
  • Orr Dunkelman
  • Nathan Keller
  • Adi Shamir
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


In this paper we show that a large class of diverse problems have a bicomposite structure which makes it possible to solve them with a new type of algorithm called dissection, which has much better time/memory tradeoffs than previously known algorithms. A typical example is the problem of finding the key of multiple encryption schemes with r independent n-bit keys. All the previous error-free attacks required time T and memory M satisfying \(TM = 2^{rn}\), and even if “false negatives” are allowed, no attack could achieve \(TM<2^{3rn/4}\). Our new technique yields the first algorithm which never errs and finds all the possible keys with a smaller product of TM, such as \(T=2^{4n}\) time and \(M=2^{n}\) memory for breaking the sequential execution of \(r=7\) block ciphers. The improvement ratio we obtain increases in an unbounded way as r increases, and if we allow algorithms which can sometimes miss solutions, we can get even better tradeoffs by combining our dissection technique with parallel collision search. To demonstrate the generality of the new dissection technique, we show how to use it in a generic way in order to attack hash functions with a rebound attack, to solve hard knapsack problems, and to find the shortest solution to a generalized version of Rubik’s cube with better time complexities (for small memory complexities) than the best previously known algorithms.


Cryptanalysis TM-tradeoff multi-encryption knapsacks bicomposite dissection rebound 


  1. 1.
    Becker, A., Coron, J.-S., Joux, A.: Improved Generic Algorithms for Hard Knapsacks. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 364–385. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  3. 3.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved Attacks on Full GOST. In: Fast Software Encryption 2012. LNCS (to appear, 2012); Available as IACR ePrint report 2011/558Google Scholar
  4. 4.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems. Cryptology ePrint Archive, Report 2012/217 (2012)Google Scholar
  5. 5.
    Hellman, M.E.: A Cryptanalytic Time-Memory Tradeoff. IEEE Transactions on Information Theory 26(4), 401–406 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Fiat, A., Moses, S., Shamir, A., Shimshoni, I., Tardos, G.: Planning and Learning in Permutation Groups. In: Foundations of Computer Science 1989, pp. 274–279. IEEE Computer Society (1989)Google Scholar
  7. 7.
    Howgrave-Graham, N., Joux, A.: New Generic Algorithms for Hard Knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Quisquater, J.-J., Delescaille, J.-P.: How Easy Is Collision Search. New Results and Applications to DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 408–413. Springer, Heidelberg (1990)Google Scholar
  9. 9.
    Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Knuth, D.: The Art of Computer Programming, 2nd edn., vol. 2, p. 7. Addison- Wesley (1981)Google Scholar
  11. 11.
    Korf, R.E.: Finding Optimal Solutions to Rubik’s Cube Using Pattern Databases. In: Proceedings of the Fourteenth National Conference on Artificial Intelligence and Ninth Innovative Applications of Artificial Intelligence Conference, AAAI 1997, IAAI 1997, pp. 700–705. The MIT Press (1997)Google Scholar
  12. 12.
    Lucks, S.: Attacking Triple Encryption. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 239–253. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  13. 13.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Merkle, R.C., Hellman, M.E.: On the Security of Multiple Encryption. Commun. ACM 24(7), 465–467 (1981)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Naya-Plasencia, M.: How to Improve Rebound Attacks. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 188–205. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Nivasch, G.: Cycle Detection Using a Stack. Inf. Process. Lett. 90(3), 135–140 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Schroeppel, R., Shamir, A.: A \({\text{ T }}=O(2^{n/2}), {\text{ S }}=O(2^{n/4})\) Algorithm for Certain NPComplete Problems. SIAM J. Comput. 10(3), 456–464 (1981)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    van Oorschot, P.C., Wiener, M.J.: Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 229–236. Springer, Heidelberg (1996)Google Scholar

Copyright information

© International Association for Cryptologic Research 2012 2012

Authors and Affiliations

  • Itai Dinur
    • 1
  • Orr Dunkelman
    • 1
    • 2
  • Nathan Keller
    • 1
    • 3
  • Adi Shamir
    • 1
  1. 1.Computer Science departmentThe Weizmann InstituteRehovotIsrael
  2. 2.Computer Science DepartmentUniversity of HaifaHaifaIsrael
  3. 3.Department of MathematicsBar-Ilan UniversityRamat GanIsrael

Personalised recommendations