TY - GEN

T1 - Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems

AU - Dinur, Itai

AU - Dunkelman, Orr

AU - Keller, Nathan

AU - Shamir, Adi

N1 - Best Paper Award

PY - 2012

Y1 - 2012

N2 - In this paper we show that a large class of diverse problems have a bicomposite structure which makes it possible to solve them with a new type of algorithm called dissection, which has much better time/memory tradeoffs than previously known algorithms. A typical example is the problem of finding the key of multiple encryption schemes with r independent n-bit keys. All the previous error-free attacks required time T and memory M satisfying TM=2 rn , and even if "false negatives" are allowed, no attack could achieve TM < 2 3rn/4. Our new technique yields the first algorithm which never errs and finds all the possible keys with a smaller product of TM, such as T=2 4n time and M=2 n memory for breaking the sequential execution of r=7 block ciphers. The improvement ratio we obtain increases in an unbounded way as r increases, and if we allow algorithms which can sometimes miss solutions, we can get even better tradeoffs by combining our dissection technique with parallel collision search. To demonstrate the generality of the new dissection technique, we show how to use it in a generic way in order to attack hash functions with a rebound attack, to solve hard knapsack problems, and to find the shortest solution to a generalized version of Rubik's cube with better time complexities (for small memory complexities) than the best previously known algorithms.

AB - In this paper we show that a large class of diverse problems have a bicomposite structure which makes it possible to solve them with a new type of algorithm called dissection, which has much better time/memory tradeoffs than previously known algorithms. A typical example is the problem of finding the key of multiple encryption schemes with r independent n-bit keys. All the previous error-free attacks required time T and memory M satisfying TM=2 rn , and even if "false negatives" are allowed, no attack could achieve TM < 2 3rn/4. Our new technique yields the first algorithm which never errs and finds all the possible keys with a smaller product of TM, such as T=2 4n time and M=2 n memory for breaking the sequential execution of r=7 block ciphers. The improvement ratio we obtain increases in an unbounded way as r increases, and if we allow algorithms which can sometimes miss solutions, we can get even better tradeoffs by combining our dissection technique with parallel collision search. To demonstrate the generality of the new dissection technique, we show how to use it in a generic way in order to attack hash functions with a rebound attack, to solve hard knapsack problems, and to find the shortest solution to a generalized version of Rubik's cube with better time complexities (for small memory complexities) than the best previously known algorithms.

KW - Cryptanalysis

KW - TM-tradeoff

KW - bicomposite

KW - dissection

KW - knapsacks

KW - multi-encryption

KW - rebound

UR - http://www.scopus.com/inward/record.url?scp=84865447806&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-32009-5_42

DO - 10.1007/978-3-642-32009-5_42

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:84865447806

SN - 9783642320088

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 719

EP - 740

BT - Advances in Cryptology, CRYPTO 2012 - 32nd Annual Cryptology Conference, Proceedings

T2 - 32nd Annual International Cryptology Conference, CRYPTO 2012

Y2 - 19 August 2012 through 23 August 2012

ER -