Editing Meet-in-the-middle attack

{{short description|Generic space–time tradeoff cryptographic attack}}
{{about|the cryptanalysis optimisation process|the form of communication interception|Man-in-the-middle attack}}
{{Multiple issues|{{Synthesis|article|date=May 2013}}
{{refimprove|date=March 2009}}}}
The '''meet-in-the-middle attack''' ('''MITM'''), a known-plaintext attack,<ref>{{Cite web|url=http://www.crypto-it.net/eng/attacks/meet-in-the-middle.html|title=Crypto-IT}}</ref> is a generic [[space–time tradeoff]] cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence. The MITM attack is the primary reason why [[Double DES]] is not used and why a [[Triple DES]] key (168-bit) can be brute-forced{{clarify|brute-force is not a verb|date=March 2024}} by an attacker with 2<sup>56</sup> space and 2<sup>112</sup> operations.<ref name=":0" />

== Description ==
When trying to improve the security of a block cipher, a tempting idea is to encrypt the data several times using multiple keys. One might think this doubles or even ''n''-tuples the security of the multiple-encryption scheme, depending on the number of times the data is encrypted, because an exhaustive search on all possible combinations of keys (simple brute force) would take 2<sup>''n''·''k''</sup> attempts if the data is encrypted with ''k''-bit keys ''n'' times.

The MITM attack is a generic attack which weakens the security benefits of using multiple encryptions by storing intermediate values from the encryptions or decryptions and using those to improve the time required to brute force{{clarify|date=March 2024}} the decryption keys. This makes a Meet-in-the-Middle attack (MITM) a generic space–time tradeoff [[Cryptography standards|cryptographic]]<ref>{{cite web|last=victoria|first=jaynor|date=|title=victoria15|url=https://www.victoria15.net|url-status=live|archive-url=https://google.ca|archive-date=July 14, 2021|access-date=July 14, 2021|website=victoria14}}</ref> attack.

The MITM attack attempts to find the keys by using both the range (ciphertext) and domain (plaintext) of the composition of several functions (or block ciphers) such that the forward mapping through the first functions is the same as the backward mapping (inverse image) through the last functions, quite literally ''meeting'' in the middle of the composed function. For example, although Double DES encrypts the data with two different 56-bit keys, Double DES can be broken with 2<sup>57</sup> encryption and decryption operations.

The multidimensional MITM (MD-MITM) uses a combination of several simultaneous MITM attacks like described above, where the meeting happens in multiple positions in the composed function.

== History ==
[[Whitfield Diffie|Diffie]] and [[Martin Hellman|Hellman]] first proposed the meet-in-the-middle attack on a hypothetical expansion of a [[block cipher]] in 1977.<ref>{{note|dh-exh}} {{cite journal
| last1=Diffie
| first1=Whitfield
| last2=Hellman
| first2=Martin E.
| date=June 1977
| title=Exhaustive Cryptanalysis of the NBS Data Encryption Standard
| journal=Computer
| volume=10
| issue=6
| pages=74–84
| doi=10.1109/C-M.1977.217750
| s2cid=2412454
| url=https://www-ee.stanford.edu/~hellman/publications/27.pdf
}}</ref>
Their attack used a [[space–time tradeoff]] to break the double-encryption scheme in only twice the time needed to break the single-encryption scheme.

In 2011, Bo Zhu and [[Guang Gong]] investigated the ''multidimensional meet-in-the-middle attack'' and presented new attacks on the block ciphers [[GOST (block cipher)|GOST]], [[KTANTAN]] and [[Hummingbird-2]].<ref name="ZhuGuang2011" />

== Meet-in-the-middle (1D-MITM) ==
Assume someone wants to attack an encryption scheme with the following characteristics for a given plaintext ''P'' and ciphertext ''C'':
:<math>\begin{align}
                         C &= \mathit{ENC}_{k_2}(\mathit{ENC}_{k_1}(P)) \\
                         P &= \mathit{DEC}_{k_1}(\mathit{DEC}_{k_2}(C)) \\
\end{align}</math>

where ''ENC'' is the encryption function, ''DEC'' the decryption function defined as ''ENC''<sup>−1</sup> (inverse mapping) and ''k''<sub>1</sub> and ''k''<sub>2</sub> are two keys.

The naive approach at brute-forcing this encryption scheme is to decrypt the ciphertext with every possible ''k''<sub>2</sub>, and decrypt each of the intermediate outputs with every possible ''k''<sub>1</sub>, for a total of 2<sup>|''k''<sub>1</sub>|</sup> × 2<sup>|''k''<sub>2</sub>|</sup> (or 2<sup>|''k''<sub>1</sub>|+|''k''<sub>2</sub>|</sup>) operations.

The meet-in-the-middle attack uses a more efficient approach. By decrypting ''C'' with ''k<sub>2</sub>'', one obtains the following equivalence:
:<math>\begin{align}
                         C &= \mathit{ENC}_{k_2}(\mathit{ENC}_{k_1}(P)) \\
                         \mathit{DEC}_{k_2}(C) &= \mathit{DEC}_{k_2}(\mathit{ENC}_{k_2}[\mathit{ENC}_{k_1}(P)]) \\
                         \mathit{DEC}_{k_2}(C) &= \mathit{ENC}_{k_1}(P) \\
\end{align}</math>

The attacker can compute ''ENC''<sub>''k''<sub>1</sub></sub>(''P'') for all values of ''k''<sub>1</sub> and  ''DEC''<sub>''k''<sub>2</sub></sub>(''C'') for all possible values of ''k''<sub>2</sub>, for a total of 2<sup>|''k''<sub>1</sub>|</sup> + 2<sup>|''k''<sub>2</sub>|</sup>  (or 2<sup>|''k''<sub>1</sub>|+1</sup>, if ''k''<sub>1</sub> and ''k''<sub>2</sub> have the same size) operations. If the result from any of the ''ENC''<sub>''k''<sub>1</sub></sub>(''P'') operations matches a result from the ''DEC''<sub>''k''<sub>2</sub></sub>(''C'') operations, the pair of ''k''<sub>1</sub> and ''k''<sub>2</sub> is possibly the correct key. This potentially-correct key is called a ''candidate key''. The attacker can determine which candidate key is correct by testing it with a second test-set of plaintext and ciphertext.

The MITM attack is one of the reasons why [[Data Encryption Standard]] (DES) was replaced with [[Triple DES]] and not Double DES. An attacker can use a MITM attack to bruteforce Double DES with 2<sup>57</sup> operations and 2<sup>56</sup> space, making it only a small improvement over DES.<ref name="ZhuGuang2011" /> Triple DES uses a "triple length" (168-bit) key and is also vulnerable to a meet-in-the-middle attack in 2<sup>56</sup> space and 2<sup>112</sup> operations, but is considered secure due to the size of its keyspace.<ref name=":0">{{cite journal|last=Moore|first=Stephane|title=Meet-in-the-Middle Attacks|date=November 16, 2010|pages=2|url=http://stephanemoore.com/pdf/meetinthemiddle.pdf}}</ref><ref name=":1">{{Cite book |last=Blondeau |first=Céline |title=CS-E4320 Cryptography and Data Security |chapter=Lecture 3: Block Ciphers |access-date=2018-02-22 |chapter-url=https://mycourses.aalto.fi/pluginfile.php/548524/mod_resource/content/1/lecture03.pdf |archive-url=https://web.archive.org/web/20180223050616/https://mycourses.aalto.fi/pluginfile.php/548524/mod_resource/content/1/lecture03.pdf |archive-date=2018-02-23 |url-status=dead}}</ref>

[[File:1D MITMNEW.png|thumb|upright=1.5|An illustration of 1D-MITM attack]]

=== MITM algorithm ===
Compute the following:
*<math>\mathit{SubCipher}_1=\mathit{ENC}_{f_1}(k_{f_1},P),\; \forall  k_{f_1} \in  K </math>:
*: and save each <math>\mathit{SubCipher}_{1} </math> together with corresponding <math> k_{f_1} </math> in a set A
*<math>\mathit{SubCipher}_1=\mathit{DEC}_{b_1}(k_{b_1},C),\; \forall k_{b_1} \in K </math>:
*: and compare each new <math>\mathit{SubCipher}_1 </math> with the set A

When a match is found, keep <math>k_{f_1},k_{b_1}</math> as candidate key-pair in a table ''T''. Test pairs in ''T'' on a new pair of {{tmath|(P,C)}} to confirm validity. If the key-pair does not work on this new pair, do MITM again on a new pair of {{tmath|(P,C)}}.

=== MITM complexity ===
If the keysize is ''k'', this attack uses only 2<sup>''k''+1</sup> encryptions (and decryptions) and ''O''(2<sup>''k''</sup>) memory to store the results of the forward computations in a [[lookup table]], in contrast to the naive attack, which needs 2<sup>2·''k''</sup> encryptions but ''O''(1) space.

== Multidimensional MITM (MD-MITM) ==
{{Original research|section|date=May 2013}}

While 1D-MITM can be efficient, a more sophisticated attack has been developed: '''multidimensional meet-in-the-middle attack''', also abbreviated '''MD-MITM'''. 
This is preferred when the data has been encrypted using more than 2 encryptions with different keys.
Instead of meeting in the middle (one place in the sequence), the MD-MITM attack attempts to reach several specific intermediate states using the forward and backward computations at several positions in the cipher.<ref name="ZhuGuang2011">{{cite journal |last1=Zhu |first1=Bo |last2=Gong |first2=Guang |author2-link=Guang Gong |year=2014 |title=Multidimensional meet-in-the-middle attack and its applications to KATAN32/48/64 |url=https://doi.org/10.1007/s12095-014-0102-9 |journal=Cryptography and Communications |volume=6 |issue=4 |pages=313–333 |doi=10.1007/s12095-014-0102-9 |via=Springer Link}}</ref>

Assume that the attack has to be mounted on a block cipher, where the encryption and decryption is defined as before:

: <math> C=\mathit{ENC}_{k_n}(\mathit{ENC}_{k_{n-1}}(...(\mathit{ENC}_{k_1}(P))...))</math> <br />
: <math> P=\mathit{DEC}_{k_1}(\mathit{DEC}_{k_2}(...(\mathit{DEC}_{k_n}(C))...))</math>
that is a plaintext P is encrypted multiple times using a repetition of the same block cipher

[[File:MD MITMNEW.png|thumb|center|upright=4|An illustration of MD-MITM attack]]

The MD-MITM has been used for cryptanalysis of, among many, the [[GOST (block cipher)|GOST block cipher]], where it has been shown that a 3D-MITM has significantly reduced the time complexity for an attack on it.<ref name="ZhuGuang2011" />

=== MD-MITM algorithm ===
{{Unreferenced section|date=May 2015}}

Compute the following:
:; <math> \mathit{SubCipher}_1=\mathit{ENC}_{f_1}(k_{f_1},P)\qquad\forall k_{f_1}  \in K </math>
:: and save each <math>\mathit{SubCipher}_1</math> together with corresponding <math>k_{f_1}</math> in a set <math>H_1</math>.

:; <math> \mathit{SubCipher}_{n+1}=\mathit{DEC}_{b_{n+1}}(k_{b_{n+1}},C) \qquad\forall k_{b_{n+1}}  \in K </math>
:: and save each <math>\mathit{SubCipher}_{n+1}</math> together with corresponding <math>k_{b_{n+1}}</math> in a set <math>H_{n+1}</math>.
For each possible guess on the intermediate state <math>s_1</math> compute the following:

:; <math> \mathit{SubCipher}_1=\mathit{DEC}_{b_1}(k_{b_1},s_1) \qquad\forall k_{b_1}  \in K</math>
:: and for each match between this <math> \mathit{SubCipher}_1 </math> and the set <math> H_1 </math>, save <math> k_{b_1} </math> and <math> k_{f_1} </math> in a new set <math> T_1 </math>.

:; <math> \mathit{SubCipher}_2=\mathit{ENC}_{f_2}(k_{f_2},s_1) \qquad\forall k_{f_2}  \in K </math>{{Verify source|reason=No way to verify this edit: <nowiki>{{diff|Meet-in-the-middle attack|661031004|659749736}}</nowiki> |date=May 2015}}
:: and save each <math> \mathit{SubCipher}_2 </math> together with corresponding <math> k_{f_2} </math> in a set <math> H_2</math>.
: For each possible guess on an intermediate state <math> s_2 </math> compute the following:
:* <math> \mathit{SubCipher}_2=\mathit{DEC}_{b_2}(k_{b_2},s_2) \qquad\forall k_{b_2}  \in K </math>
:*: and for each match between this <math> \mathit{SubCipher}_2 </math> and the set <math> H_2 </math>, check also whether 
:*: it matches with <math> T_1 </math> and then save the combination of sub-keys together in a new set <math> T_2 </math>.
:* For each possible guess on an intermediate state <math> s_n </math> compute the following:
{{Ordered list|list_style=padding-left: 3em; |list_style_type=lower-alpha
|<math> \mathit{SubCipher}_n=\mathit{DEC}_{b_n}(k_{b_n},s_n) \qquad\forall k_{b_n} \in K </math> and for each match between this <math> \mathit{SubCipher}_n </math> and the set <math>H_n</math>, check also whether it matches with <math> T_{n-1} </math>, save <math> k_{b_n} </math> and <math> k_{f_n} </math> in a new set <math> T_n </math>.
|<math> \mathit{SubCipher}_{n+1}=\mathit{ENC}_{f_n+1}(k_{f_n+1},s_n) \qquad\forall k_{f_{n+1}} \in K</math> and for each match between this <math>\mathit{SubCipher}_{n+1}</math> and the set <math>H_{n+1}</math>, check also 
whether it matches with <math>T_n</math>. If this is the case then:"
}}
Use the found combination of sub-keys <math>(k_{f_1},k_{b_1},k_{f_2},k_{b_2}, ... ,k_{f_{n+1}},k_{b_{n+1}})</math>  on another pair of plaintext/ciphertext to verify the correctness of the key.

Note the nested element in the algorithm. The guess on every possible value on ''s<sub>j</sub>'' is done for each guess on the previous ''s''<sub>''j''-1</sub>. 
This make up an element of exponential complexity to overall time complexity of this MD-MITM attack.

=== MD-MITM complexity ===
Time complexity of this attack without brute force, is <math>2^{|k_{f_1}|}+2^{|k_{b_{n+1}}|}+2^{|s_1|}</math>⋅<math>(2^{|k_{b_1}|}+2^{|k_{f_2}|}+2^{|s_2|}</math>⋅<math>(2^{|k_{b_2}|}+2^{|k_{f_3}|}+\cdots))</math>

Regarding the memory complexity, it is easy to see that  <math>T_2,T_3,... ,T_n</math> are much smaller than the first built table of candidate values: <math>T_1</math> as i increases, the candidate values contained in <math>T_i</math> must satisfy more conditions thereby fewer candidates will pass on to the end destination <math>T_n</math>.

An upper bound of the memory complexity of MD-MITM is then

:<math> 2^{|k_{f_1}|}+2^{|k_{b_{n+1}}|}+2^{|k|-|s_n|}\cdots</math>

where {{mvar|k}} denotes the length of the whole key (combined).

The data complexity depends on the probability that a wrong key may pass (obtain a false positive), which is <math>1/2^{|l|}</math>, where {{mvar|l}} is the intermediate state in the first MITM phase.  The size of the intermediate state and the block size is often the same!
Considering also how many keys that are left for testing after the first MITM-phase, it is <math>2^{|k|}/2^{|l|}</math>.

Therefore, after the first MITM phase, there are <math>2^{|k|-b} \cdot 2^{-b} = 2^{|k|-2b}</math>, where <math>|b|</math> is the block size.

For each time the final candidate value of the keys are tested on a new plaintext/ciphertext-pair, the number of keys that will pass will be multiplied by the probability that a key may pass which is <math>1/2^{|b|}</math>.

The part of brute force testing (testing the candidate key on new {{tmath|(P,C)}}-pairs, have time complexity  <math>2^{|k|-b}+2^{|k|-2b}+2^{|k|-3b}+2^{|k|-4b}\cdots</math>
, clearly for increasing multiples of b in the exponent, number tends to zero.

The conclusion on data complexity is by similar reasoning restricted by that around <math>\lceil|k|/n\rceil</math> {{tmath|(P,C)}}-pairs.

Below is a specific example of how a 2D-MITM is mounted:

== A general example of 2D-MITM ==

This is a general description of how 2D-MITM is mounted on a block cipher encryption.

In two-dimensional MITM (2D-MITM) the method is to reach 2 intermediate states inside the multiple encryption of the plaintext. See below figure:

[[File:2D MITMNEW.png|thumb|upright=2|An illustration of 2D-MITM attack]]

=== 2D-MITM algorithm ===
Compute the following:
:; <math> \mathit{SubCipher}_1=\mathit{ENC}_{f_1}(k_{f_1},P) \qquad \forall k_{f_1}  \in K </math>
:: and save each <math> \mathit{SubCipher}_1 </math> together with corresponding <math> k_{f_1} </math> in a set A
:; <math> \mathit{SubCipher}_2=\mathit{DEC}_{b_2}(k_{b_2},C) \qquad \forall k_{b_2}  \in K </math> 
:: and save each <math> \mathit{SubCipher}_2 </math> together with corresponding <math> k_{b_2} </math> in a set B.

For each possible guess on an intermediate state ''s'' between <math>\mathit{SubCipher}_1</math> and <math>\mathit{SubCipher}_2</math> 
compute the following:

*  <math> \mathit{SubCipher}_1=\mathit{DEC}_{b_1}(k_{b_1},s) \qquad \forall k_{b_1}  \in K </math> 
*: and for each match between this <math>\mathit{SubCipher}_1</math> and the set A, save   <math>k_{b_1}</math> and <math>k_{f_1}</math> in a new set T.
* <math> \mathit{SubCipher}_2=\mathit{ENC}_{f_2}(k_{f_2},s)  \qquad \forall k_{f_2}  \in K </math> 
*: and for each match between this <math>\mathit{SubCipher}_2</math> and the set B, check also whether it matches with T for 
*: if this is the case then:

Use the found combination of sub-keys <math>(k_{f_1},k_{b_1},k_{f_2},k_{b_2})</math> on another pair of plaintext/ciphertext to verify the correctness of the key.

=== 2D-MITM complexity ===
Time complexity of this attack without brute force, is 
: <math>2^{|k_{f_1}|} + 2^{|k_{b_2}|} + 2^{|s|} \cdot \left(2^{|k_{b_1}|} + 2^{|k_{f_2}|}\right)</math>
where |⋅| denotes the length.

Main memory consumption is restricted by the construction of the sets ''A'' and ''B'' where ''T'' is much smaller than the others.

For data complexity see [[#MD-MITM complexity|subsection on complexity for MD-MITM]].

==See also==
*[[Birthday attack]]
*[[Wireless security]]
*[[Cryptography]]
*[[3-subset meet-in-the-middle attack]]
*[[Partial-matching meet-in-the-middle attack]]

==References==
{{reflist}}

{{cryptography navbox|block}}

[[Category:Cryptographic attacks]]