Phase I: Table Computation For a given plaintext x 1 , compute a lookup table for

all pairs ( k L , i , z L , i ), where e k L , i ( x 1 )= z L , i and i = 1 , 2 ,..., 2 κ . These computations

are symbolized by the left arrow in the figure. The z L , i are the intermediate values

that occur in between the two encryptions. This list should be ordered by the values

of the z L , i . The number of entries in the table is 2 κ , with each entry being n +

bits

wide. Note that one of the keys we used for encryption must be the correct target

key, but we still do not know which one it is.

κ

Phase II: Key Matching In order to find the key, we now decrypt y 1 , i.e., we

perform the computations symbolized by the right arrow in the figure. We select the

first possible key k R , 1 , e.g., the all-zero key, and compute:

e − 1

k R , 1 ( x 1 )= z R , 1 .

We now check whether z R , 1 is equal to any of the z L , i values in the table which we

computed in the first phase. If it is not in the table, we increment the key to k R , 1 ,

decrypt y 1 again, and check whether this value is in the table. We continue until we

have a match.

We now have what is called a collision of two values, i.e., z L , i = z R , j . This gives

us two keys: The value z L , i is associated with the key k L , i from the left encryption,

and k R , j is the key we just tested from the right encryption. This means there exists

a key pair ( k L , i , k R , j ) which performs the double encryption:

e k R , j ( e k L , i ( x 1 )) = y 1

(5.2)

As discussed in Sect. 5.2, there is a chance that this is not the target key pair we

are looking for since there are most likely several possible key pairs that perform

the mapping x 1 →

y 1 . Hence, we have to verify additional key candidates by en-

crypting several plaintext-ciphertext pairs according to Eq. (5.2). If the verification

fails for any of the pairs ( x 1 , y 1 ) , ( x 2 , y 2 ) ,... , we go back to beginning of Phase II

and increment the key k R again and continue with the search.

Let's briefly discuss how many plaintext-ciphertext pairs we will need to rule

out faulty keys with a high likelihood. With respect to multiple mappings between a

plaintext and a ciphertext as depicted in Fig. 5.9, double encryption can be modeled

as a cipher with 2

> n ,

in which case we need several plaintext-ciphertext pairs. The theorem in Sect. 5.2

can easily be adopted to the case of multiple encryption, which gives us a useful

guideline about how many ( x , y ) pairs should be available:

κ

key bits and n block bits. In practice, one often has 2

κ

Theorem 5.3.1 Given are l subsequent encryptions with a block

cipher with a key length of

bits and block size of n bits, as well as

t plaintext-ciphertext pairs ( x 1 , y 1 ) ,..., ( x t , y t ) . The expected num-

ber of false keys which encrypt all plaintexts to the corresponding

ciphertexts is given by:

κ

2 l κ − tn