On the computational power of the light: A plan for breaking data encryption standard

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

[m3G; v1.242; Prn:28/08/2018; 8:24] P.1 (1-8)

Theoretical Computer Science ••• (••••) •••–•••

Contents lists available at ScienceDirect

Theoretical Computer Science www.elsevier.com/locate/tcs

On the computational power of the light: A plan for breaking data encryption standard Javad Salimi Sartakhti a,∗ , Saeed Jalili b a b

Department of Electrical and Computer Engineering, University of Kashan, Kashan, Iran Department of Computer Engineering, Tarbiat Modares University, Tehran, Iran

a r t i c l e

i n f o

Article history: Received 1 March 2018 Received in revised form 22 July 2018 Accepted 16 August 2018 Available online xxxx Communicated by G. Dowek Keywords: Light-based computing Unconventional computing Breaking DES Decryption

a b s t r a c t The successful of the light-based solutions for some NP-complete problems, such as Hamiltonian path problem, have demonstrated the power of light-based computing. The capabilities of the light-based computing such as massive parallelism of light, allow it to solve hard computational problems in polynomial time, while the conventional computers require exponential time. In this study we show how the light-based solution can be applied to break the Data Encryption Standard (DES). Under the assumption of having one given (plain-text, cipher-text) pair, our method recovers the DES key in a efficient time. We describe how to implement XOR gates, circular shifts, P-boxes, and S-boxes of DES in a light-based approach. The proposed solution encrypts the given plain-text with all possible keys and afterwards pair (Key; cipher-text) is extracted from them. We demonstrate that under chosen plain-text attack, it is possible to recover the DES key by providing all DES components in a reasonable time. © 2018 Elsevier B.V. All rights reserved.

1. Introduction Various properties of the light, such as massive parallelism, enrich us to solve some real world problems, more efficiently than conventional computational paradigms (i.e., deterministic Turing machine). The first attempt to design optical computers was made in 1929 by G. Tauschek who obtained a patent on Optical Character Recognition (OCR) machines [1]. Afterwards, researchers have used light properties to offer efficient solutions to problems which can’t be solved efficiently by conventional computers. Some examples in this regard are discrete Fourier Transform Computation which can be performed in unit time [2,3], very fast processor for vector–matrix multiplications and the first continuous wave all-silicon laser [4]. Generally, there are two main approaches in optical computing: 1) Replacing current computer components with optical counterparts. This approach results in an optical digital computer system processing binary. In this approach design of an optical computer has been imitated by the electronic computer. In other approach optical computers may be different from their electronic counterparts just as electronic computers are not structured like mechanical computers [5]. They are focused on directions where can dominate electronic counterparts. In this approach application-specific devices that have different structure are designed. This approach is known as a branch of unconventional computing [6,7], and provides new capabilities to solve some problems, using physical properties of light such as high velocity, high parallel nature of it, and the ability to split a light ray into several rays [6]. In this approach there are several methods to solve problems in efficient manner that can be divided into four categories. 1) Delaying the light motion [6,8]: In this method some devices are configured as a

*

Corresponding author. E-mail addresses: [email protected] (J. Salimi Sartakhti), [email protected] (S. Jalili).

https://doi.org/10.1016/j.tcs.2018.08.015 0304-3975/© 2018 Elsevier B.V. All rights reserved.

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

2

[m3G; v1.242; Prn:28/08/2018; 8:24] P.2 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

graph and the light pass through graph edges. The delays caused by motion of the light through optical fibers is utilized to obtain the answer of problems. 2) Continuous space machine [9]: It is an abstract computational machine planned based on physical properties of the light and a continuous space memory. Operations in this machine are defined as stated in Fourier optics [10]. Continuous space machine can simulate Turing machine and also can solve hard computational problems in efficient time rather than electronic computers [11]. 3) Using wide range of wavelengths exist in a light ray [12–14]: In this method wavelengths in a light ray are given as solution space of problem. Basic optical devices such as mirrors, detector and prisms are used to discriminate proper wavelengths which satisfy the problem constraints. 4) Using optical masks (filters) [15–18]: one of the well-known optical approach to solve NP-complete problems is to construct optical masks in preprocessing phase, and using the masks to solve the problems in efficient time [17,18]. This approach may solve NP-Complete and NP-Hard problems by employing a setup of masks (filters). Due to exponential size of masks, this method has exponential space complexity but the production of those masks is done with a polynomial time preprocessing. These masks are later used to solve the problem in polynomial time. Based on these methods, recently, researchers have presented light-based solutions and devices to the problems which are hard to solve in conventional computers. Most of them are categorized into NP-complete and NP-hard problems. For example, 3-SAT problem [7,19,20], the exact cover problem [21], the Hamiltonian path problem [7,17,21,22], the dominating set problem [18], the subset sum problem [23,24], the vertex cover problem, the maximum clique problem, the traveling salesman problem [25], and the 3D-matching are many instances of NP-complete problems that have been solved using physical properties of light, recently. Furthermore, a class of combinatorial optimization problems, related to minimal Hamiltonian cycle has been solved using electro-optical vector by matrix multiplication architecture [26,27]. In other work Wu et al. discussed about the computing potential of complex optical networks and present experimental results that an optical fiber network can be employed as a processor to calculate matrix inversion [28]. The ability of a computational paradigm to deal with intractable problems demonstrates its computational power. Data Encryption Standard (DES) is one of these problems. DES is a well-known and widely used encryption procedure. It takes a string of plain-text with a length of 64 bits and encrypts it through several elaborated steps and its output is a bit string of cipher-text with the same length [29]. DES uses a 56-bit key to encrypt a plain text, and decryption can only be performed by those who know the encryption key. For breaking DES, several researches have come up with different properties. Their solutions can be divided into two approaches: conventional and unconventional. One of the strongest conventional approaches is differential cryptanalysis techniques [30,31]. They are best-known statistical attacks on block cipher cryptography. These attacks can break DES on a conventional computer in 243 steps. Therefore, the DES key can be recovered in a few days on a conventional computer. Note that the differential cryptanalysis techniques use 243 pairs of (plain text, cipher text), but our light-based solution needs only one pair of (plain text, cipher text). Wiener presented another conventional attack on DES [32]. He proposed a special cracker machine that recovered the DES key by exhaustive search through all key values, in 7 hours. This machine costs $1 million. In the unconventional computing, Boneh et al. broke DES using DNA computation [33]. They use a series of DNA operations to reproduce components of DES and then break DES. These operations are Extract, Amplification via PCR, and Tag that are used to evaluate XOR and S-boxes in DES circuit. In this paper, we demonstrate the power of light-based computation to break DES. Our light-based attack breaks DES in 217 steps. At first, the solution space of the problem (all possible keys) is generated, then by passing it through DES components implemented with the light-based approach (including Shifts, XORs, P-boxes and S-boxes components) the final solution including pairs of (key, plain-text) are produced. At the end, the encryption key is extracted from the solution space. Our light-based attack can recover the encryption key, if there exists at least one pair of plain-text and corresponding cipher-text. 2. Materials and methods 2.1. DES circuit DES encrypts a 64-bit block of plain-text (as input) into a 64-bit block cipher-text (as output) using a 56-bit key. Therefore, DES can be considered as a function which is denoted by Cipher-text = DES (Plain-text, key). We wish to run DES circuit on a fixed 64-bit block plain-text using all possible key values of length 56. Fig. 1 shows DES circuit that computes the function Cipher-text = DES (Plain-text, key). For an additional description of DES circuit see [29,34]. We now give details of the various components of Fig. 1. The circuit uses two basic techniques of cryptography: diffusion and confusion. At the simplest level, diffusions are achieved through several permutations and confusions are achieved through the XOR operations and the S-Boxes. The circuit has been composed of 16 levels (rounds). All of the rounds do the same function, which involves both diffusions and confusions. Fig. 1 shows rounds 1, 2, and 16. The inputs to the circuit are 64-bit block plain-text shown on the right-hand side and the 56-bit key shown on the left. The 32 most significant bits of the plain-text has been indicated by L and the 32 least significant bits has been indicated by R. The left part of Fig. 1 indicates the operating way of the 56-bit key in the circuit. Initially, the 64-bit key is passed through a permutation function and is decreased to the 56-bit key. Hence, we can discard this function and assume that the encryption key with 56 bits length. As shown in Fig. 1 each round (e.g., round 1) of DES does the following tasks:

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

[m3G; v1.242; Prn:28/08/2018; 8:24] P.3 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

3

Fig. 1. DES circuit. DES takes 56-bit key and plain text and outputs cipher-text. There are 16 rounds that involve XORs, left circular shift, P-boxes, and S-box.

Table 1 Lookup table of s-box 1 in round 1 [34]. 0 1 2 3

0 14 0 4 15

1 4 15 1 12

2 13 7 14 8

3 1 4 8 2

4 2 14 13 4

5 15 2 6 9

6 11 13 2 1

7 8 1 11 7

8 3 10 15 5

9 10 6 12 11

10 6 12 9 3

11 12 11 7 14

12 5 9 3 10

13 9 5 10 0

14 0 3 5 6

15 7 8 0 13

1) the given 56-bit key is left shifted, and then it is permuted by P-box and decreased to 48 bits. Although, the permutation function is invariant in each round, since the circular left shift is repeated in each round, a different sub-key is generated. 2) R part of the plain-text is permuted by P-box and extended to 48 bits. It is XORed with the 48-bit key; the result is passed through S-box, reduced to 32 bits, permuted by P-box, and finally it is XORed with L part of the plain-text. Each round of DES includes one circular left shift, three P-boxes, 80 XOR, and one S-box, where the circular left shift and P-boxes are constant in all rounds. A P-box is a permutation function which permutes all of the input bits. Also, a P-box may be set to expansion (replicate some bits of the input) or contraction (discard some of the input bits). Generally, DES circuit contains three types of P-boxes. The first one takes 56 bits as input and it outputs 48 bits. The second one takes 32 bits as input and it outputs 48 bits and the third one takes 32 bits as input and produces 32 bits as output. The permutations are defined by tables that in all rounds are constant. This means that the operation performed in each P-box of the circuit is exactly predetermined [34]. An S-box is used to confuse the input in the circuit and it is more complicated. An S-box accepts a 48-bit input and produces a 32-bit output. Essentially, an S-box in DES circuit is composed of 8 s-boxes and each of them takes 6-bit input and produces 4-bit output. For example, Table 1 denotes such conversions for s-box 1 in all rounds of DES. Table 1 should be interpreted as follows: The first and last bits of the input to s-box specify the row number of the table and the middle four bits of the input specify the column number of table. The selected row and column indicate a cell of the table whose value represents the 4-bit output of s-box. The 8 tables for 8 s-boxes in each round of DES can be found in [34]. The s-boxes in each round are constant. In summary, each DES round involves a left circular shift, 3 P-boxes, 8 s-boxes, and 80 XORs.

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

[m3G; v1.242; Prn:28/08/2018; 8:24] P.4 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

4

Fig. 2. A 3-bit key matrix filter. In the right side of figure the corresponding values of keys have been specified.

2.2. Our light-based plan for breaking DES Suppose function f : k × plain-text → cipher-text is given by f : {0, 1}56 × {0, 1}64 → {0, 1}64 . Our goal is to construct a solution space which encode all pairs [k; f (k, plain-text)] for a given plain-text and then extract the key from the solution space. The solution space in our light-based attack is a matrix in which each cell is transparent (one-bit) or opaque (zerobit). We call this matrix filter. This matrix can be made by a light sensitive material such as silicon wafer or negative film ribbon. Each row of matrix shows a possible pair of [k; f (k, plain-text)]. In other word, for each k ∈ {0, 1}56 , there exists at least one row of matrix that represents the binary string “k, f (k, plain-text)”. Note that column i shows ith bit of all possible string “k, f (k, plain-text)”. We call each column of the matrix filter a bit filter. The matrix filter that encodes all possible values of [k; f (k, plain-text)] can be considered as a lookup table. Hence, if we have f (k, plaintext) = cipher-text, we can find the encryption key k. To do this, the row of matrix that encode cipher-text should be located; if row i of the matrix has encoded the cipher-text f (k, plaintext), the key will be i. In this section we give an overview of how to generate matrix that encodes all possible values of [k; f (k, plain-text)] in the light-based attack. We describe our plan and then explain the details. The plan is performed in five steps: 1. Constructing key space, encoding all 56-bit keys to a matrix filter. This matrix is called key matrix filter. The key matrix filter represents all possible 56-bit key. 2. Implementing all components of the DES circuit including left circular shift, P-boxes, S-boxes, and XORs using bit filters. 3. Each component in the circuit is implemented individually. For each component the outputs are computed for all possible key values in the key matrix filter. The output of the components are matrix filters. 4. By passing key matrix filter and plain-text M through all components in 16 rounds, the final output matrix filter encoding all f (k, plain-text) is produced. Therefore, the final step is extracting the given cipher-text from the output matrix filter and specifying its row number to determine the encryption key. 5. The index of the extracted row is the value of encryption key k, where f (k, plain-text) = cipher-text. This row in the key matrix filter determines encryption key, too. 3. Results and discussion In this section we describe how to implement our plan (the five steps) of DES attack in details, along with a few examples and the results. Finally, the complexity analysis of our model is discussed. 3.1. Implementing DES components in light-based approach As mentioned above, at first, we should construct key matrix filter and other DES components in light-based approach and finally extract the encryption key. Key matrix filter To construct 256 binary strings corresponding to all possible 56-bit keys, we use a light-based procedure. To generate all possible k-bit strings, k negative film ribbons (or any light sensitive materials such as silicon wafer) are required. Each ribbon should be divided into 2k sections. Ribbon i denotes the ith bit of all k-bit strings. We call such a ribbon a bit filter. Bit filters are composed of transparent and opaque cells; the opaque ones block light (and it indicates zero-bit) while the transparent ones let light to pass (and it indicates one-bit in binary representation). If we put aside 56 bit filters, all possible values of 56-bit key are produced which we call it key matrix filter. Generally, a matrix filter is composed of several bit filters. Fig. 2 illustrates 3-bit key matrix filter. Each row of the key matrix filter denotes a possible key. Binary string “000. . . 0” is denoted by the first row, binary string “000. . . 01” is denoted by the second row, and so on. In general, row i indicates number i. This means, in row i the value of DES key is i.

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

[m3G; v1.242; Prn:28/08/2018; 8:24] P.5 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

5

Fig. 3. An example of ‘∧’ and ‘∨’ operations. f 1 , f 2 are two example of bit filters, f 3 = f 1 ∧ f 2 , f 4 is negation of f 1 , f 5 is negation of f 2 , f 6 = f 1 ∧ f 2 , and f 7 is negation of f 6 that is equal to f 1 ∨ f 2 .

Let i show the position of a bit of key, Algorithm 1 shows how to produce a bit filter for the ith bit of a k-bit key, at most in k steps. For this purpose, negative and positive films (or any light sensitive materials) can be used. If some sections of a raw negative film are exposed to the light, these sections act as a light blocker. This property is used to make opaque cells. If some cells of a positive film are exposed by the light, they will be transparent. Moreover, we can fix the properties of the cells using a fixer that makes the filters permanent and light-resistant [35]. Algorithm 1 Create a bit filter. Procedure Create_bit_filter(i , k ) { /* k is the length of binary string (key) and i is the position of interested bit in the binary string. Also consider a raw ribbon film divided into 2k sections */ 1. Make opaque the first 2i sections of the raw ribbon film 2. Make transparent the next 2i sections of the raw ribbon film 3. For j = i to k − 1 4. Copy first 2 j +1 sections to the next 2 j +1 sections of the raw ribbon film 5. end For }

In our model, the copy operation is done in one step; put a filter over a raw positive film ribbon and expose them by the light; the filter is projected on the raw positive film. XOR gates To XOR two bit filters, we should first implement ‘∨’ (AND) and ‘∧’ (OR) operations for two bit filters. Suppose we wish to do the ‘∧’ operation on A and B filters ( A ∧ B ). To do this, A and B filters are placed over a raw positive film and they are exposed by the light. So, ( A ∧ B ) is projected on the raw positive film. Since A ∨ B = A ∧ B, to make A ∨ B filter, at first, the ‘∧’ operation is done on A and B filters, and then the result of it is negated. To negate a bit filter, we should place the filter on a raw negative film and expose them by the light, then, the negation of the filter is composed on the raw negative film. Fig. 3 represents an example of ‘∨’ and ‘∧’ operations. We are now ready to explain ‘XOR’ operation. XORing two bit filters A and B is performed according to the following formula: A ⊕ B = ( A ∧ B ) ∨ ( A ∧ B ). To XOR all possible keys and a string such as B = bn bn−1 . . . b1 , the key matrix filter (we call it A) and the matrix filter of the string (we call it B) should be produced and then matrix A and B are XORed according to A ⊕ B = ( A ∧ B ) ∨ ( A ∧ B ) for all their columns. Producing key matrix filter is described in Algorithm 1. But, to produce matrix filter for string bn bn−1 . . . b1 , a matrix filter should be created in which column i represents b i (i.e., the ith bit of string B). This means that if b i = 0, all cells of column (i.e., bit filter) i must be made opaque; otherwise (b i = 1) they must be made transparent. The XORs in each round of the DES are implemented according to the process described in this section. In our light-based attack, each XOR component of DES do the XOR operation on two matrix filters with 256 rows, in O (1). P-box In our light-based attack, input of P-boxes is a matrix filter with 256 rows. The P-boxes is applied on all rows of the matrix filter, in a constant time (i.e., O (1)). As shown in Fig. 1, DES circuit have three types of P-box. The first one, P-box 1, takes 56 bits as input and produces 48 bits as output. To provide such P-box, in addition to changing the order of bits, some bits should be removed from inputs according to a given table. In the light-based attack, to remove an input bit, the corresponding column (i.e., bit filter) in the input matrix filter of P-box should be removed. Also, to change the order of input bits, we should change the order of bit filters in the input matrix filter. The second P-box takes 32 bits as input and produces 48 bits as output. To provide such P-box, we have to repeat and change the order of some input bits in the output string. To duplicate bit i of the input to position j of the output, we should copy bit filter i (column i) of the input matrix filter and place it in column j.

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

6

[m3G; v1.242; Prn:28/08/2018; 8:24] P.6 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

Fig. 4. An example of P-box that takes 3-bit strings (i.e., i 2 i 1 i 0 ) and produce 5-bit strings (i.e., i 0 i 2 i 0 i 2 i 1 ). Input matrix filter encodes all input strings of the P-box and output matrix filter shows the inputs after passing through this P-box.

Algorithm 2 Replacing a string with a new one in matrix filter A. Procedure Replacement ( sn sn−1 . . . s1 , bm bm−1 . . . b1 , A ) { 1. Create an L -filter for sn sn−1 . . . s1 in matrix filter A . 2. Create a matrix filter for string bm bm−1 . . . b1 , i.e., B . 3. For i = 1 to m 4. R i = ( L-filter ∧ B i )// B i indicates column i of matrix filter B . 5. End For 6. Create a matrix such as R in which column k is R k (where 1 ≤ k ≤ m). }

The third P-box takes 32 bits as input and produces 32 bits as output. To provide such P-box, we can simply change the order of columns (bit filters) according to the corresponding table of P-box 3. Suppose a P-box that takes a string of 3 bits (such as i 2 i 1 i 0 ) and produces a string of 5 bits (such as i 0 i 2 i 0 i 2 i 1 ). Fig. 4 shows the implementation of such P-box. Left circular shift To provide left circular shift, we can simply change the order of bits according to a predefined order [34]. Therefore, we just change the order of columns (i.e., bit filters) in input matrix filter of this component according to predefined order [34]. s-box An s-box (lookup table), as a part of S-box [34], is a function such as g: {0, 1}6 → {0, 1}4 which maps 6-bit strings to 4-bit strings. So, g function is given as a table of values. The mappings of s-box1 are defined in Table 1. For example, suppose input string of s-box1 is 011001, therefore the corresponding row and column of this string are 01 (1) and 1100 (12), respectively. The value of cell (1, 12) is 9, hence the output string is 1001. Note that the input of each s-box is a matrix filter including 256 strings that has passed through all the required components before this s-box. To implement this s-box, we should be able to locate a given string in the input matrix filter, and then replace it with the corresponding value in the table. Let’s assume that we wish to locate rows of the matrix filter including sn sn−1 . . . s1 string. To do this, ∀1 ≤ i ≤ n, if si = 0, column i (i.e., bit filter i) of the matrix filter should be negated and then ‘∧’ operation be done on all columns of the matrix filter. The result of the ‘∧’ operation is a bit filter (we call it L-filter) in which transparent cells show the locations of the string sn sn−1 . . . s1 in the matrix filter. After locating a given string we should replace it with another specified string. Algorithm 2 shows how to replace string sn sn−1 . . . s1 with string bm bm−1 . . . b1 , in a matrix filter. In the first line of Algorithm 2, the L-filter of string sn sn−1 . . . s1 is created. This L-filter denotes the locations of string sn sn−1 . . . s1 in matrix filter A. In line 2, the matrix filter of string bm bm−1 . . . b1 is created, in which all rows represent string bm bm−1 . . . b1 . We refer to it as matrix filter B. In lines 3–5 of Algorithm 2, for 0 < i < m, operation ‘∧’ is done on L-filter that have been created in line 1 and bit filter i of matrix filter B. Finally, matrix filter R in which bit filter i is bit filter R i = ( L-filter ∧ B i ) is composed. In matrix filter R, string sn sn−1 . . . s1 is replaced by bm bm−1 . . . b1 and other strings are replaced by zero strings. We call matrix filter R replacement–matrix filter. By iterating Algorithm 2, for all lookup table values, it produces 64 replacement–matrix filters, where in each iteration one value of the lookup table has been replaced with the corresponding strings. By doing operation ‘∨’ on 64 replacement–matrix filters, all replacements are placed in a new matrix filter. Fig. 5, shows an example for replacing ‘010’ and ‘001’ with ‘10’ and ‘01’ strings, respectively. 3.2. Extracting encryption key After passing all possible keys through 16 rounds (including Shifts, XORs, P-boxes and S-boxes components) of DES circuit, an output matrix filter is produced in which row i denotes a cipher-text that is encrypted using a key of value i. To

JID:TCS

AID:11712 /FLA

Doctopic: Theory of natural computing

[m3G; v1.242; Prn:28/08/2018; 8:24] P.7 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

7

Fig. 5. An example of replacing ‘010’ and ‘001’ by ‘10’ and ‘01’ strings, respectively. 1) A sample of matrix filter. 2) Corresponding L-filter for matrix filter 1 that locates ‘010’. 3) Corresponding L-filter for matrix filter 1 that locates ‘001’. 4) Matrix filter that all rows represent string ‘10’. 5) Matrix filter that all rows indicates string ‘01’. 6) A matrix filter for matrix filter 1, in which ‘010’ string has been replaced with ‘10’ string. 7) A matrix filter for matrix filter 1, in which ‘010’ string has been replaced with ‘01’ string. 8) Matrix filter representing the result of ‘∧’ operation on the matrix filters 6 and 7 (i.e., matrix filter in which ‘010’ and ‘001’ are replaced with ‘10’ and ‘01’, respectively).

Fig. 6. An example of extracting encryption key. L-filter locates string ‘110’. Since row 6 of L-filter is transparent, row 6 of key matrix filter represent the encryption key. The encryption key is (“101”).

extract the encryption key of a given pair (plain-text, cipher-text), the given cipher-text in the output matrix filter should be located. For example, let’s assume that (plain-text, cipher-text) = (“011”, “110”) and the first matrix filter in Fig. 6 represent the output matrix filter. In this case, the second filter in the figure represents the location of the string “110”. Hence, the corresponding row of location of the string “110” in the key matrix filter demonstrates the encryption key (“101”). 3.3. Complexity analysis We briefly calculate the number of steps required to construct the solution of DES using the proposed method. Each round of DES includes one circular shift, three P-boxes, one S-box, and 80 XORs. To provide each XOR, we need 5 bit filters (two bit filters for negation, two bit filters for ‘∧’ operations and one bit filter for ‘∨’ operation). To provide P-box 2, which produces 48 bits output from 32 bits input, we need 16 bit filters while in P-boxes 1 and 3 and also left circular shift operations, no new filters are required (because in these cases, only the order of bit filters are changed or bit filters are removed). On the other hand, there are 16 ∗ 8 = 128 s-boxes (or lookup tables) in DES circuit, and in each of them 64 replacements should be done, and each replacement requires 11 bit filters on average. Also, since replacement values in S-box is constant, so all created matrix filters for replacement value will be constant during each pair of (plain-text, cipher-text). Finally, in the last step, to extract the DES key, in the worst case we need 65 new filters (64 new filters for locating and 1 new filter for ‘∧’). 4. Conclusions In this paper, we proposed a light-based solution for breaking DES. In our solution to obtain DES key: i) Key matrix filter encoding all 56-bit binary strings is constructed, ii) The required operation of DES circuit are provided in light-based approach, iii) The key matrix filter is passed through all DES components, iv) String that contains the given cipher-text are extracted from the output matrix filter, v) the encryption key is extract.

JID:TCS

AID:11712 /FLA

8

Doctopic: Theory of natural computing

[m3G; v1.242; Prn:28/08/2018; 8:24] P.8 (1-8)

J. Salimi Sartakhti, S. Jalili / Theoretical Computer Science ••• (••••) •••–•••

Our plan to the light-based attack on DES is based on the provided logic operations of DES circuit. Hence, the solution is able to generate every the same circuit (e.g., Triple DES) by using the provided basic operations. Specially, the solution can be applied on each cryptosystem which employs the keys of length at most 56 bits only if the encryption circuit works like DES circuit. This leads to an interesting consequence of light-based computing: symmetric encryption systems using keys shorter than 56 bits are untrusted. Our light-based attack needs only one pair of (plain text, cipher text), while in some attacks such as differential cryptanalysis and linear cryptanalysis, respectively, 247 and 243 pairs of (plain text, cipher text). Also, the proposed solution can break DES in 98657 ≈ 217 steps ((2 (shift) + 48 (P-box1) + 32 (P-box2) + 48(P-box3) + 80 × 5 (XOR) + 11 × 8 × 64 (S-box)) × 16 + 65 (extracting key)), while in the best conventional attack (improvement of Davies’ attack), DES can be broken in 252 steps [18] (and in exhaustive search 256 steps are required). To produce the filters with 256 cells, we can use x-ray lithography. At the time, researchers are able to produce features (i.e., cells) in silicon wafers as small as 0.1 nm [35]. So, on a silicon wafer with one meter length and width, more than 266 cells can be produced. Silicon wafers act as negative film and it is reusable. References [1] D. Berchmans, S. Kumar, Optical character recognition: an overview and an insight, in: 2014 International Conference on Control, Instrumentation, Communication and Computational Technologies, ICCICCT, IEEE, 2014, pp. 1361–1365. [2] J. Goodman, Architectural development of optical data processing systems, J. Electr. Electron. Eng. Aust. 2 (3) (1982) 139–149. [3] J.H. Reif, A. Tyagi, Efficient parallel algorithms for optical computing with the discrete Fourier transform (DFT) primitive, Appl. Opt. 36 (29) (1997) 7327–7340. [4] J. Faist, Optoelectronics: silicon shines on, Nature a-z Ind. 433 (7027) (2005) 691–692. [5] A. Hyman, Charles Babbage: Pioneer of the Computer, Princeton University Press, 1982. [6] H.J. Caulfield, S. Dolev, Why future supercomputing requires optics, Nat. Photonics 4 (5) (2010) 261. [7] S. Dolev, H. Fitoussi, Masking traveling beams: optical solutions for NP-complete problems, trading space for time, Theoret. Comput. Sci. 411 (6) (2010) 837–853. [8] M. Oltean, O. Muntean, Solving NP-complete problems with delayed signals: an overview of current research directions, in: International Workshop on Optical Supercomputing, Springer, 2008, pp. 115–127. [9] D. Woods, J.P. Gibson, Lower bounds on the computational power of an optical model of computation, in: International Conference on Unconventional Computation, Springer, 2005, pp. 237–250. [10] D. Woods, T.J. Naughton, An optical model of computation, Theoret. Comput. Sci. 334 (1–3) (2005) 227–258. [11] D. Woods, T.J. Naughton, Parallel and sequential optical computing, in: International Workshop on Optical Supercomputing, Springer, 2008, pp. 70–86. [12] S. Goliaei, M.-H. Foroughmand-Araabi, Computational complexity of wavelength-based machine with slightly interacting sets, Int. J. Unconv. Comput. 13 (2) (2017). [13] S. Goliaei, S. Jalili, An optical wavelength-based solution to the 3-SAT problem, in: International Workshop on Optical Supercomputing, Springer, 2009, pp. 77–85. [14] D. Schultes, Rainbow sort: sorting at the speed of light, Nat. Comput. 5 (1) (2006) 67–82. [15] E. Cohenet, et al., Optical solver of combinatorial problems: nanotechnological approach, J. Opt. Soc. Amer. A 30 (9) (2013) 1845–1853. [16] N.T. Shaked, G. Simon, T. Tabib, S. Mesika, S. Dolev, J. Rosen, Optical processor for solving the traveling salesman problem (TSP), in: Optical Information Systems IV, vol. 6311, International Society for Optics and Photonics, 2006, p. 63110G. [17] J.S. Sartakhti, S. Jalili, A.G. Rudi, A new light-based solution to the Hamiltonian path problem, Future Gener. Comput. Syst. 29 (2) (2013) 520–527. [18] S. Goliaei, S. Jalili, J. Salimi, Light-based solution for the dominating set problem, Appl. Opt. 51 (29) (2012) 6979–6983. [19] S. Goliaei, S. Jalili, An optical wavelength-based solution to the 3-SAT problem, Opt. SuperComput. (2009) 77–85. [20] S. Goliaei, S. Jalili, An optical solution to the 3-SAT problem using wavelength based selectors, J. Supercomput. (2010) 1–10. [21] M. Oltean, O. Muntean, Exact cover with light, New Gener. Comput. 26 (4) (2008) 329–346. [22] K. Wu, J.G. de Abajo, C. Soci, P.P. Shum, N.I. Zheludev, An optical fiber network oracle for NP-complete problems, Light: Sci. Appl. 3 (2) (2014) e147. [23] M. Oltean, O. Muntean, Solving the subset-sum problem with a light-based device, Nat. Comput. 8 (2) (2009) 321–331. [24] M. Hasan, S. Hossain, M.M. Rahman, M.S. Rahman, Solving the generalized Subset Sum problem with a light based device, Nat. Comput. 10 (1) (2011) 541–550. [25] T. Haist, W. Osten, An optical solution for the traveling salesman problem, Opt. Express 15 (16) (2007) 10473–10482. [26] D.E. Tamir, N.T. Shaked, W.J. Geerts, S. Dolev, Parallel decomposition of combinatorial optimization problems using electro-optical vector by matrix multiplication architecture, J. Supercomput. 62 (2) (2012) 633–655. [27] D. Tamir, N. Shaked, W. Geerts, S. Dolev, Combinatorial optimization using electro-optical vector by matrix multiplication architecture, Opt. SuperComput. (2009) 130–143. [28] K. Wu, C. Soci, P.P. Shum, N.I. Zheludev, Computing matrix inversion with optical networks, Opt. Express 22 (1) (2014) 295–304. [29] D.E. Standard, in: Federal Information Processing Standard, FIPS, Publication, 1977. [30] M. Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard, Springer, 1994, pp. 1–11. [31] E. Biham, A. Shamir, Differential Cryptanalysis of the Full 16-Round DES, Springer, 1993, pp. 487–496. [32] M.J. Wiener, Efficient DES Key Search, Citeseer, 1994. [33] B. Dan, D. Christopher, J.L. Richard, Breaking DES Using a Molecular Computer, Princeton University, New Jersey, USA, 1995. [34] W. Stallings, Cryptography and Network Security: Principles and Practice, Prentice Hall, 2010. [35] M. Nakajima, Y. Kanno, S. Takeda, Y. Sakaida, S. Shigaki, Thin Film Forming Composition for Lithography Containing Titanium and Silicon, Google Patents, 2015.