FIPS 202/SHAKE: insecure 3DES key derivation example

I'm trying to understand the following passage from FIPS 202 (the SHA-3 standard), discussing the SHAKE functions' correlated outputs for different output lengths and the risks they induce in some protocols. The example they give is this (appendix A.2, "Additional Consideration for Extendable-Output Functions," p. 25):

[A] nave (and non-approved) way for two parties to agree to derive a 112-bit Triple DES key from a message designated as $keymaterial$ would be to compute $SHAKE128(keymaterial, keylength)$, where $keylength$ is 112. However, if an attacker is able to induce one of the parties to use a different value for $keylength$, say 168 bits, but the same value for $keymaterial$, then the two parties will end up with the following keys:

• $SHAKE128(keymaterial, 112) = \mathbf{fg}$
• $SHAKE128(keymaterial, 168) = \mathbf{fgh}$,

where the bolded letters of the digest represent 56-bit strings, e.g., the parts of a Triple DES key.

Because of the structure of Triple DES, these keys are vulnerable to attack.

I'm trying to understand this example more concretely. So far what I can make out is this scenario:

• Alice and Bob have established a shared secret $keymaterial$, and are now supposed to both compute $SHAKE128(keymaterial, 112) = fg$, and instantiate 3DES with keys $f, g, f$.
• Eve however tricks Alice into computing $SHAKE128(keymaterial, 168)$. So now:
  • Alice's encryption function is $E^{3DES}_{f, g, h} = E^{DES}_f \circ D^{DES}_g \circ E^{DES}_h$;
  • Bob's decryption function is $D^{3DES}_{f, g, f} = D^{DES}_f \circ E^{DES}_g \circ D^{DES}_f$.
• The composition of Alice's encryption and Bob's decryption functions is $D^{3DES}_{f, g, f} \circ E^{3DES}_{f, g, h} = (D^{DES}_f \circ E^{DES}_g \circ D^{DES}_f) \circ (E^{DES}_f \circ D^{DES}_g \circ E^{DES}_h)$.
• Simplifying adjacent inverses in that equation, we get $D^{3DES}_{f, g, f} \circ E^{3DES}_{f, g, h} = D^{DES}_f \circ E^{DES}_h$.
• This function is vulnerable to a meet-in-the-middle attack.

If I'm on the right track here at all, where I'm getting stuck is: what larger scenario allows Eve to take advantage of this? I can picture this scenario:

• Eve has these powers:
  • Trick Alice and Bob into misderiving their 3DES keys as described;
  • Choose messages for Alice to encrypt and observe Bob's decryptions of them.
• Eve uses these to mount a meet-in-the-middle attack that recovers $f$ and $h$ in $2^{57}$ time.

So now Eve knows that $SHAKE128(keymaterial, 168) = fgh$ for some unknown $g \in \{0, 1\}^{56}$. This certainly allows Eve to bruteforce $g$ within an additional $2^{56}$ tries, but if $SHAKE128$ is preimage-resistant it should still be difficult for Eve to recover $keymaterial$. So are the dangerous scenarios those where $keymaterial$ is a long-term key, so that Alice and Bob will communicate many times with the same derived $f$ and $g$?

(I worry this might be a bit of a yes/no question, but I figure I must have something wrong above...)

Asked by user33557 (13,973 )
Jan 04, 2017 at 02:13