
Quantity of plaintext/ciphertext required for DES crypto



Dan --

It is somewhat counterintuitive that the known plaintext attack
requires less data than the chosen plaintext attack, and a little
surprising, but not contradictory, since every known plaintext attack
is a chosen plaintext attack as well.

I think 2^32 is a better bound than 2^43, at least for certain modes
of DES. For instance, after 2^32 blocks in CBC mode, you expect to see
two identical ciphertext blocks, say c[i] and c[j]; the difference
between their predecessors will match the difference between the
corresponding plaintext blocks, i.e.,

p[i] xor p[j] = c[i-1] xor c[j-1]

Information thus starts to leak after 2^32 blocks (square root of the
message space). I would recommend 2^32 blocks as the limit for the
lifetime of a key, and that takes care of the 2^43/2^47 attacks as
well.

Feel free to summarize or repost my comments.

-- Burt

=======

This suggests that another way to meet the cryptanalytic threat to host-to-host
keying is to change the session key well before 2^32 plaintexts have been
encrypted. Consequently, I think that requiring IPv6 security implementations
to support user-to-user keying is too limiting. They can adequately meet
this threat by judicious session key management.

Dan
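The following illustration is added here and is not part of the thread; neither Burt nor Dan posted code. It simulates Burt's CBC birthday argument on a constructed toy cipher (a keyed random permutation on 16-bit blocks, standing in for DES's 64-bit blocks so that a collision appears after roughly 2^8 rather than 2^32 blocks), checks that a repeated ciphertext block really does reveal p[i] xor p[j] = c[i-1] xor c[j-1], and wraps the encryptor in a session that retires each key after 2^(n/2) blocks, which is the key-lifetime policy Dan draws from Burt's remark. All names, the toy block size, the seed values and the random plaintext are assumptions of the example.

```python
"""Added illustration of the CBC birthday leak and a key-lifetime limit.
Not from the original mailing-list thread; the cipher is a constructed toy."""
import random

BLOCK_BITS = 16                                # toy block size; DES uses 64
KEY_LIFETIME_BLOCKS = 1 << (BLOCK_BITS // 2)   # Burt's 2^(n/2) bound, here 2^8


def make_toy_cipher(key):
    """Keyed random permutation on BLOCK_BITS-bit blocks (stand-in for DES).
    Encryption of block p is simply table[p]."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(table, iv, plaintext_blocks):
    """Plain CBC: c[k] = E(p[k] xor c[k-1]) with c[-1] = iv."""
    out, prev = [], iv
    for p in plaintext_blocks:
        prev = table[p ^ prev]
        out.append(prev)
    return out


def first_ciphertext_collision(ciphertext_blocks):
    """Indices (i, j), i < j, of the first repeated ciphertext block, or None."""
    seen = {}
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def leaked_plaintext_xor(iv, ciphertext_blocks, i, j):
    """What the ciphertext alone reveals when c[i] == c[j]: because E is a
    permutation, p[i] xor c[i-1] == p[j] xor c[j-1], and therefore
    p[i] xor p[j] == c[i-1] xor c[j-1]."""
    def c_prev(k):
        return iv if k == 0 else ciphertext_blocks[k - 1]
    return c_prev(i) ^ c_prev(j)


def demonstrate_leak(seed=1):
    """Encrypt random blocks under a single key until a ciphertext block
    repeats, then verify the leaked XOR against the real plaintext."""
    rng = random.Random(seed)
    table = make_toy_cipher(rng.getrandbits(64))
    iv = rng.getrandbits(BLOCK_BITS)
    # 2^n + 1 random blocks: by pigeonhole a repeat is guaranteed, although
    # it is expected far earlier, around 2^(n/2) blocks.
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range((1 << BLOCK_BITS) + 1)]
    ciphertext = cbc_encrypt(table, iv, plaintext)
    i, j = first_ciphertext_collision(ciphertext)
    leaked = leaked_plaintext_xor(iv, ciphertext, i, j)
    return {
        "blocks_until_collision": j + 1,
        "leak_matches_plaintext": leaked == plaintext[i] ^ plaintext[j],
    }


class RekeyingCBC:
    """CBC encryptor that retires each key after KEY_LIFETIME_BLOCKS blocks.
    A real protocol must also signal the rekey to the receiver; that part is
    omitted here because the thread does not describe it."""

    def __init__(self, rng, lifetime=KEY_LIFETIME_BLOCKS):
        self.rng, self.lifetime = rng, lifetime
        self.keys_used = 0
        self._new_key()

    def _new_key(self):
        self.table = make_toy_cipher(self.rng.getrandbits(64))
        self.prev = self.rng.getrandbits(BLOCK_BITS)   # fresh IV per key
        self.blocks_under_key = 0
        self.keys_used += 1

    def encrypt_block(self, p):
        if self.blocks_under_key >= self.lifetime:
            self._new_key()
        self.prev = self.table[p ^ self.prev]
        self.blocks_under_key += 1
        return self.prev


def rotation_demo(n_blocks, seed=2):
    """Encrypt n_blocks random blocks through RekeyingCBC; return keys used."""
    rng = random.Random(seed)
    session = RekeyingCBC(rng)
    for _ in range(n_blocks):
        session.encrypt_block(rng.getrandbits(BLOCK_BITS))
    return session.keys_used


if __name__ == "__main__":
    print(demonstrate_leak())
    print("keys used for 1000 blocks:", rotation_demo(1000))
```

With 16-bit blocks the first repeat typically appears after a few hundred blocks, and the recovered XOR of the two plaintexts always matches; scaling the block size to 64 bits moves that point to the 2^32 region Burt cites. The rotation wrapper is the defensive counterpart: encrypt under a key only up to the square-root bound, then move to a fresh key and IV so that a later ciphertext collision no longer relates two inputs to the same permutation.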