[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3DES keys

RSA Labs,  http://www.rsa.com/rsalabs/cryptobytes/spring95/news.htm:

 Modes involving single-DES instead of triple-DES as a primitive, such
 as encrypting three times with single-DES in cipher block chaining
 mode, have been shown by Eli Biham in the past year to be potentially
 no stronger than single-DES against certain attacks. Encrypting with
 triple-DES in cipher block chaining mode is not vulnerable to those
 attacks.

A handout at the Crypto 95 rump session by Thomas Jones
(peace@acm.org) refers to Kaliski's 1994 tech report on combined DES
modes, which might only be available to subscribers of RSA Labs tech
reports.

The handout also refers to Bihams's attack, giving an Asiacrypt '94
reference and the proceedings, to be published by Springer.

The "triple-DES in cipher block chaining mode" method, if I understand it
correctly, is subject to a dictionary attack of somewhat less than 2^64
space complexity, depending on your attack scenario.  This mode was
described earlier this year in this mailing list by Ashar Aziz and
John Ioannides.

The two attacks motivated Jones to suggest several alternative combined
DES modes that carry more internal state and are resistant to known forms
of attack.

It is arguable that neither attack is practical.  However, one might take
it to mean that the strength of the systems is far less than the number
of key bits would indicate.  In that case, why bother generating lots of
keying material?  About 76 bits would be the maximum needed.
Follow-Ups: References: