[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Counter Mode Security: Attacks, Storage & a Proposal

To: tytso@mit.edu
Subject: Re: Counter Mode Security: Attacks, Storage & a Proposal
From: Paul Koning <pkoning@equallogic.com>
Date: Fri, 22 Nov 2002 10:04:45 -0500
Cc: ipsec@lists.tislabs.com
References: <277DD60FB639D511AC0400B0D068B71E0564C57C@corpmx14.us.dg.com><15837.34306.911000.501269@gargle.gargle.HOWL><20021122040009.GA549@think.thunk.org>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:

 Theodore> On Thu, Nov 21, 2002 at 08:18:58PM -0500, Paul Koning
 Theodore> wrote:
 >> I continue to prefer a design where the transform strength is
 >> equal to the cipher strength unconditionally, because that's (as
 >> far as I know) the normal design rule.

 Theodore> The problem I have with this imputed design rule is that it
 Theodore> appears to completely ignore the storage requirements of
 Theodore> attacks, and that doesn't seem right.  For example, if you
 Theodore> create a lookup table that enumerates the encryption of a
 Theodore> known plaintext for every single possible key, you can
 Theodore> carry out the attack in O(1) time.  This ignores the cost
 Theodore> of the storage, and the time it takes to create the table
 Theodore> in the first place, but if you posit the existence of this
 Theodore> table, the strength of any cipher (by what I believe is a
 Theodore> very flawed definition) is 0 bits.

But I never said to ignore the cost of storage.  What I meant (perhaps
I didn't say this explicitly) is that, given an attack requiring O(x)
storage and O(y) time, I judge the cipher strength to be O(max(x,y)).

 Theodore> This is why I don't believe that claim that the fact that
 Theodore> there exists an attack which takes O(2**85) time but
 Theodore> requires O(2**85) storage means that the cipher is only 85
 Theodore> bits strong.  That just doesn't seem to be an appropriate
 Theodore> way of judging the strength of a cipher.

The alternative is to apply a scale factor to storage cost different
from computation cost.  But the problem with doing this is that the
process for arriving at such a scale factor involves a lot of
guessword, especially when you're trying to secure data for 30 years.
(We are, right?  Clearly we should be.)

 Theodore> (As another example, triple DES is succeptible to attacks
 Theodore> that require O(2**56) in time and O(2**56) in space.  Does
 Theodore> this mean that if both can be attacked in O(2**56) time,
 Theodore> completely ignoring the storage requirements, both ciphers
 Theodore> are identically strong with 56 bits of strength?  I don't
 Theodore> think so.)

No, it's double DES that is subject to that attack ("meet in the
middle") which is precisely why double DES is never used.  

(Note that the incremental cost in SA state of 3DES -- in the form
used in IPsec -- compared to 2DES is essentially the same as the
incremental cost of the 64-bit random seed as proposed by David
McGrew.)

	 paul

References:
- Counter Mode Security: Attacks, Storage & a Proposal
  - From: Black_David@emc.com
- Re: Counter Mode Security: Attacks, Storage & a Proposal
  - From: Paul Koning <pkoning@equallogic.com>
- Re: Counter Mode Security: Attacks, Storage & a Proposal
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Re: SPD policy document/article
Next by Date: Re: Counter Mode Security: Analysis and Recommendations
Prev by thread: Re: Counter Mode Security: Attacks, Storage & a Proposal
Next by thread: Re: Counter Mode Security: Attacks, Storage & a Proposal
Index(es):
- Date
- Thread