
Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms



Just so we're clear.

> Scott Fluhrer <sfluhrer@cisco.com> writes:
> > On Thu, 12 Jun 2003, Eric Rescorla wrote:
> > > > From a cryptographical standpoint, there may be 168 distinct key bits that
> > > > affect the ciphertext, but it is well known that you can break 3DES with
> > > > far less work than O(2**168) effort.  There is a meet-in-the-middle attack
> > > > that (with a lot of memory) brings the effort down to around O(2**112),
> > > > which is what I assume Paul was referring to.
> > > Uh, "lot" means O(2**56), no?
> > 
> > Well, yes, but the attack scales to lesser amounts of memory.  If you
> > had only O(2**40) memory, then the attack works in O(2**128) time --
> > still far less than 2**168.
> And if you have O(2^336) blocks of memory then you could do it in
> O(1) steps.
And of course, if you paid the modest O(2^336) precomputation cost.

> > > In the same way, it's conventional to refer to DES as having a strength
> > > of 56 bits despite the fact that if you somehow laid your hands on 2^47
> > > chosen plaintexts the complexity of DES would be a measly O(2^47).
> > Actually, if you're referring to linear cryptanalysis, the common result is
> > that it takes 2^47 known plaintexts.
> No, I'm referring to differential. See the HAC, page 259.
> Not that it really matters.
Of course, it matters in some cosmic sense, but for the current purposes,
it's merely "impractically large".

-Ekr
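
The time/memory trade-off discussed in the thread, scaled down to a toy cipher (an added example, not part of the original message). The cipher, its constants, the key and the plaintexts are constructed for illustration, and it uses three plain encryptions rather than DES's encrypt-decrypt-encrypt: three 8-bit keys stand in for three 56-bit DES keys, so a full table of 2**8 entries costs 2**16 trials (the analogue of 2**56 memory and 2**112 time), and shrinking the table to 2**4 entries costs 2**20 trials (the analogue of 2**40 memory and 2**128 time).

```python
# Toy model, constructed for illustration: 8-bit keys, 16-bit blocks.
KEY_BITS, MASK = 8, 0xFFFF
M = 0x6487                          # odd, hence invertible mod 2**16
M_INV = pow(M, -1, 1 << 16)         # needs Python 3.8+

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def enc(k, x):
    for r in range(3):
        x = rotl(((x ^ (k * 257) ^ r) * M) & MASK, 7)
    return x

def dec(k, y):
    for r in (2, 1, 0):             # undo the rounds in reverse order
        y = ((rotl(y, 9) * M_INV) & MASK) ^ (k * 257) ^ r
    return y

def triple(keys, x):
    k1, k2, k3 = keys
    return enc(k3, enc(k2, enc(k1, x)))

def mitm(pairs, mem_bits):
    """Find (k1, k2, k3) while holding at most 2**mem_bits table entries."""
    (p0, c0), rest = pairs[0], pairs[1:]
    n, chunk = 1 << KEY_BITS, 1 << mem_bits
    found, trials = set(), 0
    for base in range(0, n, chunk):         # 2**(KEY_BITS - mem_bits) passes
        table = {}                          # forward half: E_k1(p0) -> k1
        for k1 in range(base, base + chunk):
            table.setdefault(enc(k1, p0), []).append(k1)
        for k3 in range(n):                 # backward half: every (k2, k3)
            mid = dec(k3, c0)
            for k2 in range(n):
                trials += 1
                for k1 in table.get(dec(k2, mid), ()):
                    key = (k1, k2, k3)      # confirm on the remaining pairs
                    if all(triple(key, p) == c for p, c in rest):
                        found.add(key)
    return found, trials

SECRET = (0x3A, 0xC5, 0x71)                 # constructed sample key
PAIRS = [(p, triple(SECRET, p)) for p in (0x0001, 0x1234, 0xBEEF)]

if __name__ == "__main__":
    for m in (8, 4):
        keys, trials = mitm(PAIRS, m)
        print(f"memory 2**{m}: {trials} trials, recovered {sorted(keys)}")
```

In both runs memory times trials equals 2**24, the size of the full key space, which is the same relation that gives 2**168 for the figures quoted in the thread.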