
Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms

Scott Fluhrer <sfluhrer@cisco.com> writes:
> On Thu, 12 Jun 2003, Eric Rescorla wrote:
> > > For a cryptographical standpoint, there may be 168 distinct key bits that
> > > affect the ciphertext, but it is well known that you can break 3DES with
> > > far less work than O(2**168) effort.  There is a meet-in-the-middle attack
> > > that (with a lot of memory) brings the effort down to around O(2**112),
> > > which is what I assume Paul was referring to.
> > Uh, "lot" means O(2**56), no?
> Well, yes, but the attack scales to lesser amounts of memory.  If you
> had only O(2**40) memory, then the attack works in O(2**128) time --
> still far less than 2**168.
And if you have O(2^336) blocks of memory then you could do it in
O(1) steps.

> > Sure, but under practical conditions the effective key size of
> > 3DES-EDE3 is 168 bits
> Actually, as I pointed out above, even if you restrict the amount of
> memory an attacker has available to a reasonable amount, the strength of
> 3DES is still less than 168 bits.
Only if you behave as if memory is costless.

> On the IPSec mailing list, we're supposed to be (one of the) IETF expert
> groups on security -- I would hope that some greater amount of precision
> is appropriate.
I don't consider ignoring the cost of memory particularly precise.

> > In the same way, it's conventional to refer to DES as having a strength
> > of 56 bits despite the fact that if you somehow laid your hands on 2^47
> > chosen plaintexts the complexity of DES would be a measly O(2^47).
> Actually, if you're referring to linear cryptanalysis, the common result is
> that it takes 2^47 known plaintexts.
No, I'm referring to differential. See the HAC, page 259.
Not that it really matters.


[Eric Rescorla                                   ekr@rtfm.com]
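
The memory/time trade-off debated in this message, as an added example that is not part of the original post: a meet-in-the-middle search against three-key EDE built from a constructed toy Feistel cipher with 6-bit stage keys (standing in for DES's 56), counting (k2, k3) guesses for a given table size. The cipher, key values and function names are all assumptions made for the illustration.

```python
KEY_BITS = 6  # toy stage-key size (real DES: 56 bits per stage)

def _f(r, k, i):  # toy round function, constructed for this example
    return ((r * 7 + k * 13 + i * 29) ^ (r >> 2)) & 0xFF

def enc(k, x):  # 4-round Feistel on a 16-bit block
    l, r = x >> 8, x & 0xFF
    for i in range(4):
        l, r = r, l ^ _f(r, k, i)
    return (l << 8) | r

def dec(k, y):  # exact inverse of enc
    l, r = y >> 8, y & 0xFF
    for i in reversed(range(4)):
        l, r = r ^ _f(l, k, i), l
    return (l << 8) | r

def ede3(k1, k2, k3, p):  # encrypt-decrypt-encrypt with three keys
    return enc(k3, dec(k2, enc(k1, p)))

def mitm(pairs, mem_bits):
    """Search for (k1, k2, k3) holding at most 2**mem_bits table entries.
    Returns (candidates, trials); trials counts (k2, k3) guesses."""
    n, chunk = 1 << KEY_BITS, 1 << mem_bits
    p0, c0 = pairs[0]
    found, trials = [], 0
    for start in range(0, n, chunk):       # one pass per slice of the k1 space
        table = {}
        for k1 in range(start, start + chunk):
            table.setdefault(enc(k1, p0), []).append(k1)
        for k2 in range(n):
            for k3 in range(n):
                trials += 1
                mid = enc(k2, dec(k3, c0))  # equals enc(k1, p0) for the right keys
                for k1 in table.get(mid, ()):
                    if all(ede3(k1, k2, k3, p) == c for p, c in pairs[1:]):
                        found.append((k1, k2, k3))
    return found, trials

# Constructed sample data: a secret key and three known plaintext/ciphertext pairs.
SECRET = (37, 5, 58)
PAIRS = [(p, ede3(*SECRET, p)) for p in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    for m in (6, 4, 2):
        cands, t = mitm(PAIRS, m)
        print(f"memory 2^{m}: {t} trials, true key found: {SECRET in cands}")
```

In this toy, trials times table size stays at 2^(3*KEY_BITS), the same shape as the 2^56 memory / 2^112 time and 2^40 memory / 2^128 time figures quoted above; the count says nothing about what the memory itself costs.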