David Wagner (daw@CS.Berkeley.EDU)
Fri, 24 Jul 1998 11:56:22 -0700 (PDT)
In article <3r9zeeex9.fsf@kmac.terisa.com> you write:
> Wasn't one of the original advantages of EDE mode that it was
> potentially safer if DES was a group?
No; it would be far weaker. Then for any 3-DES key (K_1,K_2,K_3),
there would be some equivalent single-DES key K, and so 3-DES would
be no stronger than single-DES.

Furthermore, if DES were a group, then single-DES (and 3-DES) would
be breakable with about 2^{28} offline work and one known plaintext
via a meet-in-the-middle attack.

The attack works as follows. Suppose we have a known text pair (P,C).
First, we store (E_i(P), i) in a lookup table keyed on E_i(P) for
2^{28} values of i. Next, we compute D_j(C) for 2^{28} values of j
and look for a match in the table of the form E_i(P) = D_j(C). When
we find such a match, we can deduce that the 2-DES key (i,j) is
equivalent to the unknown single-DES key. This will let us decrypt
the rest of the ciphertext.
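The meet-in-the-middle attack described above, run against a toy cipher whose keyed maps really do form a group; this is an added example, not code from the post. The affine cipher mod 251, the split of its key group into translations and scalings, and the sample blocks are all constructed here; the post uses random lists of 2^{28} keys and one known block, while the toy's block is far smaller than its keyspace, so it matches on two known blocks to rule out false hits.

```python
"""Meet-in-the-middle on a toy cipher whose keyed maps form a group.
Toy cipher (constructed): E_(a,b)(x) = a*x + b mod MOD, key (a, b), a != 0.
Composing two such keys is again a key, as a group-structured DES would be.
"""
import random

MOD = 251  # toy modulus (prime); keyspace is MOD*(MOD-1) = 62750 keys

def encrypt(key, x):
    a, b = key
    return (a * x + b) % MOD

def decrypt(key, y):
    a, b = key
    return ((y - b) * pow(a, -1, MOD)) % MOD

def compose(outer, inner):
    """Key k with E_k(x) == E_outer(E_inner(x)) for all x (group closure)."""
    a1, b1 = inner
    a2, b2 = outer
    return (a2 * a1 % MOD, (a2 * b1 + b2) % MOD)

def meet_in_the_middle(known):
    """known: two (plaintext, ciphertext) pairs with distinct plaintexts.
    Forward list: all translations (1, b); backward list: all scalings (a, 0).
    compose((a,0), (1,b)) = (a, a*b) reaches every key, so MOD + (MOD-1)
    trials cover MOD*(MOD-1) keys. Two blocks are matched because one block
    value mod MOD is narrower than the keyspace (DES's 64-bit block needs one).
    """
    (p1, c1), (p2, c2) = known
    table = {}
    for b in range(MOD):                   # store (E_i(P), i)
        i = (1, b)
        table[(encrypt(i, p1), encrypt(i, p2))] = i
    for a in range(1, MOD):                # look up D_j(C) in the table
        j = (a, 0)
        mid = (decrypt(j, c1), decrypt(j, c2))
        if mid in table:
            return compose(j, table[mid])  # single key equivalent to (i, j)
    return None

def demo(seed=1):
    """Constructed sample: recover a random key from two known blocks."""
    rng = random.Random(seed)
    true_key = (rng.randrange(1, MOD), rng.randrange(MOD))
    plaintext = rng.sample(range(MOD), 8)  # distinct constructed blocks
    ciphertext = [encrypt(true_key, x) for x in plaintext]
    found = meet_in_the_middle(list(zip(plaintext[:2], ciphertext[:2])))
    recovered = [decrypt(found, y) for y in ciphertext]
    return true_key, found, recovered == plaintext
```

The recovered key decrypts every remaining block, with about 500 trial encryptions instead of 62750; a real cipher avoids this only because its keyed permutations do not close under composition.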