Re: The Cost of Snakeoil


Ben Laurie (ben@algroup.co.uk)
Sat, 25 Jul 1998 13:46:08 +0100


David Wagner wrote:
>
> In article <3r9zeeex9.fsf@kmac.terisa.com> you write:
> > Wasn't one of the original advantages of EDE mode that it was
> > potentially safer if DES was a group?
>
> No; it would be far weaker. Then for any 3-DES key (K_1,K_2,K_3),
> there would be some equivalent single-DES key K, and so 3-DES would
> be no stronger than single-DES.
>
> Furthermore, if DES were a group, then single-DES (and 3-DES) would
> be breakable with about 2^{28} offline work and one known plaintext
> via a meet-in-the-middle attack.
>
> The attack works as follows. Suppose we have a known text pair (P,C).
> First, we store (E_i(P), i) in a lookup table keyed on E_i(P) for
> 2^{28} values of i. Next, we compute D_j(C) for 2^{28} values of j
> and look for a match in the table of the form E_i(P) = D_j(C). When
> we find such a match, we can deduce that the 2-DES key (i,j) is
> equivalent to the unknown single-DES key. This will let us decrypt
> the rest of the ciphertext.

It seems to me that this is assuming rather more than just group
properties. In particular, I'm guessing that for this to be true the
group would have to have at most 2^29 generators.

I admit I haven't constructed a proof (yet). I'll do so if there isn't
some obvious reason that I'm wrong.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
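The meet-in-the-middle search quoted above, run on a toy cipher whose keys do form a group (affine maps mod a small prime), as an added example that is not part of the original message. The cipher, the modulus 251, the table size and all function names are assumptions chosen for illustration; the sketch also assumes that i and j are drawn uniformly from the whole group and that one known block determines the key uniquely.

```python
import random

P_MOD = 251                        # toy prime modulus (assumption)
GROUP_ORDER = P_MOD * (P_MOD - 1)  # number of keys (a, b) with a != 0

def encrypt(key, block):
    # Toy cipher: apply x -> a*x + b (mod p) to both halves of the block.
    a, b = key
    return tuple((a * v + b) % P_MOD for v in block)

def decrypt(key, block):
    a, b = key
    a_inv = pow(a, -1, P_MOD)      # modular inverse, Python 3.8+
    return tuple((a_inv * (v - b)) % P_MOD for v in block)

def compose(j, i):
    # Group closure: the single key equal to "encrypt with i, then with j".
    return ((j[0] * i[0]) % P_MOD, (j[0] * i[1] + j[1]) % P_MOD)

def random_key(rng):
    return (rng.randrange(1, P_MOD), rng.randrange(P_MOD))

def meet_in_the_middle(plain, cipher, rng, table_size=1000, max_tries=20000):
    # Forward half: table of E_i(P) -> i for randomly chosen keys i.
    table = {}
    while len(table) < table_size:
        i = random_key(rng)
        table[encrypt(i, plain)] = i
    for tries in range(1, max_tries + 1):
        j = random_key(rng)        # backward half: look for D_j(C) in the table
        i = table.get(decrypt(j, cipher))
        if i is not None:
            return compose(j, i), table_size + tries
    return None, table_size + max_tries

def demo(seed=1998):
    rng = random.Random(seed)
    secret = random_key(rng)
    plain = (17, 42)               # constructed known plaintext, halves differ
    cipher = encrypt(secret, plain)
    recovered, work = meet_in_the_middle(plain, cipher, rng)
    other = (200, 3)               # second constructed block, never seen by the search
    return secret, recovered, work, decrypt(recovered, encrypt(secret, other)) == other
```

`demo()` returns the secret key, the composed key found by the search, the number of cipher operations spent, and whether the composed key decrypts a block the search never saw; the operation count stays well below the 62,750 keys an exhaustive search would cover.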



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:54 ADT