Re: DES question

Stuey Monster (stuey@geocities.com)
Wed, 17 Feb 1999 23:15:18 -0500

• Next message: Alex Alten: "Re: reflecting on RC4"
• Previous message: staym@accessdata.com: "DES question"

staym@accessdata.com wrote:
>
> Given plaintext P and key Kn, calculate Cn=E(Kn,P). Take a subset of
> the bits of Cn and call them K(n+1). Repeat.
>
> If DES is close to a random function, this should have a period of about
> 2^56. Does it?
> --

um. maybe. remember there exist weak, semi-weak, possibly weak, and
complement keys for DES. They're not really an issue, in a general
sense, but if you're looking to re-key based on previous encryptions,
they might have an effect on the cycle...
Page 348 of Schneier: "...DES is very far away from being a group." I
take that to mean two things. one: double encryption is useful. two:
mucking with Cn and dumping it back in as a key for a new round just
might yield a period way higher than 2^56 (then again it might not),
since a new key has it's own mapping from ciphertext to plaintext, and
you're forgetting that the 64 bit block for P that you start with
affects the long term behavior of this cycle as much as the initial
chioce of Kn. there's really not much of a way of knowing how big a
cycle will be. Intuitively: max starting entropy is 120 bits, so it's
probably much smaller than 2^120. I'm figuring take the square root and
get 2^60 due to the fact that complement keys exist (which implies there
are two distinct loops that are exact complements of each other... which
may or may not be the case. two complements just might be two different
starting points in the same big loop...). then whack off a little bit
due to the fact that you're ignoring 8 bits every time you re-key. maybe
about 2^56 for a cycle, but for an entirely different reason than you
proposed (implied?)... :)
by the way you say: "...the bits of Cn and call them K(n+1). Repeat."
repeat what? re-encrypt the same P? encrypt Cn with K(n+1) {gasp. you
really might not want to do that, since K(n+1) and Cn are essentially
the same thing, since they are closely mathematically related.}
All this is a SWAG (Scientific Wild Ass Guess), since I'm not an expert
in this field. what I do know is that this would be a painfully slow
PRNG. There are things with greater periods, and much faster, out there.
-SM2k

• Next message: Alex Alten: "Re: reflecting on RC4"
• Previous message: staym@accessdata.com: "DES question"