[Cryptography] 3DES security?
Anton Titov
anton at titov.net
Wed Aug 26 22:05:19 EDT 2015
On 27.08.2015 03:07, Henry Baker wrote:
> What's the current best estimate for the (in)security of 3DES, in bits ?
>
The answer probably depends on how many know plaintexts you have and
could range from (could!) 168 bits for 0 known plaintexts to 0 bits for
2^64 known (different) plaintexts, as for any 64 bit cipher.
It is widely believed that the security is 112 bits because of meet in
the middle attack. This attack however needs a solid known plaintext,
not a knowledge that the plaintext is "English text" or any other vague
idea about it. Due to the fact that 64bit block cipher with 168 bit key
has many (2^104?) keys that yield the same ciphertext for the same
plaintext you obviously need more that one plaintext or the ability to
tell if blocks other that the known one decrypt to a sensible data and
that may not always be the case. Also this attack needs 2^56 * block
size (64 bits) of storage which is 512 peta bytes. That is $5b if RAM is
used (without the cost of other components), $400m if SSDs are used or
$35m if HDDs are used. You also need to perform 2^112 lookups in these
2^56 blocks. One can argue that the lookup can be considered constant
(as opposed to log N) if many computers do that task in parallel, but
this is also expensive.
Frankly if I'm given one (or 10) modern computers my feeling is that it
will brute-force one 128bit AES key faster than 3DES key (1 known
plaintext+constant time check for correct key for 3DES). However both
are unrealistic as of today.
Best,
Anton
More information about the cryptography
mailing list