Losing the Code War by Stephen Budiansky

Jim Gillogly jim at acm.org
Mon Feb 4 13:02:58 EST 2002


Joshua Hill wrote:
> 
> marius wrote:
> > Not quite true. Encrypting each message twice would not increase the
> > "effective" key size to 112 bits.
> > There is an attack named "meet in the middle" which will make the
> > effective key size to be just 63 bits.
> 
> Peter Trei wrote:
> > Don't forget that the MITM attack (which Schneier claims
> > takes 2^(2n) = 2^112 time), also requires 2^56 blocks
> > of storage.
> [...]
> > I don't lose sleep over MITM attacks on 3DES.
> 
> Unless I'm mistaken, the 2^63 operation MITM attack referenced in the
> original message referred to Double-DES, not Triple-DES.  The original
> cited value of 2^63 is incorrect; the Double-DES MITM attack (as proposed
> by Merkle and Hellman) is a known plaintext attack that takes 2^57
> operations, with 2^56 blocks of storage.
> 
> Your provided values are correct for attacking Triple-DES, but I don't
> think that's what the original author was referring to.

Since 2^56 blocks of storage is borderline ridiculous, van Oorschot and
Wiener did a nice paper in Journal of Cryptology in 1999 that shows how
to do the time-memory tradeoff.  For 2^40 blocks of storage it takes about
2^72 operations for 2DES.  The equivalent 3DES attack costs closer to 2^175
with reasonable storage requirements.
-- 
	Jim Gillogly
	14 Solmath S.R. 2002, 17:59
	12.19.8.17.5, 7 Chicchan 3 Pax, Third Lord of Night

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list