Is 3DES Broken?
John Kelsey
kelsey.j at ix.netcom.com
Thu Feb 3 09:55:15 EST 2005
>From: "Steven M. Bellovin" <smb at cs.columbia.edu>
>Sent: Feb 2, 2005 1:39 PM
>To: bear <bear at sonic.net>
>Cc: Aram Perez <aramperez at mac.com>, Cryptography <cryptography at metzdowd.com>
>Subject: Re: Is 3DES Broken?
...
>>I think you meant ECB mode?
>No, I meant CBC -- there's a birthday paradox attack to watch out for.
Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}.
For CBC and CFB, this ends up leaking information about the XOR of a couple plaintext blocks at a time; for OFB and counter mode, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}.
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
--John Kelsey
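
The CBC case described above, as an added example that is not part of the original message: once two ciphertext blocks collide, the XOR of the two corresponding plaintext blocks can be read off the ciphertext alone. The 16-bit toy block cipher (a seeded random permutation), the seeds and all function names are assumptions chosen so the 2^{n/2} = 256 block threshold is reached quickly; with n = 64 the same arithmetic applies at around 2^32 blocks.

```python
import random

N_BITS = 16                      # toy block size n (assumption; DES/3DES has n = 64)
BLOCKS = 1 << N_BITS

def make_cipher(seed):
    """Toy block cipher: a seeded pseudorandom permutation of n-bit blocks."""
    table = list(range(BLOCKS))
    random.Random(seed).shuffle(table)
    return table

def cbc_encrypt(cipher, iv, plaintext):
    """CBC: C_i = E(P_i xor C_{i-1}), with C_0 = IV. Returns [IV, C_1, ...]."""
    out = [iv]
    for p in plaintext:
        out.append(cipher[p ^ out[-1]])
    return out

def leaked_xors(ciphertext):
    """From ciphertext alone, return {(j, i): P_j xor P_i} for colliding blocks.

    If C_i == C_j then the cipher inputs were equal, so
    P_i xor C_{i-1} == P_j xor C_{j-1}, i.e. P_i xor P_j == C_{i-1} xor C_{j-1}.
    """
    first_seen, leaks = {}, {}
    for i in range(1, len(ciphertext)):      # index 0 is the IV, not a cipher output
        c = ciphertext[i]
        if c in first_seen:
            j = first_seen[c]
            leaks[(j, i)] = ciphertext[j - 1] ^ ciphertext[i - 1]
        else:
            first_seen[c] = i
    return leaks

def demo(num_blocks, seed=2005):
    """Encrypt random (constructed) plaintext; return (leak count, all leaks correct)."""
    rng = random.Random(seed)
    cipher = make_cipher(seed + 1)
    plaintext = [rng.randrange(BLOCKS) for _ in range(num_blocks)]
    ct = cbc_encrypt(cipher, rng.randrange(BLOCKS), plaintext)
    leaks = leaked_xors(ct)
    # plaintext[k - 1] is P_k because ct[0] is the IV
    correct = all(plaintext[j - 1] ^ plaintext[i - 1] == x for (j, i), x in leaks.items())
    return len(leaks), correct

if __name__ == "__main__":
    for blocks in (64, 256, 1024, 4096):     # 2^(n/2) = 256 for n = 16
        print(blocks, demo(blocks))
```

The number of leaked XORs grows roughly with the square of the message length, which is why the block limits in the proofs are stated as a constant factor times 2^{n/2}.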
---------------------------------------------------------------------
The Cryptography Mailing List