long-term GPG signing key

Steven M. Bellovin smb at cs.columbia.edu
Fri Jan 13 11:29:05 EST 2006

In message <43C7C824.9000502 at systemics.com>, Ian G writes:
>Alexander Klimov wrote:
>> On Wed, 11 Jan 2006, Ian G wrote:
>>>Even though triple-DES is still considered to have avoided that
>>>trap, its relatively small block size means you can now put the
>>>entire decrypt table on a dvd (or somesuch, I forget the maths).
>> This would need 8 x 2^{64} bytes of storage which is approximately
>> 2,000,000,000 DVD's (~ 4 x 2^{32} bytes on each).
>> Probably, you are referring to the fact that during encryption of a
>> whole DVD, say, in CBC mode two blocks are likely to be the same
>> since there are an order of 2^{32} x 2^{32} pairs.
>Thanks for the correction, yes, so obviously I
>muffed that one.  I saw it mentioned on this list
>about a year ago, but didn't pay enough attention
>to recall the precise difficulty that the small
>block size of 8 bytes now has.

The difficulty with 3DES's small blocksize is the 2^32 block limit when 
using CBC -- you start getting collisions, allowing the attacker to 
start building up a code book.  The amount of data is quite within 
reach at gigabit speeds, and gigabit Ethernet is all but standard 
equipment on new computers.  Mandatory arithmetic: 2^32 bytes is 2^38 
bits, or ~275 * 10^9.  At 10^9 bits/sec, that's less than 5 minutes.  
Even at 100M bps -- and that speed *is* standard today -- it's less 
than an hour's worth of transmission.  The conclusion is that if you're 
encrypting a LAN, you need AES or you need to rekey fairly often.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list