long-term GPG signing key

Trei, Peter ptrei at rsasecurity.com
Fri Jan 13 09:57:25 EST 2006

Alexander Klimov wrote:

>On Wed, 11 Jan 2006, Ian G wrote:

>> Even though triple-DES is still considered to have avoided that trap,

>> its relatively small block size means you can now put the entire 
>> decrypt table on a dvd (or somesuch, I forget the maths).

> This would need 8 x 2^{64} bytes of storage which is approximately 
> 2,000,000,000 DVD's (~ 4 x 2^{32} bytes on each).

> Probably, you are referring to the fact that during encryption of 
> a whole DVD, say, in CBC mode two blocks are likely to be the 
> same since there are an order of 2^{32} x 2^{32} pairs.

I've actually seen something like this happen in real life. 

As you know, RSA has been running a series of 'Secret Key 
Challenges', wherein we ask people to try to brute-force 
messages encrypted with RC5 at various keystrengths. There is
a cash prize for the person turning in the correct response.
The messages are encrypted in CBC mode with 32 bit blocks. 
The start of the message has a known plaintext

Most of the recent challenges have been won by distributed.net.
While they were working on the 64 bit challenge, I received an
email saying that a proposed solution had been found, and was asked
to check it. (We set up the challenges in such a way that the
correct keys are unknown, even to us). 

The supplied key correctly decrypted the first block, but the
rest were gibberish. After scratching our heads, we realized 
that d.net had found a collision.

It was almost a year later they found the correct key, for the
$10,000 prize. They immediately started on the 72 bit challenge.
(I'm not holding my breath).

Peter Trei

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list