[Cryptography] Dumb question -> 3AES?

Jerry Leichter leichter at lrw.com
Tue Aug 12 16:27:12 EDT 2014


On Aug 11, 2014, at 4:50 PM, Dan McDonald <danmcd at kebe.com> wrote:
> I'm less worried about the AES algorithm being broken (and yes, I understand
> about 3des's effective key strength) as I am against Moore's law (and yes, I
> also understand that the 9nm node may be the last one using current
> technologies) and long periods of time.  I may be (unnecessarily) worried
> about someone brute-forcing the data over decades.

If all you want is protection against exhaustive search attacks, Rogaway showed years ago (http://www.cs.ucdavis.edu/~rogaway/papers/desx.pdf) that DES-X (where encryption is K1 XOR DES(K, P XOR K2)) is essentially as strong as 3-DES *against brute force attacks*.

It turns out that you can safely set K1 = K2 - see Section 4 of the paper - so you end up with a 256-bit key.  It's not quite 256 bits of security against brute force - see the paper for the detailed calculation - but it's still plenty strong.

The proof doesn't rely on anything special about DES and would work just as well for AES.

Again, this is a defense *only against exhaustive search attacks*.  But if exhaustive search against a 128-bit key keeps you up at night, but you don't want to use AES-256, by all means use AES-128-X, which has a trivial (two XORs) additional cost.
                                                        -- Jerry
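
The AES-128-X construction described in the message above, C = W XOR AES-128_K(P XOR W) with K1 = K2 = W, as an added Go example that is not part of the original post. The names AESX, NewAESX and xor16 and the order in which the 32-byte key is split into K and W are assumptions of this example; it processes one 16-byte block and would sit inside a mode of operation like any other block cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// AESX is AES-128 with pre- and post-whitening under one key W (K1 = K2 = W).
type AESX struct {
	block cipher.Block
	w     [16]byte
}

// NewAESX uses key[:16] as the AES key K and key[16:] as W (split order assumed here).
func NewAESX(key [32]byte) *AESX {
	b, err := aes.NewCipher(key[:16])
	if err != nil {
		panic(err) // unreachable: 16 bytes is a valid AES key size
	}
	x := &AESX{block: b}
	copy(x.w[:], key[16:])
	return x
}

// xor16 returns a XOR b; a is passed by value, so the caller's array is untouched.
func xor16(a, b [16]byte) [16]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// Encrypt computes C = W XOR AES_K(P XOR W) for one 16-byte block.
func (x *AESX) Encrypt(p [16]byte) [16]byte {
	t := xor16(p, x.w)
	x.block.Encrypt(t[:], t[:])
	return xor16(t, x.w)
}

// Decrypt inverts Encrypt: P = W XOR AES_K^-1(C XOR W).
func (x *AESX) Decrypt(c [16]byte) [16]byte {
	t := xor16(c, x.w)
	x.block.Decrypt(t[:], t[:])
	return xor16(t, x.w)
}

func main() {
	x, p := NewAESX([32]byte{}), [16]byte{1, 2, 3} // constructed all-zero sample key, demo only
	fmt.Printf("%x round-trip=%v\n", x.Encrypt(p), x.Decrypt(x.Encrypt(p)) == p)
}
```

With W set to all zeros the construction reduces to plain AES-128, which makes the published FIPS-197 test vector a convenient sanity check for an implementation.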
