[Cryptography] 3DES security?

[Anton Titov]

On 27.08.2015 03:07, Henry Baker wrote:
> What's the current best estimate for the (in)security of 3DES, in bits ?
>
The answer probably depends on how many know plaintexts you have and 
could range from (could!) 168 bits for 0 known plaintexts to 0 bits for 
2^64 known (different) plaintexts, as for any 64 bit cipher.

It is widely believed that the security is 112 bits because of meet in 
the middle attack. This attack however needs a solid known plaintext, 
not a knowledge that the plaintext is "English text" or any other vague 
idea about it. Due to the fact that 64bit block cipher with 168 bit key 
has many (2^104?) keys that yield the same ciphertext for the same 
plaintext you obviously need more that one plaintext or the ability to 
tell if blocks other that the known one decrypt to a sensible data and 
that may not always be the case. Also this attack needs 2^56 * block 
size (64 bits) of storage which is 512 peta bytes. That is $5b if RAM is 
used (without the cost of other components), $400m if SSDs are used or 
$35m if HDDs are used. You also need to perform 2^112 lookups in these 
2^56 blocks. One can argue that the lookup can be considered constant 
(as opposed to log N) if many computers do that task in parallel, but 
this is also expensive.

Frankly if I'm given one (or 10) modern computers my feeling is that it 
will brute-force one 128bit AES key faster than 3DES key (1 known 
plaintext+constant time check for correct key for 3DES). However both 
are unrealistic as of today.

Best,
Anton