[Cryptography] Guaranteeing that no distinct keys produce indistinguishable results

Ben Laurie benl at google.com
Thu May 28 08:36:42 EDT 2015


On 28 May 2015 at 03:41, Jonathan Thornburg <jthorn at astro.indiana.edu>
wrote:

> On Wed, May 27, 2015 at 05:38:45PM -0700, Ray Dillinger wrote:
> > In fact there's a
> > related issue with DES, where the effect of composing
> > any two encryptions with different keys is the same as
> > a single encryption with a third key (hence 3DES with
> > a DEcryption in the middle rather than another ENcryption
> > that wouldn't actually add anything to security).
>
> There is good evidence that DES is *not* a group (references below).
> This means that composing multiple DES encryptions yields an operation
> which is distinct from any single-DES.
>

In fact, symmetric ciphers MUST NOT be groups (under composition of keys)
or there's a meet-in-the-middle attack available on them (this was a
self-inflicted interview question when I joined Google :-).


>
> The reason to use EDE rather than EEE when doing 3DES is to allow
> backward-compatability with single-DES when all three keys are the same.
>

The other reason is efficiency: if you do EDE then the input and output
transforms can be dropped in the middle, since they cancel.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150528/6ca46c08/attachment.html>


More information about the cryptography mailing list