[Cryptography] key lengths in different places

Michael Kjörling michael at kjorling.se
Fri May 26 13:41:12 EDT 2017

On 26 May 2017 15:33 +0000, from robin at digi.ninja (Robin Wood):
> Does this make sense? Are there different bit lengths depending on what you
> are talking about and if so, is there a way to know which is being reported?

DES has a 64 bit key, of which eight bits (one bit per byte) was
traditionally used for parity and has no cryptographic value, being
ignored by the cipher. Thus 56 bits of key material are used for

3DES has several different keying modes, but can be used with three
independent DES keys (Wikipedia refers to this as "keying option 1").
That is nominally 3 x 64 bits = 192 bits of key material, but because
only 56 bits of each key is used, only 3 x 56 bits = 168 bits of key
material is used. This is often referred to as 168-bit 3DES, but
calling it 192-bit 3DES is as valid as saying that DES uses a 64-bit
key; that is, not completely correct, but at least has some basis in

3DES with three independent keys is vulnerable to a meet-in-the-middle
attack, which reduces the _effective_ security to that of two
applications of DES, corresponding to 2 x 56 = 112 bits of security
for 168 bits of actual key material. The security level is thus the
same as a cipher where no such shortcut exists but which uses a 112
bit key. The work factor for a brute force attack is thus 2^112.

All of "192 bits", "168 bits" and to some extent "112 bits" are thus
valid answers to the question "what is the key size of 3DES"; it all
depends on what specific metric you are looking at.

Assuming triple DES with three independent keys, 192 bits is the size
of the physical key; 168 bits is the amount of key material used; and
112 bits is the work factor for breaking the resulting encryption by
brute force.

Most often we are interested either in the amount of key material
actually used, or the work factor; so calling 3DES with three
independent keys as using a 168-bit key, or as having a 112-bit work
factor, is likely the most useful. The combination of this also works,
obviously; 3DES with three independent keys takes 168 bits of key
material to deliver the security of a 112-bit work factor.


Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

More information about the cryptography mailing list