[Cryptography] key lengths in different places

Jerry Leichter leichter at lrw.com
Sat May 27 16:27:57 EDT 2017 

> 
>> A brilliant explanation, thanks.
>> 
>> I’ll have to work out which version the different tools I use use.
> 
> What then the work factor for 2K3DES?  128/112 E1/D2/E1?
Thought to be the same.

There's some "reasonable guesswork" and approximation going on here.  There's no actual proof that the work factor of 3K3DES is 112.  We know it can't be *more* because of meet-in-the-middle, but then things get a bit vague:  We assume that there are no attacks better than brute force on DES, but what exactly does that mean?  It only talks about *complexity*, not what goes into the attack.  Perhaps there's an attack that takes as much work as brute force but gives you some advantage over chains of DES encryptions.  Tough to formalize what's included in "all attacks equivalent to brute force".

The best *analytic* result I know is actually about DES-X, which is the much simpler:

	DESX(K1, K2, P) = K2 XOR DES(K1, P XOR K2)

That is, replace the inner and outer DES encryptions with encryption by XOR'ing with a fixed key.  Looks too simple to work, but http://web.cs.ucdavis.edu/~rogaway/papers/cryptobytes.ps shows that it gives you "about" 112 bits of security against brute-force attack.  (The actual security depends on the number m of oracle queries - I think chosen plaintexts; it's been a while since I read the full paper; the security is 118-lg m bits.)

The result itself, of course, doesn't really tell you what's going on with 3DES, but the proof techniques may (probably do - it may well be discussed in the full paper) carry over.

Anyway ... the interesting thing here is that if you're only concerned about brute-force attacks - which are historically the concern when it comes to DES - there's no solid reason to prefer 3DES over DESX (which saves you two DES encryptions per block).  Still - it doesn't give people "the warm fuzzies", so you'll still see 3DES all over the place, but DES-X seems to be used by ... no one.

                                                        -- Jerry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170527/614afcc3/attachment.html>

More information about the cryptography mailing list