[1123] in cryptography@c2.net mail archive


Re: cracking n-DES?

daemon@ATHENA.MIT.EDU (Bill Frantz)
Sun Jun 29 18:03:15 1997

In-Reply-To: <199706280821.BAA00727@joseph.cs.berkeley.edu>
Date: Sat, 28 Jun 1997 19:35:44 -0700
To: David Wagner <daw@cs.berkeley.edu>, perry@piermont.com
From: Bill Frantz <frantz@netcom.com>
Cc: cryptography@c2.net

At 1:21 AM -0700 6/28/97, David Wagner wrote:
>In article <199706280618.CAA06654@jekyll.piermont.com> you write:
>>
>> I have to study
>> Dave's attack more, [...]
>>
>
>Here's the cliff notes:
>
>You exploit a lack of diffusion.  You put in a one-byte difference
>in the plaintext (say).  Each ECB-DES layer can only increase the
>number of bytes that differ by a factor of 8 (and then the trans
>re-shuffles them around).  After two des|trans passes, you've only
>got 8^2 = 64 bytes differing, out of a total of 8192 bytes per "trans
>permutation block" -- that's very minimal avalanche.
>
>Now you just guess the last DES key, peel off the last layer, and
>check whether the result has the reduced-avalanche pattern that you
>expect to see after 2 passes.

I'm glad that my proposals aren't the only ones you take apart. :-)

It occurs to me that any kind of chaining in the DES rounds would make this
attack much harder.


-------------------------------------------------------------------------
Bill Frantz       | The Internet was designed  | Periwinkle -- Consulting
(408)356-8506     | to protect the free world  | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments.  | Los Gatos, CA 95032, USA
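
An added example, not part of the original message or thread: a Python model of the reduced-avalanche check from the quoted summary, run on a des|trans|des|trans|des stack. It assumes a 4-round SHA-256-based Feistel cipher as a stand-in for DES, a seeded random byte shuffle as `trans`, and constructed keys and plaintext; all function names are hypothetical.

```python
import hashlib
import random

BLOCK, SPAN = 8, 8192  # 8-byte cipher block; 8192-byte "trans permutation block"

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb(key, data, decrypt=False):
    """Stand-in 64-bit Feistel cipher in ECB mode (assumption: replaces DES)."""
    rounds = range(3, -1, -1) if decrypt else range(4)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        l, r = data[i:i + 4], data[i + 4:i + 8]
        for rnd in rounds:
            if decrypt:
                l, r = _xor(r, _f(key, rnd, l)), l
            else:
                l, r = r, _xor(l, _f(key, rnd, r))
        out += l + r
    return bytes(out)

def trans(seed, data):
    """Assumed transposition: a fixed seeded shuffle of the 8192 byte positions."""
    perm = list(range(SPAN))
    random.Random(seed).shuffle(perm)
    return bytes(data[p] for p in perm)

def encrypt(keys, seed, pt):
    state = pt
    for k in keys[:-1]:          # two des|trans passes ...
        state = trans(seed, ecb(k, state))
    return ecb(keys[-1], state)  # ... then the final DES layer

def peel_and_count(guess, c0, c1):
    """Strip the last layer with a key guess; count bytes that still differ."""
    d0, d1 = ecb(guess, c0, True), ecb(guess, c1, True)
    return sum(x != y for x, y in zip(d0, d1))

def demo():
    keys = [b"k1", b"k2", b"k3"]                 # constructed sample keys
    rng = random.Random(1997)
    p0 = bytes(rng.randrange(256) for _ in range(SPAN))
    p1 = bytes([p0[0] ^ 1]) + p0[1:]             # one-byte plaintext difference
    c0, c1 = encrypt(keys, 7, p0), encrypt(keys, 7, p1)
    return peel_and_count(keys[-1], c0, c1), peel_and_count(b"wrong", c0, c1)

if __name__ == "__main__":
    print("differing bytes (right key, wrong key):", demo())
```

With the right last-layer key the count stays at or below 8^2 = 64; a wrong guess leaves roughly eight times as many differing bytes, which is the pattern the check looks for.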


