[16806] in cryptography@c2.net mail archive
Re: Is 3DES Broken?
daemon@ATHENA.MIT.EDU (John Kelsey)
Fri Feb 4 12:43:10 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 3 Feb 2005 09:55:15 -0500 (GMT-05:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>, bear <bear@sonic.net>
Cc: Aram Perez <aramperez@mac.com>,
Cryptography <cryptography@metzdowd.com>
>From: "Steven M. Bellovin" <smb@cs.columbia.edu>
>Sent: Feb 2, 2005 1:39 PM
>To: bear <bear@sonic.net>
>Cc: Aram Perez <aramperez@mac.com>, Cryptography <cryptography@metzdowd.com>
>Subject: Re: Is 3DES Broken?
...
>>I think you meant ECB mode?
>No, I meant CBC -- there's a birthday paradox attack to watch out for.
Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}.
For CBC and CFB, this ends up leaking information about the XOR of a couple plaintext blocks at a time; for OFB and counter mode, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}.
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
--John Kelsey
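As an added illustration of the birthday-bound point above (this is example code written for this archive page, not code from John Kelsey or the list): a 16-bit random permutation stands in for the block cipher so the 2^{n/2} effect appears after a few hundred blocks instead of the roughly 2^32 blocks it takes with a 64-bit cipher such as DES or 3DES. The toy permutation, the seeded plaintext and the nonce handling are assumptions made for the demonstration. When two CBC ciphertext blocks C_i and C_j collide, the attacker learns P_i XOR P_j = C_{i-1} XOR C_{j-1} directly from the ciphertext; in counter mode the same permutation property shows up the other way round, as a keystream that never repeats where a random stream of that length almost surely would.

```python
"""Toy demonstration of the 2^(n/2) birthday bound in CBC and CTR mode.

Example code for this page, not part of the original message. A 16-bit
random permutation (an assumption) stands in for a real 64-bit block
cipher so the collision shows up after ~320 blocks instead of ~2^32.
"""
import math
import random

BLOCK_BITS = 16
N = 1 << BLOCK_BITS
MASK = N - 1


def make_cipher(key):
    """Keyed random permutation on 16-bit blocks (assumed stand-in for a PRP)."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(table, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = table[p ^ prev]
        out.append(prev)
    return out


def first_cbc_collision(table, iv, blocks):
    """First repeated ciphertext block as (i, j, C_{i-1} ^ C_{j-1}), or None.

    C_i == C_j means E(P_i ^ C_{i-1}) == E(P_j ^ C_{j-1}); E is a permutation,
    so the inputs are equal and P_i ^ P_j == C_{i-1} ^ C_{j-1}, which the
    attacker reads straight off the ciphertext (C_{-1} is the IV).
    """
    cts = cbc_encrypt(table, iv, blocks)
    prev_ct = [iv] + cts[:-1]
    seen = {}
    for j, c in enumerate(cts):
        if c in seen:
            i = seen[c]
            return i, j, prev_ct[i] ^ prev_ct[j]
        seen[c] = j
    return None


def cbc_leak_demo(key=1, nblocks=2048):
    """Encrypt seeded random plaintext (constructed input) and verify the leak."""
    rng = random.Random(key)
    table = make_cipher(key)
    iv = rng.getrandbits(BLOCK_BITS)
    blocks = [rng.getrandbits(BLOCK_BITS) for _ in range(nblocks)]
    hit = first_cbc_collision(table, iv, blocks)
    if hit is None:
        return None
    i, j, leaked = hit
    return {"i": i, "j": j, "leaked": leaked,
            "correct": leaked == blocks[i] ^ blocks[j]}


def expected_first_collision(n_bits):
    """Mean number of uniform n-bit values drawn before a repeat: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * (1 << n_bits))


def mean_collision_index(trials=50, nblocks=4096):
    """Average index of the first CBC collision over several keys."""
    idx = []
    for key in range(trials):
        r = cbc_leak_demo(key, nblocks)
        idx.append(r["j"] if r else nblocks)
    return sum(idx) / len(idx)


def ctr_keystream(table, nonce, nblocks):
    return [table[(nonce + i) & MASK] for i in range(nblocks)]


def count_repeats(values):
    return len(values) - len(set(values))


def ctr_distinguisher(key=1, nblocks=4096):
    """PRP keystream never repeats within 2^n blocks; random output of this length does."""
    table = make_cipher(key)
    ks_repeats = count_repeats(ctr_keystream(table, 0, nblocks))
    rng = random.Random(key)
    rnd_repeats = count_repeats([rng.getrandbits(BLOCK_BITS) for _ in range(nblocks)])
    return ks_repeats, rnd_repeats


if __name__ == "__main__":
    print("CBC collision and leaked XOR:", cbc_leak_demo())
    print("expected first collision ~", round(expected_first_collision(BLOCK_BITS)))
    print("observed mean over 50 keys:", mean_collision_index())
    print("CTR (keystream repeats, random repeats):", ctr_distinguisher())
```

Scaling the same numbers to n = 64 gives sqrt(pi/2 * 2^64), about 5.4 * 10^9 blocks (roughly 43 GB under one key), which is why the CBC-MAC style proofs Kelsey mentions cap the data per key at a constant times 2^{n/2}.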
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com