[16819] in cryptography@c2.net mail archive


Re: Is 3DES Broken?

daemon@ATHENA.MIT.EDU (Greg Rose)
Sat Feb 5 13:26:31 2005

X-Original-To: cryptography@metzdowd.com
Date: Fri, 04 Feb 2005 10:51:14 -0800
To: John Kelsey <kelsey.j@ix.netcom.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
	bear <bear@sonic.net>, Aram Perez <aramperez@mac.com>,
	Cryptography <cryptography@metzdowd.com>
In-Reply-To: <8471319.1107442515394.JavaMail.root@bert.psp.pas.earthlink
 .net>

At 09:55 2005-02-03 -0500, John Kelsey wrote:
> >From: "Steven M. Bellovin" <smb@cs.columbia.edu>
> >Sent: Feb 2, 2005 1:39 PM
> >To: bear <bear@sonic.net>
> >Cc: Aram Perez <aramperez@mac.com>, Cryptography <cryptography@metzdowd.com>
> >Subject: Re: Is 3DES Broken?
>
>...
> >>I think you meant ECB mode?
>
> >No, I meant CBC -- there's a birthday paradox attack to watch out for.
>
>Yep.  In fact, there's a birthday paradox problem for all the standard 
>chaining modes at around 2^{n/2}.
>
>For CBC and CFB, this ends up leaking information about the XOR of a 
>couple plaintext blocks at a time; for OFB and counter mode, it ends up 
>making the keystream distinguishable from random.  Also, most of the 
>security proofs for block cipher constructions (like the secure CBC-MAC 
>schemes) limit the number of blocks to some constant factor times 2^{n/2}.

I'm surprised that no-one has said that ECB mode is "unsafe at any speed".

Greg.


Greg Rose                                    INTERNET: ggr@qualcomm.com
Qualcomm Incorporated     VOICE: +1-858-651-5733   FAX: +1-858-651-5766
5775 Morehouse Drive                    http://people.qualcomm.com/ggr/
San Diego, CA 92121   232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
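
The CBC leak described in the quoted text above, as an added example that is not part of the original thread: when two ciphertext blocks collide, the XOR of the two plaintext blocks can be read off the ciphertext alone. It assumes a toy 16-bit Feistel permutation (all function names are hypothetical) so that the 2^{n/2} bound falls at about 2^8 blocks; for DES and 3DES, n = 64.

```python
import hashlib
import random

def _round(key: bytes, rnd: int, half: int) -> int:
    # Keyed round function for the toy Feistel network (assumption, not a real cipher)
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def toy_encrypt(key: bytes, block: int) -> int:
    # 4-round Feistel: a keyed permutation on 16-bit blocks
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 8) | right

def cbc_encrypt(key, iv, plaintext):
    # Returns [IV, C_1, ..., C_N] with C_i = E(P_i xor C_{i-1})
    out = [iv]
    for p in plaintext:
        out.append(toy_encrypt(key, p ^ out[-1]))
    return out

def leaked_xors(ciphertext):
    # Ciphertext-only step: C_i == C_j means the cipher inputs were equal,
    # so P_i xor P_j == C_{i-1} xor C_{j-1}
    seen, leaks = {}, []
    for j in range(1, len(ciphertext)):
        i = seen.setdefault(ciphertext[j], j)
        if i != j:
            leaks.append((i, j, ciphertext[i - 1] ^ ciphertext[j - 1]))
    return leaks

def demo(n_blocks=2000, seed=1):
    # Constructed sample data: random key, IV and plaintext blocks
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(8))
    iv = rng.getrandbits(16)
    plaintext = [rng.getrandbits(16) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(key, iv, plaintext)
    # Pair each leaked value with the true P_i xor P_j (P_i is plaintext[i-1])
    return [(i, j, leak, plaintext[i - 1] ^ plaintext[j - 1])
            for i, j, leak in leaked_xors(ciphertext)]

if __name__ == "__main__":
    results = demo()
    print(len(results), "colliding pairs among 2000 blocks of a 16-bit cipher")
    for i, j, leak, truth in results[:5]:
        print(f"C_{i} == C_{j}: leaked {leak:04x}, actual P_i xor P_j {truth:04x}")
```

With 2000 blocks the toy cipher is well past its 2^8-block bound, so collisions are plentiful; the same relation holds for a 64-bit block cipher once the data under one key approaches 2^32 blocks.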
