[16821] in cryptography@c2.net mail archive
Re: Is 3DES Broken?
daemon@ATHENA.MIT.EDU (Ian G)
Sat Feb 5 13:30:03 2005
X-Original-To: cryptography@metzdowd.com
Date: Fri, 04 Feb 2005 19:46:39 +0000
From: Ian G <iang@systemics.com>
To: John Kelsey <kelsey.j@ix.netcom.com>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
bear <bear@sonic.net>, Aram Perez <aramperez@mac.com>,
Cryptography <cryptography@metzdowd.com>
In-Reply-To: <8471319.1107442515394.JavaMail.root@bert.psp.pas.earthlink.net>
John Kelsey wrote:
>>From: "Steven M. Bellovin" <smb@cs.columbia.edu>
>>
>>No, I meant CBC -- there's a birthday paradox attack to watch out for.
>>
>>
>
>Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}.
>
>For CBC and CFB, this ends up leaking information about the XOR of a couple plaintext blocks at a time; for OFB and counter mode, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}.
>
>
It seems that the block size of an algorithm then
is a severe limiting factor. Is there any way to
expand the effective block size of an (old 8-byte)
algorithm, in a manner akin to the TDES trick,
and get an updated 16-byte composite that neuters
the birthday trick?
Hypothetically, by, say, having 2 keys and running
2 machines in parallel to generate a 2x block size.
(I'm just thinking of this as a sort of mental challenge,
although over on the OpenPGP group we were toying
with the idea of adding GOST, but faced the difficulty
of its apparent age/weakness.)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
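The CBC leak Kelsey describes above can be shown concretely. The following is an added example, not part of the original thread or anyone's posted code: it stands in a 16-bit keyed permutation (`make_toy_cipher`, a hypothetical toy cipher built from a seeded shuffle) for a real block cipher so that the 2^{n/2} bound is reached after a few hundred blocks instead of the 2^32 blocks (32 GiB) a 64-bit cipher such as DES or 3DES needs. In CBC, C_i = E_K(P_i XOR C_{i-1}); because E_K is a permutation, two equal ciphertext blocks C_i = C_j force P_i XOR C_{i-1} = P_j XOR C_{j-1}, so the attacker reads P_i XOR P_j = C_{i-1} XOR C_{j-1} straight off the ciphertext. The plaintext, IV and key below are constructed sample data.

```python
import random

BLOCK_BITS = 16                      # toy block size; a real cipher has 64 or 128
BLOCK_MASK = (1 << BLOCK_BITS) - 1


def make_toy_cipher(key):
    """Keyed random permutation on BLOCK_BITS-bit values (hypothetical toy cipher).

    Only the permutation property matters for the attack: equal outputs
    imply equal inputs, exactly as for any real block cipher under one key.
    """
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(table, iv, plaintext_blocks):
    """Standard CBC: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV."""
    ciphertext = []
    prev = iv
    for p in plaintext_blocks:
        c = table[(p ^ prev) & BLOCK_MASK]
        ciphertext.append(c)
        prev = c
    return ciphertext


def find_collision_leaks(iv, ciphertext):
    """Ciphertext-only: for each pair i<j with C_i == C_j, output the leaked
    value C_{i-1} XOR C_{j-1}, which equals P_i XOR P_j."""
    prev_ct = [iv] + ciphertext[:-1]        # C_{k-1} for every position k
    first_seen = {}
    leaks = []
    for j, c in enumerate(ciphertext):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, prev_ct[i] ^ prev_ct[j]))
        else:
            first_seen[c] = j
    return leaks


def expected_collisions(n_blocks, block_bits=BLOCK_BITS):
    """Birthday estimate: roughly n(n-1)/2 pairs, each colliding w.p. 2^-n."""
    return n_blocks * (n_blocks - 1) / 2 / (1 << block_bits)


def demo(n_blocks=2000, seed=1):
    """Encrypt n_blocks random blocks under one key, recover plaintext XORs
    from ciphertext alone, and check every recovered XOR against the truth.
    Returns (number_of_leaked_pairs, all_leaks_correct)."""
    rng = random.Random(seed)
    table = make_toy_cipher(0xC0FFEE)                    # constructed key
    iv = rng.getrandbits(BLOCK_BITS)                     # constructed IV
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(table, iv, plaintext)
    leaks = find_collision_leaks(iv, ciphertext)
    all_correct = all(plaintext[i] ^ plaintext[j] == x for i, j, x in leaks)
    return len(leaks), all_correct


if __name__ == "__main__":
    n = 2000
    count, ok = demo(n)
    print(f"{n} blocks of {BLOCK_BITS} bits: expected ~{expected_collisions(n):.1f} "
          f"collisions, found {count}, all leaked XORs correct: {ok}")
```

With 2000 blocks of a 16-bit cipher (about 2^11 blocks against a 2^8 birthday bound) roughly thirty plaintext-XOR pairs fall out. Scaling the same arithmetic to an 8-byte block, 2^32 blocks under one key gives the first expected collision; that is the figure behind the 2^{n/2} limits in the CBC-MAC proofs Kelsey mentions, and it is why rekeying well before that volume, or moving to a 16-byte block, is the practical answer.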