[16829] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Is 3DES Broken?

daemon@ATHENA.MIT.EDU (Jerrold Leichter)
Mon Feb 7 17:38:01 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 7 Feb 2005 10:25:42 -0500 (EST)
From: Jerrold Leichter <jerrold.leichter@smarts.com>
To: Greg Rose <ggr@qualcomm.com>
Cc: John Kelsey <kelsey.j@ix.netcom.com>,
	"Steven M. Bellovin" <smb@cs.columbia.edu>, bear <bear@sonic.net>,
	Aram Perez <aramperez@mac.com>,
	Cryptography <cryptography@metzdowd.com>
In-Reply-To: <6.1.2.0.2.20050204105041.04c69880@203.30.171.17>

| > >>I think you meant ECB mode?
| > 
| > >No, I meant CBC -- there's a birthday paradox attack to watch out for.
| > 
| > Yep.  In fact, there's a birthday paradox problem for all the standard
| > chaining modes at around 2^{n/2}.
| > 
| > For CBC and CFB, this ends up leaking information about the XOR of a couple
| > plaintext blocks at a time; for OFB and counter mode, it ends up making the
| > keystream distinguishable from random.  Also, most of the security proofs
| > for block cipher constructions (like the secure CBC-MAC schemes) limit the
| > number of blocks to some constant factor times 2^{n/2}.
| 
| I'm surprised that no-one has said that ECB mode is "unsafe at any speed".
Picking nits, but:  ECB mode is "unsafe at any speed" to encrypt an arbitrary 
data stream.  If the data stream is known to have certain properties - e.g., 
because it has undergone some kind of transform before being fed into ECB - 
then ECB is as good as any other mode.

After all, CBC is just ECB applied to a datastream transformed through a
particular unkeyed XOR operation.

There's a paper - by Ron Rivest and others? - that examines this whole issue,
and carefully separates the roles of the unkeyed and keyed transformations.
(I think this may be the paper where all-or-nothing transforms were 
introduced.)
							-- Jerry
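An added worked example (not part of the original message or the list archive) illustrating the two points above: that CBC decryption is ECB decryption followed by an unkeyed XOR with the ciphertext shifted by one block, and that the birthday-bound problem in CBC shows up as ciphertext-block collisions that leak the XOR of two plaintext blocks. The "cipher" is a hypothetical keyed random permutation on 16-bit blocks, chosen only so that the 2^{n/2} bound is reachable with a couple of thousand blocks; the key, IV and block counts are arbitrary test values.

```python
import random

# Hypothetical toy block cipher: a keyed random permutation on 16-bit blocks.
# It is not a real cipher; the tiny block size is what makes the 2^(n/2)
# birthday bound reachable in a demo (2^8 = 256 blocks for n = 16).
BLOCK_BITS = 16
BLOCK_SPACE = 1 << BLOCK_BITS


def make_toy_cipher(key):
    """Return (encrypt_table, decrypt_table) for a permutation seeded by key."""
    rng = random.Random(key)
    enc = list(range(BLOCK_SPACE))
    rng.shuffle(enc)
    dec = [0] * BLOCK_SPACE
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec


def ecb_decrypt(dec, blocks):
    return [dec[b] for b in blocks]


def cbc_encrypt(enc, iv, blocks):
    """C_i = E(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = enc[p ^ prev]
        out.append(prev)
    return out


def cbc_decrypt(dec, iv, blocks):
    """CBC decryption is plain ECB decryption followed by an unkeyed XOR with
    the ciphertext shifted by one block: P_i = D(C_i) XOR C_{i-1}."""
    shifted = [iv] + blocks[:-1]
    return [d ^ c for d, c in zip(ecb_decrypt(dec, blocks), shifted)]


def cbc_xor_leaks(iv, ciphertext):
    """Attacker's view: no key, only IV and ciphertext. Wherever two
    ciphertext blocks collide (C_i == C_j), the chaining equation forces
    P_i XOR C_{i-1} == P_j XOR C_{j-1}, i.e. P_i XOR P_j == C_{i-1} XOR C_{j-1},
    so the XOR of two plaintext blocks is read straight off the ciphertext.
    Returns a list of (i, j, leaked_xor) with i < j."""
    shifted = [iv] + ciphertext[:-1]
    first_seen = {}
    leaks = []
    for j, c in enumerate(ciphertext):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, shifted[i] ^ shifted[j]))
        else:
            first_seen[c] = j
    return leaks


def demo(key=1234, iv=0xBEEF, n_blocks=2000, seed=42):
    """Encrypt n_blocks random blocks in CBC (well past the 2^(n/2) = 256
    bound for n = 16), collect collisions from the ciphertext alone, and check
    the leaked XORs against the real plaintext, which the attacker never sees.
    Returns (number_of_collisions, all_leaks_correct, roundtrip_ok)."""
    enc, dec = make_toy_cipher(key)
    rng = random.Random(seed)            # constructed sample plaintext
    plaintext = [rng.randrange(BLOCK_SPACE) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(enc, iv, plaintext)
    roundtrip_ok = cbc_decrypt(dec, iv, ciphertext) == plaintext
    leaks = cbc_xor_leaks(iv, ciphertext)
    verified = all(plaintext[i] ^ plaintext[j] == x for i, j, x in leaks)
    return len(leaks), verified, roundtrip_ok


if __name__ == "__main__":
    count, ok, rt = demo()
    print(f"{count} ciphertext collisions in 2000 blocks; "
          f"leaks verified: {ok}; CBC round trip: {rt}")
```

For a 64-bit block cipher such as 3DES the same collision appears around 2^32 blocks (32 GiB under one key), which is why the security proofs quoted above cap the number of blocks at a constant times 2^{n/2}; the leak does not depend on any weakness in the cipher itself, only on the block size.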


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
