[16830] in cryptography@c2.net mail archive


Re: Is 3DES Broken?

daemon@ATHENA.MIT.EDU (Jerrold Leichter)
Mon Feb 7 17:39:03 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 7 Feb 2005 10:43:49 -0500 (EST)
From: Jerrold Leichter <jerrold.leichter@smarts.com>
To: Ian G <iang@systemics.com>
Cc: John Kelsey <kelsey.j@ix.netcom.com>,
	"Steven M. Bellovin" <smb@cs.columbia.edu>, bear <bear@sonic.net>,
	Aram Perez <aramperez@mac.com>,
	Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4203D11F.70202@systemics.com>

| > > No, I meant CBC -- there's a birthday paradox attack to watch out for.
| > >    
| > 
| > Yep.  In fact, there's a birthday paradox problem for all the standard
| > chaining modes at around 2^{n/2}.  
| > For CBC and CFB, this ends up leaking information about the XOR of a couple
| > plaintext blocks at a time; for OFB and counter mode, it ends up making the
| > keystream distinguishable from random.  Also, most of the security proofs
| > for block cipher constructions (like the secure CBC-MAC schemes) limit the
| > number of blocks to some constant factor times 2^{n/2}.
| >  
| 
| It seems that the block size of an algorithm then
| is a severe limiting factor.  Is there any way to
| expand the effective block size of an (old 8-byte)
| algorithm, in a manner akin to the TDES trick,
| and get an updated 16-byte composite that neuters
| the birthday trick?

Many people have tried to do this.  I know of no successes that are really
practical.  (I've played around with many "obviously good" ideas myself, and
have always managed to break them with a little more thought.  Everything 
that gives you the desired security ends up costing much more than twice
the cost of the underlying block algorithm for a double-size block.)

The block size appears to be a fairly basic and robust property of block
ciphers.  There's probably a theorem in there somewhere - probably one of
those that isn't hard to prove once you figure out exactly what it ought to
say!
							-- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
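As an added illustration of the CBC birthday problem John Kelsey describes above (example code, not from the thread or its authors): a toy CBC over a 16-bit random permutation, an assumption chosen so the bound is hit in milliseconds, showing that a ciphertext collision C_i == C_j gives away P_i xor P_j = C_{i-1} xor C_{j-1} from ciphertext alone, and the same arithmetic gives the roughly 2^32-block (about 5e9 at 50%) limit for an 8-byte cipher, which is the data volume per key a CBC deployment must stay well under.

```python
import math
import random

BLOCK_BITS = 16   # toy block size (assumption) so the bound is reached instantly

def make_toy_cipher(seed):
    """A random permutation on BLOCK_BITS-bit blocks stands in for the block cipher."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return table.__getitem__          # E(x) = table[x]

def cbc_encrypt(enc, iv, blocks):
    """Textbook CBC: C_i = E(P_i xor C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out

def birthday_blocks(n_bits, p=0.5):
    """Blocks after which a ciphertext collision has probability p: sqrt(2 ln(1/(1-p)) 2^n)."""
    return math.sqrt(2 * math.log(1 / (1 - p)) * 2 ** n_bits)

def find_xor_leak(iv, ciphertext):
    """From IV and ciphertext alone, find i < j with C_i == C_j.
    Because E is a permutation, P_i xor C_{i-1} == P_j xor C_{j-1}, so
    P_i xor P_j == C_{i-1} xor C_{j-1}: the XOR of two plaintext blocks is exposed."""
    chain = [iv] + ciphertext         # chain[k] is C_{k-1}, the block XORed into P_k
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None

def demo(seed=1, n_blocks=2000):
    """Encrypt constructed random plaintext and check the leaked XOR against the truth."""
    rng = random.Random(seed)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    iv = rng.getrandbits(BLOCK_BITS)
    ct = cbc_encrypt(make_toy_cipher(seed), iv, plaintext)
    leak = find_xor_leak(iv, ct)
    if leak is None:
        return None                   # no collision yet in this much ciphertext
    i, j, xor = leak
    return xor == plaintext[i] ^ plaintext[j]

if __name__ == "__main__":
    print(f"{BLOCK_BITS}-bit blocks: 50% collision after ~{birthday_blocks(BLOCK_BITS):.0f} blocks")
    print(f"64-bit blocks: 50% collision after ~{birthday_blocks(64):.3g} blocks")
    print("leaked P_i ^ P_j matches the real plaintext:", demo())
```

Rekeying well before sqrt(2^n) blocks (for 64-bit blocks, long before 2^32 blocks, i.e. 32 GB) keeps the collision probability negligible; the toy permutation is only a stand-in and says nothing about any particular cipher's strength.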
