[3013] in cryptography@c2.net mail archive
Re: 3DES weak because DES falls to brute-force? (was Re: John
daemon@ATHENA.MIT.EDU (Kawika Daguio)
Mon Jul 20 15:56:41 1998
Date: Mon, 20 Jul 1998 15:37:50 -0400
From: "Kawika Daguio" <KDAGUIO@aba.com>
To: rdl@MIT.EDU
Cc: jlowry@bbn.com, cryptography@c2.net, rah@shipwright.com,
cypherpunks@toad.com, e$@vmeng.com
If you listen to those in the exploitation community you might hear that =
3DES provides less comparable security relative to DES than you know or =
have stated. Either way, however, it is more than sufficiently strong =
to secure any kind of traffic one might contemplate sending over a =
network. 3DES should work for a while, but I would prefer something more =
elegant and efficient.
We have pushed 3DES forward as an interim standard, and are moving 3DES =
out into the world and the AES (128 and 256) forward to provide us another =
long-term solution. We told NIST that we hoped the AES could serve as a =
20-30 year solution and are pushing algorithm agnostic standards to avoid =
similar obstacles to a transition in the far off future.
One of the reasons we so aggressively pursued the negotiations over export =
control with the Administration and have pushed the AES, and our PKI is =
the collateral damage from the export control legislative debate. When =
the AES is finalized it will be followed closely by an ANSI X9 standard. =
Once these standards and infrastructure are established, the concerns =
about brute force attacks should be largely behind us.
kawika
daguio
my views only
>>> Ryan Lackey <rdl@MIT.EDU> 07/20/98 02:16PM >>>
Sigh. One should not do math before coffee.
Let's try this again:
If you assume 2^56 requires $50k and 3 days, and are willing to take
2^8 times longer and spend 2^16 times more, and want to break a 2^112 bit
key, and assume technology doubles in performance for this particular
operation per year, then the calculation is easy to do.
112 - 56 - 16 - 8 =3D 32
If you wait 32 years, and have *incredible* performance gains in excess of
what we have now (but which I think could be possible for worst-case =
crypto
breaking chips, since they have relatively little in the way of communicati=
on,
and have small units), and have a budget of 16 times what the DES cracker
had (about $3b, which is totally reasonable), and are willing to wait =
about
2 years, you can brute force 3DES in the year 2030.
There is still very little that is relevant in 32 years, and there is =
still
a far better chance that some analytic attack will be discovered, a =
fundamental
breakthrough in computation will happen, etc. before that time.
112 bits is below the "physical impossibility" point as far as key size =
goes
(I like the calculation based on free energy in the universe in Applied=20
Crypto).
Chapter 7 in Applied Crypto is probably a far better analysis than mine,
especially as it includes the caveat emptor section.
Perhaps it is correct, "It's time to bring on those 128, 192, and =
256-bit=20
keys",
at least for some systems, although I'd definitely prefer multiple ciphers
separately keyed with long keys than n-DES for such long-term use.
Calculating future key lengths really *is* a losing game.
--=20
Ryan Lackey
rdl@mit.edu=20
http://sof.mit.edu/rdl/ =09
