[3071] in cryptography@c2.net mail archive
Re: Multiple-DES and block size
daemon@ATHENA.MIT.EDU (David Wagner)
Fri Jul 24 18:45:19 1998
From: David Wagner <daw@cs.berkeley.edu>
To: cryptography@c2.net, sreid@alpha.sea-to-sky.net
Date: Fri, 24 Jul 1998 11:42:23 -0700 (PDT)
In article <Pine.LNX.3.95.iB1.0.980723123711.9004A-100000@alpha.sea-to-sky.net> you write:
> Are there any good multiple-encryption schemes that also increase block
> length?
>
> I seem to recall a multiple-encryption construction to double the block
> length of a cipher. The idea was to create a four-round Feistel cipher
> which used DES or some other block cipher as the f() function.
This is not a very good idea.
It is widely-known in the literature that this construction can be
distinguished from a random permutation with about 2^{32.5} chosen texts.
(See all the work on Luby-Rackoff ciphers.)
More recently, at FSE'97 Biham showed a key-recovery attack which needs
2^{33} -- 2^{36} chosen texts and 2^{88} offline work. (A known-plaintext
variant also exists of similar complexity, but more memory is needed.)
Biham's paper can be found online at
http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0890.ps.gz
Lars Knudsen has also done some further work on this construction.
See for instance his paper on DEAL -- DEAL is a 6-round Feistel cipher
using DES as the round function, and has been submitted to the AES
competition. The DEAL paper can be found online at
http://www.ii.uib.no/~larsr/newblock.html
DEAL looks like a much better approach than the 4-round approach. Still,
there are no guarantees.
