Re: 3DES and super-encryption

From: Alan (a__l__a__n_at_hotmail.com)
Date: 02/26/04


Date: 26 Feb 2004 09:25:19 -0800

Roger Fleming <roger_for_nntp@hotmail.com> wrote in message news:<403CE6AB.70603@hotmail.com>...

> The proof that DES is not a group convinced most people that 3DES is
> extremely unlikely to exhibit the kind of degenerate features referred
> to in the above proof. However attacks are known against 3DES which
> weaken it down to a similar order of strength as single DES, provided
> one has access to a (currently infeasible) amount of memory and can
> obtain large numbers of chosen plaintexts. When this attack was first
> presented, the amount of memory required was so vast it seemed unlikely
> to be available for at least 30 years, but further refinements have
> reduced the memory requirements to the point where it might be feasible
> in this decade.

I'm familiar with the Stefan Lucks attack on 3DES published in (I
think) 1998, which reduced the number of DES operations required to
about 2^90, given enormous amounts of memory (order of 2^113). Has
this been substantially improved, and has it been published? If you
could point me to a paper I'd greatly appreciate it.

> Thus it is debateable whether 3DES can still be considered the
> conservative choice. Today I would only recommend 3DES for a new
> application if:
> 1. You will only ever encrypt less than 100 MB of data with one key,
> whether due to slow operation or diligent key management;
> 2. Your data does not need to remain secure for so long as 10 years;
(snip)

I'm primarily interested in a scenario where a single 168 bit 3DES key
is used to encrypt (CBC mode) only a single very large file, ranging
from 5Gb to maybe as large as 15Gb. That is known to be beyond the
birthday paradox threshold for 64 bit blocks. But in this application
the discovery of a small subset of the plaintext is of no value to the
attacker, unless it enables him to obtain the 168 bit 3DES key. Does
this scenario change your judgement about the 100 Mb file size limit,
or the 10 year timeframe?

I'm interested in hearing what others think about this.

Thanks for your input.
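
Added example, not part of the original post: a Python sketch of what the birthday bound mentioned above means for CBC with 64-bit blocks. It computes the expected number of colliding ciphertext blocks for a given file size and shows, on a constructed 16-bit toy Feistel cipher (not DES), that each collision reveals the XOR of two plaintext blocks and nothing about the key. The cipher, key, IV, sample plaintext, and the reading of "Gb" as 10^9 bytes are all assumptions made for the illustration.

```python
import hashlib
import random

def expected_collisions(file_bytes, block_bits=64):
    """Expected number of equal ciphertext-block pairs in one CBC stream."""
    n = file_bytes // (block_bits // 8)
    return n * (n - 1) / 2 / 2 ** block_bits

def _f(half, k):
    # Round function of the toy cipher (constructed for illustration).
    return hashlib.sha256(bytes([half, k])).digest()[0]

def toy_encrypt(block, key):
    """16-bit Feistel permutation; small enough that collisions occur quickly."""
    l, r = block >> 8, block & 0xFF
    for k in key:
        l, r = r, l ^ _f(r, k)
    return (l << 8) | r

def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt(p ^ prev, key)
        out.append(prev)
    return out

def find_collision_leaks(ct, iv):
    """For each C_i == C_j return (i, j, P_i xor P_j), using ciphertext only.

    C_i == C_j implies P_i ^ C_{i-1} == P_j ^ C_{j-1}, so
    P_i ^ P_j == C_{i-1} ^ C_{j-1}. The key is never involved.
    """
    chain = [iv] + ct          # chain[k] is the block preceding ct[k]
    seen, leaks = {}, []
    for j, c in enumerate(ct):
        if c in seen:
            i = seen[c]
            leaks.append((i, j, chain[i] ^ chain[j]))
        else:
            seen[c] = j
    return leaks

def demo(n_blocks=2000, seed=1):
    rng = random.Random(seed)                      # constructed sample plaintext
    pt = [rng.randrange(1 << 16) for _ in range(n_blocks)]
    iv, key = 0x1234, b"constructed-key"           # constructed values
    return pt, find_collision_leaks(cbc_encrypt(pt, key, iv), iv)

if __name__ == "__main__":
    for size in (100 * 10**6, 5 * 10**9, 15 * 10**9):
        print(f"{size:>14} bytes: {expected_collisions(size):.6f} expected collisions")
    pt, leaks = demo()
    print(len(leaks), "collisions; first leak:", leaks[0])
```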


