Re: 3DES and super-encryption

From: Michael Amling (nospam_at_nospam.com)
Date: 02/27/04 

Date: Fri, 27 Feb 2004 15:43:16 GMT

Foo Bar wrote:
> a__l__a__n@hotmail.com (Alan) writes:
>
>>Roger Fleming <roger_for_nntp@hotmail.com> wrote in message
>>news:<403CE6AB.70603@hotmail.com>...
>
> <SNIP>
>
>>>Thus it is debateable whether 3DES can still be considered the
>>>conservative choice. Today I would only recommend 3DES for a new
>>>application if:
>>>1. You will only ever encrypt less than 100 MB of data with one key,
>>>whether due to slow operation or diligent key management;
>
> Where did the OP get this 100 MB figure from? 100 MB is _very_ far from
> the birthday bound.
>
>>(snip)
>>
>>I'm primarily interested in a scenario where a single 168 bit 3DES key
>>is used to encrypt (CBC mode) only a single very large file, ranging
>>from 5Gb to maybe as large as 15Gb. That is known to be beyond the
>>birthday paradox threshold for 64 bit blocks.
>
>
> It is? For 64 bit blocks you'd expect a collision after about 2^32
> blocks. 2^32 blocks is 32 GB, so you should be ok if you only encrypt 15
> GBs (~2^31 blocks). Did I miss something?

   A collision probability of 0.5 may be too high for the poster. He may
be limiting file size to make the probability of zero collisions at
least 99.999%.

--Mike Amling