Path: cactus.org!news.dell.com!swrinde!cs.utexas.edu!not-for-mail
From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt
Subject: Re: Algorithms
Date: 15 Nov 1994 14:08:56 -0600
Organization: UTexas Mail-to-News Gateway
Lines: 65
Sender: nobody@cs.utexas.edu
Message-ID: <199411152009.OAA09390@pentagon.io.com>
NNTP-Posting-Host: news.cs.utexas.edu

In <3a396u$f50@news.halcyon.com> ken@chinook.halcyon.com (Ken Pizzini) writes:

>In article <199411120422.WAA04049@pentagon.io.com>,
>Terry Ritter wrote:
>> We commonly assume that the keysize of Triple DES is at least twice
>> as long (has 2**56 times as many keys) as ordinary DES, and that may
>> be. But consider the simple newspaper amusement ciphers, which are
>> also Simple Substitution: Clearly, even three sequential cipherings
>> through different alphabet permutations will be no harder to solve
>> than one. (In this case we do not solve for each of the keys
>> independently, but this probably does not matter.)
>
>Monoalphabetic substitution ciphers form a group. DES does not.

Since this is irrelevant in context, I am at a loss.

Block ciphers are relatively simple machines which attempt to emulate an immense Simple Substitution table. Such tables all have the same entries (the same substitution elements); the thing that distinguishes one table from another is the order of the entries. For a 64-bit data block, such a table would have 2**64 entries, and (2**64)! possible permutations, or "keys."

Since DES uses only a 56-bit key, it is clear that only a tiny portion of the possible permutations can be selected. Experiments appear to show that two sequential DES operations tend to produce resulting permutations which cannot be produced by any single DES operation. This is the meaning of DES groupiness.

Now, suppose we confine each of the newspaper ciphers to a subset of their 26! possible permutations: Does this prevent us from solving the overall permutation of several sequential ciphers? No, it does not (unless we insist on solving for each key). The fact that the overall permutation may not be producible from a single key is beside the point if we just want to find the hidden information.

Now, this attack requires symbol-frequency statistics which are not present in a real cipher design, and is not intended as a serious attack on either DES or Triple-DES. Instead, it is designed to give a real example of a real attack on data protected by Simple Substitution. This attack is not complicated by multiple passes through other substitutions. This attack is thus an unworkable example of a potentially larger class of attacks, some of which may be effective even on randomized data.

The sweeping generalization that Triple <anything> is *necessarily* stronger than <anything> on its own is false by contrary example, and the groupiness of <anything> is irrelevant. If someone wishes to claim that Triple-DES is stronger than DES, they need to field an argument which will survive this counter-example, or at least specify that Triple-DES strength *requires* data-randomization.

We need to be wary of throwing around fancy math terms like "group" as though they are a hand-grenade which will explode someone else's arguments. Often, this just delays coming to grips with the real underlying problems.

---
Terry Ritter ritter@io.com
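
The newspaper-cipher case from the post, as an added Python example that is not part of the original message: three substitution alphabets are drawn from a restricted key set, their composition is not itself one of the allowed keys, and the overall table is still solved from symbol frequencies alone. The 16-key set, the function names and the sample message (letter counts made distinct on purpose) are assumptions constructed for the illustration; it says nothing about DES itself.

```python
import random
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def restricted_keys(n=16, seed=1994):
    """A tiny key space: n fixed alphabets out of the 26! possible ones."""
    rng = random.Random(seed)
    return ["".join(rng.sample(ALPHABET, 26)) for _ in range(n)]

def encipher(text, key):
    """Simple Substitution: plaintext letter ALPHABET[i] becomes key[i]."""
    return text.translate(str.maketrans(ALPHABET, key))

def triple_encipher(text, k1, k2, k3):
    return encipher(encipher(encipher(text, k1), k2), k3)

def constructed_message(seed=7):
    """Constructed sample: letter i occurs i+1 times, so all frequencies differ."""
    chars = [c for i, c in enumerate(ALPHABET) for _ in range(i + 1)]
    random.Random(seed).shuffle(chars)
    return "".join(chars)

def solve_by_frequency(ciphertext, profile):
    """Rank-match ciphertext letters to the known source profile
    (plaintext letters listed most frequent first). No key is used."""
    ranked = "".join(c for c, _ in Counter(ciphertext).most_common())
    return ciphertext.translate(str.maketrans(ranked, profile[:len(ranked)]))

def demo():
    keys = restricted_keys()
    k1, k2, k3 = keys[3], keys[8], keys[13]
    message = constructed_message()
    ciphertext = triple_encipher(message, k1, k2, k3)
    # The three passes collapse into one overall substitution table.
    composite = triple_encipher(ALPHABET, k1, k2, k3)
    profile = ALPHABET[::-1]  # source statistics: 'z' most frequent, 'a' least
    recovered = solve_by_frequency(ciphertext, profile)
    return composite in keys, recovered == message

if __name__ == "__main__":
    in_keyspace, solved = demo()
    print("overall table is one of the 16 allowed keys:", in_keyspace)
    print("message recovered without solving for any key:", solved)
```
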