Newsgroups: sci.crypt Path: illuminati.io.com!uunet!news.mathworks.com!udel!gatech!howland.reston. + ans.net!news.sprintlink.net!siemens!princeton!tucson.princeton.edu! + dawagner From: dawagner@tucson.princeton.edu (David A. Wagner) Subject: Re: Algorithms Message-ID: <1994Nov15.231930.1060@Princeton.EDU> Originator: news@hedgehog.Princeton.EDU Sender: news@Princeton.EDU (USENET News System) Nntp-Posting-Host: tucson.princeton.edu Organization: Princeton University References: <199411152009.OAA09390@pentagon.io.com> Date: Tue, 15 Nov 1994 23:19:30 GMT Lines: 62 In article <199411152009.OAA09390@pentagon.io.com>, Terry Ritterwrote: [...arguments about whether triple DES is stronger than DES deleted...] > > Now, suppose we confine each of the newspaper ciphers to a subset > of their 26! possible permutations: Does this prevent us from > solving the overall permutation of several sequential ciphers? > Ahh, but we know that both simple substitution and ECB-mode DES are insecure [precisely because of the frequency analysis tricks, etc.] On the other hand, CFB-mode DES looks pretty secure; and CFB-mode triple DES looks very strong. ObCrypt: Now, how about if we run simple substitution in a chaining mode? Maybe use the equation C_i = f(C_{i-1}) + P_i mod 26 where f : Z_26 -> Z_26 is a lookup table determined by the key. Can anyone give some estimates on how hard this would be to break without any known plaintext? Does the only weakness come from the short block length, or are there other problems too? > > The sweeping generalization that Triple <anything> is *necessarily* > stronger than <anything> on its own is false by contrary example, > and the groupiness of <anything> is irrelevant. > I agree; but that's not the point here. It does seem reasonable to believe that triple DES is stronger than DES. Why? Because crypto experts have tried their darndest to break triple DES, without much success. Because single DES seems to be a very well-designed primitive -- except for the short keylength. [For example, read about how DES becomes more resistant to both differential and linear cryptanalysis when more rounds are added. Read about how the best attacks on two-key triple DES require 2^56 memory, 2^56 chosen plaintexts, and 2^56 operations; or else (from memory here) much much more than 2^56 operations, and a whole bunch of known plaintexts -- see Crypto '90. Anyone know of any attacks on three-key triple DES better than brute force?] > > We need to be wary of throwing around fancy math terms like "group" > as though they are a hand-grenade which will explode someone else's > arguments. Often, this just delays coming to grips with the real > underlying problems. > Ok, so what are the real underlying problems, in your opinion? ------------------------------------------------------------------------------- David Wagner dawagner@princeton.edu