Newsgroups: sci.crypt
Path: illuminati.io.com!uunet!news.mathworks.com!udel!gatech!howland.reston.
+     ans.net!news.sprintlink.net!siemens!princeton!tucson.princeton.edu!
+     dawagner
From: dawagner@tucson.princeton.edu (David A. Wagner)

Subject: Re: Algorithms
Message-ID: <1994Nov15.231930.1060@Princeton.EDU>
Originator: news@hedgehog.Princeton.EDU
Sender: news@Princeton.EDU (USENET News System)
Nntp-Posting-Host: tucson.princeton.edu
Organization: Princeton University
References: <199411152009.OAA09390@pentagon.io.com>
Date: Tue, 15 Nov 1994 23:19:30 GMT
Lines: 62

In article <199411152009.OAA09390@pentagon.io.com>,
Terry Ritter  wrote:
[...arguments about whether triple DES is stronger than DES deleted...]
> 
>  Now, suppose we confine each of the newspaper ciphers to a subset
>  of their 26! possible permutations:  Does this prevent us from
>  solving the overall permutation of several sequential ciphers?
> 

Ahh, but we know that both simple substitution and ECB-mode DES
are insecure [precisely because of the frequency analysis tricks,
etc.]

On the other hand, CFB-mode DES looks pretty secure; and CFB-mode
triple DES looks very strong.

ObCrypt:

Now, how about if we run simple substitution in a chaining mode?
Maybe use the equation

C_i = f(C_{i-1}) + P_i mod 26

where f : Z_26 -> Z_26 is a lookup table determined by the key.

Can anyone give some estimates on how hard this would be to break
without any known plaintext?

Does the only weakness come from the short block length, or are
there other problems too?

> 
>  The sweeping generalization that Triple <anything> is *necessarily*
>  stronger than <anything> on its own is false by contrary example,
>  and the groupiness of <anything> is irrelevant.
> 

I agree; but that's not the point here.  It does seem reasonable
to believe that triple DES is stronger than DES.  Why?  Because
crypto experts have tried their darndest to break triple DES,
without much success.  Because single DES seems to be a very
well-designed primitive -- except for the short keylength.

[For example, read about how DES becomes more resistant to both
differential and linear cryptanalysis when more rounds are added.
Read about how the best attacks on two-key triple DES require
2^56 memory, 2^56 chosen plaintexts, and 2^56 operations; or else
(from memory here) much much more than 2^56 operations, and a whole
bunch of known plaintexts -- see Crypto '90.  Anyone know of any
attacks on three-key triple DES better than brute force?]

> 
>  We need to be wary of throwing around fancy math terms like "group"
>  as though they are a hand-grenade which will explode someone else's
>  arguments.  Often, this just delays coming to grips with the real
>  underlying problems.
> 

Ok, so what are the real underlying problems, in your opinion?

-------------------------------------------------------------------------------
David Wagner                                             dawagner@princeton.edu