More sci.crypt Discussions
Is Triple-DES Stronger than DES?
Is this really proven?
- 1994-11-08 Robert Egendorf: What
algorithms besides IDEA and 3xDES are extremely
difficult to break?
- 1994-11-11 Terry Ritter: we do
not know that either IDEA or Triple-DES
are difficult to break
- 1994-11-12 Ken Pizzini:
Monoalphabetic substition ciphers form a group. DES does
- 1994-11-13 Robert Egendorf: Has
anyone else evaluated the Cloak2 cipher? What tests has
it been subjected to? What is Mr. Ritter's background in
- 1994-11-15 Terry Ritter: (replying
to Ken) Since this is irrelevant in context, I am at a loss.
(The issue is an attack on the overall permutation. Although
this attack is impractical, it demonstrates that at least one
attack does exist which is not complicated by additional
block cipherings. Thus, any reasoning which implies that
three cipherings must be stronger than one, is simply
- 1994-11-15 Terry Ritter: (replying
to Robert) Reputation is irrelevant to reality. The issue
is the argument.
- 1994-11-15 David A. Wagner: It does
seem reasonable to believe that triple DES is stronger than
- 1994-11-16 Ken Pizzini: (replying
to Terry) the proof that DES is not a group tells us that
the keyspace of DES does get enlarged by composition.
- 1994-11-18 Terry Ritter: (replying
to David) If I had a workable attack I could defeat your
argument, but requiring me to have and disclose such an
attack before you will move to a stronger cipher must
defeat your own security. It is instead necessary to
anticipate attacks, instead of simply responding to
attacks as they become disclosed. Attacks may exist and
we may not know them, and yet, to provide good crypto, we
must defeat them anyway. Thus we must assume that such
- 1994-11-19 Bohdan Tashchuk:
(replying to Terry) Spending 3x the compute cycles of
single-DES to encrypt information today gives us an
algorithm that most experts feel is much more than three
times as secure. Spending 10x or even 100x the compute
cycles isn't an unreasonable thing to ask.
- 1994-11-21 Greg Rose: (replying to
Ken) I'm sorry, but the last statement (the proof that DES
is not a group tells us that the keyspace of DES does get
enlarged by composition) is not strictly true
It is not clear to me that Ken understood that I had proposed
an attack on the overall permutation. Under any particular key,
a block cipher is nothing more than Simple Substitution on a
block. No matter how many levels there are, the overall
transformation is still a block-wide Simple Substitution.
While a codebook attack is generally impractical, it puts lie
to the claim that Triple anything is necessarily stronger
than Single anything. Groupiness has nothing to do with it.
Although Bohdan may be willing to pay any cost for crypto he
thinks secure, in my experience, this is an unusual position. On
the contrary, network managers are under extreme pressure
to keep up. Even though communication capabilities continue to
rise, the demands for increased bandwidth rise much faster. Dreams
and desires can always outstrip technical progress.
Network managers often see crypto as a necessary evil, an
overhead to the expense of communication. While individuals may
have plenty of compute power, network managers currently cannot
keep up as it is, and so are strongly motivated to have fast
crypto, or none at all.
Modified RC4 Becomes a Dynamic Substitution
Putative RC4 improved.
- 1994-11-11 Farid F. El-Wailly: I'd
like to suggest a modification of RC4-like algorithms that
would make them a little more resistant to the key re-use
- 1994-11-14 Terry Ritter: Mr.
El-Wailly appears to have re-invented the concept of Dynamic
Substitution, which is protected by U.S. Patent 4,979,832.
That said, I don't see Dynamic Substitution as a solution
to the problem of key re-use. A better way is to have a
random message key in every message
- 1994-11-15 Peter K. Boucher:
I coded this up based on a description under a thread about
improving RC4. It runs a little faster than optimized DES.
- 1994-11-15 Stefan Lucks:
(responding to Farid) The cryptanalysis of two xored
plaintexts is not trivial.
- 1994-11-15 Stewart Strait:
(responding to Stefan) I believe you're mistaken.
- 1994-11-16 Padgett 0sirius:
(responding to Terry) Near as I can tell that covers any
forward substitution scheme in which the final
transformation is a function of a cyclical algoritm which
include the previous block as a component.
- 1994-11-16 Steve O'Neill:
(responding to Stewart) from an operational point of view,
changing keys for every transmission is an absolute
- 1994-11-18 Terry Ritter:
(responding to Padgett) it is a non-trivial exercise to try
and define technical mechanisms precisely. Patentese may
fail to do so, but compare it to ordinary writing and one
can see certain advantages
- 1994-11-19 J.M. Kelsey:
(responding to Farid) I don't think the modification you
suggest would make it safe to re-use the key
- 1994-11-19 Stewart Strait:
(responding to Steve) XORing one unknown message with
another is _not_ equivalent to a one-time pad unless
'unknown' means 'so unknown that all possible messages are
roughly equally likely'.
What is it?
- 1994-11-01 John Kelsey: The SAFER
K-64 algorithm was designed by James Massey for Cylink, and
was presented at the Cambridge Security Workshop in December
- 1994-11-01 Serge Vaudenay a kown
plaintext attack will be presented in next december against
SAFER with N=6 in which the log_45 is replaced by a random
permutation. This attack does not work with the log_45, but
it shows both the weakness of the general shape of SAFER and
the strength of the particular design chosen by James Massey.
- 1994-11-30 Andrew Haley: The idea
of using the FFT-like permutations for rapid diffusion is
rather nice, but the choice of the S-box is a bit of an
- 1994-12-01 Michael Roe: I have a
cut-down version of SAFER that works on 4 bit nibbles rather
than 8-bit bytes, and I can prove that its round functions
generate the full symmetric group
- 1994-12-01 Serge Vaudenay: In this
paper, it is shown that a necessary condition for the
strength of the substitution S is that the least significant
bit is unbiased
- 1995-03-23 Richard DeMoliner:As I
did for IDEA I developed a software package for the
encryption algorithm SAFER. This package is now publicly
available and the source code belongs to the public domain.
Generalized Feistel Networks
A new idea?
- 1995-04-02 Ralph Brown: Feistel
ciphers are based on repeated rounds . . . for the two
halves A and B of a block. This idea can be generalized to
the N parts of a block. For N subblocks in a block, a
minimum of N rounds are required to process each subblock
uniformly, at which point every subblock of the output
depends on every subblock of the input.
- 1995-04-03 Stewart Strait: If the
mixing functions are linear, we get a simple form of the
- 1994-04-03 Bruce Schneier: The
function f does not have to be invertable at all; the
Feistel structure takes care of the invertability. Matt
Blaze and I also tried to generalize the Feistel
construction, but in such a way as to preserve the use of a
noninvertable function f.We presented our strawman
construction, MacGuffin, at the Leuven Algorithms Workshop
last December, and it was immediately broken.
- 1995-04-03 Ralf Brown: Fair enough.
- 1995-04-04 Bruce Schneier: you can
look at SHA as a block function turned into a hash function
with a Davies-Meyers-like feedforward function.) Haval has
a similar construction, as do (more or less) MD4 and MD5.
The attack was based on our choice of f, which was ripped
out of DES with little thought about how the changes might
affect it; the attack didn't hve anything to do with the
Terry Ritter, his
current address, and his
Last updated: 1995-12-27