I, personally, see nothing wrong with implementing both EDE2 and EDE3
as options.
The coding time is almost nil.
Both sides of the discussion are satisfied.
Anyone using software DES can send and receive all options.
Someone with single DES hardware can send and receive all options.
Anyone with EDE3 hardware can send and receive all options.
Anyone with EDE2 hardware can send all options (using (k1,k2,k1) as his
EDE3 key) and can receive E1 and EDE2 at full speed. If an EDE3 message is
received, the recipient would have to use the EDE2 hardware as straight DES
hardware and run the message through it three times. So, decryption would
take 3x the time. If this were a problem, that recipient could make it
known that EDE2 is the preferred mode when talking with him/her.
However, this reopens my question about number of IVs and the scope of
the CBC feedback path.
If someone were to decrypt an EDE3 message through single-DES hardware or
EDE2 in single-DES mode, it would be maximally convenient to have the chip
run in CBC mode for each pass and therefore to have an individual IV for
each pass.
- Carl