Message-Id: <9305211950(_dot_)AA18735(_at_)MIT(_dot_)EDU>
Date: Fri, 21 May 93 15:40:06 EST
From: raylau(_at_)MIT(_dot_)EDU (Raymond Lau)
Subject: Re: Triple DES

Ray,

the only place I really take exception is with:

> 2. EDE should be treated as a new cipher, in cookbook mode as Steve Kent
> mentions, and CBC should be performed on the output of the whole thing.
> To perform DES-CBC/encrypt followed by DES-CBC/decrypt followed by
> DES-CBC/encrypt, which is what I think Carl is suggesting, does not offer
> any proven benefit (and only marginal skeptical benefit) and is certainly
> incompatible with any systems which may exist for doing EDE. Doing this
> strange variant of CBC will probably raise more doubts than offer
> reassurances.

If someone has a DES chip which does CBC mode by itself, it is *far* more
efficient to encrypt a batch with k1, then do the batch with k2 and then
do the batch with k3. In brutal detail:

If you define CBC for EDE as a single feedback path around all three then
you are forced to use the single chip as:

    XOR 8 bytes of plaintext with the IV
    set key 1
    do 8 bytes
    set key 2
    do 8 bytes
    set key 3
    do 8 bytes
    save the ciphertext as the next IV

If you define CBC mode for EDE3 as CBC around each instance, then you can

    set key 1 and IV1
    do a batch of bytes in CBC mode
    save the final ciphertext 8 bytes as the next IV1
    set key 2 and IV2
    do a batch of bytes in CBC mode
    save the final ciphertext 8 bytes as the next IV2
    set key 3 and IV3
    do a batch of bytes in CBC mode
    save the final ciphertext 8 bytes as the next IV3

The batch size depends on your buffer capacity.

- Carl
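
The two constructions compared in this thread, side by side, as an added example that is not part of the original messages: it counts key loads on a single-key chip for each and checks whether the two produce the same ciphertext. The block cipher is a small SHA-256 Feistel stand-in rather than DES, and `Chip`, `outer_cbc`, `inner_cbc`, the keys and the all-zero IVs are hypothetical names and constructed values.

```python
import hashlib

BLOCK, EDE = 8, (False, True, False)   # block bytes; decrypt flag per E-D-E stage
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Chip:   # hypothetical one-key chip; SHA-256 Feistel stand-in, NOT real DES
    key, key_loads = b"", 0
    def set_key(self, key):
        self.key, self.key_loads = key, self.key_loads + 1
    def ecb(self, blk, decrypt=False):
        f = lambda n, h: hashlib.sha256(self.key + bytes([n]) + h).digest()[:4]
        l, r = blk[:4], blk[4:]
        for n in ((3, 2, 1, 0) if decrypt else (0, 1, 2, 3)):
            l, r = (xor(r, f(n, l)), l) if decrypt else (r, xor(l, f(n, r)))
        return l + r
    def cbc(self, data, iv, decrypt=False):   # -> (output, next chaining value)
        out = b""
        for i in range(0, len(data), BLOCK):
            blk = data[i:i + BLOCK]
            res = xor(self.ecb(blk, True), iv) if decrypt else self.ecb(xor(blk, iv))
            iv = blk if decrypt else res   # decrypt chains on input, encrypt on output
            out += res
        return out, iv

def outer_cbc(chip, keys, iv, data):   # one feedback path around the whole E-D-E
    out = b""
    for i in range(0, len(data), BLOCK):
        x = xor(data[i:i + BLOCK], iv)
        for key, d in zip(keys, EDE):   # three key loads for every 8-byte block
            chip.set_key(key)
            x = chip.ecb(x, d)
        out, iv = out + x, x
    return out, iv

def inner_cbc(chip, keys, ivs, data):   # CBC around each stage, one IV per stage
    ivs = list(ivs)
    for n, (key, d) in enumerate(zip(keys, EDE)):   # three key loads per batch
        chip.set_key(key)
        data, ivs[n] = chip.cbc(data, ivs[n], d)
    return data, ivs

def demo():
    keys, data = (b"K1", b"K2", b"K3"), bytes(range(64))   # constructed; 8 blocks
    p, q, s, ivs = Chip(), Chip(), Chip(), [bytes(BLOCK)] * 3
    outer, inner = outer_cbc(p, keys, ivs[0], data)[0], inner_cbc(q, keys, ivs, data)[0]
    first, ivs = inner_cbc(s, keys, ivs, data[:32])    # two 4-block batches with
    second, _ = inner_cbc(s, keys, ivs, data[32:])     # the saved IVs carried over
    return p.key_loads, q.key_loads, s.key_loads, outer == inner, first + second == inner
```

`demo()` returns the key-load counts for outer CBC, for inner CBC in one pass and for inner CBC in two batches, followed by whether the outer and inner ciphertexts are equal and whether batching left the inner-CBC output unchanged.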