Note: This may be something that most PEM-DEV readers are already aware of -- if
so, I apologize.
However, this is definitely something for
the community to discuss. It seems to me the right criteria are:
(1) cryptographic strength and
With respect to (1), it would be helpful to have input from
knowledgeable cryptographers. It's clearly desirable that whatever
cryptography is chosen not have a flaw or be weaker than expected.
It's also desirable, in my view, not to engage in needless overkill.
A paper was published a few years back (in Cryptologia, I think -- my journals
are presently in boxes in my garage so it is difficult for me to check) on the
subject of whether or not the set of 2^56 permutations DES can perform forms a
subgroup of the enormously larger permutation group of order 2^64.
(For those of you who are not inclined towards group theory a brief explanation
may be appropriate here. One of the key properties of a group or subgroup is
called closure, which means that the composition of any two elements of the
group produces another element of the group. In DES terms this would mean that
multiple applications of DES would be exactly equivalent to a single
application of DES with some different key. This would be a Bad Thing, since it
would mean that multiple applications of DES are meaningless since they would
always be equivalent to some single applications of DES, albeit with a
different key.)
Complete analysis of DES has thus far proved to be an intractable problem (at
least in the open literature ;-), so the authors of this papers used an
approach suggested by some recent results in computational and probabalistic
group theory. Specifically, if you apply a particular permutation operation
enough times it will eventually produce the value you started with. And the
number of applications on average tends to fall within certain ranges of values
if you are taking the permutations from a group.
The authors hooked up some DES chips and set them to cycling; this is a very
fast operation and it does not take too long to find the cycle lengths. And
lo and behold the cycle lengths turned out to be very different from what
you'd expect a subgroup of the permutation to produce. This therefore offers
extremely strong evidence (not a proof, mind you, but the chances of getting
bogus results here are very small) that set of permutations DES can perform
is not a subgroup of the permutation group.
Stacking multiple DES operations appears to be a Good Thing as a result; it
appears to be roughly equivalent to having a system that actually has a 56*N
bit key.
Ned