Steve Crocker said:
Perhaps there can be a discussion of Triple DES. I'm interested in
seeing us choose a specific format so we can experiment with it. It's
probably premature to consider such a choice as a standard, but it's
worth converging on a specific choice if we can.
As I recall, there is moderately broad consensus on EDE with two keys,
the same IV, and single-loop CBC. However, Carl Ellison has argued
vigorously that single-loop CBC is inherently inefficient for hardware
implementation and triple-loop CBC is the right choice.
Wasn't this discussed at the last meeting, and the RSA folks were
going to do a little analysis? If there are results, it would be
worth hearing about them.
I asked Eli Biham at Crypto93 about this. Eli said that single-loop CBC
is stronger for triple-DES, as compared to the three-loop model. He said
he can prove this is true for specific cases, and believes it is probably
true in the general case. He plans on presenting a paper on his findings
in December at a conference.
Phil