pem-dev

Re: Nov IETF PEM WG agenda

1993-10-27 07:35:00

I really have a hard time understanding why people keep going with
more and more complex schemes to try to compound DES on itty bitty 64
bit quantities.  Part of the weakness of DES is due to its short block
size.  DES has been very thoroughly studied so its strength as a
building block is understood.  But if I wanted to make a stronger
algorithm out of DES, the first thing I would do is go with 128 bit
data blocks and a 112 bit key as follows:

               Data(bits 0-63)      Data(bits 64-127)
                       |                   |
                       V                   V
                 +-----------+       +-----------+
key(left 56)---> |    DES    | ----> |    DES    |
                 +-----------+       +-----------+
                       |                   |
                       V                   V
                  Bits 0-63           Bits 64-127
                 --Intermediate Cypher Text--
                  Bits 32-95      Bits 96-127 Bits 0-31                
                       |                 |     |
                       V                 V     V
                 +-----------+       +-----------+
key(right 56)--> |    DES    | ----> |    DES    |
                 +-----------+       +-----------+
                       |                   |
                       V                   V
                  Bits 0-63           Bits 64-127
                  --Intermediate Cypher Text--
                  Bits 32-95      Bits 96-127 Bits 0-31                
                       |                 |     |
                       V                 V     V
                 +-----------+       +-----------+
key(left 56)---> |    DES    | ----> |    DES    |
                 +-----------+       +-----------+
                       |                   |
                       V                   V
                  Bits 0-63           Bits 64-127
                  --Intermediate Cypher Text--
                  Bits 32-95      Bits 96-127 Bits 0-31                
                       |                 |     |
                       V                 V     V
                 +-----------+       +-----------+
key(right 56)--> |    DES    | ----> |    DES    |
                 +-----------+       +-----------+
                       |                   |
                       V                   V
                    Final 128 bits of Cypher Text

If the above isn't strong enough you could do the obvious extensions
to 256 bit data blocks and/or a 224 bit key or 512 bit data blocks,
etc.

This avoids all these quibbles about how much of a non-group DES is,
whether it is practical to store precomputed values of various sorts
to help in breaking a use of DES, etc., by making the exponents
involved so large as to render many attacks of questionable
practicality clearly impractical.

Donald
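
[Added example, not part of the original message or of any PEM WG code.] The wiring in the diagram above, as runnable Python: four rounds of paired 64-bit encryptions under alternating key halves, with the 128-bit state rotated by 32 bits between rounds, plus a trace of how a one-bit input change spreads across both halves. Assumptions: each DES box is replaced by a stand-in 16-round Feistel cipher (`e64`, not DES, since the Python standard library has none), the arrow between the two boxes in a row is read as the same key half feeding both, and all function names and sample values are constructed here.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def e64(key, blk, decrypt=False):
    """Stand-in 64-bit block cipher for each DES box (16-round Feistel, NOT DES)."""
    l, r = blk[:4], blk[4:]
    f = lambda i, half: hashlib.sha256(key + bytes([i]) + half).digest()[:4]
    for i in (range(15, -1, -1) if decrypt else range(16)):
        l, r = (_xor(r, f(i, l)), l) if decrypt else (r, _xor(l, f(i, r)))
    return l + r

def rounds(block, k_left, k_right):
    """Yield the 128-bit state after each of the four rounds in the diagram."""
    state = block
    for n, key in enumerate((k_left, k_right, k_left, k_right)):
        if n:  # between rounds: bits 32-95 go left, bits 96-127 then 0-31 go right
            state = state[4:] + state[:4]
        state = e64(key, state[:8]) + e64(key, state[8:])
        yield state

def encrypt128(block, k_left, k_right):
    return list(rounds(block, k_left, k_right))[-1]

def decrypt128(block, k_left, k_right):
    state = block
    for n, key in enumerate((k_right, k_left, k_right, k_left)):
        if n:  # undo the 32-bit rotation applied between rounds
            state = state[-4:] + state[:-4]
        state = e64(key, state[:8], True) + e64(key, state[8:], True)
    return state

def diffusion(block, k_left, k_right):
    """Per round: (left, right) count of state bits changed by flipping input bit 0."""
    other = bytes([block[0] ^ 0x80]) + block[1:]  # bit 0 taken as MSB of byte 0
    pairs = zip(rounds(block, k_left, k_right), rounds(other, k_left, k_right))
    diffs = [_xor(a, b) for a, b in pairs]
    return [(sum(bin(x).count("1") for x in d[:8]),
             sum(bin(x).count("1") for x in d[8:])) for d in diffs]

# Constructed sample values: two 56-bit key halves and one 128-bit block.
K_LEFT, K_RIGHT = bytes.fromhex("0123456789abcd"), bytes.fromhex("fedcba98765432")
BLOCK = b"sixteen byte msg"

if __name__ == "__main__":
    assert decrypt128(encrypt128(BLOCK, K_LEFT, K_RIGHT), K_LEFT, K_RIGHT) == BLOCK
    for n, (left, right) in enumerate(diffusion(BLOCK, K_LEFT, K_RIGHT), 1):
        print(f"round {n}: {left:2d}/64 left bits, {right:2d}/64 right bits changed")
```

After the first round the two halves are still independent (the right half is untouched by a change on the left); the 32-bit rotation is what lets the second round mix them.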


From:  Philip Zimmermann <prz(_at_)columbine(_dot_)cgd(_dot_)ucar(_dot_)edu>,
       Philip Zimmermann <prz(_at_)acm(_dot_)org>
To:  Stephen D Crocker <crocker(_at_)tis(_dot_)com>
Cc:  PEM Development mailing list <pem-dev(_at_)tis(_dot_)com>
In-Reply-To:  <9310261758(_dot_)AA03154(_at_)TIS(_dot_)COM>; from "Stephen D Crocker" at Oct 26, 93 1:58 pm
Reply-To:  Philip Zimmermann <prz(_at_)acm(_dot_)org>
X-Mailer:  ELM [version 2.3 PL0]
Steve Crocker said:
Perhaps there can be a discussion of Triple DES.  I'm interested in
seeing us choose a specific format so we can experiment with it.  It's
probably premature to consider such a choice as a standard, but it's
worth converging on a specific choice if we can.

As I recall, there is moderately broad consensus on EDE with two keys,
the same IV, and single-loop CBC.  However, Carl Ellison has argued
vigorously that single-loop CBC is inherently inefficient for hardware
implementation and triple-loop CBC is the right choice.

Wasn't this discussed at the last meeting, and the RSA folks were
going to do a little analysis?  If there are results, it would be
worth hearing about them.


I asked Eli Biham at Crypto93 about this.  Eli said that single-loop CBC
is stronger for triple-DES, as compared to the three-loop model.  He said 
he can prove this is true for specific cases, and believes it is probably 
true in the general case.  He plans on presenting a paper on his findings 
in December at a conference.

Phil

