Carl Ellison says:
> Some of you may remember that I was promoting triple-DES-CBC using three
> feedback loops rather than one, claiming that it was clearly at least as
> secure as triple-DES with one feedback loop, while being faster for
> pipelined operation. It is clearly faster in a pipeline but Eli Biham has
> shown me his attack on inner-loop triple-DES and it's quite good and I was
> quite wrong...at least for chosen-ciphertext attacks. The inner loops
> weaken the resulting cipher drastically, under those attacks.

Look, in that case you could use single DES with independent subkeys.
Brute-force resistance is good enough, and 2^60 chosen plaintexts
required to find the key should also satisfy all but the most
demanding customers (:-).
[Yes, there is that linear cryptanalysis thing I'm not quite familiar
with, but I don't think it can find 16 independent subkeys faster
than 2^60, if at all :-].

> ............. Meanwhile, there are probably
> better ways to get the longer key for avoiding brute force (eg., XOR with a
> single secret value or with a simple (fast) PRNG).

How about 6 pass-phrases SHA'ed of MD5'ed? (:-)

> I'm told that Eli has a paper in preparation explaining his attack in full
> and I'm looking forward to that paper. I am sure that its location will be
> announced to this list when it becomes available.

Good!
--
Regards,
Uri uri(_at_)watson(_dot_)ibm(_dot_)com scifi!angmar!uri N2RIU
-----------
<Disclamer>
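
The two constructions discussed in this message (three feedback loops versus one), as an added example that is not part of the original message. It does not reproduce Biham's attack; it only shows the structure of the two modes and how a one-bit ciphertext change reaches a different number of plaintext blocks in each. Assumptions: `toy_block` is a constructed Feistel stand-in for DES, the three passes are plain encrypt-encrypt-encrypt, and all names, keys and IVs are made up for the demonstration.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    """4-round Feistel on 8-byte blocks: a stand-in for DES, not DES, not secure."""
    l, r = block[:4], block[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        f = lambda half: hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
        l, r = (xor(r, f(l)), l) if decrypt else (r, xor(l, f(r)))
    return l + r

def outer_cbc(keys, iv, blocks, decrypt=False):
    """One feedback loop around one cipher pass per key in `keys`."""
    out, prev = [], iv
    for b in blocks:
        x = b if decrypt else xor(b, prev)
        for k in (reversed(keys) if decrypt else keys):
            x = toy_block(k, x, decrypt)
        out.append(xor(x, prev) if decrypt else x)
        prev = b if decrypt else x
    return out

def inner_cbc(keys, ivs, blocks, decrypt=False):
    """Three feedback loops: every pass is its own CBC chain with its own IV."""
    stages = list(zip(keys, ivs))
    for k, iv in (reversed(stages) if decrypt else stages):
        blocks = outer_cbc([k], iv, blocks, decrypt)
    return blocks

def damaged(mode, keys, iv, blocks, flip_at):
    """Flip one ciphertext bit; return indices of plaintext blocks that change."""
    ct = mode(keys, iv, blocks)
    ct[flip_at] = xor(ct[flip_at], b"\x01" + bytes(7))
    pt = mode(keys, iv, ct, decrypt=True)
    return [i for i, (a, b) in enumerate(zip(pt, blocks)) if a != b]

# Constructed sample data (hypothetical keys, IVs and plaintext blocks).
KEYS = [b"key-one", b"key-two", b"key-three"]
IVS = [bytes(8), b"\x11" * 8, b"\x22" * 8]
BLOCKS = [bytes([i]) * 8 for i in range(8)]

if __name__ == "__main__":
    print("outer CBC, bit flipped in block 2:", damaged(outer_cbc, KEYS, IVS[0], BLOCKS, 2))
    print("inner CBC, bit flipped in block 2:", damaged(inner_cbc, KEYS, IVS, BLOCKS, 2))
```

With one loop the change is confined to two plaintext blocks; with three loops each CBC layer carries it one block further, so it reaches four.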