Newsgroups: sci.crypt
From: (Terry Ritter)

Subject: Re: Strong Block Ciphers from Weak Ones: NxM DES
Message-ID: <>
Summary: Can Anyone Clarify?
Keywords: DES replacement, triple-DES
Organization: Capital Area Central Texas UNIX Society, Austin, Tx
References: <> 
Date: Thu, 10 Feb 1994 18:57:28 GMT

 In "Strong Block Ciphers from Weak Ones: NxM DES," which I posted
 to sci.crypt as <>, I proposed a
 2x2 DES construct something like this:

             A             B
             v             v
      k1 -> DES1    k2 -> DES2
             v             v
             C             D
              Exchange Half
             E             F
             v             v
      k3 -> DES3    k4 -> DES4
             v             v
             G             H

 (Yes, I am collecting references to prior proposals :-)

 Then, in (Bruce Schneier) forwards a response:

>Eli Biham has this comment on Ritter's paper:
>I claim that the cryptosystem described in your email is not stronger than
>a single DES, when it uses only two passes -- i.e., Mx2 DES.
>Ritters cryptosystems Mx2 DES have the same security as of a single DES,
>and an exhaustive search for the keys can be done just as in a single DES!
>given the appropriate encryptions.
>1. two pairs of chosen plaintexts. One block of the each pair is fixed,
>and the other varies.
>2. or, 2^34 known plaintexts (in which the birthday paradox predict the
>existance of the data required in item 1).
>The attack:
>Since one block is the same in both members of a pair, the input to the
>second pass of encryption differ only in 32 bits of each block for 2x2, or
>in more bits for Mx2, m>2. Thus, exhaustive search of the second pass
>keys is feasible, looking for the known (in)difference.
>Then, exhaustive search for the first pass keys can be done easily.
>The total complexity of exhaustive search is M*2*2^56+M*2^56=3*M*2^56 for
>finding all the keys.

 Clearly, Biham is not impressed.

 However, the response seems obscure, even self-contradictory in
 some places.  For example, Biham says "an exhaustive search for the
 keys can be done just as in single DES" but then says that one
 requirement would be for 2^34 known plaintexts, which is certainly
 not a requirement for a DES keysearch.

 We would all like to find a cipher which was provably secure in
 every possible application.  But when that is not possible, we
 also realize that the cipher per se is not the entire security
 system.  If sending 2^34 messages under a single set of keys is a
 problem, we can arrange the rest of the system to not allow that,
 and simply use a conditionally-secure cipher in its secure area.
 Similarly, chosen plaintext may not be an issue in some or even
 many applications.

 However, before I open mouth wide and insert foot, I would like
 to be able to understand the attack that Biham describes.  I find
 the description of the attack confusing, and have not yet found
 an interpretation which will produce the asserted results.  For
 example, is this a key search attack?  (Surely yes.)  But if so,
 how can we assume that part of the key set is active but
 unreachable, while one DES key is available for searching?

 If anyone thinks they understand the situation, please contact me
 by email and try and clue me in.  Thanks.

 Terry Ritter