Path: cactus.org!cs.utexas.edu!howland.reston.ans.net!agate!news.Brown.EDU!
+     noc.near.net!news.delphi.com!davesparks
From: davesparks@delphi.com (Dave Sparks)
Newsgroups: sci.crypt

Subject: Re: 2x Isolated Double-DES: Another Weak
Date: 20 Feb 1994 03:52:05 GMT
Organization: Delphi Internet Services Corporation
Lines: 26
Message-ID: <9402192242594.davesparks.DLITE@delphi.com>
References: <1994Feb17.081955.5629@cactus.org>
NNTP-Posting-Host: bos2a.delphi.com

 >> This works for the normal double-DES construction because it is
 >> possible to check for matches between B and C; the weakness seems
 >> to be the ability to check for a match.

How would this be implemented?  Wouldn't you have to keep all of your Bs and
Cs in active memory, and perform a comparison each time?  This could total as
many as 2^56 of each, correct?  Not only would each have to be kept in
memory, but as the search progressed, the number of comparisons would
increase each time.  I suppose you could keep the list of intermediate B and
C values in a sorted array and do a binary search each time, but it still
seems quite memory-intensive.  By my calculations, 2^60 bytes of
storage would be needed.  Am I missing some optimization that would make this
sort of an attack practical?

Assuming that a $1 million optimized machine can break single DES in 3.5
hours, it wouldn't seem logical that double-DES could be broken in 7 hours
using two such machines, because of the third machine that would need to be
constantly storing and comparing the output of the other two.

 /--------------+------------------------------------\
 |              |  Internet: davesparks@delphi.com   |
 | Dave Sparks  |  Fidonet:  Dave Sparks @ 1:207/212 |
 |              |  Famnet:   Dave Sparks @ 77:500/1  |
 |              |  BBS:      (909) 353-9821 - 14.4K  |
 \--------------+------------------------------------/