From: (Terry Ritter)
Newsgroups: sci.crypt

Subject: Re: Algorithms
Date: 15 Nov 1994 14:08:56 -0600
Organization: UTexas Mail-to-News Gateway
Lines: 65
Message-ID: <>

 In <3a396u$>
 (Ken Pizzini) writes:

>In article <>,
>Terry Ritter  wrote:
>> We commonly assume that the keysize of Triple DES is at least twice
>> as long (has 2**56 times as many keys) as ordinary DES, and that may
>> be.  But consider the simple newspaper amusement ciphers, which are
>> also Simple Substitution:  Clearly, even three sequential cipherings
>> through different alphabet permutations will be no harder to solve
>> than one.  (In this case we do not solve for each of the keys
>> independently, but this probably does not matter.)
>Monoalphabetic substition ciphers form a group.  DES does not.

 Since this is irrelevant in context, I am at a loss.

 Block ciphers are relatively simple machines which attempt to
 emulate an immense Simple Substitution table.  Such tables all have
 the same entries (the same substitution elements); the thing that
 distinguishes one table from another is the order of the entries.
 For a 64-bit data block, such a table would have 2**64 entries, and
 (2**64)! possible permutations, or "keys."

 Since DES uses only a 56-bit key, it is clear that only a tiny
 portion of the possible permutations can be selected.  Experiments
 appear to show that two sequential DES operations tend to produce
 resulting permutations which cannot be produced by any single DES
 operation.  This is the meaning of DES groupiness.

 Now, suppose we confine each of the newspaper ciphers to a subset
 of their 26! possible permutations:  Does this prevent us from
 solving the overall permutation of several sequential ciphers?
 No, it does not (unless we insist on solving for each key).  The
 fact that the overall permutation may not be producible from a
 single key is beside the point if we just want to find the hidden

 Now, this attack requires symbol-frequency statistics which are not
 present in a real cipher design, and is not intended as a serious
 attack on either DES or Triple-DES.  Instead, it is designed to
 give a real example of a real attack on data protected by Simple
 Substitution.  This attack is not complicated by multiple passes
 through other substitutions.  This attack is thus an unworkable
 example of a potentially larger class of attacks, some of which
 may be effective even on randomized data.

 The sweeping generalization that Triple <anything> is *necessarily*
 stronger than <anything> on its own is false by contrary example,
 and the groupiness of <anything> is irrelevant.  If someone wishes
 to claim that Triple-DES is stronger than DES, they need to field
 an argument which will survive this counter-example, or at least
 specify that Triple-DES strength *requires* data-randomization.

 We need to be wary of throwing around fancy math terms like "group"
 as though they are a hand-grenade which will explode someone else's
 arguments.  Often, this just delays coming to grips with the real
 underlying problems.

 Terry Ritter