More sci.crypt Discussions
Is Triple-DES Stronger than DES?
Is this really proven?
- 1994-11-08 Robert Egendorf: What
algorithms besides IDEA and 3xDES are extremely
difficult to break?
- 1994-11-11 Terry Ritter: we do
not know that either IDEA or Triple-DES
is difficult to break
- 1994-11-12 Ken Pizzini:
Monoalphabetic substitution ciphers form a group. DES does
not.
- 1994-11-13 Robert Egendorf: Has
anyone else evaluated the Cloak2 cipher? What tests has
it been subjected to? What is Mr. Ritter's background in
cryptography?
- 1994-11-15 Terry Ritter: (replying
to Ken) Since this is irrelevant in context, I am at a loss.
(The issue is an attack on the overall permutation. Although
this attack is impractical, it demonstrates that at least one
attack does exist which is not complicated by additional
block cipherings. Thus, any reasoning which implies that
three cipherings must be stronger than one, is simply
wrong.)
- 1994-11-15 Terry Ritter: (replying
to Robert) Reputation is irrelevant to reality. The issue
is the argument.
- 1994-11-15 David A. Wagner: It does
seem reasonable to believe that triple DES is stronger than
DES.
- 1994-11-16 Ken Pizzini: (replying
to Terry) the proof that DES is not a group tells us that
the keyspace of DES does get enlarged by composition.
- 1994-11-18 Terry Ritter: (replying
to David) If I had a workable attack I could defeat your
argument, but requiring me to have and disclose such an
attack before you will move to a stronger cipher must
defeat your own security. It is instead necessary to
anticipate attacks, instead of simply responding to
attacks as they become disclosed. Attacks may exist and
we may not know them, and yet, to provide good crypto, we
must defeat them anyway. Thus we must assume that such
attacks exist.
- 1994-11-19 Bohdan Tashchuk:
(replying to Terry) Spending 3x the compute cycles of
single-DES to encrypt information today gives us an
algorithm that most experts feel is much more than three
times as secure. Spending 10x or even 100x the compute
cycles isn't an unreasonable thing to ask.
- 1994-11-21 Greg Rose: (replying to
Ken) I'm sorry, but the last statement (the proof that DES
is not a group tells us that the keyspace of DES does get
enlarged by composition) is not strictly true.
It is not clear to me that Ken understood that I had proposed
an attack on the overall permutation. Under any particular key,
a block cipher is nothing more than Simple Substitution on a
block. No matter how many levels there are, the overall
transformation is still a block-wide Simple Substitution.
While a codebook attack is generally impractical, it puts the lie
to the claim that Triple anything is necessarily stronger
than Single anything. Groupiness has nothing to do with it.
Although Bohdan may be willing to pay any cost for crypto he
thinks secure, in my experience, this is an unusual position. On
the contrary, network managers are under extreme pressure
to keep up. Even though communication capabilities continue to
rise, the demands for increased bandwidth rise much faster. Dreams
and desires can always outstrip technical progress.
Network managers often see crypto as a necessary evil, an
overhead to the expense of communication. While individuals may
have plenty of compute power, network managers currently cannot
keep up as it is, and so are strongly motivated to have fast
crypto, or none at all.
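To make the two points argued in this thread concrete, here is an added worked example; it is not from the thread or from any poster. Ken Pizzini's point: a cipher family that forms a group (here, XOR with the key) gains nothing by composition, while one that does not (here, a fixed S-box after the key XOR) reaches permutations that no single key produces. Ritter's point: under any key, and after any number of cipherings, the result is still one block-wide Simple Substitution, and a codebook attack tabulates it with the same number of chosen plaintexts whether one or three cipherings were applied. The 3-bit block and the S-box are constructed for illustration.

```python
from itertools import product

BLOCK_BITS = 3               # toy block size, constructed for illustration
N = 1 << BLOCK_BITS          # 8 possible block values

# A fixed nonlinear S-box (a permutation of 0..7), constructed for the toy.
SBOX = [6, 4, 0, 7, 2, 5, 3, 1]


def xor_cipher(x, k):
    """E_k(x) = x XOR k. The family {E_k} is closed under composition:
    E_k2(E_k1(x)) = E_(k1 XOR k2)(x), so it is a group."""
    return x ^ k


def toy_cipher(x, k):
    """E_k(x) = S[x XOR k]. Because S is nonlinear, E_k2 o E_k1 is not
    any single E_k3, so the family is not a group."""
    return SBOX[x ^ k]


def permutation(cipher, k):
    """Under one key a block cipher is a Simple Substitution on the block;
    tabulate that substitution."""
    return tuple(cipher(x, k) for x in range(N))


def compose(first, second):
    """Substitution obtained by encrypting with `first`, then `second`."""
    return tuple(second[first[x]] for x in range(N))


def single_keyspace(cipher):
    """Distinct substitutions reachable with one ciphering."""
    return {permutation(cipher, k) for k in range(N)}


def double_keyspace(cipher):
    """Distinct substitutions reachable with two cipherings."""
    perms = [permutation(cipher, k) for k in range(N)]
    return {compose(p, q) for p, q in product(perms, repeat=2)}


def composition_enlarges_keyspace(cipher):
    """True when two cipherings reach a substitution one cannot."""
    return not double_keyspace(cipher) <= single_keyspace(cipher)


def triple(cipher, k1, k2, k3):
    """Encryption oracle for three cipherings under independent keys."""
    return lambda x: cipher(cipher(cipher(x, k1), k2), k3)


def codebook_attack(oracle):
    """With chosen-plaintext access, tabulate the whole substitution with
    N queries. The cost is N regardless of how many cipherings the oracle
    applies internally: the attack sees only the overall permutation."""
    return tuple(oracle(x) for x in range(N))


if __name__ == "__main__":
    for name, c in (("xor_cipher", xor_cipher), ("toy_cipher", toy_cipher)):
        print(name, "single:", len(single_keyspace(c)),
              "double:", len(double_keyspace(c)),
              "enlarged:", composition_enlarges_keyspace(c))
    table = codebook_attack(triple(toy_cipher, 1, 2, 3))
    print("triple toy_cipher recovered as one substitution:", table)
```

For the XOR family both key spaces have 8 elements; for the toy family the 8 single-key substitutions become 64 distinct double-key ones, which is the enlargement Pizzini refers to. The last two lines show the other side: the triple ciphering is recovered as a single 8-entry table with 8 queries, exactly like a single ciphering.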
Modified RC4 Becomes a Dynamic Substitution
Putative RC4 improved.
- 1994-11-11 Farid F. El-Wailly: I'd
like to suggest a modification of RC4-like algorithms that
would make them a little more resistant to the key re-use
problem.
- 1994-11-14 Terry Ritter: Mr.
El-Wailly appears to have re-invented the concept of Dynamic
Substitution, which is protected by U.S. Patent 4,979,832.
That said, I don't see Dynamic Substitution as a solution
to the problem of key re-use. A better way is to have a
random message key in every message.
- 1994-11-15 Peter K. Boucher:
I coded this up based on a description under a thread about
improving RC4. It runs a little faster than optimized DES.
- 1994-11-15 Stefan Lucks:
(responding to Farid) The cryptanalysis of two xored
plaintexts is not trivial.
- 1994-11-15 Stewart Strait:
(responding to Stefan) I believe you're mistaken.
- 1994-11-16 Padgett 0sirius:
(responding to Terry) Near as I can tell that covers any
forward substitution scheme in which the final
transformation is a function of a cyclical algorithm which
includes the previous block as a component.
- 1994-11-16 Steve O'Neill:
(responding to Stewart) from an operational point of view,
changing keys for every transmission is an absolute
requirement.
- 1994-11-18 Terry Ritter:
(responding to Padgett) it is a non-trivial exercise to try
and define technical mechanisms precisely. Patentese may
fail to do so, but compare it to ordinary writing and one
can see certain advantages.
- 1994-11-19 J.M. Kelsey:
(responding to Farid) I don't think the modification you
suggest would make it safe to re-use the key.
- 1994-11-19 Stewart Strait:
(responding to Steve) XORing one unknown message with
another is _not_ equivalent to a one-time pad unless
'unknown' means 'so unknown that all possible messages are
roughly equally likely'.
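An added example of the key re-use problem the thread is about (my code, not El-Wailly's, Boucher's or any poster's; RC4 is used only because it is the cipher under discussion, and it is obsolete today). Two messages under one RC4 key XOR to the XOR of the two plaintexts, and Strait's remark applies: that is not a one-time pad, because a guessed fragment of one message (a crib) slid across the XOR reveals the other message wherever it lands correctly. The second half realizes Ritter's remedy, a fresh key for every message; the particular construction, a random 16-byte nonce sent in clear and a message key derived as SHA-256(master || nonce), is my assumption, not a scheme anyone in the thread specified.

```python
import hashlib
import os


def rc4_keystream(key):
    """RC4 key scheduling followed by the PRGA, yielding keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(combined, crib):
    """Slide a guessed plaintext fragment across p1 XOR p2. Every offset
    where the result is printable ASCII is a candidate fragment of the
    other message. Returns {offset: fragment}."""
    hits = {}
    for off in range(len(combined) - len(crib) + 1):
        frag = xor_bytes(combined[off:off + len(crib)], crib)
        if all(0x20 <= c < 0x7F for c in frag):
            hits[off] = frag
    return hits


# Constructed sample traffic: two messages sent under the same RC4 key.
KEY = b"shared-key-1994"
P1 = b"The meeting is moved to Thursday at ten."
P2 = b"Send the signed contract to legal today."


def demonstrate_reuse(crib=b"contract"):
    """Key re-use: the keystream cancels, leaving p1 XOR p2 to crib-drag."""
    combined = xor_bytes(rc4(KEY, P1), rc4(KEY, P2))
    assert combined == xor_bytes(P1, P2)  # no key needed from here on
    return crib_drag(combined, crib)


def encrypt_with_message_key(master, plaintext):
    """Assumed remedy: per-message key = SHA-256(master || random nonce),
    nonce prepended in clear. No two messages share a keystream."""
    nonce = os.urandom(16)
    message_key = hashlib.sha256(master + nonce).digest()
    return nonce + rc4(message_key, plaintext)


def decrypt_with_message_key(master, blob):
    nonce, ciphertext = blob[:16], blob[16:]
    message_key = hashlib.sha256(master + nonce).digest()
    return rc4(message_key, ciphertext)


if __name__ == "__main__":
    for off, frag in sorted(demonstrate_reuse().items()):
        print(f"offset {off:2d}: {frag!r}")
    blob = encrypt_with_message_key(b"master", P1)
    print(decrypt_with_message_key(b"master", blob))
```

Only one of the printable hits is the true one (offset 16, where the crib sits in P2 and the output reads "oved to " from P1), so the attacker still has to judge candidates by eye, but each confirmed fragment extends the recovered text of both messages; this is why Kelsey and Ritter do not regard a substitution tweak as a fix for re-use, and why a per-message key is.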
SAFER K-64
What is it?
- 1994-11-01 John Kelsey: The SAFER
K-64 algorithm was designed by James Massey for Cylink, and
was presented at the Cambridge Security Workshop in December
1993
- 1994-11-01 Serge Vaudenay: a known
plaintext attack will be presented next December against
SAFER with N=6 in which the log_45 is replaced by a random
permutation. This attack does not work with the log_45, but
it shows both the weakness of the general shape of SAFER and
the strength of the particular design chosen by James Massey.
- 1994-11-30 Andrew Haley: The idea
of using the FFT-like permutations for rapid diffusion is
rather nice, but the choice of the S-box is a bit of an
enigma.
- 1994-12-01 Michael Roe: I have a
cut-down version of SAFER that works on 4 bit nibbles rather
than 8-bit bytes, and I can prove that its round functions
generate the full symmetric group.
- 1994-12-01 Serge Vaudenay: In this
paper, it is shown that a necessary condition for the
strength of the substitution S is that the least significant
bit is unbiased.
- 1995-03-23 Richard DeMoliner: As I
did for IDEA I developed a software package for the
encryption algorithm SAFER. This package is now publicly
available and the source code belongs to the public domain.
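An added example, not from the thread and not Massey's or DeMoliner's code, that builds the two SAFER K-64 substitution boxes from their public definition (E(x) = 45^x mod 257, with the single value 256 written as 0, and the log_45 box as its inverse), checks the condition Vaudenay names, that the output LSB is unbiased with respect to the input LSB, and runs the three-layer 2-PHT with FFT-style wiring that Haley refers to, showing a one-byte input change reaching all eight output bytes. The even/odd wiring between layers is the FFT butterfly; that it matches the orientation in Massey's diagram is an assumption, as is the seeded random permutation used for comparison.

```python
import random

GENERATOR, MODULUS = 45, 257   # SAFER's exponentiation box: E(x) = 45^x mod 257


def safer_exp_box():
    """E(x) = 45^x mod 257 for x in 0..255. Only x = 128 gives 256, which is
    written as 0, so the box is a permutation of 0..255."""
    return [pow(GENERATOR, x, MODULUS) % 256 for x in range(256)]


def invert(box):
    """Inverse permutation; for EXP this is the log_45 box."""
    inv = [0] * 256
    for x, y in enumerate(box):
        inv[y] = x
    return inv


EXP = safer_exp_box()
LOG = invert(EXP)


def lsb_agreement(box):
    """Number of inputs whose LSB equals the LSB of the output. 128 of 256
    means the output LSB says nothing about the input LSB (Vaudenay's
    necessary condition). This matters in SAFER because bit 0 of byte
    addition mod 256 is plain XOR, so an LSB bias in S would propagate
    through the PHT layers linearly."""
    return sum(1 for x in range(256) if (x & 1) == (box[x] & 1))


def pht2(a, b):
    """2-point Pseudo-Hadamard Transform: (a, b) -> (2a + b, a + b) mod 256."""
    return (2 * a + b) & 0xFF, (a + b) & 0xFF


def pht_layer(block):
    out = []
    for i in range(0, 8, 2):
        out.extend(pht2(block[i], block[i + 1]))
    return out


def butterfly(block):
    """FFT-style wiring between PHT layers: odd positions first, then even.
    Assumption: this is the orientation of the permutation in SAFER."""
    return [block[0], block[2], block[4], block[6],
            block[1], block[3], block[5], block[7]]


def safer_linear_layer(block):
    """Three 2-PHT layers with the butterfly after the first two."""
    b = list(block)
    for layer in range(3):
        b = pht_layer(b)
        if layer < 2:
            b = butterfly(b)
    return b


def positions_changed(x, y):
    return [i for i in range(8) if x[i] != y[i]]


if __name__ == "__main__":
    print("EXP[:8] =", EXP[:8])
    print("LSB agreement: EXP", lsb_agreement(EXP), " LOG", lsb_agreement(LOG))
    rnd = list(range(256))                      # constructed comparison box
    random.Random(1995).shuffle(rnd)
    print("LSB agreement, random permutation:", lsb_agreement(rnd))
    zero, one = [0] * 8, [1] + [0] * 7
    print("output bytes changed by a one-byte input change:",
          positions_changed(safer_linear_layer(zero), safer_linear_layer(one)))
```

The agreement count for both SAFER boxes is exactly 128, and that is forced by the algebra rather than luck: 45^128 = -1 mod 257, so E(x + 128) = 257 - E(x) for x in 1..127, which flips parity while x and x + 128 share theirs. A random permutation has no such structure and typically lands some distance from 128, which is the gap Vaudenay's attack on the modified cipher exploits. The PHT is linear over the integers mod 256, so the set of output bytes affected by a single-byte input difference does not depend on the base values.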
Generalized Feistel Networks
A new idea?
- 1995-04-02 Ralf Brown: Feistel
ciphers are based on repeated rounds . . . for the two
halves A and B of a block. This idea can be generalized to
the N parts of a block. For N subblocks in a block, a
minimum of N rounds are required to process each subblock
uniformly, at which point every subblock of the output
depends on every subblock of the input.
- 1995-04-03 Stewart Strait: If the
mixing functions are linear, we get a simple form of the
Hill System.
- 1995-04-03 Bruce Schneier: The
function f does not have to be invertible at all; the
Feistel structure takes care of the invertibility. Matt
Blaze and I also tried to generalize the Feistel
construction, but in such a way as to preserve the use of a
noninvertible function f. We presented our strawman
construction, MacGuffin, at the Leuven Algorithms Workshop
last December, and it was immediately broken.
- 1995-04-03 Ralf Brown: Fair enough.
- 1995-04-04 Bruce Schneier: you can
look at SHA as a block function turned into a hash function
with a Davies-Meyer-like feedforward function. Haval has
a similar construction, as do (more or less) MD4 and MD5.
The attack was based on our choice of f, which was ripped
out of DES with little thought about how the changes might
affect it; the attack didn't have anything to do with the
structure.
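An added example of the N-subblock generalization Brown describes, together with Schneier's point that f need not be invertible. This is my toy, not Brown's, Schneier's or Blaze's code and not MacGuffin: N = 4 subblocks of 32 bits, and in round r the subblock r mod N is XORed with a keyed, truncated SHA-256 of the other N - 1 subblocks. Decryption recomputes the same f from the subblocks the round left untouched, so nothing about f has to be inverted. The dependency trace checks Brown's claim that N rounds are the minimum before every output subblock depends on every input subblock. The word size, the hash-based f and the key schedule are constructed choices.

```python
import hashlib

N = 4   # number of subblocks per block (assumption: four 32-bit words)


def round_function(round_key, others):
    """Non-invertible f: 32 bits of SHA-256 over the round key and the
    other N-1 subblocks. The Feistel structure supplies invertibility."""
    data = round_key + b"".join(w.to_bytes(4, "big") for w in others)
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def expand_key(key, rounds):
    """Toy key schedule: one 8-byte round key per round (constructed)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(rounds)]


def feistel_round(state, r, round_key):
    """Round r modifies subblock r mod N as a function of all the others."""
    t = r % N
    others = state[:t] + state[t + 1:]
    state[t] ^= round_function(round_key, others)


def encrypt(block, key, rounds=N):
    state = list(block)
    for r, rk in enumerate(expand_key(key, rounds)):
        feistel_round(state, r, rk)
    return state


def decrypt(block, key, rounds=N):
    """Same rounds in reverse order: each round's XOR undoes itself because
    the subblocks f reads were not changed by that round."""
    state = list(block)
    for r, rk in reversed(list(enumerate(expand_key(key, rounds)))):
        feistel_round(state, r, rk)
    return state


def dependency_sets(rounds):
    """Which input subblocks each output subblock depends on after the given
    number of rounds, assuming f depends on every one of its inputs."""
    deps = [{i} for i in range(N)]
    for r in range(rounds):
        t = r % N
        for i in range(N):
            if i != t:
                deps[t] |= deps[i]
    return deps


def full_diffusion(rounds):
    """True when every output subblock depends on every input subblock."""
    return all(d == set(range(N)) for d in dependency_sets(rounds))


if __name__ == "__main__":
    block = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xFEEDFACE]   # constructed
    ct = encrypt(block, b"toy key")
    print([hex(w) for w in ct])
    print(decrypt(ct, b"toy key") == block)
    for rounds in range(1, N + 1):
        print(rounds, "rounds, full diffusion:", full_diffusion(rounds))
```

With N - 1 rounds the last subblock has never been the target and still depends only on itself, which is the sense in which N rounds are the minimum; as Strait notes, if f were linear in the others the whole thing would collapse to a matrix over the subblocks, a Hill system, so the hash is doing the nonlinear work here.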
Terry Ritter, his current address, and his top page.
Last updated: 1995-12-27