[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The War is Underway (fwd)

To: cypherpunks <[email protected]>, Black Unicorn <[email protected]>
Subject: Re: The War is Underway (fwd)
From: "Mark M." <[email protected]>
Date: Mon, 12 May 1997 19:13:54 -0400 (EDT)
In-Reply-To: <[email protected]>
Reply-To: "Mark M." <[email protected]>
Sender: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 11 May 1997, Black Unicorn wrote:

> As I recall, 3des ( DESk1 -> DESk2^-1 -> DESk3 ) has an effective
> keylength of 112 bits.  Less than IDEA.  Schneier discusses this.

That's only the best case (for the cryptanalyst).  Breaking 3DES with
only 2^112 encryptions requires 2^56 plaintext-ciphertext pairs.
Schneier says this is about 10^17 bytes.

> I dislike this line of argument for several reasons.  It reduces security
> to the lowest common denominator.  Because, the argument goes, few people
> will use more than a 21 character passphrase, then we need not design
> anything with more security.
>
> In reality, I think that the percentage of people who use more than an 8
> character passphrase, especially outside these circles, is small.
> Following your logic, our high end of security should be about 48 bits.

Very true.  I was not arguing that security should be reduces to the
lowest common denominator but that using excessively long key sizes does
little good.  Anything over 256 bits is, IMHO, overkill and 160 bits is
enough to make brute-force attacks infeasible.

> It costs little today to develop a cipher with larger keyspace.  (DES with
> independent subkeys already exists and has a basic keyspace of 768 bits.
> A meet in the middle attack reduces keyspace to 2^384.  Schneier discusses
> the cipher briefly).  If users are willing to deal with large keys (I
> certainly am) then software designers are restraining a more secure
> implementation.

I'm very suspicious of any cipher with independant subkeys.  Apparently,
this makes chosen-key attacks *very* easy.  Chosen-key attacks aren't
very practical, but it doesn't give me a good feeling about the relative
security of the cipher.  Some combination, like triple-DES using variable
S-boxes would probably be a little more secure.

Mark
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQEVAwUBM3ekFyzIPc7jvyFpAQE21Qf/bepXHyyXBPY33tytKtWQh3isjzqrSqH2
nOtg8qbuDI31W9Jo3RK2KN4nvHLHyPjlrkTT4M07oOhBqNm/Y+xD7ABOvnxkzVal
L7jQbqF3iaJZRhHUyMP0tI+RlyIdtHTN0l7Qt+P/Jfb81uBm5sGPMh9vM3s9/Wav
oP/XHvkX24OnDlnIfpMj+WnLyXx1a6Rs9oyEfv+/k1/7Lo9UwZMSdjV36UDNj8kG
gYBA7eCLMs+3OfcKAlP4wD8TgBfzD3DH93ME5eBtAM/yYzQI5X+tdpIZJ2C3wFZI
oX89+1Kh1AgHJ3Hj7mZKJGvlT3S3rSxL36CQUDAH9NNAPpazOPC3Vg==
=Kwd2
-----END PGP SIGNATURE-----

References:
- Re: The War is Underway (fwd)
  - From: Black Unicorn <[email protected]>

Prev by Date: Re: The Interlinked Cypherpunks Lists?
Next by Date: Re: 64-bit CPU 10x faster in crypto?
Prev by thread: Re: The War is Underway (fwd)
Next by thread: Re: The War is Underway (fwd)
Index(es):
- Date
- Thread