Re: The War is Underway (fwd)

[Lucky Green <shamrock@netcom.com>]

At 01:22 PM 5/11/97 -0400, Black Unicorn wrote:
>As I recall, 3des ( DESk1 -> DESk2^-1 -> DESk3 ) has an effective
>keylength of 112 bits.  Less than IDEA.  Schneier discusses this.

Unfortunately, Schneier doesn't do a very good job at discussing the
strength of 3DES. This probably is to be expected, since there is no fixed
effective keylength of 3DES and a more detailed discussion would likely
exceed the format of Applied Cryptography. The work factor of breaking 3DES
depends on the number of known plaintexts. At best, the effective keylength
is 112 bits. At worst (this is an unlikely, perhaps unrealistic worst) the
effective keylength is ~90 bits. Contrast this with DESX, which has been
proven to be twice as hard as DES, therefore having an effective keylength
of 112 bits.

>It costs little today to develop a cipher with larger keyspace.  (DES with
>independent subkeys already exists and has a basic keyspace of 768 bits.
>A meet in the middle attack reduces keyspace to 2^384.  Schneier discusses
>the cipher briefly).  If users are willing to deal with large keys (I
>certainly am) then software designers are restraining a more secure
>implementation.

It costs lots to develop a cipher with a larger keyspace that has a known,
or reasonably assumed, work factor of higher than 112 bits. Again, it takes
years to cryptanalyze a new cipher.

It isn't software designers that are restraining more secure
implementations. The software designers don't have any better algorithms to
work with because the theorists haven't agreed on anything better yet.



-- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred

   "I do believe that where there is a choice only between cowardice and
    violence, I would advise violence." Mahatma Gandhi