From: Mok-Kong Shen on
J.D. wrote:
>
> And do not worry. I shall do as you wish and ignore your posts from
> now on...

From my experience in discussing with you, I highly appreciate your
decision and would definitely remind you of what you wrote today, if I
in future again see your name as my discussion partner.

M. K. Shen

From: Maaartin on
On Mar 6, 9:38 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> On 06.03.2010 21:21, J.D. wrote:
>
> >> As layman...
>
> > You know, there's a cure for your condition.  And it doesn't involve
> > laying in bed, asking us to spoon-feed you for the rest of your
> > life...
>
> Should I behave like a few others in this group in always attempting
> to (undeservedly) present oneself as an 'expert'?

No, please don't. Just try more reading and thinking, this is what J.D.
meant and what you were told already. There're many thousands of people
worldwide interested in crypto. If only one per cent of them would
behave like you, there would be many thousands of questions here daily
and nothing else.


On Mar 6, 9:41 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> So where is the foundation of "your" 'only slightly longer'?? We were
> talking about the entire composite cipher!

You were given a nice explanation by J.D. already, but I restate it
here. DES is too weak since you can brute force it in 2**53 DES
invocations (on the average). Your cipher contains n components, so
you need only n times more work, which makes with n=16 only 2**57 DES
invocations. This is completely unsatisfactory and may in fact be
called "only slightly longer". It takes 16 times longer but compare it
to other DES-based ciphers, e.g., http://en.wikipedia.org/wiki/DES-X,
which is much stronger nearly for free, see http://www.eecs.berkeley.edu/~daw/papers/slide-fse99.ps

From: J.D. on
> Your cipher contains n components, so
> you need only n times more work, which makes with n=16 only 2**57 DES
> invocations. This is completely unsatisfactory and may in fact be
> called "only slightly longer". It takes 16 times longer...

Indeed. Apparently it is now possible to brute force DES in about a
day. So a 16-fold increase wouldn't even give you a month of
protection. If you encrypted something and got a good fake tan on the
same day, your file could be broken before the 'tan' faded.

From: Maaartin on
On Mar 7, 1:38 am, "J.D." <degolyer...(a)yahoo.com> wrote:
> > Your cipher contains n components, so
> > you need only n times more work, which makes with n=16 only 2**57 DES
> > invocations. This is completely unsatisfactory and may in fact be
> > called "only slightly longer". It takes 16 times longer...
>
> Indeed.  Apparently it is now possible to brute force DES in about a
> day.  So a 16-fold increase wouldn't even give you a month of
> protection.  If you encrypted something and got a good fake tan on the
> same day, your file could be broken before the 'tan' faded.

According to http://w2.eff.org/Privacy/Crypto/Crypto_misc/Technical/des_key_search.ps.gz
it was possible to build a one million dollar machine capable of
bruteforcing DES already in 1993. So we can be quite sure that
intelligence agencies can do it now in a couple of minutes.

In the paper you pointed me to, there's an attack against DES-X
requiring "only" 2**87.5 time and 2**32.5 chosen plaintexts. The nicest
thing about it: I can understand the attack. :D

I wonder if combining the whitening idea with 2DES could not lead
to a stronger cipher than 3DES. The MITM attack makes no sense (because
of the large keyspace) for something like

ciphertext = DES(k2, DES(k1, plaintext + k1') + k2') + k3'

Of course, I know that using anything based on DES makes no sense
these days, I'm just trying to understand things better by "making
experiments".

From: J.D. on
On Mar 6, 9:17 pm, Maaartin <grajc...(a)seznam.cz> wrote:
> On Mar 7, 1:38 am, "J.D." <degolyer...(a)yahoo.com> wrote:
>
> > > Your cipher contains n components, so
> > > you need only n times more work, which makes with n=16 only 2**57 DES
> > > invocations. This is completely unsatisfactory and may in fact be
> > > called "only slightly longer". It takes 16 times longer...
>
> > Indeed.  Apparently it is now possible to brute force DES in about a
> > day.  So a 16-fold increase wouldn't even give you a month of
> > protection.  If you encrypted something and got a good fake tan on the
> > same day, your file could be broken before the 'tan' faded.
>
> According to http://w2.eff.org/Privacy/Crypto/Crypto_misc/Technical/des_key_search...
> it was possible to build a one million dollar machine capable of
> bruteforcing DES already in 1993. So we can be quite sure that
> intelligence agencies can do it now in a couple of minutes.
>
> In the paper you pointed me to, there's an attack against DES-X
> requiring "only" 2**87.5 time and 2**32.5 chosen plaintexts. The nicest
> thing about it: I can understand the attack. :D
>
> I wonder if combining the whitening idea with 2DES could not lead
> to a stronger cipher than 3DES. The MITM attack makes no sense (because
> of the large keyspace) for something like
>
> ciphertext = DES(k2, DES(k1, plaintext + k1') + k2') + k3'
>
> Of course, I know that using anything based on DES makes no sense
> these days, I'm just trying to understand things better by "making
> experiments".

That certainly seems secure (against a meet in the middle attack), at
least at first glance. Perhaps Triple DES was the more conservative
choice -- they may not have completely trusted the security of that
new-fangled whitening concept when it first came out. Also, there may
have been compatibility issues -- Triple DES can be made compatible
with single DES just by using the same key for each call to the cipher
(because of the decrypt step in the middle). Double DES-X, as you
describe it, might be harder to make inter-compatible with single DES.
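
The meet-in-the-middle argument and the Triple DES compatibility point from this exchange, as an added example that is not code from any poster in the thread. It uses a constructed toy cipher (16-bit block, 8-bit key), not DES, and treats the "+" in the whitened formula as an assumption of XOR with block-sized whitening keys; `naive_mitm_bits` counts candidates per side of a plain table-based meet-in-the-middle only and is not a security bound.

```python
ROUNDS = 4  # constructed toy Feistel cipher: 16-bit block, 8-bit key (NOT DES)

def _f(half, key, rnd):
    # Arbitrary mixing; the Feistel structure is invertible whatever this returns.
    x = (half + key + 37 * rnd) & 0xFF
    return ((5 * x * x + 3 * x + 1) ^ (x >> 3)) & 0xFF

def enc(key, block):
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, key, i)
    return (l << 8) | r

def dec(key, block):
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, i), l
    return (l << 8) | r

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))

def ede(k1, k2, k3, p):
    # Encrypt-decrypt-encrypt: with k1 == k2 == k3 this is single encryption.
    return enc(k3, dec(k2, enc(k1, p)))

def mitm_double(pairs):
    """Return (candidate (k1, k2) pairs, cipher calls spent in the two sweeps)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    calls, table = 0, {}
    for k1 in range(256):                 # forward sweep: 2**8 encryptions
        table.setdefault(enc(k1, p0), []).append(k1)
        calls += 1
    found = []
    for k2 in range(256):                 # backward sweep: 2**8 decryptions
        calls += 1
        for k1 in table.get(dec(k2, c0), []):
            # Extra known pairs filter out chance matches in the middle.
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, calls

def naive_mitm_bits(key_bits, block_bits, whitened):
    # log2 of candidates each side must enumerate: the cipher key alone, or
    # the cipher key plus one block-sized whitening key in the whitened form.
    return key_bits + (block_bits if whitened else 0)

if __name__ == "__main__":
    known = [(p, double_enc(0x3C, 0xA5, p)) for p in (0x0123, 0x4567, 0x89AB)]
    print(mitm_double(known))             # 2 * 2**8 sweeps, not 2**16 trials
    print(naive_mitm_bits(56, 64, False), naive_mitm_bits(56, 64, True))
```
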