Cryptography Reference
In-Depth Information
If so, we accept this key pair as the legitimate keys.
To see why this works, and to set up our discussion of the so-called birthday
attack later, consider the following. Suppose that we have an $N$-element set of
values and we want to find a match of two of them. We split the values into two
sets of $n_1$ and $n_2$ values, say. There are $n_1 n_2$ pairs of elements and each pair
has a chance of $1/N$ in matching up. Hence, the match will likely occur when
$(n_1 n_2)/N$ is close to 1. Thus, if we choose
$$n_1 \approx n_2 \approx \sqrt{N},$$
we achieve maximum efficiency in this search. Now, go back to the specific
situation with double DES. Since $N = 2^{112}$ and $\sqrt{N} = 2^{56}$, we see why the effective
keylength security of double DES is $2^{56}$. This level of multiple encryption is
therefore insufficient. We need more.
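The search described above, usually called a meet-in-the-middle attack, is shown here as an added example that is not from the original text. It assumes a toy 16-bit Feistel cipher with 12-bit keys as a stand-in for DES; all function names and sample values are constructed for illustration.

```python
import hashlib

KEY_BITS = 12  # toy key size (DES uses 56); double key space N = 2**24

def _f(half, key, rnd):
    # Round function: one pseudorandom byte from (key, round, half-block).
    data = key.to_bytes(2, "big") + bytes([rnd, half])
    return hashlib.sha256(data).digest()[0]

def encrypt(key, block):
    # 4-round Feistel network on a 16-bit block (hypothetical toy cipher).
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right

def decrypt(key, block):
    # Undo the rounds in reverse order.
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs."""
    (m0, c0), rest = pairs[0], pairs[1:]
    calls = 0    # cipher calls spent on the search itself
    middle = {}  # E_k1(m0) -> every k1 that produces this middle value
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(k1, m0), []).append(k1)
        calls += 1
    survivors = []
    for k2 in range(1 << KEY_BITS):
        calls += 1
        for k1 in middle.get(decrypt(k2, c0), []):
            # Accept a match only if it also explains the other pairs.
            if all(double_encrypt(k1, k2, m) == c for m, c in rest):
                survivors.append((k1, k2))
    return survivors, calls

# Constructed sample data: secret keys and three known plaintexts.
SECRET = (0x5A3, 0xC1E)
PAIRS = [(m, double_encrypt(*SECRET, m)) for m in (0x0001, 0xBEEF, 0x1234)]

if __name__ == "__main__":
    found, calls = meet_in_the_middle(PAIRS)
    print(found, calls, "cipher calls vs", 1 << (2 * KEY_BITS), "key pairs")
```

The search costs $2 \cdot 2^{12}$ cipher calls rather than $2^{24}$, which is the same square-root saving that reduces double DES from $2^{112}$ to about $2^{56}$.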
At the end of the twentieth century when DES had reached the end of its
reign, and before the AES came into effect, the National Institute of Standards
and Technology (NIST)$^{3.5}$ proposed an interim standard as follows; see [94].
Triple DES
Let $E_e$ and $D_d$ denote the DES enciphering and deciphering transformations,
respectively, and let $k$ denote a DES key. We employ three keys $k_j$ for $j = 1, 2, 3$.
Then enciphering of plaintext is achieved via
$$E_{k_3}(D_{k_2}(E_{k_1}(m))) = c,$$
and deciphering occurs via
$$D_{k_1}(E_{k_2}(D_{k_3}(c))) = m.$$
Multiple encryptions strengthen the cipher so long as we do not have $k_1 = k_2$
or $k_2 = k_3$, since then, either $D_{k_2} \circ E_{k_1}$ or $E_{k_2} \circ D_{k_3}$ is the identity function
so we are back at square one with single DES. It is allowed that $k_1 = k_3$, or
that all are distinct.
It turns out that multiple encryption of DES would be rendered useless if
it were the case that for any given keys $k_1$ and $k_2$, there existed a key $k_3$ such
that
$$E_{k_3}(m) = E_{k_2}(E_{k_1}(m))$$
for all plaintext inputs $m$. (This property, if it held, would be tantamount to
DES permutations being closed under composition, and this would happen if
DES satisfied the property that the set of permutations is closed as a group
under composition.) Then multiple encryptions would be reduced to single
encryptions and again we would be back to square one. However, in 1992,
$^{3.5}$ See the NIST homepage: http://www.nist.gov/.