Cryptography Reference
Campbell and Weiner saved the day by proving, in [51], that DES is not a group.
In fact, they showed that a lower bound on the size of the group generated by
composing the set of permutations is $10^{2499}$. Thus, since we are safe on these
issues, with the proper choice of three keys triple DES has an effective
key length of 168 bits, making it a reasonable alternative, and triple DES is
resistant to the meet-in-the-middle attack. That being said, triple DES still
inherits the disadvantages of DES, such as weak keys, semiweak keys, and the
complementation property mentioned earlier. (It should be pointed out, in
anticipation of the next section, that part of the ANSI X59.52 Triple DES
Modes of Operation Standard, involving the CBC mode described on the next
page, was cryptanalyzed in 2002 (see [22]). As a result, ANSI removed this
mode from the proposed standard.)
There are other strengthenings of DES possible. Rivest developed a provably
strong improvement to DES, called DESX. It simply does the following. Choose
three keys $k_1, k_2, k_3$, and encipher by executing
$$k_1 \oplus E_{k_2}(k_3 \oplus m).$$
In other words, we add a 64-bit key $k_3$ modulo 2 to the input plaintext $m$ before
encryption, then we encipher the result with key $k_2$, and lastly add the 64-bit
key $k_1$, modulo 2, to the ciphertext. In 1996, both Kilian and Rogaway [136]
and Rogaway [231] demonstrated the improved security of DESX over DES.
The security of DESX against the DC attack (see Footnote 3.4 on page 127) is
roughly equivalent to that of DES.
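The DESX whitening steps described above, as an added example that is not code from the original text. Python's standard library has no DES, so toy_encrypt and toy_decrypt are a hypothetical Feistel stand-in for the 64-bit block cipher E; all key and message values are constructed.

```python
# Added example: DESX-style whitening, c = k1 XOR E_k2(k3 XOR m).
# ASSUMPTION: toy_encrypt/toy_decrypt are a hypothetical 16-round Feistel
# stand-in for DES (Python's standard library has no DES). Not DES, not secure.
import hashlib

MASK32 = 0xFFFFFFFF

def _f(half: int, key: bytes, rnd: int) -> int:
    """Toy round function: 32 bits derived from half-block, key and round."""
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def toy_encrypt(key: bytes, block: int) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in range(16):
        left, right = right, left ^ _f(right, key, rnd)
    return (right << 32) | left          # final half swap

def toy_decrypt(key: bytes, block: int) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(16)):      # same network, round order reversed
        left, right = right, left ^ _f(right, key, rnd)
    return (right << 32) | left

def desx_encrypt(k1: int, k2: bytes, k3: int, m: int) -> int:
    """Pre-whiten with k3, encipher under k2, post-whiten with k1."""
    return k1 ^ toy_encrypt(k2, k3 ^ m)

def desx_decrypt(k1: int, k2: bytes, k3: int, c: int) -> int:
    """Undo the steps in reverse: strip k1, decipher under k2, strip k3."""
    return k3 ^ toy_decrypt(k2, k1 ^ c)

# Constructed sample values: 64-bit whitening keys, 56-bit (7-byte) cipher key.
K1, K3 = 0x0123456789ABCDEF, 0xFEDCBA9876543210
K2 = bytes.fromhex("133457799bbcdf")
M = int.from_bytes(b"8bytemsg", "big")

if __name__ == "__main__":
    c = desx_encrypt(K1, K2, K3, M)
    print(f"ciphertext = {c:016x}")
    print("round trip ok:", desx_decrypt(K1, K2, K3, c) == M)
    # With both whitening keys zero the construction is just E_k2(m).
    print("k1=k3=0 is plain E:", desx_encrypt(0, K2, 0, M) == toy_encrypt(K2, M))
```

Because the outer key is applied by XOR, two ciphertexts of the same block that differ only in k1 differ by exactly the XOR of the two k1 values.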
An attack developed more recently than DC is one by Matsui [156] in 1994,
called linear cryptanalysis (LC). This is one of the most prominent known-plaintext
attacks (Footnote 3.6) against block ciphers. (See [122] for a nice tutorial treatment
of both LC and DC.) LC uses linear approximations to describe the behavior
of the block cipher under attack. Matsui successfully used LC against DES to
obtain a key with $2^{43}$ known plaintexts (see [157]).
In general, block ciphers with larger S-boxes are less susceptible to DC and
LC attacks. The next block cipher that we describe is therefore stronger than
DES since it has larger S-boxes. First, we look at “modes of operation” for
block ciphers, which allow us to apply them to a variety of situations.
Footnote 3.6: A known-plaintext attack occurs when a cryptanalyst has both ciphertext and plaintext
from intercepted cryptograms as data from which to deduce the plaintext in general, or the
key. In the case of a simple cipher such as the Caesar cipher, for instance, only one plaintext-
ciphertext pair needs to be known to determine the key, which is instantly known to be the
distance the enciphered symbol is shifted from the plaintext symbol, namely 3 units.