Cryptography Reference
In-Depth Information
remove this drawback and concurrently utilize the careful design of DES. You
will find two results of these attempts later in this section and a large number
of additional ones in Schneier [SchnCr, Chapter 13].
5.2.1 Triple-DES
The most obvious means against short keys is multiple encryption with different
keys. For example, using Double-DES encryption, we would choose a 112-bit
key, and split it into two subkeys,
K
and
K
, and then encrypt each plaintext
block,
P
, with
K
and then once more with
K
:
C = DES
K
'(DES
K
(P))
No brute force is possible against a 112-bit key. This method can be easily
implemented in software, and it is slower than DES only by a factor of 2
(with a security 72 quadrillion times larger). To build a ciphering device, all
we actually need to do is switch two DES chips in series and then feed them
with subkeys separately — no problem at all.
These considerations are pretty obvious, and as usual in cryptology, obvious
views are wrong — here too. Considering this generality, we cannot say that
double encryption is more secure than simple encryption. First of all, it could
well be that there is a (56-bit) key,
K
, so that the following holds for arbitrary
plaintext blocks,
P
:
DES
K
= DES
K
(DES
K
(P))
In that case, multiple encryption would not be more secure than simple encryp-
tion to fend off brute force; only dictionary attacks would get harder. Algo-
rithms that
always
have such
K
keys are said to have
group property
or
to form a
group
. (Actually not a well-chosen name, because, in mathematics,
there is always a single element that belongs to a group. In our case, this would
be the identity. A key where the plaintext transforms onto itself doesn't have
to exist in arbitrary algorithms with group property.)
DES does not form a group. Though an algebraic operation is defined on
the set of mappings defined by multiple encryption as a result of consecutive
