Cryptography Reference
In-Depth Information
which is single encryption. Since it is sometimes desirable that one implementation
can perform both triple encryption and single encryption, i.e., in order to interoper-
ate with legacy systems, EDE is a popular choice for triple encryption. Moreover,
for a 112-bit security, it is sufficient to choose two different keys
k
1
and
k
2
and set
k
3
=
k
1
in case of 3DES.
Of course, we can still perform a meet-in-the-middle attack as shown in Fig. 5.11.
Fig. 5.11
Triple encryption and sketch of a meet-in-the-middle attack
bits per key. The problem for an attacker is that she has to
compute a lookup table either after the first or after the second encryption. In both
cases, the attacker has to compute two encryptions or decryptions in a row in order
to reach the lookup table. Here lies the cryptographic strength of triple encryption:
There are 2
2
k
possibilities to run through all possible keys of two encryptions or
decryptions. In the case of 3DES, this forces an attacker to perform 2
112
key tests,
which is entirely infeasible with current technology. In summary, the meet-in-the-
middle attack reduces the
effective key length
of triple encryption from 3
Again, we assume
κ
.
Because of this, it is often said that the
effective key length
of triple DES is 112 bits
as opposed to 3
κ
to 2
κ
·
56 = 168 bits which are actually used as input to the cipher.
5.3.3 Key Whitening
Using an extremely simple technique called
key whitening
, it is possible to make
block ciphers such as DES much more resistant against brute-force attacks. The
basic scheme is shown in Fig. 5.12.
In addition to the regular cipher key
k
, two whitening keys
k
1
and
k
2
are used to
XOR-mask the plaintext and ciphertext. This process can be expressed as:
