Terry Ritter
February 16, 1994
Introduction
The time has come to replace DES, the US Data Encryption Standard,
but there is no clear alternative. While there are many ciphers
which are demonstrably faster and also arguably stronger than DES,
the fact that cipher strength cannot be _tested_ but must instead
be _argued_ makes many users nervous. The US government offers some
alternative ciphers, but those are secret designs whose strength
_cannot_ be argued, again making users nervous.
Double-DES
        A
        v
  k1 -> DES1
        v
        B
        v
        C
        v
  k2 -> DES2
        v
        D
Isolated Double-DES
        A
        v
  k1 -> DES1
        v
        B
        v
  km -> XOR
        v
        C
        v
  k2 -> DES2
        v
        D
While it is true that we now have three keys for a two-level DES
structure, this is no worse than triple-DES with separate keys.
But is it stronger than double-DES?
Isolated Double-DES Meet-In-The-Middle Attack
Again, encipher A under every possible key k1, and decipher D under
every possible key k2 and check for matches between B and C.
Larger Blocks
For this reason, it seems appropriate that any new standard specify
an expanded block width. Here is a double-width approach, 2x2 DES
described in an earlier article:
        A                 B
        v                 v
  k1 -> DES1        k2 -> DES2
        v                 v
        C                 D
          Exchange Right 4 Bytes
        E                 F
        v                 v
  k3 -> DES3        k4 -> DES4
        v                 v
        G                 H
We can guarantee that the two keys will be found by searching all
possible k1 and k3. This is only twice the normal DES keyspace,
but may well require a huge amount of storage to identify all the
values and associated keys (say, E and k3) which match a particular
result (say, C). We do not want to run through every k3 every
time we change k1.
Eli Biham [1] points out that a differential attack can eliminate
the need to store the result from every possible key. In this case
we need two different large blocks of known-plaintext with plaintext
or ciphertext half the same (say, A:B -> G:H and A:X -> Y:Z). With
A the same in both large blocks, we know that the left-half of E
must also be the same. Then, since we have two different blocks, we
can step through all possible values for k3, deciphering G into E
and Y into E' each time, looking for any results with the left-half
the same. This should occur about every 2^32 trials, producing 2^24
trials which match, which should be resolved in only one or two more
sets of known-plaintext blocks. No huge storage is needed.
2x Isolated Double-DES
        A                 B
        v                 v
  k1 -> DES1        k2 -> DES2
        v                 v
  km -> XOR1        kn -> XOR2
        v                 v
          Exchange Right 4 Bytes
        v                 v
  k3 -> DES3        k4 -> DES4
        v                 v
        C                 D
The 2x2 differential attack depended not upon identical top and
bottom values, but upon producing an identical value (in particular
known bit positions) from a bottom deciphering (for example). This
situation is not affected by the XOR and so the differential attack
will still work.
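The differential key search described above, and its indifference to the XOR layer, as an added Python example (not code from the original article). A toy 16-bit Feistel cipher with 12-bit keys stands in for DES; the cipher, the key and plaintext values, and all function names are constructed for illustration, and the output blocks are named G:H as in the 2x2 diagram.

```python
import hashlib

KEY_BITS = 12            # toy key size (DES: 56)
HALF = 8                 # toy half-block in bits (DES: 32, the "4 bytes")
MASK = (1 << HALF) - 1

def _f(k, rnd, x):
    # Round function: one byte of SHA-256 (a stand-in, not DES's f)
    return hashlib.sha256(bytes([k >> 8, k & 0xFF, rnd, x])).digest()[0]

def enc(k, x):
    """Toy 16-bit, 4-round Feistel block cipher standing in for DES."""
    l, r = x >> HALF, x & MASK
    for rnd in range(4):
        l, r = r, l ^ _f(k, rnd, r)
    return l << HALF | r

def dec(k, y):
    """Inverse of enc under the same key."""
    l, r = y >> HALF, y & MASK
    for rnd in reversed(range(4)):
        l, r = r ^ _f(k, rnd, l), l
    return l << HALF | r

def encrypt_2x(keys, a, b):
    """2x isolated double-DES layout; km = kn = 0 gives plain 2x2 DES."""
    k1, k2, km, kn, k3, k4 = keys
    c, d = enc(k1, a) ^ km, enc(k2, b) ^ kn
    e = (c & ~MASK) | (d & MASK)        # exchange right halves
    f = (d & ~MASK) | (c & MASK)
    return enc(k3, e), enc(k4, f)       # G, H

def recover_k3(g_blocks):
    """Keep each k3 guess under which every G deciphers to the same left half of E."""
    return [k for k in range(1 << KEY_BITS)
            if len({dec(k, g) >> HALF for g in g_blocks}) == 1]

def demo(km, kn, n_blocks):
    """Known-plaintext blocks that share A, then the storage-free search for k3."""
    keys = (0x3A1, 0x7C4, km, kn, 0x9E5, 0x12B)    # constructed keys
    a = 0xBEEF                                      # same A in every large block
    gs = [encrypt_2x(keys, a, 0x1000 + 37 * i)[0] for i in range(n_blocks)]
    return recover_k3(gs)

if __name__ == "__main__":
    print(len(demo(0, 0, 2)), "candidates from two blocks")
    print(demo(0, 0, 8), demo(0x5AA5, 0xC33C, 8))   # without and with XOR masks
```

With two blocks, several wrong keys survive by chance alongside the true k3; the additional blocks eliminate them, and the nonzero km and kn change nothing because the left half of E still depends only on A.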
Conclusion
References
[1] Biham, E. Mon, 7 Feb 1994 16:59:28 GMT. Comments on Nx2 DES.
<CKv5v5.EnF@chinet.chinet.com>