This preview shows page 1. Sign up to view the full content.
Unformatted text preview: van Oorschot and Michael Wiener converted this to a known-plaintext attack, requiring p known plaintexts. This example assumes EDE mode. (1) Guess the first intermediate value, a. (2) Tabulate, for each possible K1, the second intermediate value, b, when the first intermediate value is a, using known plaintext: b = DK1(C) where C is the resulting ciphertext from a known plaintext. (3) Look up in the table, for each possible K2, elements with a matching second intermediate value, b: b = EK2(a) (4) The probability of success is p/m, where p is the number of known plaintexts and m is the block size. If there is no match, try another a and start again. The attack requires 2n + m/p time and p memory. For DES, this is 2120/p . For p greater than 256, this attack is faster than exhaustive search. Triple Encryption with Three Keys
If you are going to use triple encryption, I recommend three different keys. The key length is longer, but key storage is usually not a problem. Bits are cheap. C = EK3(DK2(EK1(P))) P = DK1(EK2(DK3(C))) The best time-memory trade-off attack takes 22n steps and requires 2n blocks of memory; it’s a meet-in-the-middle attack . Triple encryption, with three independent keys, is as secure as one might naïvely expect double encryption to be. Triple Encryption with Minimum Key (TEMK)
There is a secure way of using triple encryption with two keys that prevents the previous attack, called Triple Encryption with Minimum Key (TEMK) . The trick is to derive three keys from two: X1 and X2: K1 = EX1(DX2(EX1(T1))) K2 = EX1(DX2(EX1(T2))) K3 = EX1(DX2(EX1(T3))) T1, T2, and T3 are constants, which do not have to be secret. This is a special construction that guarantees that for any particular pair of keys, the best attack is a known-plaintext attack. Triple-Encryption Modes
It’s not enough to just specify triple encryption; there are several ways to do it. The decision of which to use affects both security and efficiency. Here are two possible t...
View Full Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
- Fall '10