This preview shows page 1. Sign up to view the full content.
Unformatted text preview: means is that a chosen-plaintext attack against DES only has to test half the possible keys: 255 keys instead of 256 . Eli Biham and Adi Shamir showed  that there is a known-plaintext attack of the same complexity, requiring at least 233 known plaintexts. It is questionable whether this is a weakness, since most messages don’t have complement blocks of plaintext (in random plaintext, the odds against it are extremely high) and users can be warned not to use complement keys. Algebraic Structure
All possible 64-bit plaintext blocks can be mapped onto all possible 64-bit ciphertext blocks in 264! different ways. The DES algorithm, with its 56-bit key, gives us 256 (approximately 1017) of these mappings. Using multiple encryption, it seems possible to reach a larger portion of those possible mappings. However, this is only true if the DES operation does not have certain algebraic structures. If DES were closed, then for any K1 and K2 there would always be a K3 such that EK2(EK1(P)) = EK3(P) In other words, the DES encryption operation would form a group, and encrypting a set of plaintext blocks with K1 followed by K2 would be identical to encrypting the blocks with K3. Even worse, DES would be vulnerable to a meet-in-the-middle known-plaintext attack that runs in only 228 steps . If DES were pure, then for any K1 K2 and K3 there would always be a K4 such that EK3(EK2(EK1(P))) = EK4(P) Triple encryption would be useless. (Note that a closed cipher is necessarily pure but a pure cipher is not necessarily closed.) An early theoretical paper by Don Coppersmith gave some hints, but it wasn’t enough . Various cryptographers wrestled with this question [588,427,431,527,723,789]. Cycling experiments gathered “overwhelming evidence” that DES is not a group [807,371,808,1116,809], but it wasn’t until 1992 that cryptographers proved that DES is not a group . Coppersmith said that the IBM team knew it all along. Key Length
IBM’s original submission to NBS had a 112-b...
View Full Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
- Fall '10