Quantity of plaintext/ciphertext required for DES crypto
Wed, 08 March 1995 09:45 UTC
To: Danny.Nessett@Eng
Subject: Quantity of plaintext/ciphertext required for DES crypto
Message-ID: <150853323196.30702.1394019849856328863.ARCHIVE@ietfa.amsl.com>
Dan --

It is somewhat counterintuitive that the known plaintext attack requires less data than the chosen plaintext attack, and a little surprising, but not contradictory, since every known plaintext attack is a chosen plaintext attack as well.

I think 2^32 is a better bound than 2^43, at least for certain modes of DES. For instance, after 2^32 blocks in CBC mode, you expect to see two identical ciphertext blocks, say c[i] and c[j]; the difference between their predecessors will match the difference between the corresponding plaintext blocks, i.e.,

    p[i] xor p[j] = c[i-1] xor c[j-1]

Information thus starts to leak after 2^32 blocks (square root of the message space). I would recommend 2^32 blocks as the limit for the lifetime of a key, and that takes care of the 2^43/2^47 attacks as well.

Feel free to summarize or repost my comments.

-- Burt

=======

This suggests that another way to meet the cryptanalytic threat to host-to-host keying is to change the session key well before 2^32 plaintexts have been encrypted. Consequently, I think that requiring IPv6 security implementations to support user-to-user keying is too limiting. They can adequately meet this threat by judicious session key management.

Dan
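Burt's CBC birthday-bound argument, worked through as an added example that is not part of the original message: an ideal block cipher is modelled as a keyed random permutation with a 16-bit block (an assumption standing in for DES's 64-bit block, so the first repeated ciphertext block appears after a few hundred blocks instead of about 2^32), and the identity p[i] xor p[j] = c[i-1] xor c[j-1] is checked at that first collision.

```python
import random

# Added example: an ideal n-bit block cipher modelled as a keyed random
# permutation. DES has n=64 (collisions near 2^32 blocks); n=16 here.
BLOCK_BITS = 16
SPACE = 1 << BLOCK_BITS
BIRTHDAY_BOUND = 1 << (BLOCK_BITS // 2)  # 2^(n/2): Burt's rekey limit

def keyed_permutation(key):
    """Constructed stand-in for a block cipher E_key (not DES)."""
    table = list(range(SPACE))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(table, iv, plaintext):
    """Plain CBC mode: c[i] = E(p[i] xor c[i-1]), with c[-1] = iv."""
    prev, out = iv, []
    for p in plaintext:
        prev = table[p ^ prev]
        out.append(prev)
    return out

def first_ciphertext_collision(ciphertext):
    """First (i, j), i < j, with c[i] == c[j]; None if no collision."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None

def leaked_xor(plaintext, ciphertext, iv, i, j):
    """c[i] == c[j] implies p[i] xor p[j] == c[i-1] xor c[j-1]. Returns
    (observed, actual): the ciphertext-only value and the true difference."""
    prev_i = ciphertext[i - 1] if i > 0 else iv
    prev_j = ciphertext[j - 1] if j > 0 else iv
    return prev_i ^ prev_j, plaintext[i] ^ plaintext[j]

def demo(key=1, seed=2, n_blocks=4096):
    rng = random.Random(seed)  # constructed key material and plaintext
    table = keyed_permutation(key)
    iv = rng.randrange(SPACE)
    pt = [rng.randrange(SPACE) for _ in range(n_blocks)]
    ct = cbc_encrypt(table, iv, pt)
    hit = first_ciphertext_collision(ct)
    if hit is None:
        return None  # no repeat yet; keep counting blocks under this key
    observed, actual = leaked_xor(pt, ct, iv, *hit)
    return {"blocks_until_leak": hit[1] + 1, "birthday_bound": BIRTHDAY_BOUND,
            "observed": observed, "actual": actual}
```

Raising BLOCK_BITS toward 64 pushes the first collision toward 2^32 blocks, which is the point at which Burt recommends the key be retired.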