Re: replay field size
Bart Preneel <Bart.Preneel@esat.kuleuven.ac.be> Sun, 16 February 1997 18:09 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA28472 for ipsec-outgoing; Sun, 16 Feb 1997 13:09:25 -0500 (EST)
Date: Sun, 16 Feb 1997 19:13:22 +0100
From: Bart Preneel <Bart.Preneel@esat.kuleuven.ac.be>
To: Steven Bellovin <smb@research.att.com>
Cc: Ran Atkinson <rja@inet.org>, Robert Glenn <glenn@snad.ncsl.nist.gov>, Stephen Kent <kent@bbn.com>, ipsec@tis.com
Subject: Re: replay field size
In-Reply-To: <199702131637.LAA02391@raptor.research.att.com>
Message-Id: <Pine.HPP.3.95.970216191232.19163r-100000@domein.esat.kuleuven.ac.be>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Charset: ISO_8859-1
X-Char-Esc: 29
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Linear cryptanalysis of DES:

> Date: Thu, 13 Feb 1997 11:37:39 -0500
> From: Steven Bellovin <smb@research.att.com>
> To: Ran Atkinson <rja@inet.org>
> Cc: Robert Glenn <glenn@snad.ncsl.nist.gov>, Stephen Kent <kent@bbn.com>,
> ipsec@tis.com
> Subject: Re: replay field size
>
> [...]
>
> But it's worse than that. At 250 bytes/packet, there are about 2^5 DES
> blocks/packet, which means there are 2^37 blocks per ``full'' 32-bit
> security association. That's getting unpleasantly close to the point
> where linear cryptanalysis is feasible. (Matsui's CRYPTO '94 paper
> says that with 2^38 known plaintexts, the success rate is 10% with
> complexity 2^50. The new ``Handbook of Applied Cryptography'' notes
> that ``linear cryptanalysis is possible in a ciphertext-only
> environment if some underlying plaintext redundancy is known (e.g.,
> parity bits or high-order 0-bits in ASCII characters.)) I submit that
> we really don't want to encrypt that much plaintext with any single key
> -- ever. And of course, we don't know that linear cryptanalysis is the
> ultimate attack.

As far as I know, the extension of Matsui's attack to ciphertext only
(given ASCII plaintext) requires at least 2^{10} times more ciphertext
(see Matsui's Eurocrypt'93 paper). So 2^{38} known plaintexts will become
something like 2^{48} ciphertext only. This can probably be still
improved, but it is not very serious as threat.

Given the complexity of 2^{50}, it is probably much easier to build the
DES key search machine -- success probability of 1.6%), which needs only
1 plaintext/ciphertext pair, rather than to collect all the data on
2^{48} ciphertexts. A complexity of 2^{40} seems more realistic to me,
which implies that about 10 times more ciphertexts are required.

I would be much more concerned about the `matching ciphertext' problem
of the CBC-mode: information on the plaintext starts to leak after
2^{33} blocks (for 2^{38} there will be already 2000 matches).
A very good reason to never encrypt more than 2^{33} plaintexts with a
single key.

Bart Preneel

-------------------------------------------------------------------------------
Katholieke Universiteit Leuven                       tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC            fax. +32 16 32 19 86
K. Mercierlaan 94, B-3001 Heverlee, BELGIUM   bart.preneel@esat.kuleuven.ac.be
-------------------------------------------------------------------------------
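
The `matching ciphertext' figures in the message above can be reproduced at small scale; the following is an added example, not part of the original e-mail. It assumes a 16-bit keyed random permutation as a stand-in block cipher (all function names are illustrative), counts equal CBC ciphertext blocks, and checks that every match reveals the XOR of two plaintext blocks.

```python
import random
from collections import defaultdict

BLOCK_BITS = 16  # toy block size (assumption); DES uses 64-bit blocks

def expected_matches(n_blocks, block_bits):
    """Expected number of equal ciphertext-block pairs among n_blocks blocks."""
    return n_blocks * (n_blocks - 1) / 2 / 2 ** block_bits

def toy_cipher(key):
    """Keyed random permutation of all 16-bit blocks (stand-in for a block cipher)."""
    table = list(range(2 ** BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(table, iv, plaintext):
    """CBC mode: C_i = E(P_i xor C_{i-1}) with C_0 = IV. Returns [IV, C_1, ...]."""
    out = [iv]
    for p in plaintext:
        out.append(table[p ^ out[-1]])
    return out

def matching_pairs(ciphertext):
    """Index pairs (j, i), j < i, with C_j == C_i (the IV at index 0 is skipped)."""
    seen = defaultdict(list)
    pairs = []
    for i in range(1, len(ciphertext)):
        pairs.extend((j, i) for j in seen[ciphertext[i]])
        seen[ciphertext[i]].append(i)
    return pairs

def run_demo(n_blocks=2 ** 12, seed=1997):
    """Encrypt constructed random plaintext; return (matches, matches that leak)."""
    rng = random.Random(seed)
    pt = [rng.randrange(2 ** BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(toy_cipher(seed), rng.randrange(2 ** BLOCK_BITS), pt)
    pairs = matching_pairs(ct)
    # C_j == C_i implies P_j xor P_i == C_{j-1} xor C_{i-1}; P_i is pt[i-1].
    leaks = sum((pt[j - 1] ^ pt[i - 1]) == (ct[j - 1] ^ ct[i - 1]) for j, i in pairs)
    return len(pairs), leaks

if __name__ == "__main__":
    found, leaks = run_demo()
    print(f"toy: {found} matches, {leaks} leak a plaintext XOR, "
          f"expected about {expected_matches(2 ** 12, BLOCK_BITS):.0f}")
    for log_n in (33, 38):  # the block counts discussed in the message
        print(f"DES, 2^{log_n} blocks: about {expected_matches(2 ** log_n, 64):.0f} matches")
```
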