>From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>Sent: Feb 2, 2005 1:39 PM
>Cc: Aram Perez <[EMAIL PROTECTED]>, Cryptography <cryptography@metzdowd.com>
>Subject: Re: Is 3DES Broken? 

>>I think you meant ECB mode?

>No, I meant CBC -- there's a birthday paradox attack to watch out for.

Yep.  In fact, there's a birthday paradox problem for all the standard chaining 
modes at around 2^{n/2}.  

For CBC and CFB, this ends up leaking information about the XOR of a couple of
plaintext blocks at a time; for OFB and counter mode, it ends up making the 
keystream distinguishable from random.  Also, most of the security proofs for 
block cipher constructions (like the secure CBC-MAC schemes) limit the number 
of blocks to some constant factor times 2^{n/2}.  

>               --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

--John Kelsey
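
Added example, not part of the original message: the CBC case described above, run on a toy cipher with n = 16 so that 2^{n/2} = 256 blocks is easy to exceed. The Feistel cipher, key, IV and plaintext are all constructed for the demonstration; only the ciphertext is used to recover the XORs.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy block size n, so 2^(n/2) = 256; 3DES has n = 64

def _round(key, rnd, half):
    """Feistel round function: 8 bits in, 8 bits out."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def encrypt_block(key, block):
    """Toy 16-bit Feistel permutation (constructed for this demo, not secure)."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 8) | right

def cbc_encrypt(key, iv, plaintext):
    """Return [IV, C_1, ..., C_m] with C_i = E(P_i xor C_{i-1})."""
    out = [iv]
    for p in plaintext:
        out.append(encrypt_block(key, p ^ out[-1]))
    return out

def leaked_xors(ciphertext):
    """Find C_i == C_j (i < j) and return (i, j, P_i xor P_j) for each pair.

    E is a permutation, so equal outputs mean equal inputs:
    P_i ^ C_{i-1} == P_j ^ C_{j-1}, hence P_i ^ P_j == C_{i-1} ^ C_{j-1}.
    """
    first_seen = {}
    leaks = []
    for j in range(1, len(ciphertext)):
        i = first_seen.setdefault(ciphertext[j], j)
        if i != j:
            leaks.append((i, j, ciphertext[i - 1] ^ ciphertext[j - 1]))
    return leaks

def demo(num_blocks=2000, seed=1):
    """Encrypt random blocks under one key; return (plaintext, leaks)."""
    rng = random.Random(seed)  # constructed sample data
    key = bytes(rng.getrandbits(8) for _ in range(8))
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(num_blocks)]
    ct = cbc_encrypt(key, rng.getrandbits(BLOCK_BITS), plaintext)
    return plaintext, leaked_xors(ct)

if __name__ == "__main__":
    pt, leaks = demo()
    print(f"{len(leaks)} colliding pairs in {len(pt)} blocks (2^(n/2) = 256)")
```

Block indices are 1-based to match C_i and P_i, so P_i is plaintext[i - 1] in the returned list.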

The Cryptography Mailing List