At 09:55 2005-02-03 -0500, John Kelsey wrote:
>From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>Sent: Feb 2, 2005 1:39 PM
>Cc: Aram Perez <[EMAIL PROTECTED]>, Cryptography <>
>Subject: Re: Is 3DES Broken?

>>I think you meant ECB mode?

>No, I meant CBC -- there's a birthday paradox attack to watch out for.

Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}.

For CBC and CFB, this ends up leaking information about the XOR of a couple plaintext blocks at a time; for OFB and counter mode, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}.

I'm surprised that no-one has said that ECB mode is "unsafe at any speed".


Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Incorporated VOICE: +1-858-651-5733 FAX: +1-858-651-5766 5775 Morehouse Drive San Diego, CA 92121 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to