home *** CD-ROM | disk | FTP | other *** search
- Path: sparky!uunet!mcsun!uknet!acorn!eoe!ahaley
- From: ahaley@eoe.co.uk (Andrew Haley)
- Newsgroups: sci.crypt
- Subject: Re: Is DES broken ?
- Message-ID: <1393@eouk9.eoe.co.uk>
- Date: 7 Sep 92 09:50:55 GMT
- References: <1992Sep6.031418.12298@kum.kaist.ac.kr>
- Organization: EO Europe Limited, Cambridge, UK
- Lines: 37
- X-Newsreader: Tin 1.1 PL3
-
- sghahn@sol.kaist.ac.kr (Hahn Sang Geun) writes:
- :
- : I heard from a colleague in electronics department that
- : 16 round DES was broken at the 1992 CRYPTO meeting.
- :
- : He told me a progress in differential cryptalanalysis
- : made it possible.
- :
- : Is that correct ?
- : If so, how practical is that ?
- :
- : S. HAHN
- : Mathematics Department
- : KAIST
- : South Korea
-
- There was a recent exchange in this group on this subject. This
- attack reduces the number of encryptions to break DES to about 2**47.
- Note that this is a chosen plaintext attack, which means that the
- attacker has to provide some 10**15 bytes of data to be encrypted.
- Note that the attacker can't do any of this himself; his enemy, who is
- being attacked, must do the encryption and return the data to his
- attacker.
-
- This means that for all practical purposes DES is still secure against
- differential attack.
-
- However, a massively parallel machine could be used in a known
- plaintext attack, which would require some 2**55 encryptions to find
- the key. As the attacker could use millions of DES processors in
- parallel, this would be much more practical than the differential
- attack.
-
- Andrew.
-
- Ref: "Differential Cryptanalysis of the full DES," Biham and Shamir,
- Weizmann Institute Technical Report, Rehovot, Israel.
-
