Triple DES with Two Keys
A countermeasure to the meet-in-the-middle attack is to use three stages of encryption with two or three different keys.
The function follows an encrypt-decrypt-encrypt (EDE) sequence.
C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))
3DES with two keys is a relatively popular alternative to DES.
Currently, there are no practical cryptanalytic attacks on 3DES.
Brute-force key search on 3DES is on the order of 2^112, and the cost of differential cryptanalysis also grows exponentially compared to single DES.
Several proposed attacks (though impractical) on 3DES are:
Chosen-Plaintext Attack: Triple DES
- Find plaintext values that give A = 0, where A = E(K1, P) is the first intermediate value.
- Then, use the meet-in-the-middle attack to determine the two keys.
- However, this attack requires 2^56 chosen plaintext-ciphertext pairs, which is impractical.
Known-Plaintext Attack: Triple DES
This method does not require chosen plaintext-ciphertext pairs but requires more effort.
The attack is based on the observation that if an attacker knows A and C, then the problem reduces to that of an attack on double DES.
The attack is as follows:
- The attacker obtains n (P, C) pairs and places them in Table 1, sorted on the values of P.
- For an arbitrary value a for A and each candidate key K1 = i, calculate the plaintext value that produces a: Pi = D(i, a).
- For each Pi that matches an entry in Table 1, create an entry in Table 2 that contains the value of K1 and the value of B obtained by decrypting the corresponding ciphertext from Table 1: B = D(i, C).
- Table 2 now contains a number of candidate values of K1. For each of the 2^56 possible values of K2 = j, calculate the second intermediate value for the chosen value of a: Bj = D(j, a).
- At each step, look up Bj in Table 2. If there is a match, then the corresponding key i from Table 2 plus this value of j are candidate values for the unknown keys (K1, K2).
- Test each candidate pair of keys on a few other plaintext-ciphertext pairs. If a pair of keys produces the desired ciphertext, the task is complete.
- If no pair succeeds, repeat from step 1 with a new value of a.
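The table procedure above, carried through on a toy cipher to show how the work scales with the key space and the number of known pairs. This is an added example, not code from the original page: the 16-bit Feistel cipher with an 8-bit key is a constructed stand-in for DES (so each 2^56 key loop becomes 2^8), and the keys, plaintexts and function names are hypothetical.

```python
# Toy 16-bit Feistel cipher with an 8-bit key (constructed stand-in for DES,
# so the page's 2^56 key loops become 2^8 and finish quickly).
SBOX = [pow(3, x, 257) % 256 for x in range(256)]   # fixed 8-bit permutation

def _rk(k, r):
    """Round key: key rotated left by r bits, plus a round constant."""
    return (((k << r) | (k >> (8 - r))) + r) & 0xFF

def E(k, p):
    l, r = p >> 8, p & 0xFF
    for rnd in range(4):
        l, r = r, l ^ SBOX[r ^ _rk(k, rnd)]
    return (l << 8) | r

def D(k, c):
    l, r = c >> 8, c & 0xFF
    for rnd in reversed(range(4)):                   # undo rounds in reverse
        l, r = r ^ SBOX[l ^ _rk(k, rnd)], l
    return (l << 8) | r

def ede_encrypt(k1, k2, p):       # C = E(K1, D(K2, E(K1, P)))
    return E(k1, D(k2, E(k1, p)))

def ede_decrypt(k1, k2, c):       # P = D(K1, E(K2, D(K1, C)))
    return D(k1, E(k2, D(k1, c)))

def recover_keys(pairs):
    table1 = dict(pairs)                             # Table 1: known P -> C
    for a in range(1 << 16):                         # guess a for A = E(K1, P)
        table2 = {}                                  # Table 2: B -> candidate K1
        for i in range(256):
            p_i = D(i, a)                            # Pi = D(i, a)
            if p_i in table1:                        # B = D(i, C)
                table2.setdefault(D(i, table1[p_i]), []).append(i)
        for j in range(256):
            for i in table2.get(D(j, a), ()):        # look up Bj = D(j, a)
                # Confirm the candidate pair against every known pair.
                if all(ede_encrypt(i, j, p) == c for p, c in pairs):
                    return i, j
    return None                                      # no guess of a succeeded

# Constructed sample data: 512 known pairs under hypothetical keys.
K1, K2 = 0x3A, 0xC5
PAIRS = [(p, ede_encrypt(K1, K2, p)) for p in range(0x1000, 0x1200)]

if __name__ == "__main__":
    print("recovered (K1, K2):", recover_keys(PAIRS))
```

Each guess of a costs two passes over the key space, and a guess only pays off when a equals E(K1, P) for one of the n known plaintexts, so fewer known pairs means proportionally more guesses.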
Triple DES with Three Keys
- Although the attacks just described appear impractical, anyone using two-key 3DES may feel some concern.
- In that case, three-key 3DES is the preferred alternative.
- Three-key 3DES has an effective key length of 168 bits and is defined as C = E(K3, D(K2, E(K1, P)))
- Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2.
- A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME.