Mark Eichin says:
While longer key indeed offers little protection against attacks like differential cryptanalysis - it's hard to argue that it can blow brute-force attack out of the water... But isn't the idea differential cryptanalysis *can* blow brute-force out of the water if the algorithm is sensitive to it, and the symmetries that could be introduced by 64-bit DES keying might have made it thus sensitive. It isn't just that extra key "offers little protection", it might actually *weaken* the algorithm. (No, I'm not an expert on DES, but I've followed the net, read the FIPS, read Biham-Shamir, and thought about it a bit for myself.)
Well, to the best of my knowledge, "sliding attack" does NOT care about the length of a key - because it deduces the subkeys DIRECTLY. This means - one doesn't WEAKEN an algorithm by increasing the key length, it just doesn't help against "sliding attack"... And in order to pull out this "sliding attack" one HAS to have either enough of PLAINTEXT-CIPHERTEXT pairs, or even better - to be able to run CHOSEN-PLAINTEXT attack. How much are you afraid of such an attack against your e-mail? [Assuming you use one-time RSA-encrypted DES key, of course :-] -- Regards, Uri uri@watson.ibm.com scifi!angmar!uri N2RIU ----------- <Disclamer>
From cypherpunks-request Sun Jul 11 20:17:07 1993