At 01:22 PM 5/11/97 -0400, Black Unicorn wrote:
As I recall, 3des ( DESk1 -> DESk2^-1 -> DESk3 ) has an effective keylength of 112 bits. Less than IDEA. Schneier discusses this.
Unfortunately, Schneier doesn't do a very good job at discussing the strength of 3DES. This probably is to be expected, since there is no fixed effective keylength of 3DES and a more detailed discussion would likely exceed the format of Applied Cryptography. The work factor of breaking 3DES depends on the number of known plaintexts. At best, the effective keylength is 112 bits. At worst (this is an unlikely, perhaps unrealistic worst) the effective keylength is ~90 bits. Contrast this with DESX, which has been proven to be twice as hard as DES, therefore having an effective keylength of 112 bits.
It costs little today to develop a cipher with larger keyspace. (DES with independent subkeys already exists and has a basic keyspace of 768 bits. A meet in the middle attack reduces keyspace to 2^384. Schneier discusses the cipher briefly). If users are willing to deal with large keys (I certainly am) then software designers are restraining a more secure implementation.
It costs lots to develop a cipher with a larger keyspace that has a known, or reasonably assumed, work factor of higher than 112 bits. Again, it takes years to cryptanalyze a new cipher. It isn't software designers that are restraining more secure implementations. The software designers don't have any better algorithms to work with because the theorists haven't agreed on anything better yet. -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred "I do believe that where there is a choice only between cowardice and violence, I would advise violence." Mahatma Gandhi