Jim Gillogly <jim@rand.org> writes: ...I don't have the message from voorhees that he responded to.
Woops, just found it. This is the predecessor to my previous forward from x9a3, relating to Triple DES (3DES), complete with votes. Jim Gillogly Mersday, 24 Solmath S.R. 1995, 01:46 _________________________________________________________________ From: voorhees@interport.net Newsgroups: talk.politics.crypto Subject: Triple-DES Date: 12 Dec 1994 00:24:24 GMT Organization: Interport Communications Lines: 87 Message-ID: <3cg57o$hvq@interport.net> Reply-To: voorhees@interport.net NNTP-Posting-Host: voorhees.port.net X-Newsreader: IBM NewsReader/2 v1.03 The following post is from Rich Ankeny, a member of X9F1 and possibly F3, too. He does not have easy access to newsgroups, so I am posting it on his behalf. --Mark I have a few comments on triple DES: 1. X9F1 to Develop the Standard? I read with interest your recent Usenet post about triple DES. I was not aware that Marty Ferris (X9F chair) had already (offically) decided to give the work to Blake. We (various X9F1/3 members) had figured the way to delay it the longest is to form a new working group (X9F5:-). 2. Blake's Opinions Blake's claim is that triple DES (with two keys) is not 112 bits strong; in fact it is somewhere between 70 and 80 bits strong. He gives no details to back this up, though. His other objection is that, since there are only 32 bits input to the DES S-boxes in each round, at some point in the future (say 10 years or so) this can be "cryptanalyzed" using table lookups rather than test encryptions or other means, even on a desktop sized machine (with lots of memory). This is actually a reasonable prediction, but it applies to single DES. As to two-key triple DES, the only published attack I'm aware of is a paper by Paul van Oorschot and Michael Wiener of BNR (cited in Applied Cryptography, among other places); their attack uses *lots* of memory and running time of less than 2^100 steps. I guess it all depends on who you think is the better cryptanalyst:-) Anyway, the X9 proposal was to use three-key triple DES; one would hope that's at least 112 bits strong. 3. The X9 Vote I got the voting record from X9 on the triple DES NWI: YES: Applied Communications, AT&T, Bank of America, Bank of Boston, Chemical Bank, Deluxe Check Printers(!), Federal Reserve, Fidelity Investments, Mastercard, Mellon Bank, VISA, Wells Fargo. NO: NSA, NationsBank (their rep is X9 chair). ABSTAIN: ABA, American Express, Canadian Bankers Assoc., Moore Business Forms, NIST, Unisys, Xerox. 10 members didn't return their ballots, including Citibank, Chase Manhattan, and IBM. This is not unusual for larger organizations where the ballots sit on someone's desk for three or four months. I imagine many will be voting on the reconsideration ballot. NO votes must have reasons, and abstentions typically do as well: NSA: We've seen their reasons already in earlier postings. NationsBank: Too much controversy and too many open issues (based, I would think, on the NSA comments) ABA: Concerned about the NSA comments (esp. exportability) and that adopting triple DES now would affect the number of options available in the long term. ABA is opposed to Clipper/Capstone as currently proposed. In particular: (a) it must have congressional support, (b) at least one escrow agent must be a private sector entity, (c) it must be exportable, (d) there must be a *demonstrable* mechanism whereby escrow keys used in wiretap equipment cannot be compromised and are destroyed at the end of the wiretap period, (e) the algorithm must be unclassified or made available for an acceptable evaluation procedure by the banking industry, and (f) analysis of other issues is needed, including possiblity of software implementation, and compatibility with installed DES infrastructure. Federal Reserve: Supports triple DES, as an immediate alternative to DES. Also offers some much less negative wording for the reconsideration ballot. (The original ballot did everything but recommend a NO vote.) I don't have Usenet access (without "borrowing" a friend's account), so please feel free to repost any of this you feel might interest the EFF and other newsgroups. Regards, Rich Ankney (Fischer Int'l) _________________________________________________________________