pstemari@bismark.cbis.com (Paul J. Ste. Marie) writes: triple DES uses:

Eabc(x) = Ea(Db(Ec(x)))

as opposed to:

Eabc(x) = Ea(Eb(Ec(x)))

in order to preserve some symmetry properties. Can anyone give a better explanation?

OK -- if you want to retain compatibility with old 56-bit DES chips in your same network, you can set a = b = c and get: Eaaa(x) = Ea(Da(Ea(x))) using the first form, which reduces to Ea(x), or a single 56-bit DES encryption instead of the 168 bits your TripleDES chip can handle. The second form doesn't have this property or any other useful property other than standalone security, since DES isn't a group. Jim Gillogly Highday, 7 Winterfilth S.R. 1994, 22:03

Quick question. There's a brief mention in Applied Cryptography that triple DES uses:

Eabc(x) = Ea(Db(Ec(x)))

as opposed to:

Eabc(x) = Ea(Eb(Ec(x)))

in order to preserve some symmetry properties. Can anyone give a better explanation?

This should probably be in a FAQ somewhere. As I understand it, the intent is to build 3DES chips that can be backward compatible with single DES by simply setting all three keys to the same value. Naturally, nobody would be stupid enough to do single DES in this way in a software implementation, but it doesn't really cost anything extra when operating in 3DES mode either. DES decryption is the same as encryption with a reversed key schedule, so the work factor for both ciphering and attacking should be the same. Question to the group: are there any precise standards for how 3DES keys are specified? Also, a 3DES verification suite similar to NIST's suite for single DES would be very nice. Phil