dispersed DES

Matt Blaze mab at crypto.com
Thu May 26 08:11:22 PDT 1994


In local.cypherpunks you write:

>I have come up with (and implemented) a version of triple DES for true
>paranoids, which I call dispersed DES.  All I do is append four bytes to
>the beginning of the output files for each cycle of triple DES.  It seems
>like this should provide even more security than triple DES, but I am no
>expert. Any comments?  Please include "dct at newt.cs.byu.edu" in your replies,
>as I am unable to maintain access to the mailing list because of volume.
>Thanks.

>David C. Taylor
>dct at newt.cs.byu.edu

You have to be really careful when you invent new cipher modes, almost
as much as when you invent an entire new cipher.

It sounds like you have weakened 3-DES.  Where do you get these 4 bytes?
If they are fixed or deterministically generated, you will have made it
possible for an attacker who can brute-force 1-DES (e.g., with a Wiener
machine) to "peel off" each single DES key.  Instead of a 112 (or 168) bit
work factor (as with 3-DES), you'd end up with a 57 or 58 bit work factor.

If you randomly generate the 4 bytes, you have to carefully evaluate your
random number method.  In any case it sounds like your mode is the weaker
of 3-des and 1-des*(the complexity of your random bit generator).

Perhaps I don't understand how your scheme works.  Also, what intuition
makes you think that it's stronger than plain old 3-DES?

-matt
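
Added example, not part of the original message and not the poster's program: a toy model of the "peel off" attack described in the reply, using a made-up 64-bit block cipher with a 16-bit key in place of DES. It assumes each cycle encrypts its input in ECB mode and prepends a fixed 4-byte header (`HEADER`, hypothetical) to the output, and that the attacker knows the first 8 bytes of the plaintext for the innermost layer; all function names are illustrative.

```python
# Added example: toy model of the peeling attack; not real DES, not the poster's code.
MASK = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15           # odd, hence invertible mod 2**64
INV = pow(MUL, -1, 1 << 64)
HEADER = b"DDES"                   # assumption: fixed, publicly known 4 bytes
KEY_BITS = 16                      # toy key size standing in for DES's 56 bits

def _round_keys(k):
    return [((k + 1) * 0xD6E8FEB86659FD93 + r * 0xA5A5A5A5A5A5A5A5) & MASK for r in range(4)]

def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK

def enc_block(x, k):
    for rk in _round_keys(k):
        x = _rotl(((x ^ rk) * MUL) & MASK, 23)
    return x

def dec_block(x, k):
    for rk in reversed(_round_keys(k)):
        x = ((_rotl(x, 41) * INV) & MASK) ^ rk   # rotl 41 undoes rotl 23
    return x

def _ecb(data, k, fn):             # processes whole 8-byte blocks only
    return b"".join(fn(int.from_bytes(data[i:i + 8], "big"), k).to_bytes(8, "big")
                    for i in range(0, len(data) - 7, 8))

def dispersed_encrypt(plaintext, keys):
    out = plaintext
    for k in keys:                 # each cycle: zero-pad, encrypt, prepend header
        out = HEADER + _ecb(out + b"\0" * (-len(out) % 8), k, enc_block)
    return out

def peel(body, known_prefix):      # search ONE layer's key via its known first bytes
    first = int.from_bytes(body[:8], "big")
    for k in range(1 << KEY_BITS):
        if dec_block(first, k).to_bytes(8, "big").startswith(known_prefix):
            return k
    raise ValueError("no key matches")

def attack(ciphertext, known_plaintext):
    """Recover [k1, k2, k3] one layer at a time; returns (keys, plaintext, trials)."""
    body, keys, trials = ciphertext[len(HEADER):], [], 0
    for prefix, strip in ((HEADER, 4), (HEADER, 4), (known_plaintext, 0)):
        k = peel(body, prefix)
        keys.insert(0, k)
        trials += k + 1
        body = _ecb(body, k, dec_block)[strip:]
    return keys, body, trials
```

Because the header gives each outer layer its own known plaintext, the search costs at most 3 × 2^16 trial decryptions in this toy instead of the 2^48 needed to guess all three keys together.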





