From: Matt Blaze <mab@crypto.com>
Date: Thu, 26 May 94 08:11:22 PDT
To: dct@python.cs.byu.edu
Subject: Re: dispersed DES
In-Reply-To: <1994May26.144642.22363@crypto.com>
Message-ID: <9405261503.AA23050@crypto.com>
MIME-Version: 1.0
Content-Type: text/plain


In local.cypherpunks you write:

>I have come up with (and implemented) a version of triple DES for true
>paranoids, which I call dispersed DES.  All I do is append four bytes to
>the beginning of the output files for each cycle of triple DES.  It seems
>like this should provide even more security than triple DES, but I am no
>expert. Any comments?  Please include "dct@newt.cs.byu.edu" in your replies,
>as I am unable to maintain access to the mailing list because of volume.
>Thanks.

>David C. Taylor
>dct@newt.cs.byu.edu

You have to be really careful when you invent new cipher modes, almost
as much as when you invent an entire new cipher.

It sounds like you have weakend 3-DES.  Where do you get these 4 bytes?
If they are fixed or deterministically generated, you will have made it
possible for an attacker who can brute-force 1-DES (e.g., with a Weiner
machine) to "peel off" each single DES key.  Instead of a 112 (or 168) bit
work factor (as with 3-DES), you'd end up with a 57 or 58 bit work factor.

If you randomly generate the 4 bytes, you have to carefully evaluate your
random number method.  In any case it sounds like your mode is the weaker
of 3-des and 1-des*(the complexity of your random bit generator).

Perhaps I don't understand how your scheme works.  Also, what intuition
makes you think that it's stronger than plain old 3-DES?

-matt