Header Data

From: Jim Gillogly <jim@rand.org>
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Message Hash: 66df86a6865f2e21feefe0b7df1c541e55319dccc8c975b11c066fb3d93915ce
Message ID: <199502140147.RAA17640@mycroft.rand.org>
Reply To: <199502140131.RAA17561@mycroft.rand.org>
UTC Datetime: 1995-02-14 01:48:00 UTC
Raw Date: Mon, 13 Feb 95 17:48:00 PST

Raw message

From: Jim Gillogly <jim@rand.org>
Date: Mon, 13 Feb 95 17:48:00 PST
To: cypherpunks@toad.com (Cypherpunks Mailing List)
In-Reply-To: <199502140131.RAA17561@mycroft.rand.org>
Message-ID: <199502140147.RAA17640@mycroft.rand.org>
MIME-Version: 1.0
Content-Type: text/plain

> Jim Gillogly <jim@rand.org> writes:
>...I don't have the message from voorhees that he responded to.

Woops, just found it.  This is the predecessor to my previous forward
from x9a3, relating to Triple DES (3DES), complete with votes.

	Jim Gillogly
	Mersday, 24 Solmath S.R. 1995, 01:46


From: voorhees@interport.net
Newsgroups: talk.politics.crypto
Subject: Triple-DES
Date: 12 Dec 1994 00:24:24 GMT
Organization: Interport Communications
Lines: 87
Message-ID: <3cg57o$hvq@interport.net>
Reply-To: voorhees@interport.net
NNTP-Posting-Host: voorhees.port.net
X-Newsreader: IBM NewsReader/2 v1.03

The following post is from Rich Ankeny, a member of
X9F1 and possibly F3, too.

He does not have easy access to newsgroups, so I am
posting it on his behalf.


I have a few comments on triple DES:

1.  X9F1 to Develop the Standard?

I read with interest your recent Usenet post about triple DES. I was not
aware that Marty Ferris (X9F chair) had already (offically) decided to
give the work to Blake. We (various X9F1/3 members) had figured the way
to delay it the longest is to form a new working group (X9F5:-).

2.  Blake's Opinions

Blake's claim is that triple DES (with two keys) is not 112 bits strong;
in fact it is somewhere between 70 and 80 bits strong. He gives no
details to back this up, though.  His other objection is that, since there
are only 32 bits input to the DES S-boxes in each round, at some point in
the future (say 10 years or so) this can be "cryptanalyzed" using table
lookups rather than test encryptions or other means, even on a desktop
sized machine (with lots of memory).  This is actually a reasonable
prediction, but it applies to single DES.  As to two-key triple DES, the
only published attack I'm aware of is a paper by Paul van Oorschot and
Michael Wiener of BNR (cited in Applied Cryptography, among other places);
their attack uses *lots* of memory and running time of less than 2^100
steps. I guess it all depends on who you think is the better
cryptanalyst:-)  Anyway, the X9 proposal was to use three-key triple DES;
one would hope that's at least 112 bits strong.

3.  The X9 Vote

I got the voting record from X9 on the triple DES NWI:

YES:  Applied Communications, AT&T, Bank of America, Bank of Boston,
Chemical Bank, Deluxe Check Printers(!), Federal Reserve, Fidelity
Investments, Mastercard, Mellon Bank, VISA, Wells Fargo.

NO:  NSA, NationsBank (their rep is X9 chair).

ABSTAIN:  ABA, American Express, Canadian Bankers Assoc., Moore Business
Forms, NIST, Unisys, Xerox.

10 members didn't return their ballots, including Citibank, Chase
Manhattan, and IBM.  This is not unusual for larger organizations
where the ballots sit on someone's desk for three or four months.  I
imagine many will be voting on the reconsideration ballot.

NO votes must have reasons, and abstentions typically do as well:

NSA:  We've seen their reasons already in earlier postings.
NationsBank:  Too much controversy and too many open issues (based, I
   would think, on the NSA comments)
ABA:  Concerned about the NSA comments (esp. exportability) and that
   adopting triple DES now would affect the number of options available
   in the long term.  ABA is opposed to Clipper/Capstone as currently
   proposed.  In particular:  (a) it must have congressional support,
   (b) at least one escrow agent must be a private sector entity, (c) it
   must be exportable, (d) there must be a *demonstrable* mechanism
   whereby escrow keys used in wiretap equipment cannot be compromised
   and are destroyed at the end of the wiretap period, (e) the
   algorithm must be unclassified or made available for an acceptable
   evaluation procedure by the banking industry, and (f) analysis of other
   issues is needed, including possiblity of software implementation, and
   compatibility with installed DES infrastructure.
Federal Reserve:  Supports triple DES, as an immediate alternative to DES.
   Also offers some much less negative wording for the reconsideration
   ballot.  (The original ballot did everything but recommend a NO vote.)

I don't have Usenet access (without "borrowing" a friend's account), so
please feel free to repost any of this you feel might interest the
EFF and other newsgroups.

Rich Ankney
(Fischer Int'l)