From: Andrew Loewenstern <andrew_loewenstern@il.us.swissbank.com>
Date: Wed, 23 Aug 95 09:54:33 PDT
To: dan@milliways.org (Dan Bailey)
Subject: Re: DES & RC4-48 Challenges
Message-ID: <9508231653.AA01631@ch1d157nwk>
MIME-Version: 1.0
Content-Type: text/plain


Dan Bailey writes:
>  According to Biham and Shamir's Differential Cryptanalysis of DES,
>  "An interesting feature of the new attack is that it can be applied
>  with the same complexity and success probability even if the key
>  is frequently changed and thus the collected ciphertexts are derived
>  from many different keys.  The attack can be carried out
>  incrementally, and one of the keys can be computed in real time
>  while it is still valid.  this is particularly important in attacks
>  on bank authentication schemes, in which the opponent needs only
>  one opportunity to forge a multi-million dollar wire transfer, but
>  has to act quickly before the next key changeover invalidates his
>  message.  This is the first published attack which is capable of
>  breaking the full DES in less than the complexity of the exhuastive
>  search of 2^55 keys." (7-8)
>  	The problem with this attack, of course, is generation and
>  analysis of all the required chosen plaintexts.

If I read this correctly, then the keys used for generation of the chosen  
plaintext-cyphertext pairs is irrelevant and once the required computation is  
done, one can crack any '...one of the keys can be cputed in real time while  
it is still valid.'..

So what, exactly does this mean?  Can I do most, if not all of the feeding of  
chosen plaintext into my personal DES box in my basement, do the required  
computation (admittedly there is a lot of work to do here), then go out and  
start breaking wire-transfers with a minimal of chosen plaintext?  That is  
what the above quotation would seem to imply.

Seems incredible...  I surely must be reading much more into the passage than  
is really there...

andrew