1995-10-29 - Re: MD4-derived hash functions

Header Data

From: daw@quito.CS.Berkeley.EDU (David A Wagner)
To: cypherpunks@toad.com
Message Hash: 84f452fe247c9f00f5063247ed6f44e83a3bb6fd131af2d3a3f70f1b9d01978b
Message ID: <199510290028.UAA12628@book.hks.net>
Reply To: <199510270413.VAA29718@ix7.ix.netcom.com>
UTC Datetime: 1995-10-29 00:46:40 UTC
Raw Date: Sun, 29 Oct 1995 08:46:40 +0800

Raw message

From: daw@quito.CS.Berkeley.EDU (David A Wagner)
Date: Sun, 29 Oct 1995 08:46:40 +0800
To: cypherpunks@toad.com
Subject: Re: MD4-derived hash functions
In-Reply-To: <199510270413.VAA29718@ix7.ix.netcom.com>
Message-ID: <199510290028.UAA12628@book.hks.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In article <199510270413.VAA29718@ix7.ix.netcom.com>,
John Lull <lull@acm.org> wrote:
> 
> Even for 2DES, or for 3-key 3DES, doesn't a meet in the middle attack
> require on the order of 2^56 words of memory?
> 

Actually, as it turns out, van Oorschot & Wiener have a recent paper
which describes how to break 2DES without the huge space requirements
without sacrificing too much time (by using their parallel collision
search method).  They estimated the cost to break 2DES via specialized
hardware, and decided that breaking 2DES was only about 2^14 times as
costly as breaking DES.

The conclusion to take away from this is simple: double encryption
doesn't give you much extra security over single encryption.  Don't
use double encryption.
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMJLKmSoZzwIn1bdtAQEk5gF/VtAgBNgB6o8SrTWSSMaciikdzoVCIqYF
JdXxs4pWt6ueY8WVsSEj5yU5EKAT0/4M
=6YNF
-----END PGP SIGNATURE-----





Thread