Cryptanalysis of multiple modes of operation
In recent years, several new attacks on DES were introduced. These attacks have led researchers to suggest stronger replacements for DES, and in particular new modes of operation for DES. The most popular new modes are triple DES variants, which are claimed to be as secure as triple DES. To speed up hardware implementations of these modes, and to increase the avalanche, many suggestions apply several standard modes sequentially. In this paper we study these multiple (cascade) modes of operation. This study shows that many multiple modes are much weaker than multiple DES, and their strength is comparable to a single DES.
We conjecture that operation modes should be designed around an underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round. Thus, in particular, triple DES used in CBC mode is more secure than three single DES's used in triple CBC mode. Alternatively, if several encryptions are applied to each block, the best choice is to concatenate them to one long encryption, and build the mode of operation around it.
KeywordsMultiple Mode Data Encryption Standard Linear Cryptanalysis Differential Cryptanalysis Plaintext Attack
Unable to display preview. Download preview PDF.
- Eli Biham, On Matsui's Linear Cryptanalysis, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'94, to appear.Google Scholar
- Eli Biham, Alex Biryukov, An Improvement of Davies' Attack on DES, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'94, to appear.Google Scholar
- Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.Google Scholar
- Eli Biham, Adi Shamir, Differential Cryptanalysis of the full 16-round DES, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'92, pp. 487–496, 1992.Google Scholar
- D. W. Davies, Investigation of a Potential Weakness in the DES Algorithm, 1987, private communication.Google Scholar
- Carl Ellison, private communications, 1993.Google Scholar
- Shimon Even, Oded Goldreich, On the Power of Cascade Ciphers, ACM Transactions on Computer Systems, Vol. 3, NO. 2, pp. 108–116, May 1985.Google Scholar
- Burt Kaliski, Triple-DES: A Brief Report, RSA laboratories, private communication, October 29, 1993.Google Scholar
- Mitsuru Matsui, Linear Cryptanalysis Method for DES Cipher, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'93, pp. 386–397, 1993.Google Scholar
- Ueli M. Maurer, James L. Massey, Cascade Ciphers: The Importance of Being First, Journal of Cryptology, Vol. 6, No. 1, pp. 55–61, 1993.Google Scholar
- Shoji Miyaguchi, Akira Shiraishi, Akihiro Shimizu, Fast Data Encryption Algorithm FEAL-8, Review of electrical communications laboratories, Vol. 36, No. 4, pp. 433–437, 1988.Google Scholar
- National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS pub. 46, January 1977.Google Scholar
- National Bureau of Standards, DES Modes of Operation, U.S. Department of Commerce, FIPS pub. 81, December 1980.Google Scholar
- Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple Encryption, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'90, pp. 318–325, 1990.Google Scholar
- Bart Preneel, Marnix Nuttin, Vincent Rijmen, Johan Buelens, Cryptanalysis of the CFB Mode of the DES with a Reduced Number of Rounds, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'93, pp. 212–223, 1993.Google Scholar
- Akihiro Shimizu, Shoji Miyaguchi, Fast Data Encryption Algorithm FEAL, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'87, pp. 267–278, 1987.Google Scholar
- Michael J. Wiener, Efficient DES Key Search, technical report TR-244, School of Computer Science, Carleton University, Ottawa, Canada, May 1994. Presented at the Rump session of CRYPTO'93, August 1993.Google Scholar