double encryption

Volker Gaibler
Wed Jun 12 01:59:01 2002

Hello Adrian,

On Tue, Jun 11, 2002 at 08:37:11AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> I'm surprised. But then, I'm not an expert. Can you tell me why, or
> point me to a reference?

This is mentioned roughly in the presentation, Ryan referred to (Tue, 11 Jun 
2002 10:34:54 -0500) and many crypto books write about that. 
It's called Meet-in-the-middle-attack. 

What you need for that is one known 8 byte plaintext/ciphertext pair P/C
(what is a really low requirement in cryptography). We use two different
keys K1 and K2 for 2DES.

You encrypt the plaintext P by all possible keys K1 and store it in a
hash table with the output you get when encrypting the known plaintext P
with K1. Then you decrypt the known ciphertext C by all possible keys K2
and always look at once, if the output is in the table (output of
encryption). If you find it you know the key K2 and you know K1 from the
table. This needs 2^57 en/decryptions and storage of 2^56 encrypted
blocks. If you draw a diagram, you'll easily see this.

The computation time is absolutly no problem, only the storage is a
little bit huge. But there are time-memory-tradeoffs to save storage by
computing a little bit longer. Don't understand this wrong: It's still
not very easy, but 2^57 units of computing time is desasterous for a
112bit cipher as 2DES and therefore absolutly insecure.

Hope that this helped you a little bit understanding it.


 Volker Gaibler                                 contact:         
 OpenPGP key: 0x86ECAC0B
 get my public key from website above