paulo.barretoterra.com.br

• Next message: Eric Murray: "Re: OpenSSL 3DES inner chaining?"
• Previous message: Alan Olsen: "Info on Cobra128?"
• In reply to: Andi Kleen: "Re: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real work now begins)"
• Next in thread: Bill Stewart: "Re: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real work now begins)"
• Reply: Paulo S. L. M. Barreto: "Re: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real work now begins)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 09 Oct 2000, Andi Kleen wrote:

> My understanding was that the linear attack on DES requires 2^43 chosen
> plaintexts, which makes it irrelevant in practice. I am wrong ?

Nowadays it's practical to attack DES by exhaustive search (2^56), so an attack
with complexity 2^43 can hardly be considered irrelevant (for being "too
complex", that is -- you could however say it's irrelevant because even brute
force is feasible, hence an attacker wouldn't bother to collect the necessary
known plaintexts to launch a linear attack). But keep in mind that the first
experimental cryptanalysis of DES was precisely an implementation of a linear
attack.

OTOH, by "today's standards" I mean the criteria used to assess AES candidates
-- namely, that any attack faster than exhaustive search is enough to label the
cipher "broken". Because of this, DES wouldn't survive even the first round
AES, had it suitable block and key sizes.

Cheers,

Paulo.

• Next message: Eric Murray: "Re: OpenSSL 3DES inner chaining?"
• Previous message: Alan Olsen: "Info on Cobra128?"
• In reply to: Andi Kleen: "Re: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real work now begins)"
• Next in thread: Bill Stewart: "Re: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real work now begins)"
• Reply: Paulo S. L. M. Barreto: "Re: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real work now begins)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]