OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: AW: q&d comparison (was Re: [Cryptix-Users] Rijndael - the real w ork now begins)
From: Kuehn, Ulrich (Ulrich.Kuehndresdner-bank.com)
Date: Tue Oct 10 2000 - 01:44:34 CDT

Von: Paulo S. L. M. Barreto [mailto:paulo.barretoterra.com.br]

> On Mon, 09 Oct 2000, Andi Kleen wrote:
>
> > My understanding was that the linear attack on DES requires 2^43 chosen
> > plaintexts, which makes it irrelevant in practice. I am wrong ?
>
> Nowadays it's practical to attack DES by exhaustive search (2^56), so an
attack
> with complexity 2^43 can hardly be considered irrelevant (for being "too
> complex", that is -- you could however say it's irrelevant because even
brute
> force is feasible, hence an attacker wouldn't bother to collect the
necessary
> known plaintexts to launch a linear attack). But keep in mind that the
first
> experimental cryptanalysis of DES was precisely an implementation of a
linear
> attack.

Wait, the number you cite is the amount of known plaintext, not the work
required! Actually the Matsui paper speaks of 2^47 known plaintexts, maybe
that is due to a higher probability of success.
But nevertheless, you are right in saying that the amount of work involved
is not the problem. But the amount of known plaintext definitely is! DES as
a 64 bit block cipher cannot be recommended for encrypting more that about
2^32 plaintexts, at least in ECB and CBC mode.

Ciao,
Ulrich