
I know that DES has 56 independent key bits, and that 3DES has 168 independent key bits by using 3 separate 56-bit DES keys. 3DES also has a block size of 64 bits.

If I use 3DES as the underlying block cipher to construct a Davies-Meyer compression function, what would be the input/output size of this compression function?

Wikipedia states the following about Davies-Meyer compression functions:

If the block cipher uses for instance 256-bit keys then each message block $M_i$ is a 256-bit chunk of the message. If the same block cipher uses a block size of 128 bits then the input and output hash values in each round is 128 bits.

Does this mean that if 3DES is used as the block cipher, the compression function has message blocks of 168 bits? And input/output hash values of 64 bits?

Also, what would be the total input size-->output size mapping for the compression function?

tripleee
mjg4
  • If this is homework, you did it fine IMHO. The answer to the question in the last paragraph immediately follows from that of the questions in the butlast paragraph (which I find reasonable), and settling if "total input" includes $H_{i-1}$ (if we consider that it does and the academic context permits, we should tell we did; in an MCQ, I would probably opt for that, and mentally lament at ambiguity in MCQ). Suggestion: next time, resize down the image. – fgrieu Dec 01 '23 at 04:45
  • Follow-up questions: How could collision-resistance of this function be broken with a PC considering output size alone? What if we consider that DES has an 8-byte key? A hard one: we use this compression function in a toy Merkle-Damgård hash (with the 168-bit block size in the question). Does DES's complementation property or/and its weak keys allow to break collision resistance without a computer? – fgrieu Dec 01 '23 at 05:26
  • @fgrieu thanks for the response. For my question about the total mapping size, I’ve understood this to mean that the mapping for the Davies-Meyer compression function would be 168+64=232 bits of input to —> 64 bits of output? Or should I not include the 168 key bits as part of the input size since that’s not actually the message being encoded? Your follow-up questions are interesting, I'll think them over and get back to you if I have any solid answers, thanks! – mjg4 Dec 01 '23 at 14:01
  • If only one input is accounted for, it must be the 168-bit one, because in Merkle-Damgård using the Davies-Meyer construction, this input is freely chosen by adversaries. But I believe your 168+64=232 is fine because 1) If "total" has a meaning, it must be that we account for the two inputs of the Davies-Meyer compression function. 2) Commonly, proof of security of Merkle-Damgård using the Davies-Meyer compression function assumes that DM is collision-resistant for adversaries in control of both inputs, even though they have only partial control on the chaining input (here the 64-bit one). – fgrieu Dec 01 '23 at 18:43
  • @fgrieu If I were to express this compression function in terms of mathematical notation, could I say f: {0,1}^168 x {0,1}^64 -> {0,1}^64 ? Rather than arguing with language that there is a total input of 232 bits. I appreciate your help. In relation to your follow-up questions, the 64-bit block size could leave it vulnerable to a birthday attack, could this endanger the collision resistance of a Merkle-Damgard hash that is constructed using this compression function? – mjg4 Dec 01 '23 at 23:45
  • Yes, stating the full input domain of this particular DM function is best. Notice that the question might have another ambiguity: formally, the key input of DES is 8 bytes, with 8 out of the 64 bits either ignored, or each checked to be the NXOR of 7 other ones (that's to weaken DES as decided by US authorities circa 1975). On the followups: yes 64-bit output leaves DM, and with it MD, vulnerable to collision with computation feasible by one PC. Today we need like 160 output bits at least for good collision resistance. – fgrieu Dec 02 '23 at 06:58
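
The interface settled on in the comments, f: {0,1}^168 x {0,1}^64 -> {0,1}^64, together with the birthday bound on its output, as an added example that is not part of the original thread. The block cipher is a stand-in (a 4-round Feistel network built from SHA-256), not 3DES, and the function names and the `out_bits` truncation parameter are assumptions made for the illustration; truncating the output lets the roughly 2^(n/2) collision cost be observed in seconds.

```python
import hashlib

KEY_BITS, BLOCK_BITS = 168, 64  # 3DES-shaped interface from the question


def toy_encrypt(key: int, block: int) -> int:
    """Stand-in 64-bit block cipher with a 168-bit key. NOT 3DES."""
    left, right = block >> 32, block & 0xFFFFFFFF
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    for rnd in range(4):
        data = key_bytes + bytes([rnd]) + right.to_bytes(4, "big")
        f_out = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
        left, right = right, left ^ f_out
    return (left << 32) | right


def davies_meyer(m: int, h_prev: int) -> int:
    """H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}: the message block is the cipher key."""
    if not (0 <= m < 1 << KEY_BITS and 0 <= h_prev < 1 << BLOCK_BITS):
        raise ValueError("m must fit in 168 bits and h_prev in 64 bits")
    return toy_encrypt(m, h_prev) ^ h_prev


def birthday_collision(h_prev: int, out_bits: int):
    """Find m1 != m2 whose outputs agree on the low out_bits bits.

    Returns (m1, m2, evaluations). The chaining value is held fixed and only
    the 168-bit message input is varied, as in a Merkle-Damgard setting.
    """
    mask = (1 << out_bits) - 1
    seen = {}
    m = 0
    while True:
        tag = davies_meyer(m, h_prev) & mask
        if tag in seen:
            return seen[tag], m, m + 1
        seen[tag] = m
        m += 1


if __name__ == "__main__":
    h0 = 0x0123456789ABCDEF  # constructed chaining value
    for n in (16, 24, 32):
        m1, m2, tries = birthday_collision(h0, n)
        print(f"{n}-bit output: collision after {tries} evaluations "
              f"(2^(n/2) = {1 << (n // 2)}), m1={m1}, m2={m2}")
```

The evaluation count tracks 2^(n/2) as `out_bits` grows, which is why a full 64-bit output puts collisions at around 2^32 evaluations.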
