2

I came across this question regarding the security of Quadruple DES (hypothetically DES done four times) in CBC encryption mode vs the security of AES-128 in CBC encryption mode. What parameters help to decide the security, assuming 4 different keys (or the other case with k1, k2, k3, k1), so the key length would be 224 bits (3DES provides 100-bit security level) vs 128 bits for AES?

shijuza

1 Answer

4

In some applications, a serious limiting factor for the security of 4DES is its 64-bit block size. In common modes of operation, that limits the security to data sizes that are insufficient for many applications nowadays. It makes 4DES much less secure than AES-128 is.

For example, assume a VPN in CBC mode using a fixed key. Assume an adversary injects known traffic consisting of a known repeated byte representing 99.9% of the payload for 64 GiB of reference ciphertext, then gets another 64 GiB of actual ciphertext. With good probability there is at least one match between one of the $2^{33}$ blocks (of 8 bytes) of the reference traffic and the $2^{33}$ blocks of the actual traffic. And any such matching block can be deciphered correctly with >99% probability.

If we want residual risk at most $\epsilon$ that this kind of attack succeeds, we need to limit the traffic with the same key to about $2^{36}\,\sqrt\epsilon$ bytes. For a residual risk of one in a million, that's about 64 MiB, not a lot by modern standards.

While DES-CTR with a non-overlapping counter is less susceptible to this attack than DES-CBC, such a mode is unusual, impractical, and remains vulnerable to a distinguishing attack at a similar data size threshold.

fgrieu
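The per-key data limit discussed in the answer above can be checked numerically. The following is an added example, not part of the original answer: it assumes CBC ciphertext blocks behave like uniform random values, splits the traffic evenly between reference and actual data, and uses hypothetical function names. It also generalizes to a 128-bit block for comparison, and verifies the approximation by simulation on a small 16-bit block.

```python
import math
import random

def match_probability(ref_bytes, actual_bytes, block_bits):
    """P(some reference ciphertext block equals some actual ciphertext block).
    Assumption: ciphertext blocks are uniform random block_bits-bit values."""
    block_bytes = block_bits // 8
    n_ref = ref_bytes // block_bytes
    n_act = actual_bytes // block_bytes
    expected_matches = n_ref * n_act / 2 ** block_bits
    return -math.expm1(-expected_matches)  # 1 - exp(-x), accurate for tiny x

def max_traffic_bytes(epsilon, block_bits):
    """Total bytes (reference + actual, split evenly) allowed under one key
    so that the match probability stays near epsilon (small epsilon)."""
    block_bytes = block_bits // 8
    blocks_per_side = 2 ** (block_bits / 2) * math.sqrt(epsilon)
    return 2 * block_bytes * blocks_per_side

def simulate(n_ref, n_act, block_bits, trials, seed=1):
    """Monte Carlo check of match_probability on a small block size."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ref = {rng.getrandbits(block_bits) for _ in range(n_ref)}
        if any(rng.getrandbits(block_bits) in ref for _ in range(n_act)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    gib64 = 64 * 2 ** 30
    print("64-bit block, 64 GiB + 64 GiB: p = %.4f"
          % match_probability(gib64, gib64, 64))
    print("128-bit block, same traffic:   p = %.3e"
          % match_probability(gib64, gib64, 128))
    for bits in (64, 128):
        limit = max_traffic_bytes(1e-6, bits)
        print("%3d-bit block, risk 1e-6: rekey after %.3e bytes (%.1f MiB)"
              % (bits, limit, limit / 2 ** 20))
    print("simulated, 16-bit block, 256 + 256 blocks: %.3f (formula %.3f)"
          % (simulate(256, 256, 16, 2000), match_probability(512, 512, 16)))
```

For a 64-bit block the limit works out to $2^{36}\sqrt\epsilon$ bytes, matching the figure in the answer; for a 128-bit block the same risk allows $2^{33}$ times more data.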