I came across this question regarding the security of Quadruple DES (hypothetically DES done four times) in CBC encryption mode vs the security of AES-128 in CBC encryption mode. What parameters help to decide the security, assuming 4 different keys (or the other case with k1, k2, k3, k1) so the key length would be 224 bits (3DES provides 100-bit security level) vs 128 bits for AES?
1 Answer
In some applications, a serious limiting factor for the security of 4DES is its 64-bit block size. In common modes of operation, that limits the security to data sizes that are insufficient for many applications nowadays. It makes 4DES much less secure than AES-128 is.
For example, assume a VPN in CBC mode using a fixed key. Assume an adversary injects known traffic consisting of a known repeated byte representing 99.9% of the payload for 64 GiB of reference ciphertext, then gets another 64 GiB of actual ciphertext. With good probability there is at least one match between one of the $2^{33}$ blocks (of 8 bytes) of the reference traffic and the $2^{33}$ blocks of the actual traffic. And any such matching block can be deciphered correctly with >99% probability.
If we want residual risk at most $\epsilon$ that this kind of attack succeeds, we need to limit the traffic with the same key to about $2^{36}\,\sqrt\epsilon$ bytes. For a residual risk of one in a million, that's about 64 MiB, not a lot by modern standards.
While DES-CTR with a non-overlapping counter is less susceptible to this attack than DES-CBC, such a mode is unusual, impractical, and remains vulnerable to a distinguishing attack at a similar data size threshold.
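The per-key traffic bound from the answer above, worked through as an added example (not part of the original answer) and generalized to any block size so the 64-bit and 128-bit cases can be compared. It models CBC ciphertext blocks as uniformly random values; the function names and the toy 16-bit simulation are assumptions made for illustration.

```python
import math
import random


def match_probability(ref_blocks, target_blocks, block_bits):
    """Probability that at least one target ciphertext block equals a
    reference ciphertext block, with blocks modelled as uniform b-bit values."""
    expected_matches = ref_blocks * target_blocks / 2 ** block_bits
    return -math.expm1(-expected_matches)  # 1 - exp(-x), stable for small x


def per_key_limit_bytes(block_bits, epsilon):
    """Total traffic (reference half + target half) under one key that keeps
    the match probability at about epsilon (small-epsilon approximation)."""
    # n blocks on each side: n*n / 2^b = epsilon  ->  n = 2^(b/2) * sqrt(epsilon)
    n = 2 ** (block_bits / 2) * math.sqrt(epsilon)
    return 2 * n * (block_bits // 8)


def simulate(block_bits, n, trials, seed=1):
    """Empirical check of the model on a toy block size (constructed data)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ref = {rng.getrandbits(block_bits) for _ in range(n)}
        if any(rng.getrandbits(block_bits) in ref for _ in range(n)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Scenario from the answer: 64 GiB reference + 64 GiB target, 8-byte blocks.
    print("P(match), 2^33 x 2^33 blocks, 64-bit block: %.4f"
          % match_probability(2 ** 33, 2 ** 33, 64))
    for bits in (64, 128):
        limit = per_key_limit_bytes(bits, 1e-6)
        print("%3d-bit block, risk 1e-6: %.3e bytes (%.1f MiB)"
              % (bits, limit, limit / 2 ** 20))
    # Toy check: 16-bit blocks, 256 blocks per side -> model predicts ~0.632.
    print("model %.3f vs simulated %.3f"
          % (match_probability(256, 256, 16), simulate(16, 256, 2000)))
```

With a 64-bit block the limit at a residual risk of one in a million comes out near 65.5 MiB, matching the answer's "about 64 MiB"; with a 128-bit block the same risk allows $2^{33}$ times more traffic per key.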