[19640] in cryptography@c2.net mail archive


RE: long-term GPG signing key

daemon@ATHENA.MIT.EDU (Trei, Peter)
Tue Jan 17 10:18:01 2006

X-Original-To: cryptography@metzdowd.com
Date: Fri, 13 Jan 2006 09:57:25 -0500
From: "Trei, Peter" <ptrei@rsasecurity.com>
To: "Alexander Klimov" <alserkli@inbox.ru>
Cc: <cryptography@metzdowd.com>

Alexander Klimov wrote:

>On Wed, 11 Jan 2006, Ian G wrote:

>> Even though triple-DES is still considered to have avoided that trap,

>> its relatively small block size means you can now put the entire
>> decrypt table on a dvd (or somesuch, I forget the maths).

> This would need 8 x 2^{64} bytes of storage which is approximately
> 2,000,000,000 DVD's (~ 4 x 2^{32} bytes on each).

> Probably, you are referring to the fact that during encryption of
> a whole DVD, say, in CBC mode two blocks are likely to be the
> same since there are an order of 2^{32} x 2^{32} pairs.

I've actually seen something like this happen in real life.

As you know, RSA has been running a series of 'Secret Key
Challenges', wherein we ask people to try to brute-force
messages encrypted with RC5 at various keystrengths. There is
a cash prize for the person turning in the correct response.
The messages are encrypted in CBC mode with 32 bit blocks.
The start of the message has a known plaintext.

Most of the recent challenges have been won by distributed.net.
While they were working on the 64 bit challenge, I received an
email saying that a proposed solution had been found, and was asked
to check it. (We set up the challenges in such a way that the
correct keys are unknown, even to us).

The supplied key correctly decrypted the first block, but the
rest were gibberish. After scratching our heads, we realized
that d.net had found a collision.

It was almost a year later they found the correct key, for the
$10,000 prize. They immediately started on the 72 bit challenge.
(I'm not holding my breath).

Peter Trei



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
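
The false positive described in the message above, as an added example that is not part of the original post and is not RSA's or distributed.net's code. It assumes a toy Feistel cipher with a 12-bit block and a 16-bit key space (both constructed for illustration, as are the key, IV and plaintext) and shows that checking a candidate key against a single known block in CBC mode accepts several wrong keys, while checking the remaining blocks leaves only the real one.

```python
import hashlib

# Toy parameters, constructed for illustration (not the challenge's cipher or sizes).
BLOCK_BITS, ROUNDS = 12, 4
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1
KEY_SPACE = 1 << 16                      # small enough to search exhaustively
TRUE_KEY, IV = 0xBEEF, 0x5A5             # constructed sample key and IV
PLAINTEXT = [0x54A, 0x0C3, 0x7E1, 0x29F, 0xA06, 0x3D8]  # constructed 12-bit blocks

def _f(key, rnd, half):
    """Keyed round function: SHA-256 of (key, round, half), cut to half a block."""
    return hashlib.sha256(b"%d:%d:%d" % (key, rnd, half)).digest()[0] & MASK

def encrypt_block(key, block):
    l, r = block >> HALF, block & MASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << HALF) | r

def decrypt_block(key, block):
    l, r = block >> HALF, block & MASK
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << HALF) | r

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(key, p ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(decrypt_block(key, c) ^ prev)
        prev = c
    return out

def search(iv, ciphertext, known_first_block):
    """Every key whose decryption of block 0 yields the known plaintext."""
    return [k for k in range(KEY_SPACE)
            if decrypt_block(k, ciphertext[0]) ^ iv == known_first_block]

def demo():
    ct = cbc_encrypt(TRUE_KEY, IV, PLAINTEXT)
    first = search(IV, ct, PLAINTEXT[0])           # one-block check only
    confirmed = [k for k in first if cbc_decrypt(k, IV, ct) == PLAINTEXT]
    return first, confirmed                        # expect about 2**16 / 2**12 = 16 in first

if __name__ == "__main__":
    first, confirmed = demo()
    print(len(first), "keys pass the first-block check; confirmed:", confirmed)
```

With a key space of 2^k and a b-bit block, a one-block check is expected to pass about 2^(k-b) wrong keys, so a key-search verifier should test at least one further block before reporting a hit.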
