Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:28
Greg Rose (ggr@qualcomm.com)
Thu, 18 Feb 1999 09:29:39 -0800
At 18:58 17/02/99 -0700, staym@accessdata.com wrote:
>Given plaintext P and key Kn, calculate Cn=E(Kn,P). Take a subset of
>the bits of Cn and call them K(n+1). Repeat.
I assume you mean a 56-bit subset.
>If DES is close to a random function, this should have a period of about
>2^56. Does it?
No, it shouldn't. Menezes et. al. has a great summary treatment of this.
Most starting points should lead into a cycle after about 2^28 non-cycle
"tail" states. The biggest cycle should be of length about 2^28; there
should be about 28 cycles. (All of this from memory, please forgive me for
leaving out the constants and perhaps getting the exponents a little wrong.)
*That's* the behaviour that a random function would exhibit. If DES differs
from that, that's an interesting result. In particular, if it had the
behaviour you suggest, there'd be a 2^28 time, 2^28 memory, known plaintext
attack (I think) based on Hellmann's tradeoff.
Greg.
Greg Rose INTERNET: ggr@Qualcomm.com
Qualcomm Australia VOICE: +61-2-9181-4851 FAX: +61-2-9181-5470
Suite 410, Birkenhead Point, http://people.qualcomm.com/ggr/
Drummoyne NSW 2047 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:28