From dawagner@flagstaff.princeton.edu Wed Jun 21 08:46:14 EDT 1995
Article: 36299 of sci.crypt
Path: cnn.Princeton.EDU!flagstaff.princeton.edu!dawagner
From: dawagner@flagstaff.princeton.edu (David A. Wagner)
Newsgroups: sci.crypt
Subject: Re: independent DES keys are not extra secure
Date: 21 Jun 1995 12:39:15 GMT
Organization: Princeton University
Lines: 40
Message-ID: <3s93tj$nrc@cnn.Princeton.EDU>
References: <3s6i97$5ms@cyber.tn.tudelft.nl> <3s76f1$hud@blackice.winternet.com>
NNTP-Posting-Host: flagstaff.princeton.edu
In article <3s76f1$hud@blackice.winternet.com>,
Bruce Schneier wrote:
>
> I think independent subkeys can be a good idea, if the keys bits are
> available. It certainly can't hurt,
>
Sure it can! It opens you up to nasty nasty related key attacks.
Just a trivial attack breaks DES with independent subkeys with 16
chosen related key queries (and ~ 32 chosen plaintexts). I'd bet
it's not too hard to come up with even better related key attacks
if you spend an hour or two...
Do you really trust your protocol to protect you against that kind
of attack? I'd guess lots of protocols don't.
I think the importance of the key schedule is often underestimated.
P.S. Here's the silly related key attack I was thinking of.
Obtain E(K,P), E(K,Q), E(K',P), and E(K',Q) with two chosen
plaintext queries, where K' is obtained by flipping one bit in
the last round subkey of K, and P,Q are any two known plaintexts.
Now concentrate on S-box 1 in the last round: you know the input
(up to an xor with 6 key bits) and you know the xor of the output
for K and K'; so you can find those 6 key bits entering S-box 1
in the last round. Continue, deriving the entire round 16 subkey.
You can now peel off the last round and attack DES with 15 rounds
of independent subkeys: i.e. get E(K'',P) and E(K'',Q) where K''
is obtained by flipping one bit in the 15th round subkey of K.
Etc. etc.
Of course, this attack doesn't work at all when you use the DES
key schedule: you can't flip just one bit in the last round subkey
without flipping other rounds' subkey bits at the same time.
-------------------------------------------------------------------------------
David Wagner dawagner@princeton.edu