Banks and 128 bit DES
Padgett 0sirius
padgett at gdi.net
Mon, 20 Mar 2000 23:02:07 -0500
>I've heard this (or equivalent) statement a number of times recently, but
>have not been able to find a reference to such a result. Both Schneier and
>MvOV say the same thing... that the best attack against 2-key is 2^120/p
>(where p is the number of known plaintexts, and is better than 2^112 when
>p > 256), whereas the best attack against 3-key is 2^112, flat, and
>requires chosen plaintexts. Both require 2^56 (or 2^57) storage. So, in
>practice, there really is an advantage to 3-key.

Like I said, when teaching to novices I avoid the "Boring Math". I agree
there is a difference, however it is Not Very Much and since we are not
dealing in fractals, may be discarded. For the foreseeable future it is
cheaper to buy an employee than it is to attack a key greater than 2^90 and
2^112 is A Lot More. It is more meaningful to determine what is enough.
In a world of computers, I tend to use register sizes as quanta. For 32 or
64 bit registers, 64 and 128 are nice numbers and 112 bit 3DES uses 64 and
is "Good Enough".
So triple-key 3DES may be slightly better than two-key 3DES but both are
strong enough that brute force attacks on either are nonsensical so the
minor added strength is no real advantage. However 168 bit keys are
verboden in some parts of the world where 112/128 is legal so there is a
political disadvantage.
I really need to take the time to publish my thesis on "Quantum Economics
or The Theory of Good Enough"(C). It goes into the linear nature of
advance below the curve and the need for step change above.
A. Padgett Peterson, P.E., CISSP: Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html
mailto:padgett@gdi.net PGP 6.5 Key on request