- Newsgroups: sci.crypt
- Path: sparky!uunet!newsgate.watson.ibm.com!yktnews!admin!aixproj!uri
- From: uri@watson.ibm.com (Uri Blumenthal)
- Subject: RSA FAQ & Differential Cryptanalysis
- Sender: news@watson.ibm.com (NNTP News Poster)
- Message-ID: <1992Nov20.195655.147884@watson.ibm.com>
- Date: Fri, 20 Nov 1992 19:56:55 GMT
- Reply-To: uri@watson.ibm.com
- Disclaimer: This posting represents the poster's views, not necessarily those of IBM
- References: <1992Nov20.175252.25182@decuac.dec.com>
- Nntp-Posting-Host: aixproj.watson.ibm.com
- Organization: Why do you care?
- Lines: 34
-
- Hi folks,
-
- In the FAQ (Version 1.0 draft 1e), RSADSI talks
- about DES and diff. cryptanalysis (page 35).
-
- Specifically, they say: "........This attack
- requires 2^47 chosen plaintexts, i.e.
- plaintexts chosen by the attacker.
- Changing the key frequently is                        <----
- not an adequate defense, because
- the attack tests each possible key
- as soon as it is generated during the
- attack; therefore the expected time to                (how can these coexist)
- succeed is not affected by key changes (as
- long as the chosen plaintexts are always encrypted    <----
- under the current key)."
-
-
- Now - it surely looks like manure to me. If I change the key,
- all you've done with your chosen plaintexts is supposed to go
- down the tube and you have to start from the very beginning,
- or at least this was my understanding. Am I wrong on this?
-
- How can it be possible that the expected time to succeed is
- not dependent on how often I change keys? Assume I have a
- counter, which automatically demands a new key as soon
- as 2^20 bytes are encrypted with the current one. How
- can such a scheme be vulnerable to diff. cryptan?
-
- --
- Regards,
- Uri. uri@watson.ibm.com
- ------------
- <Disclaimer>
-
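The two intuitions in the post can be separated with a toy model. The FAQ describes an attacker who tests each candidate key "as soon as it is generated"; the poster's intuition is that of an attacker who has to accumulate evidence under one key and loses it on rotation. The following simulation, added here as an illustration and not part of the original post or of the RSA FAQ, models both. It is not DES: the key space (2^12), the per-pair success probability (2^-8) and the rotation interval are constructed stand-ins, and each chosen-plaintext pair is abstracted to "suggests the key in use with probability P_RIGHT, otherwise a random wrong key". The function and constant names are the example's own.

```python
"""Toy model of 'immediate testing' versus 'vote counting' under key rotation.

Added example; the cipher, key space and probabilities are constructed
stand-ins, not DES's real parameters.  A chosen-plaintext pair is modelled
abstractly: with probability P_RIGHT it is a "right pair" that suggests the
key actually in use when it was encrypted, otherwise it suggests a uniformly
random wrong key.
"""
import random

KEY_SPACE = 4096      # constructed: 2^12 keys instead of DES's 2^56
P_RIGHT = 1 / 256     # constructed: 2^-8 per pair instead of roughly 2^-47


def expected_pairs_immediate(p=P_RIGHT, keys=KEY_SPACE):
    """Analytic expectation for the 'test each suggestion at once' attacker.

    Every pair independently succeeds with probability p (a right pair) plus
    (1 - p) / keys (a wrong suggestion that happens to equal the current key).
    The number of pairs until the first success is therefore geometric, and
    nothing in that distribution depends on how often the key rotates.
    """
    p_eff = p + (1 - p) / keys
    return 1 / p_eff


def _suggest(rng, true_key, p, keys):
    """One chosen-plaintext pair: the key candidate the analysis suggests."""
    if rng.random() < p:
        return true_key            # right pair: points at the key in use
    return rng.randrange(keys)     # wrong pair: random noise


def simulate_immediate(trials, rotate_every=None, p=P_RIGHT, keys=KEY_SPACE, seed=0):
    """Mean pairs until success when each candidate is checked immediately
    against the key currently in use (the FAQ's model).
    rotate_every=None means the defender never changes the key."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key = rng.randrange(keys)
        n = 0
        while True:
            if rotate_every and n and n % rotate_every == 0:
                key = rng.randrange(keys)       # defender rotates the key
            n += 1
            if _suggest(rng, key, p, keys) == key:
                break                           # candidate verified at once
        total += n
    return total / trials


def simulate_counting(trials, batch, rotate_every=None, p=P_RIGHT, keys=KEY_SPACE, seed=0):
    """Fraction of trials in which a 'collect votes, then test the winner'
    attacker recovers the key in use at the end of the batch.  This is the
    model behind the intuition that rotation throws away accumulated work."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = rng.randrange(keys)
        votes = {}
        for n in range(batch):
            if rotate_every and n and n % rotate_every == 0:
                key = rng.randrange(keys)       # earlier votes now point at a dead key
            cand = _suggest(rng, key, p, keys)
            votes[cand] = votes.get(cand, 0) + 1
        winner = max(votes, key=votes.get)
        wins += winner == key
    return wins / trials


if __name__ == "__main__":
    print("analytic expected pairs, immediate testing:", round(expected_pairs_immediate()))
    print("simulated, no rotation:    ", simulate_immediate(2000))
    print("simulated, rotate every 64:", simulate_immediate(2000, rotate_every=64))
    print("counting attacker, no rotation, success rate:   ", simulate_counting(200, 4096))
    print("counting attacker, rotate every 64, success rate:", simulate_counting(200, 4096, rotate_every=64))
```

Run as a script: the immediate-testing mean stays close to the analytic value with and without rotation, while the counting attacker's success rate collapses once the key changes every 64 pairs. In the toy model the defender's counter only helps against the second kind of attacker, which is exactly the distinction the FAQ draws when it says the attack tests each key as soon as it is generated.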