On the Security of Double and 2-Key Triple Modes of Operation

  • Helena Handschuh
  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1636)


The DES has reached the end of its lifetime due to its too short key length and block length (56 and 64 bits respectively). As we are awaiting the new AES, triple (and double) encryption are the common solution. However, several authors have shown that these multiple modes are much less secure than anticipated. The general belief is that these schemes should not be used, as they are not resistant against attacks requiring 264 chosen plaintexts. This paper extends the analysis by considering some more realistic attack models. It also presents an improved attack on multiple modes that contain an OFB mode and discusses practical solutions that take into account realistic constraints.


Block Cipher Replay Attack Double Mode Linear Cryptanalysis Collision Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    ANSI draft X9.52, “Triple Data Encryption Algorithm Modes of Operation,” Revision 6.0, 1996.Google Scholar
  2. 2.
    M. Bellare, A. Desai, E. Jokipii, P. Rogaway, “A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation,” Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.Google Scholar
  3. 3.
    E. Biham, “New types of cryptanalytic attacks using related keys,” EUROCRYPT’93, LNCS 765, Springer-Verlag, 1994, pp. 398–409.Google Scholar
  4. 4.
    E. Biham, “On modes of operation,” Fast Software Encryption’93, LNCS 809, Springer-Verlag, 1994, pp. 116–120.Google Scholar
  5. 5.
    E. Biham, “Cryptanalysis of multiple modes of operation,” ASIACRYPT’94, LNCS 917, Springer-Verlag, 1994, pp. 278–292.Google Scholar
  6. 6.
    E. Biham, “Cryptanalysis of triple-modes of operation,” Technion Technical Report CS0885, 1996.Google Scholar
  7. 7.
    E. Biham, L. R. Knudsen, “Cryptanalysis of the ANSI X9.52 CBCM mode,” EUROCRYPT’98, LNCS 1403, Springer-Verlag, 1998, pp. 100–111.Google Scholar
  8. 8.
    E. Biham, A. Shamir, “Differential Cryptanalysis of the Data Encryption Standard,” Springer-Verlag, 1993.Google Scholar
  9. 9.
    D. Coppersmith, “A chosen-ciphertext attack on triple-DES modes,” 1994.Google Scholar
  10. 10.
    D. Coppersmith, “A chosen-plaintext attack on 2-key inner triple DES CBC/EDE,” 1995.Google Scholar
  11. 11.
    D. Coppersmith, D. B. Johnson, S. M. Matyas, “A proposed mode for triple-DES encryption,” IBM Journal of Research and Development, Vol. 40, No. 2, 1996, pp. 253–262.CrossRefGoogle Scholar
  12. 12.
    The Electronic Frontier Foundation, “Cracking DES. Secrets of Encryption Research, Wiretap Politics & Chip Design,” O’Reilly, May 1998.Google Scholar
  13. 13.
    FIPS 46, “Data Encryption Standard,” US Department of Commerce, National Bureau of Standards, 1977 (revised as FIPS 46-1:1988; FIPS 46–2:1993).Google Scholar
  14. 14.
    FIPS 81, “DES Modes of Operation,” US Department of Commerce, National Bureau of Standards, 1980.Google Scholar
  15. 15.
    P. Flajolet, A. M. Odlyzko, “Random mapping statistics,” EUROCRYPT’89, LNCS 434, Springer-Verlag, 1990, pp. 329–354.Google Scholar
  16. 16.
    B. S. Kaliski, M.J.B. Robshaw, “Multiple encryption: Weighing security and performance,” Dr. Dobb’s Journal, January 1996, pp. 123–127.Google Scholar
  17. 17.
    J. Kilian, P. Rogaway, “How to protect DES against exhaustive key search, CRYPTO’96, LNCS 1109, Springer-Verlag, 1996, pp. 252–267.Google Scholar
  18. 18.
    L. R. Knudsen, “Block Ciphers-Analysis, Design and Applications,” PhD thesis, Aarhus University, Denmark, 1994.Google Scholar
  19. 19.
    L. R. Knudsen, “DEAL: a 128-bit block cipher,” AES submission, 1998.Google Scholar
  20. 20.
    L. Knudsen, B. Preneel, “MacDES: MAC algorithm based on DES,” Electronics Letters, Vol. 34, No. 9, 1998, pp. 871–873CrossRefGoogle Scholar
  21. 21.
    S. Lucks, “Attacking triple encryption,” Fast Software Encryption’98, LNCS 1372, Springer-Verlag, 1998, pp. 239–253.CrossRefGoogle Scholar
  22. 22.
    S. Lucks, “On the security of the 128-bit block cipher DEAL,” Fast Software Encryption, LNCS, L.R. Knudsen, Ed., Springer-Verlag, 1999.Google Scholar
  23. 23.
    M. Matsui, “Linear cryptanalysis method for DES cipher,” EUROCRYPT’93, LNCS 765, Springer-Verlag, 1993, pp. 386–397.Google Scholar
  24. 24.
    R. C. Merkle, M. E. Hellman, “On the security of multiple encryption,” Communications of the ACM, Vol. 24, No. 7, 1981, pp. 465–467.CrossRefMathSciNetGoogle Scholar
  25. 25.
    W. Tuchman, “Hellman presents no shortcut solutions to the DES,” Spectrum, Vol. 16, 1979, pp. 40–41.Google Scholar
  26. 26.
    P. C. van Oorschot, M. J. Wiener, “A known-plaintext attack on two-key triple encryption,” EUROCRYPT’90, LNCS 473, 1990, pp. 318–325.Google Scholar
  27. 27.
    P. C. van Oorschot, M. J. Wiener, “Improving implementable meet-in-the-middle attacks by orders of magnitude,” CRYPTO’96, LNCS 1109, 1996, pp. 229–236.Google Scholar
  28. 28.
    D. Wagner, “Cryptanalysis of some recently-proposed multiple modes of operation,” Fast Software Encryption’98, LNCS 1372, Springer-Verlag, 1998, pp. 254–269.CrossRefGoogle Scholar
  29. 29.
    M.J. Wiener, “Efficient DES key search,” Technical Report TR-244, School of Computer Science, Carleton University, Ottawa, Canada, May 1994. Presented at the rump session of Crypto’93 and reprinted in W. Stallings, Practical Cryptography for Data Internetworks, IEEE Computer Society Press, 1996, pp. 31–79.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Helena Handschuh
    • 1
  • Bart Preneel
    • 2
  1. 1.Gemplus/ENSTFrance
  2. 2.Katholieke Universiteit LeuvenFrance

Personalised recommendations