3-DES

Designers:

Whitfield Diffie, Martin Hellman, Walt Tuchmann

Published:

1978

Aliases:

"TripleDES", "DES-EDE3", "3DES", "OpenPGP.Cipher.2"

References:

• [Def] U.S. National Institute of Standards and Technology,
• DRAFT FIPS PUB 46-3, "Data Encryption Standard",
• U.S. Department of Commerce, 1999.
• NIST FIPS PUB 46-2, "Data Encryption Standard",
• U.S. Department of Commerce, December 1993.
• "Chapter 12 Data Encryption Standard," and "Section 15.2 Triple Encryption,"
• Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
• [Inf, An] R.C. Merkle,
• Secrecy, authentication, and public key systems,
• UMI Research Press, Ann Arbor, Michigan, 1979.
• [Inf, An] R.C. Merkle, M. Hellman,
• "On the Security of Multiple Encryption,"
• Communications of the ACM, vol. 24 no. 7, 1981, pp. 465-467.
• [An] Paul van Oorshot, Michael Wiener,
• "A Known-Plaintext Attack on Two-Key Triple Encryption,"
• Advances in Cryptology - EUROCRYPT '90 Proceedings, Volume 473 of Lecture Notes in Computer Science (I.B. Damg?rd, ed.), pp. 318-325. Springer-Verlag, 1991.
• [An] J. Kelsey, B. Schneier, D. Wagner,
• "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES",
• Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251. Springer-Verlag, August 1996.
• "Attacking Triple Encryption,"
• Fast Software Encryption '98
• Volume 1372 of Lecture Notes in Computer Science (S. Vaudenay, ed.), Springer-Verlag, 1998.
• "On the security of double and 2-key triple modes of operation."
• Fast Software Encryption 6,
• Volume 1636 of Lecture Notes in Computer Science (L. Knudsen, ed.), Springer-Verlag, 1999.
• [Test] U.S. National Institute of Standards and Technology
• Key length: 128 or 192 bits; default 192 bits, as encoded. 112 or 168 bits excluding parity.
• Block size: 8 bytes.

Comments:

• If the key length is 128 bits including parity (i.e. two-key triple DES), the first 8 bytes of the encoding represent the key used for the two outer DES operations, and the second 8 bytes represent the key used for the inner DES operation.
• If the key length is 192 bits including parity (i.e. three-key triple DES), then three independent DES keys are represented, in the order in which they are used for encryption.
• Implementations MUST ignore (i.e. not check) the parity bits of keys. KeyGenerators for DESede MUST, however, output keys with correct parity.

Security comment:

Quoting from the paper "Attacking Triple Encryption" cited above:

[A]bout 2108 steps of computation are sufficient to break three-key triple DES. If one concentrates on the number of single DES operations and assumes the other operations to be much faster, 290 of these are enough.

Better attacks than this are available against two-key triple DES (which should only be used for backward compatibility, if at all).