Would DES be secure with 128 bit keys?
Clash Royale CLAN TAG#URR8PPP
$begingroup$
Assuming you only modify the key schedule so that each of a 128-bit key is used at least once, would DES be about as secure as other ciphers such as AES? I am not talking about 2DES/3DES or other drawbacks like performance etc.
des
edited Feb 18 at 17:06
kelalaka
8,43822351
asked Feb 18 at 16:23
enigma969enigma969
183
$endgroup$
add a comment |
$begingroup$
Assuming you only modify the key schedule so that each of a 128-bit key is used at least once, would DES be about as secure as other ciphers such as AES? I am not talking about 2DES/3DES or other drawbacks like performance etc.
des
edited Feb 18 at 17:06
kelalaka
8,43822351
asked Feb 18 at 16:23
enigma969enigma969
183
$endgroup$
4
$begingroup$
You should also define the new key schedule. When parameters changed, It usually requires new design and analysis. See AES-128 vs AES-256.
$endgroup$
– kelalaka
Feb 18 at 17:08
1
$begingroup$
One could take this question to be about Lucifer, or about Lucifer with the S-boxes as modified by the NSA to make them resist differential cryptanalysis.
$endgroup$
– Squeamish Ossifrage
Feb 18 at 17:32
add a comment |
$begingroup$
Assuming you only modify the key schedule so that each of a 128-bit key is used at least once, would DES be about as secure as other ciphers such as AES? I am not talking about 2DES/3DES or other drawbacks like performance etc.
des
edited Feb 18 at 17:06
kelalaka
8,43822351
asked Feb 18 at 16:23
enigma969enigma969
183
$endgroup$
Assuming you only modify the key schedule so that each of a 128-bit key is used at least once, would DES be about as secure as other ciphers such as AES? I am not talking about 2DES/3DES or other drawbacks like performance etc.
des
des
edited Feb 18 at 17:06
kelalaka
8,43822351
asked Feb 18 at 16:23
enigma969enigma969
183
edited Feb 18 at 17:06
kelalaka
8,43822351
asked Feb 18 at 16:23
enigma969enigma969
183
edited Feb 18 at 17:06
kelalaka
8,43822351
edited Feb 18 at 17:06
kelalaka
8,43822351
edited Feb 18 at 17:06
kelalaka
8,43822351
8,43822351
asked Feb 18 at 16:23
enigma969enigma969
183
asked Feb 18 at 16:23
enigma969enigma969
183
asked Feb 18 at 16:23
enigma969enigma969
183
183
4
$begingroup$
You should also define the new key schedule. When parameters changed, It usually requires new design and analysis. See AES-128 vs AES-256.
$endgroup$
– kelalaka
Feb 18 at 17:08
1
$begingroup$
One could take this question to be about Lucifer, or about Lucifer with the S-boxes as modified by the NSA to make them resist differential cryptanalysis.
$endgroup$
– Squeamish Ossifrage
Feb 18 at 17:32
add a comment |
4
$begingroup$
You should also define the new key schedule. When parameters changed, It usually requires new design and analysis. See AES-128 vs AES-256.
$endgroup$
– kelalaka
Feb 18 at 17:08
1
$begingroup$
One could take this question to be about Lucifer, or about Lucifer with the S-boxes as modified by the NSA to make them resist differential cryptanalysis.
$endgroup$
– Squeamish Ossifrage
Feb 18 at 17:32
4
4
$begingroup$
You should also define the new key schedule. When parameters changed, It usually requires new design and analysis. See AES-128 vs AES-256.
$endgroup$
– kelalaka
Feb 18 at 17:08
$begingroup$
You should also define the new key schedule. When parameters changed, It usually requires new design and analysis. See AES-128 vs AES-256.
$endgroup$
– kelalaka
Feb 18 at 17:08
1
1
$begingroup$
One could take this question to be about Lucifer, or about Lucifer with the S-boxes as modified by the NSA to make them resist differential cryptanalysis.
$endgroup$
– Squeamish Ossifrage
Feb 18 at 17:32
$begingroup$
One could take this question to be about Lucifer, or about Lucifer with the S-boxes as modified by the NSA to make them resist differential cryptanalysis.
$endgroup$
– Squeamish Ossifrage
Feb 18 at 17:32
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
No, DES* (which I'll call your "DES modified to use 128 bit keys") would not be as secure as AES; two reasons spring immediately to mind:
Block size; DES* would still have 64 bit blocks; most block cipher modes start to leak information when you get close to the birthday bound; for DES*, that'd be 32Gigabytes, which isn't that long for common use. In contrast, AES (which has a 128 bit block size) has a birthday bound of circa 300Exabytes
Linear cryptanalysis; DES is known to be weak against linear cryptanalysis; depending on how you map the 128 bit keys to the DES* subkeys, DES* may very well be as well. Of course, AES is known to be immune to linear cryptanalysis
answered Feb 18 at 16:53
ponchoponcho
93k2145241
$endgroup$
3
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67407%2fwould-des-be-secure-with-128-bit-keys%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
No, DES* (which I'll call your "DES modified to use 128 bit keys") would not be as secure as AES; two reasons spring immediately to mind:
Block size; DES* would still have 64 bit blocks; most block cipher modes start to leak information when you get close to the birthday bound; for DES*, that'd be 32Gigabytes, which isn't that long for common use. In contrast, AES (which has a 128 bit block size) has a birthday bound of circa 300Exabytes
Linear cryptanalysis; DES is known to be weak against linear cryptanalysis; depending on how you map the 128 bit keys to the DES* subkeys, DES* may very well be as well. Of course, AES is known to be immune to linear cryptanalysis
answered Feb 18 at 16:53
ponchoponcho
93k2145241
$endgroup$
3
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
add a comment |
$begingroup$
No, DES* (which I'll call your "DES modified to use 128 bit keys") would not be as secure as AES; two reasons spring immediately to mind:
Block size; DES* would still have 64 bit blocks; most block cipher modes start to leak information when you get close to the birthday bound; for DES*, that'd be 32Gigabytes, which isn't that long for common use. In contrast, AES (which has a 128 bit block size) has a birthday bound of circa 300Exabytes
Linear cryptanalysis; DES is known to be weak against linear cryptanalysis; depending on how you map the 128 bit keys to the DES* subkeys, DES* may very well be as well. Of course, AES is known to be immune to linear cryptanalysis
answered Feb 18 at 16:53
ponchoponcho
93k2145241
$endgroup$
3
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
add a comment |
$begingroup$
No, DES* (which I'll call your "DES modified to use 128 bit keys") would not be as secure as AES; two reasons spring immediately to mind:
Block size; DES* would still have 64 bit blocks; most block cipher modes start to leak information when you get close to the birthday bound; for DES*, that'd be 32Gigabytes, which isn't that long for common use. In contrast, AES (which has a 128 bit block size) has a birthday bound of circa 300Exabytes
Linear cryptanalysis; DES is known to be weak against linear cryptanalysis; depending on how you map the 128 bit keys to the DES* subkeys, DES* may very well be as well. Of course, AES is known to be immune to linear cryptanalysis
answered Feb 18 at 16:53
ponchoponcho
93k2145241
$endgroup$
No, DES* (which I'll call your "DES modified to use 128 bit keys") would not be as secure as AES; two reasons spring immediately to mind:
Block size; DES* would still have 64 bit blocks; most block cipher modes start to leak information when you get close to the birthday bound; for DES*, that'd be 32Gigabytes, which isn't that long for common use. In contrast, AES (which has a 128 bit block size) has a birthday bound of circa 300Exabytes
Linear cryptanalysis; DES is known to be weak against linear cryptanalysis; depending on how you map the 128 bit keys to the DES* subkeys, DES* may very well be as well. Of course, AES is known to be immune to linear cryptanalysis
answered Feb 18 at 16:53
ponchoponcho
93k2145241
answered Feb 18 at 16:53
ponchoponcho
93k2145241
answered Feb 18 at 16:53
ponchoponcho
93k2145241
answered Feb 18 at 16:53
ponchoponcho
93k2145241
93k2145241
3
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
add a comment |
3
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
3
3
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
$begingroup$
And that's already enough reason not to go for 128 bit DES, ignoring the less serious issues such as parity bits, weak keys and what-not.
$endgroup$
– Maarten Bodewes♦
Feb 18 at 17:10
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67407%2fwould-des-be-secure-with-128-bit-keys%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
$begingroup$
You should also define the new key schedule. When parameters changed, It usually requires new design and analysis. See AES-128 vs AES-256.
$endgroup$
– kelalaka
Feb 18 at 17:08
1
$begingroup$
One could take this question to be about Lucifer, or about Lucifer with the S-boxes as modified by the NSA to make them resist differential cryptanalysis.
$endgroup$
– Squeamish Ossifrage
Feb 18 at 17:32