DES-EEE2;DES-EDE2;Merkle;VAn Oorshot;Wiener;attacks;keys;multiple encryption">

For some time it has been common practice to protect and transport
a key for DES encryption with triple-DES. This means that the
plaintext is, in effect, encrypted three times. There are, of
course. a variety of ways of doing this; we will explore these
ways below. See Question 85 for a discussion of multiple encryption
in general.

A number of modes of triple-encryption have been proposed:

- DES-EEE3: Three DES encryptions with three different keys.
- DES-EDE3: Three DES operations in the sequence
*encrypt-decrypt-encrypt
* with three different keys.
- DES-EEE2 and DES-EDE2: Same the previous formats except that
the first and third operations use the same key.

Attacks on two-key triple-DES have been proposed by Merkle and
Hellman [MH81] and Van Oorschot and Wiener [VW91], but the data
requirements of these attacks make them impractical. Further information
on triple-DES can be obtained from various sources
[Bih95][KR96].

The use of double and triple encryption does not always provide
the additional security that might be expected. Preneel [Pre94]
provides the following comparisons in the security of various
versions of multiple-DES and it can be seen that the most secure
form of multiple encryption is triple-DES with three *distinct
* keys.

**# of** **# of Keys** **Computation** **Storage** **Type of Attack**
**Encryptions**
**single** 1 2^{56} - known plaintext
**single** 1 2^{38} 2^{38} chosen plaintext
**single** 1 - 2^{56} chosen plaintext
**double** 2 2^{112} - known plaintext
**double** 2 2^{56} 2^{56} known plaintext
**double** 2 - 2^{112} chosen plaintext
**triple** 2 2^{112} - known plaintext
**triple** 2 2^{56} 2^{56} 2^{56} chosen plaintext
**triple** 2 2^{120-t} 2^{t} 2^{t} known plaintext
**triple** 2 - 2^{56} chosen plaintext
**triple** 3 2^{112} 2^{56} known plaintext
**triple** 3 2^{56} 2^{112} chosen plaintext

Table 1: Comparison of different forms of DES multiple encryption