DES-EEE2;DES-EDE2;Merkle;VAn Oorshot;Wiener;attacks;keys;multiple encryption">
For some time it has been common practice to protect and transport a key for DES encryption with triple-DES. This means that the plaintext is, in effect, encrypted three times. There are, of course. a variety of ways of doing this; we will explore these ways below. See Question 85 for a discussion of multiple encryption in general.
A number of modes of triple-encryption have been proposed:
Attacks on two-key triple-DES have been proposed by Merkle and Hellman [MH81] and Van Oorschot and Wiener [VW91], but the data requirements of these attacks make them impractical. Further information on triple-DES can be obtained from various sources [Bih95][KR96].
The use of double and triple encryption does not always provide the additional security that might be expected. Preneel [Pre94] provides the following comparisons in the security of various versions of multiple-DES and it can be seen that the most secure form of multiple encryption is triple-DES with three distinct keys.
# of # of Keys Computation Storage Type of Attack Encryptions single 1 256 - known plaintext single 1 238 238 chosen plaintext single 1 - 256 chosen plaintext double 2 2112 - known plaintext double 2 256 256 known plaintext double 2 - 2112 chosen plaintext triple 2 2112 - known plaintext triple 2 256 256 256 chosen plaintext triple 2 2120-t 2t 2t known plaintext triple 2 - 256 chosen plaintext triple 3 2112 256 known plaintext triple 3 256 2112 chosen plaintextTable 1: Comparison of different forms of DES multiple encryption