Des and 3DES PRF: 16 or 8 bytes

[Sam Hartman]

>>>>> "Don" == Don Davis <dodavis at redhat.com> writes:

    Don> hi, sam -- i think an 8 byte hash is sufficiently limited
    Don> nowadays to justify using 16 byte as the prf output size.

You and everyone else comes to this conclusion when they examine the
problem for about 30 seconds.

As far as I can tell though, there is not a significant difference in
security properties until you start making 2**32 calls to the PRF with
the same key regardless of whether you use 8 or 16 bytes.  At that
point, I suspect but cannot show that there may be a
distinguishability attack, probably against both the 8 and 16 byte
versions.  I suspect an attack that was useful in breaking the use as
a key derivation function would be harder.

Sorry if I sound a bit frustrated on this one, but I've been seeing
the same argument again and again, and when I ask the person to look
into it, there doesn't seem to be a security justification behind it.


If you are seeing an attack, I'd appreciate a more detailed response
describing the attack and its assumptions.