[fc417fc802]

I'm not a cryptographer but to me "broken" seems to imply that the core algorithm itself can be attacked. If merely applying it in certain ways as part of some larger system can fail then aren't most (possibly all) ciphers broken? It's entirely possible to do all sorts of stupid things.

Granted, a 2^32 block limit is pretty severe by modern standards.

[upofadown]

Si (2^32)*8 works out to 34GB for TDES. How many applications involve encrypting that much data in one go?

[fc417fc802]

Sorry, calling that a block limit was an error by omission on my part. 2^32 yields a 50% chance of reuse. If we pick a sane security margin it's a lot smaller. Assuming I did the math correctly just now, 2^-32 only gives you ~2^17 blocks; dropping that to 2^-24 yields ~2^21 blocks.

[upofadown]

Off the top of my head, NIST was suggesting something like 8GB as the working limit. It would depend on your risk tolerance and the application in practice I guess. For something like video you might not really care about exposing a few 8 byte blocks here and there where the exposure is one block XORed with the other.

[fc417fc802]

An aside, personally I quite like TDES for the purpose of generating secure handles and the like. The larger block sizes of pretty much every other common algorithm yield URLs and integers that are more difficult to work with. 64 bits is a manageable enough length and you don't have to implement the algorithm yourself (at which point you'd have rolled your own crypto).

[tptacek]

Further aside, note that there are constructions designed specifically for that problem and its relatives:

https://www.cs.ucdavis.edu/~rogaway/papers/subset.pdf