In cryptography, Triple DES is a block cipher formed from the Data Encryption Standard (DES) cipher by using it three times. Triple DES is also known as TDES or, more standard, TDEA (Triple Data Encryption Algorithm NIST, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67.). The non-standard convention to use DES (standard) when we actually mean DEA (algorithm) is so widespread that in order to avoid confusion we use it in this article. On the other hand, since there are variations of TDES which use two different keys (2TDES) and three different keys (3TDES) the non-standard abbreviation 3DES is confusing and should be avoided.

When it was found that a 56-bit key of DES is not enough to guard against brute force attacks, TDES was chosen as a simple way to enlarge the key space without a need to switch to a new algorithm. The use of three steps is essential to prevent meet-in-the-middle attacks that are effective against double DES encryption. Note that DES is not a group; if it were one, the TDES construction would be equivalent to a single DES operation and no more secure.

The simplest variant of TDES operates as follows: $\backslash textrm\{DES\}(k\_3;\backslash textrm\{DES\}(k\_2;\backslash textrm\{DES\}(k\_1;\; M)))$, where $M$ is the message block to be encrypted and $k\_1$, $k\_2$, and $k\_3$ are DES keys. This variant is commonly known as EEE because all three DES operations are encryptions. In order to simplify interoperability between DES and TDES the middle step is usually replaced with decryption (EDE mode): $\backslash textrm\{DES\}(k\_3;\backslash textrm\{DES\}^\{-1\}(k\_2;\backslash textrm\{DES\}(k\_1;\; M)))$ and so a single DES encryption with key $k$ can be represented as TDES-EDE with $k\_1\; =\; k\_2\; =\; k\_3\; =\; k$. The choice of decryption for the middle step does not affect the security of the algorithm.

In general TDES with three different keys (3TDES) has a key length of 168 bits: three 56-bit DES keys (with parity bits 3TDES has the total storage length of 192 bits), but due to the meet-in-the-middle attack the effective security it provides is only 112 bits. A variant, called two-key TDES (2TDES), uses k₁ = k₃, thus reducing the key size to 112 bits and the storage length to 128 bits. However, this mode is susceptible to certain chosen-plaintext or known-plaintext attacks Ralph Merkle, Martin Hellman: On the Security of Multiple Encryption (PDF), Communications of the ACM, Vol 24, No 7, pp 465-467, July 1981 Paul van Oorschot, Michael Weiner, A known-plaintext attack on two-key triple encryption, EUROCRYPT'90, LNCS 473, 1990, pp. 318–325. and thus it is officially NIST, Recommendation for Key Management — Part 1: general, NIST Special Publication 800-57 designated to have only 80-bits of security.

As of 2005, the best attack known on 3TDES requires around 2³² known plaintexts, 2¹¹³ steps, 2⁹⁰ single DES encryptions, and 2⁸⁸ memoryStefan Lucks: Attacking Triple Encryption (PDF). Fast Software Encryption 1998: pp239–253 (the paper presents other tradeoffs between time and memory). This is not currently practical. If the attacker seeks to discover any one of many cryptographic keys, there is a memory-efficient attack which will discover one of 2²⁸ keys, given a handful of chosen plaintexts per key and around 2⁸⁴ encryption operationsEli Biham: How to Forge DES-Encrypted Messages in 2²⁸ Steps (PostScript). 1996.. This attack is highly parallelizable and verges on the practical, given billion-dollar budgets and years to mount the attack, though the circumstances in which it would be useful are limited.

TDES is slowly disappearing from use, largely replaced by its natural successor, AES. One large-scale exception is within the electronic payments industry, which still uses 2TDES extensively and continues to develop and promulgate standards based upon it (e.g. EMV, available from EMVCo). This guarantees that TDES will remain an active cryptographic standard well into the future.

By design, DES and therefore TDES, suffer from slow performance in software; on modern processors, AES tends to be around six times faster. TDES is better suited to hardware implementations, and indeed where it is still used it tends to be with a hardware implementation (e.g., VPN appliances and the Nextel cellular and data network), but even there AES outperforms it. Finally, AES offers markedly higher security margins: a larger block size, potentially longer keys, and (as of 2005) freedom from cryptanalytic attacks.

See also

• DESX

References