Can we use EED with 2 keys $(k_1, k_1, k_3)$ rather than EDE $(k_1, k_2, k_1)$? We measure the strength of DES by the effort (in terms of the number of tries) in finding some $k_1$ & $k_2$ to match a known plaintext and ciphertext pair.
Will EED have the same strength as EDE? Which one is stronger?
$(k_1, k_1, k_2)$ can be split into $(k_1, k_1)$ with $2^{56}$ possibilities and $(k_2)$ with $2^{56}$ possibilities, so the meet-in-the-middle attack has cost $2^{56}$.
$(k_1, k_2, k_1)$ can be split into $(k_1, k_2)$ with $2^{112}$ possibilities and $(k_2)$ with $2^{56}$ possibilities or into $(k_1)$ with $2^{56}$ possibilities and $(k_2, k_1)$ with $2^{112}$, so no matter how you split it, the attack costs $2^{112}$.
=> $(k_1, k_2, k_1)$ is much stronger than $(k_1, k_1, k_2)$
Why is triple-DES using three different keys vulnerable to a meet-in-the-middle-attack?
Choosing encryption vs. decryption for the three steps has no effect on security.
By setting all keys to the same value you can emulate DES using 3DES with EDE and EED but not with EEE. Not sure if EDE offers any advantages over EED, except looking nicer due to being symmetric.
Why do we use encrypt-decrypt-encrypt (EDE) in 3DES, rather than encrypting three times?
