Are you guys still talking about the feasibility of a cipher that implements each AES candidate in turn with the same key? I don't really get this idea. Provided you were actually using the same key with each stage of the encryption, then your system is only gong to be as secure as the key of the first algorithm. In fact, it seems that if the key is compromised at any one point, then the entire system is shot, given that you know the algorithm (Kerckhoff's principle IIRC). Maybe I am misunderstanding. ok, Rush Carskadden -----Original Message----- From: Arnold G. Reinhold [mailto:reinhold@WORLD.STD.COM] Sent: Friday, October 27, 2000 12:29 PM To: Damien Miller Cc: John Kelsey; Bram Cohen; cryptography@c2.net; cypherpunks@cyberpass.net Subject: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi) At 4:16 PM +1100 10/27/2000, Damien Miller wrote:
On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:
simple way to combine the AES finalists and take advantage of all the testing that each has already undergone. And, IMHO, it is an interesting theoretical question as well. Even if the answer is "yes," I am not advocating that it be used in most common applications, e.g network security, because there are so many greater risks to be dealt with. But it might make sense in some narrow, high value, applications.
What threat model do you propose that would require this?
o Your opponent has the cryptologic capabilities of the a major world power o The content has very high value (multi-billion dollar deal, could bring down a government, could start a war) o Long term protection is required (30+ years) o You are in a position to properly secure the terminals at both ends 0 Efficiency is not a concern For example, a chief of state's personal diary, an opposition leader's communications, best and final bids on large projects, etc.
I can't think of anything that isn't contrived and couldn't be served by using 3DES.
In a way I see this question as how one should manage the transition from 3DES to AES. Does one keep using DES until the big day and then switch to AES? Or does a blended solution make sense in some cases? While I think there may be a use for something like a Paranoid Encryption Standard in very unusual situations, I don't wish to waste more of people's time arguing with those who say there's no need for it at all. I don't have any compelling evidence. It's pure speculation. I am really more interested in the theoretical "why not?" question, i.e. is there any real downside in combining ciphers in this way, besides efficiency? Conventional wisdom seems to be more cautious than I think is justified and I am trying to prove that. Arnold Reinhold