Are you guys still talking about the feasibility of a cipher that implements each AES candidate in turn with the same key? I don't really get this idea. Provided you were actually using the same key with each stage of the encryption, then your system is only going to be as secure as the key of the first algorithm. In fact, it seems that if the key is compromised at any one point, then the entire system is shot, given that you know the algorithm (Kerckhoffs's principle IIRC). Maybe I am misunderstanding.

ok,
Rush Carskadden


-----Original Message-----
From: Arnold G. Reinhold [mailto:reinhold@WORLD.STD.COM]
Sent: Friday, October 27, 2000 12:29 PM
To: Damien Miller
Cc: John Kelsey; Bram Cohen; cryptography@c2.net;
cypherpunks@cyberpass.net
Subject: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)



At 4:16 PM +1100 10/27/2000, Damien Miller wrote:
>On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:
>
>> simple way to combine the AES finalists and take advantage of all the
>> testing that each has already undergone.  And, IMHO, it is an
>> interesting theoretical question as well.  Even if the answer is
>> "yes," I am not advocating that it be used in most common
>> applications, e.g. network security, because there are so many greater
>> risks to be dealt with. But it might make sense in some narrow, high
>> value, applications.
>
>What threat model do you propose that would require this?

o Your opponent has the cryptologic capabilities of a major world power
o The content has very high value (multi-billion dollar deal, could
bring down a government, could start a war)
o Long term protection is required (30+ years)
o You are in a position to properly secure the terminals at both ends
o Efficiency is not a concern

For example, a chief of state's personal diary, an opposition
leader's communications, best and final bids on large projects, etc.

>
>I can't think of anything that isn't contrived and couldn't be served
>by using 3DES.
>

In a way I see this question as how one should manage the transition
from 3DES to AES. Does one keep using DES until the big day and then
switch to AES? Or does a blended solution make sense in some cases?

While I think there may be a use for something like a Paranoid
Encryption Standard in very unusual situations, I don't wish to waste
more of people's time arguing with those who say there's no need for
it at all. I don't have any compelling evidence.  It's pure
speculation.

I am really more interested in the theoretical "why not?" question,
i.e. is there any real downside in combining ciphers in this way,
besides efficiency?  Conventional wisdom seems to be more cautious
than I think is justified and I am trying to prove that.

Arnold Reinhold