"Steven M. Bellovin" <smb@research.att.com> writes:
Precisely. What is the *real* threat model?
History does indeed show that believed-secure ciphers may not be, and that we do indeed need a safety margin. But history shows even more strongly that there are many better ways to the plaintext, and that's the real goal.
Ciphers are components of security systems, not complete security systems. How best to improve a component is a legitimate engineering question even if there is reason to believe they will often be misapplied. At present there is no serious threat to 3DES, so why did we bother with the whole AES exercise? [Look at the benchmarks? --Perry]

Anyway, I think there is an interesting theoretical question here: Design a cipher algorithm P that assumes as primitives 5 ciphers, C1, ..., C5 (or more generally N ciphers for odd N > 1) with the same block size and key length. P is to have the same block size and key length as the Ci and is to be provably secure against chosen plaintext attacks even under the following conditions:

1. One of the Ci is a strong cipher (i.e. there is no attack faster than trying all the keys).
2. An attacker gets to supply the other four Ci, subject to the condition that they be cipher-like: i.e. they must be bijections between the input and output domains, the bijection is the same if the key value is the same, and there are no extra outputs.
3. The attacker knows the details of the secure algorithm.

P should be as simple as possible and not employ any additional cryptographic primitives (e.g. hashes, S-boxes or special constants).

Derek Atkins adds:
Why try to pick a Medeco when it's locking a glass door? :-)
The fact that some people put Medecos in glass doors doesn't mean Medeco should never develop a better lock.

Arnold Reinhold