-----BEGIN PGP SIGNED MESSAGE----- At 01:44 PM 10/10/00 -0400, Arnold G. Reinhold wrote: ...
I was thinking it might be useful to define a "Paranoid Encryption Standard (PES)" that is a concatenation of all five AES finalists, applied in alphabetical order, all with the same key (128-bit or 256-bit). If in fact RC6 is the only finalist still subject to licensing by its developer, it could be replaced by DEAL (alphabetized under "D"). Since DEAL is based on DES, it brings the decades of testing and analysis DES has received to the party.
This basic idea is discussed in Massey and Maurer's ``The Importance of Being First'' paper. There are a couple issues: a. The keys need to be independent. (Otherwise, imagine if cipher #1 is DES encryption, and cipher #2 is DES decryption.) b. There order of the ciphers matters for the kind of security proof you can do. If you do Twofish, then Rijndael, you can prove that a known-plaintext attack on this system = a known plaintext attack on Twofish and a chosen-plaintext attack on Rijndael. (That is, the combined system can be no easier to break than the easier of a known-plaintext attack on Twofish or a chosen-plaintext attack on Rijndael.) A smarter way to do this is to do OFB-mode or counter-mode with all N ciphers. That way, you can prove that breaking the resulting cipher is equivalent to breaking OFB mode encryption under all N of the ciphers.
DEAL was dinged in the first round because "it is claimed that DEAL-192 is no more secure than DEAL-128" and "equivalent keys are claimed for a fraction (2**-64) of the 192-bit and 256-bit key spaces." http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1 I don't think either issues is reason to exclude DEAL in this role, though if there were tweaks to DEAL that resolved them, they might be worth including.
The dings in DEAL wouldn't amount to much in this setting, in practice. (Okay, so the dings in DEAL wouldn't ever matter in practice, unless you wanted to use DEAL alone for a hashing construction.)
Arnold Reinhold
--John Kelsey, Counterpane Internet Security, kelsey@counterpane.com PGP Fingerprint: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com> Comment: foo iQCVAwUBOeUCFiZv+/Ry/LrBAQF0bwP+OGBvMrvtcFQyOupBv4ulvTzjMtFWcSMU FfRRzFq3YSw3M2KkBsFiK2RPJJngh2LBfGLLSW8F5COpXkWmByKbrABqNsWufx5V 8fBexLjwZwC2zyJq/R+ynfdlx7IqYycjL1ZpRek2hwL5VYFKu2CCROCU9xcAunXK 6KEPFGPQ7iQ= =yCFE -----END PGP SIGNATURE-----