Rijndael & Hitachi

Arnold G. Reinhold reinhold at world.std.com
Wed Oct 11 11:55:46 PDT 2000


>"Steven M. Bellovin" <smb at research.att.com> writes:
>
>> Precisely.  What is the *real* threat model?
>>
>> History does indeed show that believed-secure ciphers may not be, and
>> that we do indeed need a safety margin.  But history shows even more
>> strongly that there are many better ways to the plaintext, and that's
>> the real goal.

Ciphers are components of security systems, not complete security 
systems. How best to improve a component is a legitimate engineering 
question even if there is reason to believe they will often be 
misapplied. At present there is no serious threat to 3DES, so why did 
we bother with the whole AES exercise?

[Look at the benchmarks? --Perry]

Anyway, I think there is an interesting theoretical question here:

Design a cipher algorithm P that assumes as primitives 5 ciphers, C1, 
..., C5 (or more generally N ciphers for odd N > 1) with the same 
block size and key length.  P is to have the same block size and key 
length as the Ci and is to be provably secure against chosen 
plaintext attacks even under the following conditions:

1. One of the Ci is a strong cipher (i.e. there is no attack faster 
than trying all the keys)

2. An attacker gets to supply the other four Ci, subject to the 
condition that they be cipher like: i.e. they must be bijections 
between the input and output domains, the bijection is the same if 
the key value is the same and there are no extra outputs.

3. The attacker knows the details of the secure algorithm.


P should be as simple as possible and not employ any additional 
cryptographic primitives (e.g. hashes, S-boxes or special constants).

Derek Atkins adds:

>
>Why try to pick a Medeco when it's locking a glass door?  :-)

The fact that some people put Medecos in glass doors doesn't mean 
Medeco should never develop a better lock.


Arnold Reinhold
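An added illustration, not part of the original message, of why the combiner problem above is not trivial: under conditions 2 and 3 a plain cascade of the Ci with one shared key fails, because the attacker (who knows C1) may supply C2 as C1's inverse, which is still a key-determined bijection with no extra outputs. The "strong" C1 here is a toy keyed permutation on 8-bit blocks standing in for a real cipher; the function names are my own.

```python
"""Why a naive cascade does not meet the combiner specification.

Toy model: 8-bit blocks, 8-bit keys.  c1_encrypt stands in for the one
strong cipher (assumed: a keyed pseudorandom permutation, not a real
cipher).  The attacker-supplied ciphers satisfy the stated rules
(bijection, same key -> same map, no extra outputs) yet make the whole
cascade collapse to the identity map.
"""
import random

BLOCK_VALUES = 256  # 8-bit block space


def perm_for_key(key):
    # Keyed bijection on the block space, seeded deterministically by key.
    table = list(range(BLOCK_VALUES))
    random.Random(key).shuffle(table)
    return table


def c1_encrypt(key, x):
    # The "strong" cipher C1 (toy stand-in).
    return perm_for_key(key)[x]


def c2_attacker(key, x):
    # Attacker-supplied C2: the inverse of C1 under the same key.  It is a
    # legitimate cipher under the rules: bijective, key-determined, no extra
    # outputs.  Condition 3 (attacker knows C1) is what makes this possible.
    return perm_for_key(key).index(x)


def c_identity(key, x):
    # Attacker-supplied filler for C3..C5: the identity map is also a
    # key-determined bijection and therefore permitted.
    return x


def cascade(key, x, ciphers):
    # P built as a plain cascade C5(C4(C3(C2(C1(x))))) with one shared key.
    for c in ciphers:
        x = c(key, x)
    return x


def is_bijection(key, cipher):
    return len({cipher(key, x) for x in range(BLOCK_VALUES)}) == BLOCK_VALUES


def is_identity(key, ciphers):
    # True when the cascade leaks every plaintext unchanged.
    return all(cascade(key, x, ciphers) == x for x in range(BLOCK_VALUES))
```

With `[c1_encrypt, c2_attacker, c_identity, c_identity, c_identity]` every one of the five ciphers is a valid input, yet `is_identity` returns True, so P would have to do more than chain the Ci.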