Rijndael & Hitachi
Arnold G. Reinhold
reinhold at world.std.com
Wed Oct 11 11:55:46 PDT 2000
>"Steven M. Bellovin" <smb at research.att.com> writes:
>
>> Precisely. What is the *real* threat model?
>>
>> History does indeed show that believed-secure ciphers may not be, and
>> that we do indeed need a safety margin. But history shows even more
>> strongly that there are many better ways to the plaintext, and that's
>> the real goal.

Ciphers are components of security systems, not complete security
systems. How best to improve a component is a legitimate engineering
question even if there is reason to believe they will often be
misapplied. At present there is no serious threat to 3DES, so why did
we bother with the whole AES exercise?

[Look at the benchmarks? --Perry]

Anyway, I think there is an interesting theoretical question here:
Design a cipher algorithm P that assumes as primitives 5 ciphers, C1,
...,C5 (or more generally N ciphers for odd N > 1) with the same
block size and key length. P is to have the same block size and key
length as the Ci and is to be provably secure against chosen
plaintext attacks even under the following conditions:

1. One of the Ci is a strong cipher (i.e. there is no attack faster
than trying all the keys)
2. An attacker gets to supply the other four Ci, subject to the
condition that they be cipher-like: i.e. they must be bijections
between the input and output domains, the bijection is the same if
the key value is the same and there are no extra outputs.
3. The attacker knows the details of the secure algorithm.

P should be as simple as possible and not employ any additional
cryptographic primitives (e.g. hashes, S-boxes or special constants).

Derek Atkins adds:
>
>Why try to pick a Medeco when it's locking a glass door? :-)

The fact that some people put Medecos in glass doors doesn't mean
Medeco should never develop a better lock.

Arnold Reinhold
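
An added example, not part of the original post: it shows why plain composition of the Ci under one shared key does not meet conditions 1-3, because an attacker-supplied component that inverts the strong cipher is still a keyed bijection with no extra outputs. The 8-bit block, the `random`-based stand-in for the strong cipher, and all function names are assumptions made for the demo, as is the attacker knowing which position holds the strong cipher.

```python
import random

BLOCK_VALUES = 256  # toy 8-bit block, constructed for this demo


def _table(key):
    """Key-dependent permutation of all block values.

    Toy stand-in for the one strong Ci; it is not a real cipher.
    """
    perm = list(range(BLOCK_VALUES))
    random.Random(key).shuffle(perm)
    return perm


def strong(key, block):
    return _table(key)[block]


def attacker_inverse(key, block):
    # Cipher-like per condition 2: a bijection, fixed by the key, no extra
    # outputs. Condition 3 lets the attacker build it from the strong cipher.
    return _table(key).index(block)


def identity(key, block):
    # Also a bijection that is the same for the same key, so it is admissible.
    return block


def cascade(ciphers):
    """Naive combiner: hand the same key to every Ci and compose in order."""
    def P(key, block):
        for c in ciphers:
            block = c(key, block)
        return block
    return P


def leaks_plaintext(P, keys=range(20)):
    """True if P maps every block to itself for every tested key."""
    return all(P(k, b) == b for k in keys for b in range(BLOCK_VALUES))


if __name__ == "__main__":
    rigged = cascade([strong, attacker_inverse, identity, identity, identity])
    print("rigged cascade is the identity map:", leaks_plaintext(rigged))
```

Any P that answers the question therefore has to prevent one component from cancelling another while still using a single key of the original length.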