CDR: RE: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

Carskadden, Rush carskar at netsolve.net
Fri Oct 27 11:00:54 PDT 2000


Are you guys still talking about the feasibility of a cipher that implements
each AES candidate in turn with the same key? I don't really get this idea.
Provided you were actually using the same key with each stage of the
encryption, then your system is only going to be as secure as the key of the
first algorithm. In fact, it seems that if the key is compromised at any one
point, then the entire system is shot, given that you know the algorithm
(Kerckhoffs's principle IIRC). Maybe I am misunderstanding.

ok,
Rush Carskadden


-----Original Message-----
From: Arnold G. Reinhold [mailto:reinhold at WORLD.STD.COM]
Sent: Friday, October 27, 2000 12:29 PM
To: Damien Miller
Cc: John Kelsey; Bram Cohen; cryptography at c2.net;
cypherpunks at cyberpass.net
Subject: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)



At 4:16 PM +1100 10/27/2000, Damien Miller wrote:
>On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:
>
>> simple way to combine the AES finalists and take advantage of all the
>> testing that each has already undergone.  And, IMHO, it is an
>> interesting theoretical question as well.  Even if the answer is
>> "yes," I am not advocating that it be used in most common
>> applications, e.g. network security, because there are so many greater
>> risks to be dealt with. But it might make sense in some narrow, high
>> value, applications.
>
>What threat model do you propose that would require this?

o Your opponent has the cryptologic capabilities of a major world power
o The content has very high value (multi-billion dollar deal, could
bring down a government, could start a war)
o Long term protection is required (30+ years)
o You are in a position to properly secure the terminals at both ends
o Efficiency is not a concern

For example, a chief of state's personal diary, an opposition 
leader's communications, best and final bids on large projects, etc.

>
>I can't think of anything that isn't contrived and couldn't be served
>by using 3DES.
>

In a way I see this question as how one should manage the transition 
from 3DES to AES. Does one keep using DES until the big day and then 
switch to AES? Or does a blended solution make sense in some cases?

While I think there may be a use for something like a Paranoid 
Encryption Standard in very unusual situations, I don't wish to waste 
more of people's time arguing with those who say there's no need for 
it at all. I don't have any compelling evidence.  It's pure 
speculation.

I am really more interested in the theoretical "why not?" question, 
i.e. is there any real downside in combining ciphers in this way, 
besides efficiency?  Conventional wisdom seems to be more cautious 
than I think is justified and I am trying to prove that.

Arnold Reinhold
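The following is an added example illustrating the cascade construction discussed in this thread; it is not code from either poster. It uses a toy Feistel block cipher keyed through HMAC-SHA256 as a stand-in for the AES finalists so that it runs with the Python standard library alone (the toy cipher is not secure and only carries the key-handling point). It derives one stage key per cipher from a single master secret, and it also shows the degenerate case of feeding both stages the same literal key when the second stage happens to be the inverse of the first. All function names, labels and the sample block are constructed for this example.

```python
"""Cascade ("Paranoid Encryption Standard") demonstration.

Added example, not code from the thread. The toy cipher below stands in
for the AES finalists; it is NOT a secure cipher.
"""
import hashlib
import hmac
from functools import partial

BLOCK = 16   # 128-bit block, the block size shared by all AES finalists
ROUNDS = 16  # toy Feistel rounds (assumption, enough for a round trip demo)


def _round_key(key: bytes, label: bytes, i: int) -> bytes:
    """64-bit round subkey; the label makes cipher 'families' A and B differ."""
    return hmac.new(key, label + bytes([i]), hashlib.sha256).digest()[:8]


def _f(subkey: bytes, half: bytes) -> bytes:
    """Feistel round function: keyed HMAC truncated to the half-block size."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes, label: bytes = b"A") -> bytes:
    """Balanced Feistel network over one 16-byte block."""
    if len(block) != BLOCK:
        raise ValueError("toy cipher takes exactly one 16-byte block")
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(_round_key(key, label, i), r))
    return l + r


def toy_decrypt(key: bytes, block: bytes, label: bytes = b"A") -> bytes:
    """Inverse of toy_encrypt: same rounds, applied in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("toy cipher takes exactly one 16-byte block")
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(_round_key(key, label, i), l)), l
    return l + r


# Two distinct "ciphers" (families A and B), each as (encrypt, decrypt).
CIPHER_A = (partial(toy_encrypt, label=b"A"), partial(toy_decrypt, label=b"A"))
CIPHER_B = (partial(toy_encrypt, label=b"B"), partial(toy_decrypt, label=b"B"))


def derive_stage_keys(master: bytes, labels) -> list:
    """HKDF-style expansion: one 256-bit key per stage from the master secret.

    The stages never see the same literal key, but the derivation is
    deterministic: whoever holds `master` recovers every stage key, which
    is the key-compromise point raised in the thread.
    """
    return [hmac.new(master, b"PES stage key|" + lab, hashlib.sha256).digest()
            for lab in labels]


def cascade_encrypt(stages, block: bytes) -> bytes:
    """stages: list of (encrypt_fn, key) applied in the given order."""
    for enc, key in stages:
        block = enc(key, block)
    return block


def cascade_decrypt(stages, block: bytes) -> bytes:
    """stages: list of (decrypt_fn, key) in encryption order; undone in reverse."""
    for dec, key in reversed(stages):
        block = dec(key, block)
    return block


def cascade_with_derived_keys(master: bytes, plaintext: bytes):
    """Cipher A then cipher B, each under its own derived stage key."""
    ka, kb = derive_stage_keys(master, [b"A", b"B"])
    ct = cascade_encrypt([(CIPHER_A[0], ka), (CIPHER_B[0], kb)], plaintext)
    pt = cascade_decrypt([(CIPHER_A[1], ka), (CIPHER_B[1], kb)], ct)
    return ct, pt


def degenerate_same_key_cascade(key: bytes, plaintext: bytes) -> bytes:
    """Same literal key in both stages, and stage 2 is the inverse of stage 1.

    The cascade collapses to the identity map: the ciphertext IS the
    plaintext. A contrived case, but it shows that the 'at least as strong
    as the first cipher' argument needs independent stage keys.
    """
    return cascade_encrypt([(CIPHER_A[0], key), (CIPHER_A[1], key)], plaintext)


if __name__ == "__main__":
    master = bytes(range(32))          # constructed sample master secret
    pt = b"sixteen byte blk"           # constructed sample block
    ct, back = cascade_with_derived_keys(master, pt)
    print("cascade ct:", ct.hex(), "round trip ok:", back == pt)
    print("degenerate same-key cascade returns plaintext:",
          degenerate_same_key_cascade(master, pt) == pt)
```

The derived-key path is the form a practitioner would actually deploy: the stages are keyed independently of one another even though a single master secret is shared, which is the precondition of Maurer and Massey's result that a cascade is at least as strong as its first component. The degenerate function shows what the same-literal-key variant gives up: with related keys there is no such guarantee in general, and in the extreme case the second stage simply undoes the first.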