CDR: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

Arnold G. Reinhold reinhold at WORLD.STD.COM
Fri Oct 27 10:29:23 PDT 2000


At 4:16 PM +1100 10/27/2000, Damien Miller wrote:
>On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:
>
>> simple way to combine the AES finalists and take advantage of all the
>> testing that each has already undergone.  And, IMHO, it is an
>> interesting theoretical question as well.  Even if the answer is
>> "yes," I am not advocating that it be used in most common
>> applications, e.g. network security, because there are so many greater
>> risks to be dealt with. But it might make sense in some narrow, high
>> value, applications.
>
>What threat model do you propose that would require this?

o Your opponent has the cryptologic capabilities of a major world power
o The content has very high value (multi-billion dollar deal, could 
bring down a government, could start a war)
o Long term protection is required (30+ years)
o You are in a position to properly secure the terminals at both ends
o Efficiency is not a concern

For example, a chief of state's personal diary, an opposition 
leader's communications, best and final bids on large projects, etc.

>
>I can't think of anything that isn't contrived and couldn't be served
>by using 3DES.
>

In a way I see this question as how one should manage the transition 
from 3DES to AES. Does one keep using DES until the big day and then 
switch to AES? Or does a blended solution make sense in some cases?

While I think there may be a use for something like a Paranoid 
Encryption Standard in very unusual situations, I don't wish to waste 
more of people's time arguing with those who say there's no need for 
it at all. I don't have any compelling evidence.  It's pure 
speculation.

I am really more interested in the theoretical "why not?" question, 
i.e. is there any real downside in combining ciphers in this way, 
besides efficiency?  Conventional wisdom seems to be more cautious 
than I think is justified and I am trying to prove that.

Arnold Reinhold




