CDR: RE: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

Carskadden, Rush carskar at netsolve.net
Fri Oct 27 13:38:37 PDT 2000


     Cool. I have to think about this some more and see if I can provide you
with a proof either way, but for now you're right. I am operating entirely
on conventional wisdom. That is not sound. My assumption here (offered for
your opinion) is that provided a working knowledge of the actual ciphers and
a copy of the key (compromised through a weakness in one of the ciphers),
that I could use that same key, along with the respective decryption
algorithms, to completely unravel all of the encryption. Granted,
step-by-step analysis would almost definitely not include plaintext related
attacks (as deciphered text from one algorithm simply results in
unobfuscated text resulting from the previously implemented cipher), but my
knee-jerk reaction here is to think that if one could compromise the last
cipher applied and derive the key, then the entire scheme would be blown. If
this is the case, then the strength of the entire cipher is only as strong
as its weakest link. On the other hand, I would think that some chain of
ciphers that all used different keys (preferably not derivative) would seem
stronger to me. At any rate, please keep me posted on your thoughts.

ok,
Rush Carskadden



-----Original Message-----
From: Arnold G. Reinhold [mailto:reinhold at world.std.com]
Sent: Friday, October 27, 2000 3:20 PM
To: Carskadden, Rush; Damien Miller
Cc: John Kelsey; Bram Cohen; cryptography at c2.net;
cypherpunks at cyberpass.net
Subject: RE: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)


At 1:00 PM -0500 10/27/2000, Carskadden, Rush wrote:
>Are you guys still talking about the feasibility of a cipher that 
>implements each AES candidate in turn with the same key? I don't 
>really get this idea. Provided you were actually using the same key 
>with each stage of the encryption, then your system is only going to 
>be as secure as the key of the first algorithm. In fact, it seems 
>that if the key is compromised at any one point, then the entire 
>system is shot, given that you know the algorithm (Kerckhoffs' 
>principle IIRC). Maybe I am misunderstanding.
>

That is the theoretical question that I am asking. What you say 
appears to be the conventional wisdom, and I am claiming that it is 
wrong.  As long as there is some way to make sure that none of the 
ciphers in a chain are inverses of the others, or close to an 
inverse, in some sense, then I claim as long as one of the ciphers is 
strong, there is no way to get any information out about the keys 
from the other ciphers, even if they are all designed to reveal that 
information.

As a practical matter, you may as well derive the sub keys from the 
master key using a one-way hash, but I am questioning the theoretical 
justification for doing that.  Massey and Maurer base their paper on 
oracles that give you the key for all component ciphers but one. I am 
saying such oracles cannot exist if one of the ciphers is strong and 
"inverses" of the strong cipher are excluded.

Arnold Reinhold
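The two points above, that a cascade is only safe when no stage is an inverse (or near inverse) of another, and that in practice one derives per-stage sub keys from the master key with a one-way hash, can be made concrete with a small experiment. The following Python is an added example written for this thread, not code from either correspondent. It uses a constructed toy stream cipher (SHA-256 in counter mode, XORed onto the data) precisely because an XOR stream cipher is its own inverse: chaining it twice under the same key is the degenerate case Reinhold excludes, and the cascade hands back the plaintext. Deriving distinct sub keys with HMAC-SHA256 (the hash-derivation step mentioned as the practical choice) removes that cancellation. The key, the label strings and the plaintext are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration.
MASTER = b"constructed master key"
PLAINTEXT = b"sample plaintext"


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key || counter), concatenated until
    `length` bytes are produced. Illustrative only; not a standard cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream. Because XOR is an
    involution, this cipher is its own inverse under a fixed key."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def cascade(keys, data: bytes) -> bytes:
    """Apply the toy cipher once per key, in order (the 'chain of ciphers')."""
    for k in keys:
        data = xor_cipher(k, data)
    return data


def derive_subkeys(master: bytes, n: int):
    """Per-stage sub keys from the master key via a one-way function
    (HMAC-SHA256 with a constructed per-stage label)."""
    return [hmac.new(master, b"stage-%d" % i, hashlib.sha256).digest()
            for i in range(n)]


def same_key_cascade(master: bytes = MASTER, plaintext: bytes = PLAINTEXT) -> bytes:
    """Two stages that are exact inverses of each other under the same key:
    the second stage undoes the first, so the cascade returns the plaintext."""
    return cascade([master, master], plaintext)


def derived_key_cascade(master: bytes = MASTER, plaintext: bytes = PLAINTEXT) -> bytes:
    """Same two stages, but each driven by its own hash-derived sub key."""
    return cascade(derive_subkeys(master, 2), plaintext)


def decrypt_derived(master: bytes, ciphertext: bytes) -> bytes:
    """Undo derived_key_cascade by applying the stages in reverse order."""
    return cascade(reversed(derive_subkeys(master, 2)), ciphertext)


if __name__ == "__main__":
    print("same key, self-inverse stages :", same_key_cascade())
    ct = derived_key_cascade()
    print("hash-derived sub keys         :", ct.hex())
    print("decrypts back to              :", decrypt_derived(MASTER, ct))
```

With real block ciphers a same-key cascade does not literally cancel out like this, but the toy shows why the "no stage is an inverse of another" condition cannot simply be dropped from the theoretical claim, and why hash-derived sub keys are the cheap way to make the question moot in practice.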