CDR: RE: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)
Arnold G. Reinhold
reinhold at world.std.com
Fri Oct 27 13:20:11 PDT 2000

At 1:00 PM -0500 10/27/2000, Carskadden, Rush wrote:
>Are you guys still talking about the feasibility of a cipher that
>implements each AES candidate in turn with the same key? I don't
>really get this idea. Provided you were actually using the same key
>with each stage of the encryption, then your system is only going to
>be as secure as the key of the first algorithm. In fact, it seems
>that if the key is compromised at any one point, then the entire
>system is shot, given that you know the algorithm (Kerckhoff's
>principle IIRC). Maybe I am misunderstanding.

That is the theoretical question that I am asking. What you say
appears to be the conventional wisdom, and I am claiming that it is
wrong. As long as there is some way to make sure that none of the
ciphers in a chain are inverses of the others, or close to an
inverse, in some sense, then I claim as long as one of the ciphers is
strong, there is no way to get any information out about the keys
from the other ciphers, even if they are all designed to reveal that
information.

As a practical matter, you may as well derive the subkeys from the
master key using a one-way hash, but I am questioning the theoretical
justification for doing that. Massey and Maurer base their paper on
oracles that give you the key for all component ciphers but one. I am
saying such oracles cannot exist if one of the ciphers is strong and
"inverses" of the strong cipher are excluded.
Arnold Reinhold
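The two points in the message above, that a cascade keyed with one shared key fails when one stage is (or is close to) the inverse of another, and that deriving per-stage subkeys from the master key with a one-way hash is the practical remedy, can be seen concretely with a toy cascade. The code below is an added illustration written for this archive page; it is not code from the thread or from any AES candidate. It uses a deliberately simple SHA-256 counter-mode keystream as the "cipher" (an additive stream cipher is its own inverse, so two identical stages with the same key cancel out and emit the plaintext), and HMAC-SHA256 with stage labels to derive distinct subkeys. The master key, stage labels and plaintext are constructed sample values, not anything from the discussion.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the original thread).
MASTER_KEY = b"example-master-key-32-bytes-long"
PLAINTEXT = b"attack at dawn"
STAGE_LABELS = [b"cascade-stage-1", b"cascade-stage-2"]


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over the key.
    Illustrative only; not a recommended cipher construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Additive stream cipher stage. Encryption and decryption are the
    same XOR, so this stage is exactly its own inverse, which is the
    property the cascade argument above requires you to exclude."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def cascade(stage_keys: list, data: bytes) -> bytes:
    """Apply each stage in order, each with its own key."""
    for key in stage_keys:
        data = xor_cipher(key, data)
    return data


def cascade_decrypt(stage_keys: list, data: bytes) -> bytes:
    """Undo the cascade by applying the stages in reverse order."""
    return cascade(list(reversed(stage_keys)), data)


def derive_subkeys(master: bytes, labels: list) -> list:
    """Derive one subkey per stage from the master key with a one-way
    keyed hash (HMAC-SHA256), so no two stages share a key."""
    return [hmac.new(master, label, hashlib.sha256).digest() for label in labels]


def same_key_cascade(master: bytes, plaintext: bytes) -> bytes:
    """Failure mode: both stages keyed directly with the master key.
    The second stage inverts the first and the plaintext comes out."""
    return cascade([master, master], plaintext)


def derived_key_cascade(master: bytes, plaintext: bytes) -> bytes:
    """Remedy: each stage gets a hash-derived subkey, so the stages no
    longer cancel."""
    return cascade(derive_subkeys(master, STAGE_LABELS), plaintext)


if __name__ == "__main__":
    leaked = same_key_cascade(MASTER_KEY, PLAINTEXT)
    print("same key, two identical stages ->", leaked)  # plaintext in the clear
    ct = derived_key_cascade(MASTER_KEY, PLAINTEXT)
    print("hash-derived subkeys ->", ct.hex())
    print("round trip ->", cascade_decrypt(derive_subkeys(MASTER_KEY, STAGE_LABELS), ct))
```

The same-key run returns the plaintext byte-for-byte because the second stage is the inverse of the first; this is the degenerate case the argument rules out, and it happens regardless of how strong the keystream function is. With labelled, hash-derived subkeys the two stages use unrelated keys and the cascade decrypts only when the same derived keys are applied in reverse order.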