Anonglish (was: Re: Authenticating Meat)

Peter Fairbrother zenadsl6186 at zen.co.uk
Wed Apr 30 16:03:38 PDT 2003


Trei, Peter wrote:
 
> It really depends on the cipher. If the cipher is a group, then case 1 is
> bad - since
> 
>> blowfish(blowfish(plaintext,key1),key2) = blowfish(plaintext, key3)
>> 
> Some ciphers, such as DES, are not groups. This is why double
> and triple DES are stronger than single DES.

The property of encryption in a particular cipher not being a group
operation is insufficient in itself to make multiple encryptions in that
cipher stronger than single encryptions in it. It may be the case that
multiple encryption is less secure than single encryption. Not likely, but
it is possible.


And Jamie Lawrence wrote:

> On Wed, 30 Apr 2003, Sunder wrote:

>> blowfish(blowfish(plaintext,key1),key2) is bad,
> 
> I believe it doesn't gain you anything, but it isn't "bad" in the sense
> of weakening anything.

If the encryption is a group operation then at best multiple encryptions
using that cipher are as strong as single encryptions - but if the keys are
related then it is possible that multiple encryptions may be weaker, and
it's a difficult (maybe even hard) problem to decide whether the keys are
related.


Then there's the meet-in-the-middle attack, qua google.



Using multiple encryption in different ciphers is a fraught subject, full of
potential pitfalls. It hasn't been well researched, probably partly because
it's so complex. It is possible that it can be less secure than single
encryption in a single cipher.

Personally, for the two ciphers case, I'd choose Blowfish and AES, ensuring
the keys are randomly and separately generated, because Blowfish is a
Feistel cipher and AES isn't (and because both are well-peer-reviewed, and
available), but that's just a feeling which I can't really justify
mathematically.



(All this is a bit nit-picking-ish, except the [multiple encryption with a
cipher that is a group operation can't be stronger than a single encryption
with that cipher] bit, and anything else is not _likely_ to be relevant, but
it still should be considered when designing multiple encryption systems)

-- 
Peter Fairbrother
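
The two points discussed in the message above, as an added example that is not part of the original post: a cipher that is a group collapses double encryption into a single equivalent key, and double encryption under independent keys still falls to a meet-in-the-middle search costing about twice a single-key search. Both ciphers (an affine map on bytes and a 4-round Feistel with a 12-bit key) and all names are constructed toys chosen for illustration, not Blowfish or DES.

```python
KEYBITS = 12   # toy key size so the search runs in well under a second
MASK = 0xFFFF

# Case 1: a cipher that is a group (constructed affine map on bytes).
def affine_enc(data, key):
    a, b = key                      # a must be odd to be invertible mod 256
    return bytes((a * x + b) % 256 for x in data)

def affine_compose(k1, k2):
    """Single key equivalent to encrypting with k1 and then with k2."""
    (a1, b1), (a2, b2) = k1, k2
    return (a2 * a1 % 256, (a2 * b1 + b2) % 256)

# Case 2: constructed 32-bit Feistel toy cipher with a 12-bit key.
def _f(half, key, rnd):
    x = (half * 0x9E37 + key * 0x0101 + rnd) & MASK
    return ((x << 5) | (x >> 11)) & MASK

def feistel_enc(block, key):
    l, r = block >> 16, block & MASK
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def feistel_dec(block, key):
    l, r = block >> 16, block & MASK
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def double_enc(block, k1, k2):
    return feistel_enc(feistel_enc(block, k1), k2)

def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known plaintext/ciphertext pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                      # middle value -> list of k1 producing it
    for k1 in range(1 << KEYBITS):
        table.setdefault(feistel_enc(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEYBITS):  # about 2 * 2**12 cipher calls, not 2**24
        for k1 in table.get(feistel_dec(c0, k2), []):
            if all(double_enc(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    pairs = [(p, double_enc(p, 0x3A7, 0xC15)) for p in (0x01234567, 0x89ABCDEF)]
    print(meet_in_the_middle(pairs))
```

The extra known pairs are what filter out chance collisions in the middle value; with a single pair the search can return false candidates.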




