   Are you guys still talking about the feasibility of a cipher that
   implements each AES candidate in turn with the same key? I don't really
   get this idea. Provided you were actually using the same key with each
   stage of the encryption, then your system is only gong to be as secure
   as the key of the first algorithm. In fact, it seems that if the key is
   compromised at any one point, then the entire system is shot, given
   that you know the algorithm (Kerckhoff's principle IIRC). Maybe I am
   misunderstanding.

   ok,
   Rush Carskadden

   -----Original Message-----
   From: Arnold G. Reinhold [[1]mailto:reinhold@WORLD.STD.COM]
   Sent: Friday, October 27, 2000 12:29 PM
   To: Damien Miller
   Cc: John Kelsey; Bram Cohen; cryptography@c2.net;
   cypherpunks@cyberpass.net
   Subject: Re: Paranoid Encryption Standard (was Re: Rijndael & Hitachi)

   At 4:16 PM +1100 10/27/2000, Damien Miller wrote:
   >On Thu, 26 Oct 2000, Arnold G. Reinhold wrote:
   >
   >> simple way to combine the AES finalists and take advantage of all
   the
   >> testing that each has already undergone.  And, IMHO, it is an
   >> interesting theoretical question as well.  Even if the answer is
   >> "yes," I am not advocating that it be used in most common
   >> applications, e.g network security, because there are so many
   greater
   >> risks to be dealt with. But it might make sense in some narrow, high
   >> value, applications.
   >
   >What threat model do you propose that would require this?

   o Your opponent has the cryptologic capabilities of the a major world
   power
   o The content has very high value (multi-billion dollar deal, could
   bring down a government, could start a war)
   o Long term protection is required (30+ years)
   o You are in a position to properly secure the terminals at both ends
   0 Efficiency is not a concern

   For example, a chief of state's personal diary, an opposition
   leader's communications, best and final bids on large projects, etc.

   >
   >I can't think of anything that isn't contrived and couldn't be served
   >by using 3DES.
   >

   In a way I see this question as how one should manage the transition
   from 3DES to AES. Does one keep using DES until the big day and then
   switch to AES? Or does a blended solution make sense in some cases?

   While I think there may be a use for something like a Paranoid
   Encryption Standard in very unusual situations, I don't wish to waste
   more of people's time arguing with those who say there's no need for
   it at all. I don't have any compelling evidence.  It's pure
   speculation.

   I am really more interested in the theoretical "why not?" question,
   i.e. is there any real downside in combining ciphers in this way,
   besides efficiency?  Conventional wisdom seems to be more cautious
   than I think is justified and I am trying to prove that.

   Arnold Reinhold

References

   1. mailto:reinhold@WORLD.STD.COM