-----BEGIN PGP SIGNED MESSAGE-----
At 01:44 PM 10/10/00 -0400, Arnold G. Reinhold wrote:
...
>I was thinking it might be useful to define a "Paranoid
>Encryption Standard (PES)" that is a concatenation of all
>five AES finalists, applied in alphabetical order, all with
>the same key (128-bit or 256-bit). If in fact RC6 is the
>only finalist still subject to licensing by its developer,
>it could be replaced by DEAL (alphabetized under "D"). Since
>DEAL is based on DES, it brings the decades of testing and
>analysis DES has received to the party.
This basic idea is discussed in Massey and Maurer's ``The
Importance of Being First'' paper. There are a couple
issues:
a. The keys need to be independent. (Otherwise, imagine if
cipher #1 is DES encryption, and cipher #2 is DES
decryption.)
b. There order of the ciphers matters for the kind of
security proof you can do. If you do Twofish, then
Rijndael, you can prove that a known-plaintext attack on
this system = a known plaintext attack on Twofish and a
chosen-plaintext attack on Rijndael. (That is, the combined
system can be no easier to break than the easier of a
known-plaintext attack on Twofish or a chosen-plaintext
attack on Rijndael.)
A smarter way to do this is to do OFB-mode or counter-mode
with all N ciphers. That way, you can prove that breaking
the resulting cipher is equivalent to breaking OFB mode
encryption under all N of the ciphers.
>DEAL was dinged in
>the first round because "it is claimed that DEAL-192 is no
>more secure than DEAL-128" and "equivalent keys are claimed
>for a fraction (2**-64) of the 192-bit and 256-bit key
>spaces."
>http://csrc.nist.gov/encryption/aes/round1/r1report.htm#sec2.3.1
>I don't think either issues is reason to exclude DEAL in
>this role, though if there were tweaks to DEAL that resolved
>them, they might be worth including.
The dings in DEAL wouldn't amount to much in this setting,
in practice. (Okay, so the dings in DEAL wouldn't ever
matter in practice, unless you wanted to use DEAL alone for
a hashing construction.)
>Arnold Reinhold
--John Kelsey, Counterpane Internet Security, [EMAIL PROTECTED]
PGP Fingerprint: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>
Comment: foo
iQCVAwUBOeUCFiZv+/Ry/LrBAQF0bwP+OGBvMrvtcFQyOupBv4ulvTzjMtFWcSMU
FfRRzFq3YSw3M2KkBsFiK2RPJJngh2LBfGLLSW8F5COpXkWmByKbrABqNsWufx5V
8fBexLjwZwC2zyJq/R+ynfdlx7IqYycjL1ZpRek2hwL5VYFKu2CCROCU9xcAunXK
6KEPFGPQ7iQ=
=yCFE
-----END PGP SIGNATURE-----
