On 9/16/13 at 12:36 PM, leich...@lrw.com (Jerry Leichter) wrote:
On Sep 16, 2013, at 12:44 PM, Bill Frantz <fra...@pwpconsult.com> wrote:
After Rijndael was selected as AES, someone suggested the really paranoid
should super encrypt with
all 5 finalests in the competition. Five level super encryption
is probably overkill, but two or three levels can offer some
real advantages. So consider simple combinations of techniques
which are at least as secure as the better of them....
This is trickier than it looks.
Joux's paper "Multicollisions in iterated hash functions"
http://www.iacr.org/archive/crypto2004/31520306/multicollisions.ps
shows that "finding ... r-tuples of messages that all hash to
the same value is not much harder than finding ... pairs of
messages". This has some surprising implications. In
particular, Joux uses it to show that, if F(X) and G(X) are
cryptographic hash functions, then H(X) = F(X) || G(X) (|| is
concatenation) is about as hard as the harder of F and G - but
no harder.
That's not to say that it's not possible to combine multiple
instances of cryptographic primitives in a way that
significantly increases security. But, as many people found
when they tried to find a way to use DES as a primitive to
construction an encryption function with a wider key or with a
bigger block size, it's not easy - and certainly not if you
want to get reasonable performance.
This kind of result is why us crypto plumbers should always
consult real cryptographers. :-)
I am not so much trying to make the construction better than the
algorithms being used, like 3DES is much more secure than 1DES,
(and significantly extended the useful life of DES); but to make
a construction that is at least as good as the best algorithm
being used.
The idea is that when serious problems are discovered with one
algorithm, you don't have to scramble to replace the entire
crypto suite. The other algorithm will cover your tail while you
make an orderly upgrade to your system.
Obviously you want to chose algorithms which are likely to have
different failure modes -- which I why I suggest that RC4 (or an
extension thereof) might still be useful. The added safety also
allows you to experiment with less examined algorithms.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz |The nice thing about standards| Periwinkle
(408)356-8506 |is there are so many to choose| 16345
Englewood Ave
www.pwpconsult.com |from. - Andrew Tanenbaum | Los Gatos,
CA 95032
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
