Re: Can we obtain securer data encryption if we encrypt the data once more?
From: Ernst Lippe (ernstl-at-planet-dot-nl_at_ignore.this)
Date: 06/23/03
- Next message: Danilo Gligoroski: "Re: Hey - Livermore knows how to crack 3DES!"
- Previous message: Mrsjunecarey: "Re: Stream Cipher Like SEAL Wanted ...."
- In reply to: Mark Wooding: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Next in thread: Mark Wooding: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Reply: Mark Wooding: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Reply: David Hopwood: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 23 Jun 2003 13:50:55 +0200
On Mon, 23 Jun 2003 10:36:14 +0000, Mark Wooding wrote:
> Richard Heathfield <invalid@address.co.uk.invalid> wrote:
>
>> > For if it does, an adversary faced with one of the two schemes can
>> > simply make up a key for the other one and pretend to himself that
>> > he's attacking the composition. Hence, the composition is at least
>> > as strong as the stronger scheme.
>>
>> Or there is mileage in this adversary's scheme.
>
> But that implies that, in fact, /both/ of the encryption schemes was
> weak, contrary to hypothesis. Hence the theorem is proved...
>
>> I'm not saying it isn't a daft idea. I'm just saying I don't recall
>> anyone mentioning a proof to support what I think even the most
>> amateurish amongst us (i.e. me) can intuitively understand to be true.
>
> Ah. That was indeed an attempt at just such a proof. I was going to
> embark on one of my usual incomprehensible articles filled with $(t, q,
> \epsilon)$-secure partridges in peartrees, but took them out.
>
> Just to keep the TeXnician in me happy, I'll write $E$ for the first
> encryption scheme, and $E'$ for the second; the composed scheme is then
> $E \o E'$ (where $\o$ is a little raised-`o' function composition sign).
>
> I'm going to try to prove that, if at least one of $E$ and $E'$ is
> secure, then the composition $E \o E'$ is secure. (Exactly what
> `secure' means is something I'm going to gloss over -- the proof works
> for a number of different definitions of `secure' and `composition', so
> you can slot your own in later...[1])
Essentially what you are trying to prove is what Maurer and Massey
called the Folk Theorem. Somewhat surprisingly perhaps, they
proved that is was false. Their article, "Cascade Ciphers: The
importance of being first" that you can find at
http://www.crypto.ethz.ch/pubs/MauMas93a contains a nice counter
example.
Also you forgot to require that the keys must be independent.
Without that condition you could select encryption with a certain
key as the first cipher and the corresponding decryption with the
same key as the second cipher. Each of these is secure when used
in isolation but when they are composed the end-result obviously
is not.
greetings,
Ernst Lippe
- Next message: Danilo Gligoroski: "Re: Hey - Livermore knows how to crack 3DES!"
- Previous message: Mrsjunecarey: "Re: Stream Cipher Like SEAL Wanted ...."
- In reply to: Mark Wooding: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Next in thread: Mark Wooding: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Reply: Mark Wooding: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Reply: David Hopwood: "Re: Can we obtain securer data encryption if we encrypt the data once more?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
