Re: Multiple encryption: again, and again, and again...

From: Matthew Skala (
Date: 08/10/03

Date: 10 Aug 2003 09:40:45 -0400

In article <>,
Kev <> wrote:
>Now let's imagine that the plaintext is encrypted once with AES, and
>then the resultant ciphertext (pure ciphertext that is - no
>headers/footers) is re-encrypted with Blowfish. This time, the brute

>other. The only way to brute force this time is to take the very first
>Blowfish key, then try every single AES key, then the second Blowfish

A meet-in-the-middle attack is faster than pure brute force: take a
plaintext/ciphertext pair, encrypt plaintext with all possible AES keys,
store them, decrypt plaintext with all possible Blowfish keys, check the
results of that against the stored AES encryptions. The time cost is
(time for brute-forcing AES) plus (time for brute-forcing Blowfish) plus a
little bit of time (probably less than either of those) for doing the
correlation. You also need storage for every possible block - which is an
insanely unrealistic assumption, but no sillier than the assumption you're
already making of the attacker having time to brute-force AES or Blowfish
at all.

For the same reason we use triple DES instead of double DES, it's
necessary to use three stages of this kind of construction to get the
level of security that we'd naively expect to get from two stages.

>concern), if only as a safeguard against future advances it computing
>speed? Or do you think that a single strong 256-bit key is perfectly
>adequate, and safe against potential advances it computing speed, at
>least during our lifetimes?

One reason to avoid multiple layers of encryption is that it's an
inefficient use of key material. The same number of key bits with a
monolithic cipher would provide a better expected level of security, at
least if you're concerned about brute force instead of flaws in a
particular cipher. (Your example was of an attacker powerful enough to
brute-force AES or Blowfish, not an attacker with a magic AES-cancelling
wand or back door who would still have to attack Blowfish in the usual
way.) Since longer keys are harder to distribute securely and attackers
will be attacking key distribution in preference to ciphers anyway,
something that extends keys significantly in order to protect against an
attack you were already protected against adequately anyway, isn't a win.

Matthew Skala                    Embrace and defend.