Re: Needle in a haystack--or is this just stupid?

From: Terry Ritter (
Date: 07/02/05

Date: 1 Jul 2005 17:06:32 -0700

John E. Hadstate wrote:
> <Crypto@S.M.S> wrote in message
> >
> > The underlying layers are protecting against the most
> > obvious
> > failure: a new algorithm which makes your hashing or
> > encryption
> > algorithm less than secure.
> If you don't have complete faith in a particular algorithm,
> why are you using it at all?

The history of cryptography is rife with
actual occurrences of the answer to that
question. Many people have had "complete
faith" in their ciphers, and the ciphers
were weak anyway. Faith has nothing to do
with cryptographic strength.

I suppose that most people have faith in a
cipher because they are told by "experts" to
have such faith. Unfortunately, there can
be no expertise on the capabilities of our
opponents, since they do not talk. Claims
of absolute strength are almost always
irrational and unsupportable.

In fact, our *opponents* may swear up and down
that anything other than a particular cipher
is unreasonable, just to get us to use a
particular cipher. But if we look at their
argument in detail, there are always problems:
There can be no rational basis for claiming
complete strength.

There is no mathematical proof of security
for any cipher in practice. The obvious
consequence is that any cipher may have
weakness. It is rationally impossible to
pick "a particular algorithm" in which to
have faith, when no such faith can be had.

> If you do, why bother with
> "layering?" An attacker is not going to peel off layers;
> he's going to attack the whole concoction.

To the contrary: Attempting to "peel off layers"
is a common approach. Each round in a conventional
block cipher can be considered a "layer" (although
I distinguish between rounds and layers in analysis
to expose different issues). Various block cipher
attacks attempt to expose outer rounds in hopes
of making progress.

Seeing a cipher as some sort of black box that
cannot usefully be partitioned is very uncommon
and also unlikely to succeed. Ciphers are usually
attacked by exploiting known characteristics and
limitations in their design.

Many of the attacks in the literature are
known-plaintext attacks, to the extent that
attack power is often described by the number
of known-plaintext blocks needed. Clearly, a
sequence of ciphers hides known-plaintext for
each of the individual ciphers, thus avoiding
that class of attack on the individual ciphers.
If that was the strongest attack, avoiding
that attack makes the cipher stronger.

The advantage is in doing something that could
reasonably add strength, and which apparently
does add strength inside block ciphers. The
alternative would seem to be to do nothing at
all under the unproven assertions that nothing
is needed or that nothing else could possibly

But if it is reasonable to assert strength (as
in nothing else is needed), it should be almost
as reasonable to assert that nobody is listening,
in which case we need no cipher at all. Such
assertions are just nonsense.

And to assert that nothing else could help would
imply a design perfection we rarely see in things
constructed by Man.

> There's no real reason to think that your "layered" cipher
> is more difficult to attack by treating it as a black box
> and ignoring the layering altogether. (Read on.)
> > Please read
> > this link, as it makes the point very clearly about
> > unknown,
> > yet to be discovered attacks:
> >
> I have read most, if not all, of Terry's web pages. I agree
> with most of his conclusions, am fascinated by some of them,
> and am utterly baffled by a tiny fraction of them. Terry
> is, so far as I know, a successful crypto engineer who tends
> to do things his own way. I won't fault his approach.
> It makes no sense to me that we should conclude that the
> composition of two ciphers is "more secure" than either
> cipher alone when we can't agree on how to quantify what we
> mean by "secure". We can't prove that any unbroken cipher
> is "secure", so how can we prove that the composition of two
> such ciphers is "more secure". It's not reasonable, and
> it's not even common sense.

The issue is not about strong ciphers. If we can
guarantee a cipher to be strong, we only need one

Unfortunately, we don't have that guarantee.
The direct consequence is that any cipher we use
may be weak to some form of effective attack.
Using that cipher alone means cryptographic failure.
The hoped-for advantage of using multiple ciphers
is to do something to prevent that failure.

Placing a weak cipher in a stack with other ciphers
means that the ability to attack that single cipher
is restricted or eliminated. Even if an opponent
could break all three ciphers in a stack, that
does not mean the ciphers can be similarly attacked
when they are applied in sequence. This is
analogous to conventional block ciphers composed
of rounds: individual rounds are weak, but the
sequence of rounds is arguably stronger.

> > Because in the long run, it all comes down to
> > budgets, and how much energy/money the attackers are
> > willing
> > to throw at the problem. An attacker with infinite
> > resources
> > can break anything. History has shown us that.
> Well, barring Joe Peschel's picking of the obvious nit, the
> world of cryptography changed significantly after computers
> and information theory were applied to it. Having
> historical perspective is fine, but directly applying
> lessons learned before the advent of current technology is
> not particularly well-reasoned.

So your point would be that no computer ciphers
have been found weak?

Terry Ritter   1.3MB Crypto Glossary
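As an added illustration of the known-plaintext point argued above (this is example code written for this page, not code from Ritter's post or from any of his projects), the script below builds a two-layer cascade from a constructed toy XOR cipher, puts a deliberately weak one-byte-key layer under a strong layer, and checks what an attacker holding only the overall (plaintext, ciphertext) pair can see. The layer names, the `layer-N` labels and the toy cipher itself are this example's assumptions; the example also assumes, as the layering argument does, that each layer has its own independent key, and shows why that assumption matters.

```python
import hashlib
import os
from typing import List, Tuple

# Constructed toy cipher for illustration only: XOR with a SHA-256 counter-mode
# keystream. It stands in for "a cipher"; the cascade structure is the point.


def _keystream(key: bytes, label: bytes, nbytes: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(label + key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def layer(key: bytes, label: bytes, data: bytes) -> bytes:
    """One cipher layer; XOR makes encryption and decryption the same operation."""
    ks = _keystream(key, label, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def cascade_encrypt(keys: List[bytes], plaintext: bytes) -> bytes:
    """Apply the layers in order. Each layer gets its own label and must have
    its own independent key (assumption of this example, see same_key_twice_cancels)."""
    if len(set(keys)) != len(keys):
        raise ValueError("cascade layers must use independent keys")
    data = plaintext
    for i, k in enumerate(keys):
        data = layer(k, b"layer-%d" % i, data)
    return data


def cascade_decrypt(keys: List[bytes], ciphertext: bytes) -> bytes:
    data = ciphertext
    for i, k in reversed(list(enumerate(keys))):
        data = layer(k, b"layer-%d" % i, data)
    return data


def layer_inputs_outputs(keys: List[bytes], plaintext: bytes) -> List[Tuple[bytes, bytes]]:
    """The (input, output) pair of every layer, i.e. the known-plaintext pair an
    attack on that single layer would need. Only the key holder can compute this."""
    pairs = []
    data = plaintext
    for i, k in enumerate(keys):
        out = layer(k, b"layer-%d" % i, data)
        pairs.append((data, out))
        data = out
    return pairs


def attacker_has_pair(pairs: List[Tuple[bytes, bytes]], plaintext: bytes, ciphertext: bytes) -> List[bool]:
    """Which layers' pairs are visible to someone holding only the overall
    (plaintext, ciphertext): both ends of the layer must be observable."""
    visible = {plaintext, ciphertext}
    return [inp in visible and out in visible for inp, out in pairs]


def exhaustive_search_weak_key(plaintext: bytes, weak_output: bytes) -> List[int]:
    """The weak layer on its own: given its (input, output) pair, all 256
    one-byte keys can be tried and the wrong ones discarded."""
    return [k for k in range(256) if layer(bytes([k]), b"layer-0", plaintext) == weak_output]


def same_key_twice_cancels(key: bytes, plaintext: bytes) -> bool:
    """Caveat: two XOR layers driven by the same key and label undo each other,
    so that "cascade" is the identity. Independent keys are what layering assumes."""
    once = layer(key, b"shared", plaintext)
    return layer(key, b"shared", once) == plaintext


if __name__ == "__main__":
    plaintext = b"attack at dawn, attack at dawn!!"  # constructed sample, 32 bytes
    weak_key, strong_key = bytes([0x5A]), os.urandom(32)
    keys = [weak_key, strong_key]
    ct = cascade_encrypt(keys, plaintext)
    pairs = layer_inputs_outputs(keys, plaintext)
    print("round trip ok:", cascade_decrypt(keys, ct) == plaintext)
    print("weak layer alone, keys surviving search:", exhaustive_search_weak_key(plaintext, pairs[0][1]))
    print("in cascade, layers with a visible pair:", attacker_has_pair(pairs, plaintext, ct))
    print("weak key alone decrypts cascade:", layer(weak_key, b"layer-0", ct) == plaintext)
    print("same key twice cancels:", same_key_twice_cancels(strong_key, plaintext))
```

Run stand-alone, the script reports that the weak layer's key falls to a 256-trial search when its own input/output pair is available, that neither layer in the cascade has a visible pair, and that recovering the weak key alone does not decrypt the cascade. The last line is the caveat: the argument for layering depends on the layers being keyed independently, which is why `cascade_encrypt` refuses repeated keys.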