Re: Should be in crypto for John E. Hadstate Re: just stupid?

From: Terry Ritter (ritter_at_ciphersbyritter.com)
Date: 08/04/05


Date: 4 Aug 2005 12:31:38 -0700

Crypto@S.M.S wrote:
> Tom St Denis wrote:
>
> > Terry Ritter wrote:
> >
> >>>The end result of a multiple encryption of cipher A, B, and C is the cipher
> >>>ABC, a single cipher that, in effect, is now the "single point of failure."
> >>
> >>Obviously not: The cipher composed of ciphers
> >>A, B, and C still has ciphers B and C active
> >>when cipher A fails. That is the redundancy
> >>which specifically addresses the "single point
> >>of failure" problem. So if A has been broken
> >>in secret, I still win.
> >
> >
> > More nonsense. Who says this magical new attack only applies to A?
> >
> > Add fire element!!!! make it hot!!!!
> >
> > This isn't alchemy!
> >
> > Tom
> >
>
> And who says it doesn't. Nobody knows for sure.
> This uncertainty is one of the many reasons for using multi crypto.

The topic is Multiple Encryption. The question
is whether ME should be used. Certainly ME has
some obvious costs; the question is whether ME
provides compensating advantages. The issue ME
addresses is the case that our main cipher has
been broken in secret.

For analysis we have a straightforward comparison
between two systems:

The first system has exactly one cipher, for
convenience called A. That is the "main" cipher,
the one we would ordinarily use if we were going
to use just one cipher.

The other system has that same cipher plus others,
here called B and C.

The issue is what happens when A has been broken
in secret by our opponents. That would of course
mean that our secrecy was being compromised and
probably exploited.

In the first system, all secrecy is lost without
question so in that case cryptography has failed.
All the effort put into theory, proof, design,
analysis, implementation and operation was for
naught.

In the second system, B and C provide secrecy
as well as they can, which is all we can ever
do, which is obviously better than the abject
failure of the first system.

Despite the failure of A, there is reason to be
hopeful about security in the second system:
In most cases, the best attacks on A, B and C
cannot be applied when the ciphers are not
individually exposed. Thus, it not only seems
likely that the same attack which worked on the
first system will not break all of A, B, and C,
but it may not even be able to break A.

The conclusion may be that Multiple Encryption
seems to provide a significant advantage.
Whether or not that is worthwhile in the context
of particular data systems would depend upon a
deeper engineering analysis. Many commercial
systems may only need security similar to a
credit card we have no problems handing to a
poverty-stricken waiter. However, I would
expect that if serious cryptography is worth
doing, ME is almost always worth doing as well.

Why not analyze B being broken instead?
Because it does not matter:

B being broken obviously does not affect the
first system which does not use B.

Since A is in place in the second system, the
weakness of B does not affect the second system
either.

I suppose the overall conclusion is that Multiple
Encryption does indeed provide failure redundancy
over the case of using just one cipher.

---
Terry Ritter   1.3MB Crypto Glossary
http://www.ciphersbyritter.com/GLOSSARY.HTM


Relevant Pages

  • Re: Countering chosen-plaintext attacks
    ... >> attack on your cipher as proof that the cipher is safe from anyone ... > So we have a disagreement as you said. ... This is why it is called a chosen plaintext attack. ...
    (sci.crypt)
  • Re: demoing sslv2 vulns
    ... But SSL Strip is another attack, it's not because of the weak cipher ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • Re: demoing sslv2 vulns
    ... Here is a demonstration for SSL Strip Attack: ... I don't think you can demonstrate weak cipher attacks via a POC coz ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • =?windows-1252?Q?Re=3A_Counteracting_Different_Attacks_by_Selective_Mea?= =?windows-1252?Q?n
    ...  The cipher that I have invented ... remaining attack i.e. ciphertext-only attack. ... Making my main keyet (the set of change-or-origin vectors random ... I have said just now that there are other keys also. ...
    (sci.crypt)
  • Re: demoing sslv2 vulns
    ... Yeah Richard you are correct this will be for Null prefix attack. ... I don't think you can demonstrate weak cipher attacks via a POC coz ... Information Assurance Certification Review Board ...
    (Pen-Test)