[Cryptography] The paranoid approach to crypto-plumbing

Bill Frantz frantz at pwpconsult.com
Mon Sep 16 18:20:37 EDT 2013


On 9/16/13 at 12:36 PM, leichter at lrw.com (Jerry Leichter) wrote:

>On Sep 16, 2013, at 12:44 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>>After Rijndael was selected as AES, someone suggested the really paranoid should super encrypt with
>>all 5 finalists in the competition. Five level super encryption 
>>is probably overkill, but two or three levels can offer some 
>>real advantages. So consider simple combinations of techniques 
>>which are at least as secure as the better of them....
>This is trickier than it looks.
>
>Joux's paper "Multicollisions in iterated hash functions" http://www.iacr.org/archive/crypto2004/31520306/multicollisions.ps
>shows that "finding ... r-tuples of messages that all hash to 
>the same value is not much harder than finding ... pairs of 
>messages".  This has some surprising implications.  In 
>particular, Joux uses it to show that, if F(X) and G(X) are 
>cryptographic hash functions, then H(X) = F(X) || G(X) (|| is 
>concatenation) is about as hard as the harder of F and G - but 
>no harder.
>
>That's not to say that it's not possible to combine multiple 
>instances of cryptographic primitives in a way that 
>significantly increases security.  But, as many people found 
>when they tried to find a way to use DES as a primitive to 
>construct an encryption function with a wider key or with a 
>bigger block size, it's not easy - and certainly not if you 
>want to get reasonable performance.

This kind of result is why we crypto plumbers should always 
consult real cryptographers. :-)

I am not so much trying to make the construction better than the 
algorithms being used (as 3DES is much more secure than 1DES, 
and significantly extended the useful life of DES), but to make 
a construction that is at least as good as the best algorithm 
being used.

The idea is that when serious problems are discovered with one 
algorithm, you don't have to scramble to replace the entire 
crypto suite. The other algorithm will cover your tail while you 
make an orderly upgrade to your system.

Obviously you want to choose algorithms which are likely to have 
different failure modes -- which is why I suggest that RC4 (or an 
extension thereof) might still be useful. The added safety also 
allows you to experiment with less examined algorithms.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        |The nice thing about standards| Periwinkle
(408)356-8506      |is there are so many to choose| 16345 Englewood Ave
www.pwpconsult.com |from.   - Andrew Tanenbaum    | Los Gatos, CA 95032
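The two-layer cascade Bill is arguing for, written out as an added example (this is not code from the thread or from either correspondent). Layer one is RC4, since he names it; layer two is a SHA-256 counter-mode keystream, chosen so that the two layers share no primitive and are unlikely to share a failure mode. Each layer's per-message key is derived from its own long-term secret; the labels, the RC4-drop count and the helper names are assumptions of this example. peel_layer models the worst case for one layer in the bluntest way possible: the attacker is simply handed that layer's secret. Because each layer is an XOR keystream, the ciphertext is plaintext XOR ks1 XOR ks2, so removing one keystream leaves the message masked by the other, and a broken layer can be replaced by decrypting and re-encrypting under a fresh secret while the surviving layer still covers the data. This only holds if the two secrets are independent (if one were derived from the other, breaking one layer would break both), which is why derive_layer_keys refuses identical secrets. It says nothing about Jerry's hash-concatenation point, which is about collisions rather than confidentiality, and it has no authentication tag; RC4 is here solely to illustrate the discussion.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
RC4_DROP = 3072                  # keystream bytes discarded up front (RC4-drop[n]); assumed value
LABEL1 = b"layer1-rc4|"          # assumed domain-separation labels
LABEL2 = b"layer2-sha256ctr|"


def rc4_keystream(key: bytes, length: int, drop: int = RC4_DROP) -> bytes:
    """RC4 key scheduling plus PRGA; the first `drop` output bytes are skipped."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])


def sha256_ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter), one block at a time."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def secrets_are_independent(secret1: bytes, secret2: bytes) -> bool:
    """Minimal sanity check: long enough and not the same value. Related secrets
    (one derived from the other) cannot be detected here; that is a policy matter."""
    return len(secret1) >= 16 and len(secret2) >= 16 and not hmac.compare_digest(secret1, secret2)


def derive_layer_keys(secret1: bytes, secret2: bytes, nonce: bytes):
    """Per-message key for each layer, each from its own long-term secret."""
    if not secrets_are_independent(secret1, secret2):
        raise ValueError("layer secrets must be independent and at least 128 bits")
    k1 = hmac.new(secret1, LABEL1 + nonce, hashlib.sha256).digest()
    k2 = hmac.new(secret2, LABEL2 + nonce, hashlib.sha256).digest()
    return k1, k2


def cascade_encrypt(secret1: bytes, secret2: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Inner layer RC4, outer layer SHA-256 CTR. Returns nonce || ciphertext."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    k1, k2 = derive_layer_keys(secret1, secret2, nonce)
    n = len(plaintext)
    inner = xor(plaintext, rc4_keystream(k1, n))
    outer = xor(inner, sha256_ctr_keystream(k2, nonce, n))
    return nonce + outer


def cascade_decrypt(secret1: bytes, secret2: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    k1, k2 = derive_layer_keys(secret1, secret2, nonce)
    inner = xor(ct, sha256_ctr_keystream(k2, nonce, len(ct)))
    return xor(inner, rc4_keystream(k1, len(ct)))


def peel_layer(secret: bytes, layer: int, blob: bytes) -> bytes:
    """Model a total break of one layer: the attacker knows that layer's secret
    and strips its keystream. Returns nonce || what remains, still masked by the
    other layer. Needs only the one secret, which is the point of the exercise."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    if layer == 1:
        key = hmac.new(secret, LABEL1 + nonce, hashlib.sha256).digest()
        ks = rc4_keystream(key, len(ct))
    else:
        key = hmac.new(secret, LABEL2 + nonce, hashlib.sha256).digest()
        ks = sha256_ctr_keystream(key, nonce, len(ct))
    return nonce + xor(ct, ks)


if __name__ == "__main__":
    s1, s2 = os.urandom(32), os.urandom(32)          # constructed, independent secrets
    msg = b"constructed sample plaintext: one broken layer must not expose this"
    blob = cascade_encrypt(s1, s2, msg)
    assert cascade_decrypt(s1, s2, blob) == msg
    assert peel_layer(s2, 2, blob)[NONCE_LEN:] != msg  # layer 2 broken, RC4 still covers
    assert peel_layer(s1, 1, blob)[NONCE_LEN:] != msg  # layer 1 broken, SHA-256 CTR still covers
    assert peel_layer(s1, 1, peel_layer(s2, 2, blob))[NONCE_LEN:] == msg  # both broken
    print("cascade survives the loss of either single layer")
```

The RC4 routine with drop=0 reproduces the standard test vector (key "Key" gives keystream EB 9F 77 81 B7 34 CA 72 A7 ...), which is how to confirm the layer is real RC4 and not a typo-ridden lookalike before trusting the rest.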
