data under one key, was Re: analysis and implementation of LRW

Allen netsecurity at
Sun Feb 4 18:40:11 EST 2007

Vlad "SATtva" Miller wrote:
> Allen wrote on 31.01.2007 01:02:
>> I'll skip the rest of your excellent, and thought-provoking post as it
>> is the future and I'm looking at the now.
>> From what you've written and other material I've read, it is clear that
>> even if the horizon isn't as short as five years, it is certainly
>> shorter than 70. Given that it appears what has to be done is the same
>> as the audio industry has had to do with 30 year old master tapes when
>> they discovered that the binder that held the oxide to the backing was
>> becoming gummy and shedding the music as the tape was playing -
>> reconstruct the data and re-encode it using more up to date technology.
>> I guess we will have grunt jobs for a long time to come. :)
> I think you underestimate what Travis said about assurance on
> long-term encrypted data. If an attacker can (and it is very likely) now
> obtain your ciphertext encrypted with a scheme that isn't strong in a
> 70-year perspective, he will be able to break the scheme in the future
> when technology and science allow it, effectively compromising [part
> of] your clients' private data, despite your efforts to re-encrypt it
> later with an improved scheme.
> The point is that the encryption scheme for long-term secrets must be strong
> from the beginning to the end of the time the data needs to stay secret.

Imagine this, if you will. You have a disk with encrypted data
and the key to decrypt it. You can take two paths that I can see:

1. Encrypt the old data and its key with the new, more robust
encryption algorithm and key as you migrate it from the now-aged
HD which is nearing the end of its lifespan. Then use the then-current
disk wiping technology of choice to destroy the old data.
I think a blast furnace might be a great choice for a long time
to come.

2. Decrypt the data using the key and re-encrypt it with the new
algorithm using a new key, then migrate it to a new HD. Afterward
destroy the old drive/data by your favorite method at the time. I
still like the blast furnace as the tool of choice.

Both approaches suffer from one defect in common - there is the
assumption that the old disk you have the data on is the only
copy in existence, clearly a *bad* idea if you should have a
catastrophic failure of the HD or other storage device, so then
it boils down to finding all known and unknown copies of the
encrypted data and securely destroying them as well. Not a safe
assumption, as we know from looking at the history of papers dug
up hundreds of years after the original appeared to be lost forever.

Approach 1 also suffers from the problem that we may not have the
software readily available waaay down the road to decrypt the
many layers of the onion. And that will surely bring tears to our

Since we know that we cannot protect against future developments
in cryptanalysis - just look at both linear and differential
analysis versus earlier tools - how do we create an algorithm
that is proof against the future? Frankly I don't think it is
possible, and storing all those one-time pads is too much of a
headache, as well as risky, to bother with. So what do we do?

This is where I think we need to set our sights on "...good
enough given what we know now...." This does not mean sloppy
thinking, just that at some point you have done the best humanly
possible to assess and mitigate risks.

Anyone got better ideas?


The Cryptography Mailing List