[Cryptography] The paranoid approach to crypto-plumbing

Jerry Leichter leichter at lrw.com
Mon Sep 16 15:36:48 EDT 2013

On Sep 16, 2013, at 12:44 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
> After Rijndael was selected as AES, someone suggested the really paranoid should super encrypt with all 5 finalests in the competition. Five level super encryption is probably overkill, but two or three levels can offer some real advantages. So consider simple combinations of techniques which are at least as secure as the better of them....
This is trickier than it looks.

Joux's paper "Multicollisions in iterated hash functions" http://www.iacr.org/archive/crypto2004/31520306/multicollisions.ps
shows that "finding ... r-tuples of messages that all hash to the same value is not much harder than finding ... pairs of messages".  This has some surprising implications.  In particular, Joux uses it to show that, if F(X) and G(X) are cryptographic hash functions, then H(X) = F(X) || G(X) (|| is concatenation) is about as hard as the harder of F and G - but no harder.

That's not to say that it's not possible to combine multiple instances of cryptographic primitives in a way that significantly increases security.  But, as many people found when they tried to find a way to use DES as a primitive to construction an encryption function with a wider key or with a bigger block size, it's not easy - and certainly not if you want to get reasonable performance.
                                                        -- Jerry

More information about the cryptography mailing list