[Cryptography] End-to-End, One-to-Many, Encryption Question

Ben Laurie ben at links.org
Sun Jun 15 11:49:55 EDT 2014


On 13 June 2014 21:18, Jonathan Katz <jkatz at cs.umd.edu> wrote:
> On Thu, Jun 12, 2014 at 6:50 AM, Ben Laurie <ben at links.org> wrote:
>>
>> On 12 June 2014 07:35, Bill Frantz <frantz at pwpconsult.com> wrote:
>> > On 6/11/14 at 5:49 PM, kentborg at borg.org (Kent Borg) wrote:
>> >
>> >> Is there a way to encrypt once with key A, super-encrypt with key B1 (not
>> >> knowing any other keys), and finally decrypt with key C1 (not knowing any
>> >> other keys)?  Or, super-encrypt with key B2, then decrypt with key C2?
>> >
>> >
>> > This problem is similar to the problem which would occur if an encryption
>> > algorithm was a group. If the algorithm is a group, then there is a key C
>> > which can decrypt a message which is encrypt(B, encrypt(A, text)). DES was
>> > proven to not be a group, making triple-DES a viable way to get the security
>> > of a longer encryption key.
>>
>> All symmetric crypto algorithms need to have keys that are not a
>> group, or there is a meet-in-the-middle attack available.
>
>
> Getting a bit off track here, but I don't think this claim is true for at least
> two reasons:
>
> First, the issue with being a group is that it implies that *double* or
> *triple*-key encryption does not yield the expected level of security.
> Vulnerability of *single*-key encryption to a meet-in-the-middle attack is,
> as far as I know, specific to DES.

What? DES is not, AFAIK, vulnerable to meet-in-the-middle. But any
algorithm whose keys form a group under composition would be.

> Second, vulnerability to a meet-in-the-middle attack just means that the
> algorithm does not achieve security equal to its bit-length; it does not
> mean the algorithm is not secure. (Note that public-key algorithms do not
> achieve security equal to their bit-length either...)

True, the security would be half the bit length (at best). But since
symmetric algorithms exist whose security is thought to be roughly
equal to key length, half the key length is pretty crappy.
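
Added example, not part of the original thread: a toy affine cipher over Z_251 whose keys are closed under composition, illustrating both points discussed above (a single key C equivalent to encrypting with A then B, and a known-plaintext meet-in-the-middle search against a *single* key that costs roughly the square root of the keyspace). The cipher, the modulus, the sample plaintext and all function names are constructed for illustration.

```python
import random

P = 251  # toy prime modulus (constructed); a key is (a, b) with a != 0

def enc(key, block):
    a, b = key
    return tuple((a * x + b) % P for x in block)

def dec(key, block):
    a, b = key
    a_inv = pow(a, -1, P)  # modular inverse, Python 3.8+
    return tuple((a_inv * (y - b)) % P for y in block)

def compose(k1, k2):
    """Single key equivalent to enc(k2, enc(k1, .)): the keys are closed."""
    (a1, b1), (a2, b2) = k1, k2
    return ((a2 * a1) % P, (a2 * b1 + b2) % P)

def random_key(rng):
    return (rng.randrange(1, P), rng.randrange(P))

def mitm_recover(plain, cipher, rng, table_size=1000):
    """Find ka, kb with enc(ka, plain) == dec(kb, cipher); closure then
    turns the pair into one key mapping plain to cipher."""
    forward = {}
    for _ in range(table_size):          # forward half: encrypt the plaintext
        k = random_key(rng)
        forward[enc(k, plain)] = k
    work = table_size
    while True:                          # backward half: decrypt the ciphertext
        kb = random_key(rng)
        work += 1
        mid = dec(kb, cipher)
        if mid in forward:
            return compose(forward[mid], kb), work

def demo(seed=2014):
    rng = random.Random(seed)
    secret = random_key(rng)
    plain = (7, 42)                      # two distinct symbols pin down one key
    cipher = enc(secret, plain)
    found, work = mitm_recover(plain, cipher, rng)
    return secret, found, work, P * (P - 1)

if __name__ == "__main__":
    secret, found, work, keyspace = demo()
    print(f"secret={secret} found={found} work={work} keyspace={keyspace}")
```

For a cipher whose keys are not closed under composition, the matching pair (ka, kb) would not collapse into a single key, so the same search says nothing about the single-key cipher.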

