[Cryptography] End-to-End, One-to-Many, Encryption Question

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Jun 15 14:29:02 EDT 2014


On 12/06/14 11:50, Ben Laurie wrote:
> On 12 June 2014 07:35, Bill Frantz <frantz at pwpconsult.com> wrote:
>> On 6/11/14 at 5:49 PM, kentborg at borg.org (Kent Borg) wrote:
>>
>>> Is there a way to encrypt once with key A, super-encrypt with
>>> key B1 (not knowing any other keys), and finally decrypt with key
>>> C1 (not knowing any other keys)?  Or, super-encrypt with key B2,
>>> then decrypt with key C2?
>>
>>
>> This problem is similar to the problem which would occur if an
>> encryption algorithm was a group. If the algorithm is a group,
>> then there is a key C which can decrypt a message which is
>> encrypt(B, encrypt(A, text)). DES was proven to not be a group,
>> making triple-DES a viable way to get the security of a longer
>> encryption key.
>
> All symmetric crypto algorithms need to have keys that are not a
> group, or there is a meet-in-the-middle attack available.

All symmetric block ciphers (e.g. OTP is a group, but it does not have a
mitm attack) - but a block cipher whose keys formed a group would be
very useful, and doubling key size will usually defeat that attack, and
can often be done at minimal or no cost.

The easiest group block cipher I know of is Pohlig-Hellman, a simple
modular exponentiation cipher, which can be done in either the group Z_p
or the group of quadratic residues mod p - but the computational
requirements are large.

Actually it is not usually necessary to double key size, the storage
requirements of the meet-in-the-middle attack can be very large, e.g. 2^64
for a 128-bit key - it is not really necessary to use a 256-bit key,
2^128 fast storage is pretty well unthinkable.


If any cipher designers are listening, can we have a secure group block
cipher with less work please? It won't be as famous as AES, but it will
get used, unlike most ciphers you design.


-- Peter Fairbrother
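
Added example, not part of the original message or of any poster's code: a toy Pohlig-Hellman exponentiation cipher in Z_p, showing that its keys compose as a group, so one exponent C undoes encryption with A followed by super-encryption with B. Assumptions: the toy prime 2^127 - 1, the function names, and a key issuer who knows A and hands out the (B, C) pairs.

```python
import math
import secrets

# Toy parameter (assumption): the Mersenne prime 2^127 - 1, far too small for real use.
P = 2**127 - 1
ORDER = P - 1  # keys are the exponents invertible mod P-1

def keygen():
    """Return a random exponent coprime to P-1, i.e. one that has an inverse."""
    while True:
        e = secrets.randbelow(ORDER - 3) + 3
        if math.gcd(e, ORDER) == 1:
            return e

def apply_key(key, x):
    """The cipher's single operation: x -> x^key mod P (encrypts or decrypts)."""
    if not 1 < x < P - 1:
        raise ValueError("block must lie strictly between 1 and P-1")
    return pow(x, key, P)

def compose(k1, k2):
    """Group law on keys: applying k1 then k2 equals applying k1*k2 mod P-1."""
    return (k1 * k2) % ORDER

def invert(key):
    """Decryption exponent for a key (or for a composed key)."""
    return pow(key, -1, ORDER)

def issue_pair(a):
    """Issuer who knows A: make a super-encryption key B and the one exponent C
    that strips A and B together. B and C combined reveal A, so the two
    holders must not pool their keys."""
    b = keygen()
    return b, invert(compose(a, b))

def demo():
    a = keygen()
    m = int.from_bytes(b"constructed msg", "big")   # constructed sample block
    ct = apply_key(a, m)                            # encrypted once with A
    b1, c1 = issue_pair(a)
    b2, c2 = issue_pair(a)
    r1 = apply_key(c1, apply_key(b1, ct))           # path B1 -> C1
    r2 = apply_key(c2, apply_key(b2, ct))           # path B2 -> C2
    wrong = apply_key(c2, apply_key(b1, ct))        # mismatched pair
    return m, r1, r2, wrong

if __name__ == "__main__":
    m, r1, r2, wrong = demo()
    print(r1 == m, r2 == m, wrong == m)
```

Because compose() collapses two keys into one of the same size, double encryption with this cipher adds no key length, which is the group property the thread is discussing.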

