[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

Jerry Leichter leichter at lrw.com
Mon Mar 24 14:09:41 EDT 2014


On Mar 24, 2014, at 11:16 AM, tpb-crypto at laposte.net wrote:
>> In the area of hashes, I feel less confidence. I'm not convinced 
>> that the analysis techniques are as mature, and I'm not sure we 
>> even have a good handle on the right questions to ask. When AES 
>> was selected, some people suggested that the really paranoid 
>> could use super encryption with each of the five finalists, 
>> each with its own key. I haven't heard of anyone actually using 
>> this suggestion -- even in hardware there would be many gate 
>> delays before the first block came out of the pipeline, but the 
>> combination is probably at least as secure as the strongest of 
>> the five.
There's a paper we mentioned here quite a way back that showed that if you're looking for collision resistance, using multiple hashes in parallel - i.e., compute all k hashes and concatenate to produce a "super hash" - is only minimally stronger than the strongest of the hashes you started with.  (The paper proves this counter-intuitive result based on the - counterintuitive - ease of finding multi-collisions once you can find collisions.)

If you're looking to combine block ciphers, the simplest approach is probably to use counter mode for all of them and just XOR with all the ciphers.  This is certainly as strong as the strongest individual cipher, assuming they aren't correlated in some way (e.g., if I can toss a cipher into your pool, I'll choose the strongest one you've put in, "canceling" it.  One can imagine defenses, but they're all going to require some way of enforcing some notion of independence.)  I don't recall seeing any proposed cipher combination method that's provably *strictly stronger* than all its constituents.

How one constructs an authentication mode to go with the combined counter mode is a question to which I don't know the answer.

> Some of my customers demand such solutions, shouldn't we develop a protocol for piggy-backing crypto over crypto? It would be a cool thing.
Maybe.  And maybe we should have a protocol for those super-secure million-bit-key ciphers we keep hearing about. :-(

Just because people demand it doesn't mean it's a good idea.  First you need to find a piggy-backing method that has meaningful security benefits.  Then we can talk about a protocol.
                                                        -- Jerry
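The counter-mode XOR combination Jerry describes, written out as an added example (this code is not from the thread or from any of its participants). It pools AES-256 and Triple-DES from Go's standard library, XORs the plaintext with both CTR keystreams, and also shows the correlation caveat from the same paragraph: a pool whose members share a key and IV produces keystreams that cancel, so the "combined" cipher leaks the plaintext unchanged. The type and function names (`Member`, `CombinedCTR`, `Apply`, `DemoPool`, `CancelledPool`) are my own, and every key and IV is a constructed test value, not something any real system should reuse.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Member is one cipher in the pool: a keyed block cipher plus its CTR IV.
type Member struct {
	Block cipher.Block
	IV    []byte
}

// CombinedCTR XORs data with the CTR keystream of every pool member.
type CombinedCTR struct {
	streams []cipher.Stream
}

// NewCombinedCTR validates each member's IV and builds one CTR stream per
// member. Streams are stateful, so build a fresh instance for each message
// and for decryption. cipher.NewCTR would panic on a bad IV; check first.
func NewCombinedCTR(members []Member) (*CombinedCTR, error) {
	if len(members) == 0 {
		return nil, fmt.Errorf("pool must contain at least one cipher")
	}
	c := &CombinedCTR{}
	for i, m := range members {
		if len(m.IV) != m.Block.BlockSize() {
			return nil, fmt.Errorf("member %d: IV length %d != block size %d",
				i, len(m.IV), m.Block.BlockSize())
		}
		c.streams = append(c.streams, cipher.NewCTR(m.Block, m.IV))
	}
	return c, nil
}

// XORKeyStream runs every keystream over the buffer in turn. XOR is
// associative and commutative, so this equals XORing with the XOR of all
// keystreams, and member order does not matter.
func (c *CombinedCTR) XORKeyStream(dst, src []byte) {
	c.streams[0].XORKeyStream(dst, src)
	for _, s := range c.streams[1:] {
		s.XORKeyStream(dst, dst)
	}
}

// Apply returns data transformed by a fresh combined stream. Because CTR is
// symmetric, applying it twice with the same pool restores the input.
func Apply(members []Member, data []byte) ([]byte, error) {
	c, err := NewCombinedCTR(members)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// AESMember and TripleDESMember wrap the standard-library constructors.
func AESMember(key, iv []byte) (Member, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return Member{}, err
	}
	return Member{Block: b, IV: iv}, nil
}

func TripleDESMember(key, iv []byte) (Member, error) {
	b, err := des.NewTripleDESCipher(key)
	if err != nil {
		return Member{}, err
	}
	return Member{Block: b, IV: iv}, nil
}

// DemoPool returns an AES-256 + 3DES pool keyed with constructed, fixed test
// values. A real deployment draws every key and IV independently at random.
func DemoPool() ([]Member, error) {
	aesKey := bytes.Repeat([]byte{0x11}, 32)    // constructed 256-bit AES key
	aesIV := bytes.Repeat([]byte{0x22}, 16)     // constructed 16-byte CTR IV
	desKey := []byte("0123456789abcdefghijklmn") // constructed 24-byte 3DES key
	desIV := bytes.Repeat([]byte{0x33}, 8)      // constructed 8-byte CTR IV
	a, err := AESMember(aesKey, aesIV)
	if err != nil {
		return nil, err
	}
	d, err := TripleDESMember(desKey, desIV)
	if err != nil {
		return nil, err
	}
	return []Member{a, d}, nil
}

// CancelledPool models the correlation failure: the same AES key and IV
// appear twice, the two keystreams XOR to zero, and Apply becomes identity.
func CancelledPool() ([]Member, error) {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed, deliberately reused
	iv := bytes.Repeat([]byte{0x22}, 16)
	a1, err := AESMember(key, iv)
	if err != nil {
		return nil, err
	}
	a2, err := AESMember(key, iv)
	if err != nil {
		return nil, err
	}
	return []Member{a1, a2}, nil
}

func main() {
	pool, _ := DemoPool()
	pt := []byte("constructed sample plaintext")
	ct, _ := Apply(pool, pt)
	back, _ := Apply(pool, ct)
	fmt.Printf("ciphertext %x\nround trip %q\n", ct, back)
}
```

Note what the example does not cover: it provides confidentiality only, with no authentication tag, which is exactly the open question Jerry raises about an authentication mode for the combined counter mode. The cancellation pool is the simplest case of correlation; any arrangement where one member's keystream is predictable from the others' weakens the pool the same way, which is why independence of keys (and of the cipher designs) is the property to enforce.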



