[Cryptography] quantum computers & crypto

Christian Huitema huitema at huitema.net
Mon Nov 8 18:31:40 EST 2021

On 11/8/2021 1:00 PM, Ray Dillinger wrote:
> On 11/8/21 5:42 PM, Jerry Leichter wrote:
>>>> [Suggestions for ciphers with longer keys]
>>> Why not just use Triple AES26, ala Triple DES?  E_AES256_k1 -> D_AES256_k2 -> E_AES256_k1 ?  Voila (albeit @1/3 the throughput), 512 bits!
>>> Or even Triple AES256 with three different keys, Ek1 -> Dk2 -> Ek3 for 768 bits?
> I can't think of a very strong argument that Triple AES, applied one
> block at a time, would _necessarily_ be stronger than AES.  It is very
> likely to be.  Almost certain to be.  It would be very surprising if it
> weren't.  But I remember the 'Double DES' superencryption proposal and
> how certain that seemed and how very surprising was the analysis that
> proved it wasn't.
> My goto example of 'more isn't always better' is shuffling a card deck.
> Shuffling is understood as randomizing the order of the cards.  So you
> may decide that 'shuffle(n)' to shuffle the cards n times is a good
> randomization algorithm.
> But if you do 52 perfect shuffles in a row you bring the deck back into
> its original order.  No matter what (n) you use, it will never be 'more
> secure' than some (n) less than 52.  The so-called 'perfect shuffle' is
> actually fairly lousy considered as a randomization algorithm, but you
> see the point.

Really? Did you mean to write 52! perfect shuffles in a row?

-- Christian Huitema

More information about the cryptography mailing list