[147163] in cryptography@c2.net mail archive


Re: [Cryptography] The paranoid approach to crypto-plumbing

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Mon Sep 16 17:43:18 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <r422Ps-1075i-12B5E1BE25FD4D27AD79323ECFA8C3A7@Williams-MacBook-Pro.local>
Date: Mon, 16 Sep 2013 15:36:48 -0400
To: Bill Frantz <frantz@pwpconsult.com>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 16, 2013, at 12:44 PM, Bill Frantz <frantz@pwpconsult.com> wrote:
> After Rijndael was selected as AES, someone suggested the really paranoid should super encrypt with all 5 finalists in the competition. Five level super encryption is probably overkill, but two or three levels can offer some real advantages. So consider simple combinations of techniques which are at least as secure as the better of them....
This is trickier than it looks.

Joux's paper "Multicollisions in iterated hash functions" http://www.iacr.org/archive/crypto2004/31520306/multicollisions.ps
shows that "finding ... r-tuples of messages that all hash to the same value is not much harder than finding ... pairs of messages".  This has some surprising implications.  In particular, Joux uses it to show that, if F(X) and G(X) are cryptographic hash functions, then H(X) = F(X) || G(X) (|| is concatenation) is about as hard as the harder of F and G - but no harder.

That's not to say that it's not possible to combine multiple instances of cryptographic primitives in a way that significantly increases security.  But, as many people found when they tried to find a way to use DES as a primitive to construct an encryption function with a wider key or with a bigger block size, it's not easy - and certainly not if you want to get reasonable performance.
                                                        -- Jerry
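
Added example, not part of the original message: Joux's observation about H(X) = F(X) || G(X), run on two constructed 16-bit toy hashes so the searches finish instantly. The names F, G, compress and the parameters are assumptions of this sketch; F is iterated, which is the property the result relies on.

```python
import hashlib
from itertools import count, product

N = 2                 # toy digest size in bytes (16 bits), chosen so this runs fast
IV = b"\x00" * N

def compress(h, block):
    # Toy compression function: truncated SHA-256 of chaining value || block.
    return hashlib.sha256(h + block).digest()[:N]

def F(msg):
    # Toy iterated hash over 4-byte blocks. Length padding is omitted because
    # every message compared here has the same length.
    h = IV
    for i in range(0, len(msg), 4):
        h = compress(h, msg[i:i + 4])
    return h

def G(msg):
    # A second, unrelated 16-bit hash (it does not need to be iterated).
    return hashlib.blake2b(msg, digest_size=N).digest()

def block_collision(h):
    # Birthday search: two distinct blocks that map chaining value h to one output.
    seen = {}
    for i in count():
        b = i.to_bytes(4, "big")
        out = compress(h, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b

def multicollision(t):
    # t chained block collisions yield 2**t messages sharing a single F digest,
    # for roughly t times the cost of one collision.
    h, pairs = IV, []
    for _ in range(t):
        a, b, h = block_collision(h)
        pairs.append((a, b))
    return pairs, h

def concat_collision(t=12):
    # All 2**t messages already collide under F, so a birthday search for a
    # G collision among them gives a collision for F(X) || G(X).
    pairs, _ = multicollision(t)
    seen = {}
    for choice in product(*pairs):
        m = b"".join(choice)
        g = G(m)
        if g in seen:
            return seen[g], m
        seen[g] = m
    return None
```

The total work is about 12 small birthday searches plus 4096 evaluations of G, well below the roughly 2^16 evaluations a generic birthday attack on a 32-bit digest would need.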
