Anonymous (nobody@replay.com)
Sat, 18 Jul 1998 18:52:04 +0200
>>To reiterate what was said in my much-ridiculed other post (in this
>>soon-to-be-much-ridiculed post :), it's possible to chain them in a way
>>that lets the chain be provably as secure as one of the ciphers.
>
>Chaining them in OFB mode makes them provably as strong as the strongest.
Aye, but doing that with a disk encryptor is not wise. Using the same
methods folks use to recover badly-wiped files (or older and newer peeks
at the encrypted hard drive), someone could get the old and new ciphertext
contents of a changed sector, XOR them together, and get the difference
between the old and new plaintext contents. I don't like that. (a CFB-like
mode might keep provability and leak less data, but you still leak some,
and hopes of cryptodeniability are still lost)
Also, you have to independently key the ciphers to have the chain be
provably secure as all of them, which can be painful.
On the other hand, you can use the OFB mode of the first cipher to key all
the ciphers and use whatever mode is safe with a disk encryptor, keying
cipher first, which requires only one key and keeps provability for the
first cipher (i.e., if you break the chain, you either break the first
cipher or distinguish its OFB-mode output from random numbers).
...
>But if you have all those clock cycles to encrypt, I would just do
>three-key quintuple DES and be done with it.
Again, chains are _faster_ than multiple DESes -- Twofish=17.8/byte,
Blowfish=18/byte, Twofish+Blowfish=35.8/byte (Faster than 1DES) whereas
3DES=108/byte, by Counterpane's figures. I assume other chains wouldn't
lag behind too much.
So there is a real speed difference between a chain and multi-DES.
Depending on application, you might not care.
Now, I sense that this part is going to be found even sillier than my
appraisal of CAST as "moderately old," but here goes...
A chain with two fairly distinct designs (say, RC6+Blowfish -- about as
fast) may prove useful if some powerful new attack comes along and blows a
formerly-thought-to-be-sound cipher completely out of the water; it's less
likely, I think, to apply to a chain of multiple ciphers, even
less-analyzed ones, than to lots of applications of DES. I guess it's a
silly scenario. I don't know.
People who still want to use 81DES or whatever aren't prevented from doing
so by having chaining implemented as well.
>
>Bruce
>**********************************************************************
>Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
>101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
> Free crypto newsletter. See: http://www.counterpane.com
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:37 ADT