> Stephen wrote:
> On Wed, Jul 11, 2001 at 06:40:45PM +0100, Dale Amon wrote:
> > 3) Encrypting sequentially with two different symmetric
> > keys of 256 bits will have an end result that has a
> > security of 256 <= equivkeysize <= 512.
>
> The worst (and most obvious) example would be two algorithms X, Y where
> X(P) -> C
> and
> Y(C) -> P
>

First, I'm finding this one of the more interesting discussions
that I've seen here, so in that spirit of friendly (and perhaps
insufficiently knowledgeable) argument for the fun of it...

Not to disagree too much, but I was assuming y = f(k1, f(k2, x))
where k1 != k2 and f(k,x) is the same in both cases. I avoided
saying y = f(k, g(k,x)) because as you point out, you can define
f and g as inverses. I am also assuming symmetric keys.

Most writers seem to be saying that reapplication of the same
algorithm gains you 1b. I'm not sure I followed why any of the
common ciphers would lose bits by applying them twice with
different keys.

I accept that mainstream ciphers are fairly immune to a known
plaintext attack; I do know there was some discussion of this
sort of attack against DES some years back that put banks at
risk.

Can you really say with confidence that if an attacker knows
a few megabytes of content on your encrypted disk that they
actually gain zero information about the encryption key? Is
this mathematically provable? I'm not even suggesting enough
information to break the key, only whether the search space of
possible values has been constrained in any way at all.

--
------------------------------------------------------
Use Linux: A computer        Dale Amon, CEO/MD
is a terrible thing          Village Networking Ltd
to waste.                    Belfast, Northern Ireland
------------------------------------------------------

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
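
Added example, not part of the original message or the list archive: a meet-in-the-middle search against the construction y = f(k1, f(k2, x)) discussed above, showing why two independent keys buy about one extra bit when known plaintext is available. The cipher f is a toy 32-bit Feistel with 16-bit keys invented for this demo, and the keys and plaintexts are constructed sample values.

```python
# Toy cipher invented for this demo: 32-bit block, 16-bit key, 4 Feistel rounds.
KEY_BITS, MASK = 16, 0xFFFF

def _F(half, key, rnd):
    x = (half + key + 0x9E37 * (rnd + 1)) & MASK
    x = (x * x + x) & MASK
    return ((x << 5) | (x >> 11)) & MASK

def f(k, x):
    """Encrypt 32-bit block x under 16-bit key k."""
    l, r = x >> 16, x & MASK
    for i in range(4):
        l, r = r, l ^ _F(r, k, i)
    return (l << 16) | r

def f_inv(k, y):
    """Decrypt: undo the Feistel rounds in reverse order."""
    l, r = y >> 16, y & MASK
    for i in reversed(range(4)):
        l, r = r ^ _F(l, k, i), l
    return (l << 16) | r

def double_encrypt(k1, k2, x):
    return f(k1, f(k2, x))  # y = f(k1, f(k2, x)) as in the message

def meet_in_the_middle(pairs):
    """Return (candidate (k1, k2) list, trials spent in the two key passes)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k2 in range(1 << KEY_BITS):          # forward half: 2^16 trials
        middle.setdefault(f(k2, p0), []).append(k2)
    trials, found = 1 << KEY_BITS, []
    for k1 in range(1 << KEY_BITS):          # backward half: 2^16 trials
        trials += 1
        for k2 in middle.get(f_inv(k1, c0), ()):
            # Confirm on the remaining pairs to discard chance matches.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, trials

# Constructed sample data: two secret keys and three known plaintext blocks.
K1, K2 = 0xBEEF, 0x1337
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x00000000, 0x01234567, 0xDEADBEEF)]

if __name__ == "__main__":
    found, trials = meet_in_the_middle(PAIRS)
    print(f"candidates: {[(hex(a), hex(b)) for a, b in found]}")
    print(f"trials: {trials} (2^17), versus 2^32 for naive search of both keys")
```

The two passes cost 2^17 cipher operations instead of 2^32, paid for with a table of 2^16 intermediate values; the same time-for-memory trade is what limits double encryption with n-bit keys to roughly n+1 bits against a known-plaintext adversary.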