On Thu, Jul 12, 2001 at 11:13:43AM +0100, Dale Amon wrote: > First, I'm finding this one of the more interesting discussions > that I've seen here, so in that spirit of friendly (and > perhaps insufficiently knowledgeable) argument for the fun of it... > Not to disagree too much, but I was assuming > y = f(k1,f(k2,x) > where k1 != k2 and f(k,x) is the same in both cases. I > avoided saying > y = f(k, g(k,x)) > because as you point out, you can define f and g as > inverses. I am also assuming symmetric keys. > Most writers seem to be saying that reapplication of the > same algorithm gains you 1b. I'm not sure I followed why > any of the common ciphers would lose bits by applying > them twice with different keys. Most of them don't lose bits but, if you have a known plaintext situation, you have a condition for a "meet in the middle" attack where you attack the crypto system from both ends, encrypting the plaintext with K2 and decrypting with K1 searching for matching results in the middle. Bruce Schneier covers this attack in "Applied Cryptography" in discussing 3-DES and why a double application of DES is not significantly stronger than a single application. With enough memory, you effectively only gain one bit of strength (you double the difficulty of busting it) over the single encryption. So your example of: y = f(k1,f(k2,x)) Where k1 and k2 are two independent keys of length (n). Is only roughly equivalent to: y = f(Ka,x) Where ka is a key of length (n+1), not (2*n). > I accept that mainstream ciphers are fairly immune to > a known plaintext attack; I do know there was some > discussion of this sort of attack against DES some > years back that put banks at risk. > Can you really say with confidence that if an attacker > knows a few megabytes of content on your encrypted disk > that they actually gain zero information about the > encryption key? Is this mathematically provable? Say with confidence, I think so. Mathematically provable, possibly, possibly not. Math involves assumptions. As long as products of large primes are unfactorable, RSA will remain unbreakable. Does that prove it's unbreakable? (Maybe) What happens if a miracle occurs and some new profound revolution in mathematics takes place? (Oppss) Would I say with confidence that it's secure? (Yes) Could I be wrong? (Stop snickering) > I'm not even suggesting enough information to break the > key, only whether the search space of possible values has > been constrained in any way at all. That's what the cryptoanalysts are for... > -- > ------------------------------------------------------ > Use Linux: A computer Dale Amon, CEO/MD > is a terrible thing Village Networking Ltd > to waste. Belfast, Northern Ireland > ------------------------------------------------------ Mike -- Michael H. Warfield | (770) 985-6132 | mhw@xxxxxxxxxxxx (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/