-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 10.09.2013 15:30, schrieb Robert J. Hansen: > On 9/10/2013 6:35 AM, Philipp Klaus Krause wrote: >> I wonder if it would be a good idea to have an option to combine >> symmetric ciphers, e.g. users could state a preference list >> like this: > > No. This idea gets floated every few years and the answers never > change. It's not a good idea. If you look in the list archives > you can find some pretty long, detailed writeups on why.
I just tried googling a bit, but the only posts I found are those that assume that the effort to break A+B would be a+b. I did not find the detailed writeups you mentoned, or even anything else about the assumption that breaking A+B takes at least effort max(a,b). >> Assuming it takes effort a to break cipher A and effort b to >> break cipher b, this should result in effort at least max(a, b) >> needed to break A+B. > > Basically, though, it's "this is a naive and unfounded > assumption." Well, here's a (rough, and maybe naive) explanation of why I assumed that the effort is at least max(a, b): First, I assume assume that the effort for breaking anything so is much more than the effort for encryption given the key, that the latter is negligible. So assume there is an attack on A+B. that allows to "break" A+B with effort e less than max(a,b). That means that at least one of e < a or e < b is true. Case 1: e < a: Well, whenever someone is using A, we can just encrypt the ciphertext using B with a key of our choice. Any attack on A+B thus immediately translates into an attack on A, contradicting the assmption e < a. The attack on A would be of the same type as the one on A+B. Case 2: e < b: Hmm, this one seems harder. If I have an attack on A+B that yields information about the key, I can get a chosen-ciphertext attack on B from it. An attack on A+B that yields information about the plaintext could be combined with an attack on A that yields information on the key to get an attack on B that yields information on the plaintext. If A happens to have a weak key, I would get an attack on B that yields information on the plaintext as well. Any way I should get an interesting result of the type b < a + e. I think there is a stronger result possible here, but I admit don't know how I could get there. Philipp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iEYEARECAAYFAlJxP5wACgkQbtUV+xsoLpoIaACg8KWSjlIToJb40MzI4r+b1nT9 ySAAn0zbo5hbMReGpCycThO6Cy4BAg1H =gNuW -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users