From: “John Kelsey” <kelsey@plnet.net>
To: “cypherpunks” <cypherpunks@Algebra.COM>
Message Hash: eb34f32ce4e11c3ce3a15ffd669e0c3b6b4bd7a80df416fb4b081ad297de1de9
Message ID: <199801221532.JAA28790@email.plnet.net>
Reply To: N/A
UTC Datetime: 1998-01-22 15:36:48 UTC
Raw Date: Thu, 22 Jan 1998 23:36:48 +0800
From: "John Kelsey" <kelsey@plnet.net>
Date: Thu, 22 Jan 1998 23:36:48 +0800
To: "cypherpunks" <cypherpunks@Algebra.COM>
Subject: Re: (eternity) Eternity as a secure filesystem/backup medium
Message-ID: <199801221532.JAA28790@email.plnet.net>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
[ To: cypherpunks ## Date: 01/21/98 ##
Subject: Re: (eternity) Eternity as a secure filesystem/backup
medium ]
>Subject: Re: (eternity) Eternity as a secure filesystem/backup
medium
>From: Adam Back <aba@dcs.ex.ac.uk>
>Date: 1998/01/18
>1. communications crypto used by the author in submitting
> the document is broken
This is only a threat if the authorities have a good idea
who submitted the data, and want to prove it. Otherwise,
you end up with billions of encrypted documents, each
encrypted with a moderately weak cipher. (Even assuming
that the cipher turns out to have only 40 bits of strength,
this is too expensive to do for more than a handful of
documents.)
>2. the eternity architecture contains encrypted documents to
> frustrate attempts to locate documents, and to hide the
> contents of documents from individual servers
Again, this won't be too economical unless the eternity
service is rarely used.
>3. communications crypto used to request and deliver
> documents is broken thus revealing the readers identity
>So it is useful to design upgrade paths for ciphers into the
>protocols where possible.
Definitely--this is always a good idea, right?
>Other approaches we could take are to use very conservative
>cipher key sizes and protocols combining multiple ciphers in
>ways which gives us the security of the best of the ciphers.
>For example:
> R = random, C = 5DES( R ) || blowfish-484( M xor R )
>Where 5DES is say E-D-E-D-E with 5 independent DES keys.
>Constructs to combine in strong ways hash functions, macs,
>symmetric and asymmetric ciphers would be useful. Is there
>much research in this area?
Yes. Massey and Maurer did a Journal of Cryptography paper
titled ``The Importance of Being First,'' which says that
in any chain of encryptions with different ciphers and
independent keys, such as E_1(E_2(E_3(data))), the whole
thing is provably as strong as the first cipher used on the
data (E_3, in my example above). This is really obvious,
when you reflect that an attacker can always try to break
data encrypted with E_3 by superencrypting it with E_1 and
E_2, and then mounting his attack on E_1(E_2(E_3(data))).
Of course, if keys aren't independent among the three
ciphers, then you don't get any guarantee of this kind.
The other thing to note is that if you're just generating
keystream sequences, as you would with RC4 or SEAL, then all
ciphers are ``first.''
Rivest and Sherman also did some work on randomized
encryption, of the kind you discuss, in the Crypto '82
proceedings. Your construction is very similar to one of
theirs. Let M = message and R = a message-sized random
number, then in
E_1(R), E_2(R XOR M)
both E_1 and E_2 must be broken to learn M. (Imagine this
isn't the case, then either E_1 or E_2 wasn't broken. If
you didn't break E_2 but broke E_1, then you only learn R,
which is useless to you--it's random and uncorrelated with
M. If you broke E_2 but not E_1, you would have a message
encrypted with a one-time pad.)
This generalizes nicely to
E_1(R1), E_2(R2), ..., E_N(RN), E_{N+1}(R1 XOR R2 XOR ... XOR M).
If those random numbers are really random, then if any one
of those ciphers resists your attacks, the message can't be
recovered.
Now, you can also do this with things that approximate
random functions, which they also discuss. Thus, you might
use:
f_1(),f_2(), ..., f_n() are N independently-keyed different
cryptographic functions that approximate random functions.
The funny thing is, if you instantiate this intelligently,
you get a message encrypted by N different stream ciphers,
perhaps with a random parameter per message thrown in during
keying of those ciphers. Thus, suppose
s_1(K1) = RC4(K1)
s_2(K2) = 3DES-OFB(K2)
s_3(K3) = SHA1-Counter-Mode(K3)
s_4(K4) = Blowfish-OFB(K4)
s_5(K5) = SAFER-SK128(K5).
and that these keys are different per message and are all
independent. Then, you get the result that
M XOR s_1(K1) XOR S_2(k2) XOR ... XOR s_5(k5).
leaves no way to recover M unless all five s_i() can be
guessed.
Note that, in practice, this isn't likely to be useful
unless you've done the same kind of thing for symmetric key
distribution, random number generation, etc. Otherwise,
your attacker in 2050 will bypass the symmetric encryption
entirely and factor your RSA modulus, or guess all the
entropy sources used for your PRNG, or whatever else you can
think of.
The good news, though, is that active attacks (like chosen
input attacks) and many side-channel attacks (e.g., timing
attacks) turn out not to be possible if you are trying to
mount them after the encryption has been carried out.
>Adam
- --John Kelsey, kelsey@counterpane.com / kelsey@plnet.net
NEW PGP print = 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNMeCqSZv+/Ry/LrBAQGxpgQAloxNjdZMf6l/7U520ZSIVuk7lFZcu0+J
5tUyQgHtS4EAplC1OBnYc8B3pzCir6VCXinmNbClgalXhrRFfmV7vTQLZySaVv/+
0T44TFkJ0Ldu4cTsA2ertL0jcCXiBp38mhVK2IFbPtN+04B+een8jrUYtzx/qIj5
ztBpBb4yil8=
=wBTR
-----END PGP SIGNATURE-----
Return to January 1998
Return to “Tim May <tcmay@got.net>”