# The symmetric ciphers

Philipp Klaus Krause pkk at spth.de
Wed Oct 30 18:19:27 CET 2013

```-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 10.09.2013 15:30, schrieb Robert J. Hansen:
> On 9/10/2013 6:35 AM, Philipp Klaus Krause wrote:
>> I wonder if it would be a good idea to have an option to combine
>>  symmetric ciphers, e.g. users could state a preference list
>> like this:
>
> No.  This idea gets floated every few years and the answers never
> change.  It's not a good idea.  If you look in the list archives
> you can find some pretty long, detailed writeups on why.

I just tried googling a bit, but the only posts I found are those that
assume that the effort to break A+B would be a+b. I did not find the
detailed writeups you mentoned, or even anything else about the
assumption that breaking A+B takes at least effort max(a,b).

>> Assuming it takes effort a to break cipher A and effort b to
>> break cipher b, this should result in effort at least max(a, b)
>> needed to break A+B.
>
> Basically, though, it's "this is a naive and unfounded
> assumption."

Well, here's a (rough, and maybe naive) explanation of why I assumed
that the effort is at least max(a, b):

First, I assume assume that the effort for breaking anything so is
much more than the effort for encryption given the key, that the
latter is negligible.

So assume there is an attack on A+B. that allows to "break" A+B with
effort e less than max(a,b). That means that at least one of e < a or
e < b is true.
Case 1: e < a: Well, whenever someone is using A, we can just encrypt
the ciphertext using B with a key of our choice. Any attack on A+B
thus immediately translates into an attack on A, contradicting the
assmption e < a. The attack on A would be of the same type as the one
on A+B.
Case 2: e < b:
Hmm, this one seems harder. If I have an attack on A+B that yields
information about the key, I can get a chosen-ciphertext attack on B
from it.
An attack on A+B that yields information about the plaintext could be
combined with an attack on A that yields information on the key to get
an attack on B that yields information on the plaintext.
If A happens to have a weak key, I would get an attack on B that
yields information on the plaintext as well. Any way I should get an
interesting result of the type b < a + e. I think there is a stronger
result possible here, but I admit don't know how I could get there.

Philipp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iEYEARECAAYFAlJxP5wACgkQbtUV+xsoLpoIaACg8KWSjlIToJb40MzI4r+b1nT9
ySAAn0zbo5hbMReGpCycThO6Cy4BAg1H
=gNuW
-----END PGP SIGNATURE-----

```