The symmetric ciphers

Johan Wevers johanw at
Thu Oct 31 23:00:26 CET 2013

On 31-10-2013 22:36, Robert J. Hansen wrote:

> ... Or, in other words, your very first line assumes a level of
> mathematical knowledge that the overwhelming majority of people lack:
> namely, the abilities of understanding mathematical notion and TeX.

I am quite confident the majority of the people don't understand this,
but they don't need to. Someone can prove whether AES / Twofish / ... /
combinations of them is a group or not, and can then explain that
combinations are safer / at least as safe / less safe.

Since I majored in physics and didn't get that much discrete math, I
might not even be able to understand such a proof myself completely. But
assuming the conclusion is accepted by knowledgeable people I would trust
the reasoning. I also didn't check the proof that DES is not a group, but
I trust that if it was incorrect I would have heard about that. The same
mechanism as why I trust gpg does not contain any deliberate backdoor,
even when I didn't check the entire source myself.

> Abstract mathematics is the sort of thing that needs to be avoided at
> all costs when giving explanations to non-specialists.  It just doesn't
> work.

For non-specialists you can stick with the conclusion: it has been
proven that X is true or not true, without giving details about the proof.

> A quick search of Google Scholar does not turn up any articles about
> whether AES forms a group.  I don't know one way or another.  My
> suspicion is that it does not, but I'm not willing to trust that suspicion.

OK, I assumed someone would have checked that by now. Probably I was
wrong about that.

>> However, encrypting a message with AES with key1 and then encrypting it
>> again with key2 (key1 unrelated to key2) can't make it less secure since
>> any attacker can encrypt the intercepted encrypted message again with
>> little effort.

> Beware of saying "can't" unless you've got a formal mathematical proof
> in your hands.

Any attacker can encrypt my message again with a nonrelated key (and
only with a nonrelated key, since they don't know the key I used). If
that would make it easier to break AES, then re-encrypting the message
would be a better-than-brute-force attack on AES.

> It is true that one of AES's design goals was exactly as you say above. 
> However, there is no proof that they succeeded.  A lot of eminent
> mathematicians think it's overwhelmingly probable they succeeded, but
> I'm unaware of anyone who believes this has been proven.

My argument is that even if it turns out not to be the case, that method
would just be an attack on AES.

ir. J.C.A. Wevers
PGP/GPG public keys at

More information about the Gnupg-users mailing list
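An added illustration, not part of the thread and not the author's or GnuPG's code: the question "is this cipher family a group?" can be checked exhaustively for a toy cipher. The check below tabulates each keyed cipher as a permutation of the block space and tests whether composing two of them always lands on a single keyed cipher again. The three ciphers (an additive cipher, an XOR cipher, and a small "multiply after XOR" construction) and the 4-bit block and key sizes are all constructed for the example; they stand in for AES only to show what closure under composition means, and nothing here is a claim about AES itself.

```python
"""Exhaustive closure check for toy cipher families (constructed example).

A block cipher with a fixed key is a permutation of the block space.  If the
family {E_k} is closed under composition (a group), then E_k2(E_k1(m)) equals
E_k3(m) for some single key k3, so double encryption adds no search effort for
an attacker beyond the single keyspace.  If it is not closed, the composed
cipher lies outside the family and the effective keyspace of double
encryption can be larger.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

Perm = Tuple[int, ...]                 # table of E_k(x) for every block x
Cipher = Callable[[int, int], int]     # (key, block) -> block


def permutation(encrypt: Cipher, key: int, block_bits: int) -> Perm:
    """Tabulate E_key over every block value; equal tuples mean equal keyed ciphers."""
    return tuple(encrypt(key, x) for x in range(1 << block_bits))


def tabulate(encrypt: Cipher, keys: Iterable[int], block_bits: int) -> Dict[Perm, int]:
    """Map each distinct permutation of the family to the first key producing it."""
    table: Dict[Perm, int] = {}
    for k in keys:
        table.setdefault(permutation(encrypt, k, block_bits), k)
    return table


def compose(outer: Perm, inner: Perm) -> Perm:
    """Permutation for 'encrypt with inner first, then with outer'."""
    return tuple(outer[inner[x]] for x in range(len(inner)))


def equivalent_single_key(encrypt: Cipher, keys: Iterable[int], block_bits: int,
                          k1: int, k2: int) -> Optional[int]:
    """Key k3 with E_k3 == E_k2 o E_k1, or None if the composition leaves the family."""
    table = tabulate(encrypt, keys, block_bits)
    first = permutation(encrypt, k1, block_bits)
    second = permutation(encrypt, k2, block_bits)
    return table.get(compose(second, first))


def is_closed(encrypt: Cipher, keys: Iterable[int], block_bits: int) -> bool:
    """True iff every composition of two keyed ciphers is again a keyed cipher."""
    table = tabulate(encrypt, keys, block_bits)
    perms = list(table)
    return all(compose(a, b) in table for a in perms for b in perms)


def effective_double_keyspace(encrypt: Cipher, keys: Iterable[int], block_bits: int) -> int:
    """Number of distinct permutations that double encryption can produce."""
    perms = list(tabulate(encrypt, keys, block_bits))
    return len({compose(a, b) for a in perms for b in perms})


# Constructed toy ciphers on 4-bit blocks with 4-bit keys (small enough to
# enumerate completely; these are illustrations, not real ciphers).
BLOCK_BITS = 4
KEYS = range(1 << BLOCK_BITS)


def add_cipher(k: int, x: int) -> int:
    """Additive (Caesar-style) cipher: closed, since (x + k1) + k2 = x + (k1 + k2)."""
    return (x + k) & 0xF


def xor_cipher(k: int, x: int) -> int:
    """XOR cipher: closed, since (x ^ k1) ^ k2 = x ^ (k1 ^ k2)."""
    return x ^ k


def mul_after_xor(k: int, x: int) -> int:
    """Key mixing followed by a fixed nonlinear bijection S(y) = 3*y mod 16.

    Composition gives 3*((3*(x^k1)) ^ k2), which is not of the form 3*(x^k3)
    for all x, so this family is not closed under composition.
    """
    return (3 * (x ^ k)) & 0xF


if __name__ == "__main__":
    for name, cipher in [("add", add_cipher), ("xor", xor_cipher), ("mul_after_xor", mul_after_xor)]:
        print(f"{name:14s} closed={is_closed(cipher, KEYS, BLOCK_BITS)} "
              f"single keys={len(tabulate(cipher, KEYS, BLOCK_BITS))} "
              f"double-encryption permutations={effective_double_keyspace(cipher, KEYS, BLOCK_BITS)}")
```

For the two group-like families the double-encryption keyspace collapses back to 16 permutations, and `equivalent_single_key` names the single key an attacker would need to search for; for the third family the composition falls outside the table, which is the situation the thread is asking about for AES (and which, as the thread notes, has to be settled by proof, not by a toy).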