Re: On living with the 56-bit key length restriction


Jim Gillogly (jim@acm.org)
Wed, 23 Dec 1998 14:55:27 -0800


I normally ignore messages on this thread, since I'm not interested in
living with 56-bit key lengths, but this message caught my eye:

J.A. Terranson writes:
> Is it (theoretically or practically) so easy that if I was to post an
> encrypted message, along with the type of encryption used, the original
> language, the key length of, say, 30 bits, and how many times it had been
> re-encrypted, that the message could actually be successfully attacked in
> a reasonable time?

It depends entirely on the type of encryption used and the details of the
implementation. As a limiting example, if it's simple substitution,
you can encrypt it multiple times with as many 30-bit keys as you want
and it won't improve the security.

Many encryption packages have some kind of indicator or magic number at
the front to let you know which package produced the text; if the target
plaintext is the result of a previous PGP encryption, you'll be able to
recognize the PGP packet structure (if binary) or the ASCII armor (if not).
Similarly, PKzip ciphertext will have a distinctive "magic number", Kremlin
files have a great deal of identifying info, and so on. If the cipher
doesn't produce all 256 byte values, the cryptanalyst wins again. For these
the work factor would be about N * (cost of one 30 bit search), where N is
the number of steps in the cascade, rather than the (30 * N) bit search you
were hoping for. The number of re-encryptions should also be long enough
to avoid a meet-in-the-middle attack: if N=2, the attacker could save all
2^30 encryptions of a guessed block of plaintext and all 2^30 decryptions
of the corresponding ciphertext and check for a match in those sets.

If you use a good modern cipher for each step of the 30-bit cascade and
include no identifying information in each step, there should be no
other shortcut. "Good" for this purpose means it produces a distribution
of bytes indistinguishable from uniform random to someone who doesn't
know the key.

-- 
	Jim Gillogly
	1 Afteryule S.R. 1999, 22:30
	12.19.5.14.6, 12 Cimi 19 Mac, Seventh Lord of Night
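As an added illustration that is not part of Jim's message or of the thread, the two shortcuts he describes can be run against a toy cascade in Python. Everything in the block is constructed for the example: the 12-bit key size standing in for 30 bits, the hash-based Feistel toy cipher, the "TOY1" marker standing in for a package's magic number or ASCII armor, and the sample keys and plaintext. It needs only the standard library.

```python
import hashlib
import struct
from functools import lru_cache

KEY_BITS = 12            # toy key length (assumption; the post talks about 30 bits)
KEY_SPACE = 1 << KEY_BITS
BLOCK = 8
ROUNDS = 4
MAGIC = b"TOY1"          # constructed stand-in for a package's magic number


@lru_cache(maxsize=None)
def round_keys(key):
    """Derive ROUNDS 4-byte subkeys from a small integer key (toy cipher)."""
    k = hashlib.sha256(struct.pack(">I", key)).digest()
    return tuple(k[4 * i:4 * i + 4] for i in range(ROUNDS))


def _f(half, subkey):
    return hashlib.sha256(subkey + half).digest()[:4]


def _feistel(subkeys, block):
    l, r = block[:4], block[4:]
    for sk in subkeys:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, sk)))
    return r + l            # undo the final swap


def encrypt_block(key, block):
    return _feistel(round_keys(key), block)


def decrypt_block(key, block):
    return _feistel(tuple(reversed(round_keys(key))), block)


def encrypt(key, data):
    """ECB over 8-byte blocks with PKCS#7 padding; a toy, not for real use."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def decrypt(key, data):
    out = b"".join(decrypt_block(key, data[i:i + BLOCK])
                   for i in range(0, len(data), BLOCK))
    if not out or not 1 <= out[-1] <= BLOCK:
        return b""          # garbage padding, typically a wrong key
    return out[:-out[-1]]


def cascade_encrypt(keys, plaintext, marked=False):
    """Apply layers innermost-first; marked=True makes each layer stamp
    its output with MAGIC, as a package with identifying info would."""
    data = plaintext
    for k in keys:
        data = encrypt(k, data)
        if marked:
            data = MAGIC + data
    return data


def peel_attack(ciphertext, layers, inner_prefix):
    """Strip one marked layer at a time.  Each layer is one KEY_SPACE
    search, so the cascade costs layers * 2**KEY_BITS trial decryptions,
    not 2**(layers * KEY_BITS).  Returns (keys innermost-first, trials)."""
    data, found, trials = ciphertext, [], 0
    for depth in range(layers):
        if not data.startswith(MAGIC):
            return None, trials
        body = data[len(MAGIC):]
        # the layer below is recognisable: another stamp, or the known
        # header of the original plaintext at the innermost layer
        expect = inner_prefix if depth == layers - 1 else MAGIC
        for k in range(KEY_SPACE):
            trials += 1
            cand = decrypt(k, body)
            if cand.startswith(expect):
                found.append(k)
                data = cand
                break
        else:
            return None, trials
    return found[::-1], trials


def meet_in_the_middle(plain_block, cipher_block):
    """Two unmarked layers and one known plaintext/ciphertext block:
    tabulate E_k1(P) for every k1, then look up D_k2(C) for every k2.
    About 2 * 2**KEY_BITS block operations plus 2**KEY_BITS stored
    entries instead of a 2**(2 * KEY_BITS) search.  Returns (k1, k2)
    candidates; the caller confirms them on the rest of the message."""
    table = {encrypt_block(k1, plain_block): k1 for k1 in range(KEY_SPACE)}
    pairs = []
    for k2 in range(KEY_SPACE):
        mid = decrypt_block(k2, cipher_block)
        if mid in table:
            pairs.append((table[mid], k2))
    return pairs


def demo():
    plaintext = b"-----BEGIN PGP MESSAGE-----\nVersion: 2.6.2\n\n"   # constructed
    keys = [0x3A7, 0xC15, 0x07E]                                    # constructed
    marked = cascade_encrypt(keys, plaintext, marked=True)
    peeled, trials = peel_attack(marked, len(keys), plaintext[:BLOCK])
    unmarked = cascade_encrypt(keys[:2], plaintext)
    pairs = meet_in_the_middle(plaintext[:BLOCK], unmarked[:BLOCK])
    confirmed = [p for p in pairs if cascade_encrypt(p, plaintext) == unmarked]
    return peeled, trials, confirmed


if __name__ == "__main__":
    peeled, trials, confirmed = demo()
    print("peeled keys:", [hex(k) for k in peeled], "in", trials, "trials")
    print("meet-in-the-middle pairs:", [tuple(map(hex, p)) for p in confirmed])
```

Peeling recovers all three keys in at most 3 * 2^12 trial decryptions, the "N * (cost of one search)" figure from the post, where the hoped-for cost was a 36-bit search; the meet-in-the-middle search on the two unmarked layers costs about 2 * 2^12 block operations and 2^12 table entries against a nominal 24-bit key. Candidates from the table should always be confirmed against more of the message, since a chance match becomes likely once the key space approaches the block size.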



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:38