Why isn't data encrypted with multiple uncompromised (so far) ciphers? Feel free to answer for a single private key for both and separate private keys.

For example, encrypting data with TwoFish and then AES?

Is it a matter of doubling resource consumption vs a small security improvement? Can two ciphers together be weaker than either cipher separately (in practice or theory)?

If the latter, why not apply one cipher to the data and one to a one-time pad and transmit both? (Can a message and one-time pad each encrypted with separate ciphers be weaker than the stronger of either cipher?)

If I understand correctly, 2DES doesn't give you nearly the bump in security you'd think it would vs 3DES. But IIRC 2DES is still stronger than DES.

kelalaka
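The 2DES remark in the question is worth seeing in working code. The block below is an added example, not part of the original question or answer: it builds a constructed 16-bit toy block cipher (deliberately tiny and not secure, so that the whole key space fits in memory), double-encrypts with two independent 16-bit keys, and then recovers both keys with a meet-in-the-middle attack. Brute force over both keys would cost 2^32 cipher evaluations; the attack needs roughly 2 * 2^16 plus a little verification, which is exactly why 2DES buys about 57 bits of security rather than 112. The cipher, key schedule, S-box choice and key values are all assumptions made for the illustration.

```python
"""Meet-in-the-middle against double encryption with a constructed toy cipher.

The cipher is a 16-bit toy (NOT secure), built here only so the key space is
small enough to enumerate; the attack structure is the same one that limits
2DES to ~2^57 work instead of 2^112.
"""
from collections import defaultdict

MASK16 = 0xFFFF
ROUNDS = 6
# Row 0 of DES S1, reused as a 4-bit S-box (any bijective table would do).
SBOX4 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
INV_SBOX4 = [SBOX4.index(i) for i in range(16)]


def _nibble_sub(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return (box[x & 0xF] | box[(x >> 4) & 0xF] << 4
            | box[(x >> 8) & 0xF] << 8 | box[(x >> 12) & 0xF] << 12)


# Precomputed 16-bit substitution tables so a round is a few table lookups.
SBOX16 = [_nibble_sub(x, SBOX4) for x in range(1 << 16)]
INV_SBOX16 = [_nibble_sub(x, INV_SBOX4) for x in range(1 << 16)]


def _rotl16(x, r):
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK16


def _round_keys(key):
    # Trivial key schedule (assumption): rotated key XOR a round constant.
    return [_rotl16(key, 3 * i) ^ ((0x9E37 * (i + 1)) & MASK16)
            for i in range(ROUNDS + 1)]


def toy_encrypt(key, block):
    """Toy SPN: key-XOR, nibble S-box, rotate; final key whitening."""
    rks = _round_keys(key)
    x = block & MASK16
    for i in range(ROUNDS):
        x = _rotl16(SBOX16[x ^ rks[i]], 5)
    return x ^ rks[ROUNDS]


def toy_decrypt(key, block):
    rks = _round_keys(key)
    x = (block & MASK16) ^ rks[ROUNDS]
    for i in reversed(range(ROUNDS)):
        x = INV_SBOX16[_rotl16(x, 11)] ^ rks[i]
    return x


def double_encrypt(k1, k2, block):
    """Cascade with two independent keys: C = E_k2(E_k1(P)), like 2DES."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Returns (candidates, cipher_evaluations). The first pair is used to meet
    in the middle; the remaining pairs filter out false matches, which are
    plentiful because the 16-bit block leaks only 16 bits per pair.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    evals = 0
    middle = defaultdict(list)          # E_k1(p0) -> all k1 producing it
    for k1 in range(1 << 16):
        middle[toy_encrypt(k1, p0)].append(k1)
        evals += 1
    candidates = []
    for k2 in range(1 << 16):           # D_k2(c0) must hit the same middle value
        m = toy_decrypt(k2, c0)
        evals += 1
        for k1 in middle.get(m, ()):
            ok = True
            for p, c in rest:
                evals += 2
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                candidates.append((k1, k2))
    return candidates, evals


# Constructed sample: two assumed keys and three known-plaintext pairs.
K1, K2 = 0x1234, 0xBEEF
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x0000, 0x5A5A, 0xFFFF)]

if __name__ == "__main__":
    found, work = meet_in_the_middle(PAIRS)
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in found])
    print("cipher evaluations: %d (brute force would be 2^32 = %d)" % (work, 1 << 32))
```

The attack scales the same way for real ciphers: the table costs 2^k evaluations and 2^k entries of memory for a k-bit key, so with independent keys a two-cipher cascade (or 2DES) gives about k+1 bits of work against a memory-rich attacker, not 2k. Three keys (3DES) push the cost back up because the attacker can only meet in one middle at a time.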

1 Answer

Why isn't data encrypted with multiple uncompromised (so far) ciphers?

  1. Since about 1980, when modern widely deployed symmetric encryption actually fails in the field, that's not due to a theoretical break of the cipher, because the art/science of making ciphers has matured¹,². Successful attacks are on compromised or leaking implementations, key management/generation, short keys (perhaps deliberately³), operating mode, and human factors, which are issues that multiple ciphers do not solve. Hence multiple ciphers would only guard against a risk that now fails to materialize.
  2. Before about 1990-2000, strong crypto was illegal for civilians or discouraged, including in many western countries. Thus multiple cascaded ciphers could not be widely⁴ used in commercial products when they were most useful: before the knowledge to make good crypto became commonplace.
  3. Multiple ciphers add complication, and complex systems fail more.
  4. Multiple ciphers increase the computational cost of encryption, and the cost of hardware when hardware is used (as is increasingly the case for AES, the de facto standard for a built-in CPU cipher nowadays).
  5. If multiple cascaded ciphers use the same key, the security can become that of the weakest cipher, especially against side-channel attacks, which are among the ones that do happen. Therefore we need multiple keys for multiple ciphers, which goes against usability, or/and introduces more complexity.

¹ The closest thing to an exception is RC4, but most actual attacks against systems using RC4 are due to poor key management/operating mode. Also, RC4 was initially used for applications with 40-bit security.

² Asymmetric encryption, signature, and hashes matured later, say 2000.

³ That's why DES has a 56-bit key, see this. Another example is GSM's A5/1, which is breakable mostly because it uses a small state, presumably because authorities wanted to be able to break it (though I lack a clear reference proving that assertion).

⁴ There are a few examples of cascaded encryption used in disk encryption products where it is an option to damp paranoia / an accessory for security theater. It's an option in TrueCrypt/VeraCrypt, and the successful attacks against this product work irrespective of use of this option.

fgrieu