[cryptography] Compositing Ciphers?

Thor Lancelot Simon tls at panix.com
Fri Sep 6 23:37:32 EDT 2013

On Sat, Sep 07, 2013 at 02:53:22AM +0200, Natanael wrote:
> http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html
> Apparently it's called "cascade encryption" or "cascade encipherment",
> and the implementations are apparently called "robust combiners". And
> by the way, Truecrypt already lets you pick your chosen combo of AES
> and two other ciphers.

If you want to do this with stream ciphers, a fundamentally different
approach would be to use Knuth's "Algorithm M" (Knuth, 2ed, vol. 1, p. 32):

	Algorithm M (Randomizing by shuffling).  Given methods for generating
	sequences (Xn) and (Yn), this algorithm will successively output
	the terms of a "considerably more random" sequence.  We use a table
	V[0], V[1], ... V[k-1], where k is some number chosen for convenience,
	usually in the neighborhood of 100.  Initially, the V-table is filled
	with the first k values of the X-sequence.

	M1. [Generate X, Y.]   Set X and Y equal to the next members of the
	sequences (Xn) and (Yn), respectively.

	M2. [Extract j.] Set j <- [kY/m] where m is the modulus used in
	the sequence (Yn); that is, j is a random value, 0 <= j < k,
	determined by Y.

	M3. [Exchange.] Output V[j] and then set V[j] <- X.

The reference proceeds to give two examples.

If there are more modern (post-1981) references that agitate against this
method of combining two keystream generators, I'd love to learn of them.
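
Algorithm M as quoted in the message above, written out in Python as an added example; it is not part of the original post or of Knuth's text. The two LCG parameter sets, the seeds, the table size k=8 and the names `lcg`, `algorithm_m` and `demo` are assumptions chosen for illustration. `demo` returns enough state to check that every output is a term of (Xn) and that (Yn) only selects which table slot is emitted.

```python
from itertools import islice

# Illustrative parameters (assumptions, not from the post): two well-known
# LCGs. Neither is cryptographically secure on its own.
X_PARAMS = (1664525, 1013904223, 2**32)   # a, c, m for the (Xn) sequence
Y_PARAMS = (16807, 0, 2**31 - 1)          # a, c, m for the (Yn) sequence

def lcg(seed, a, c, m):
    """Yield x <- (a*x + c) mod m forever."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def algorithm_m(xs, ys, m_y, k, n):
    """Run steps M1-M3 n times; return (outputs, final V-table)."""
    v = [next(xs) for _ in range(k)]      # fill V with the first k X values
    out = []
    for _ in range(n):
        x, y = next(xs), next(ys)         # M1: next members of both sequences
        j = (k * y) // m_y                # M2: j = floor(kY/m), 0 <= j < k
        out.append(v[j])                  # M3: output V[j] ...
        v[j] = x                          #     ... then set V[j] <- X
    return out, v

def demo(k=8, n=1000, x_seed=1, y_seed=2013):
    """Return (X prefix consumed, shuffled outputs, final table)."""
    x_prefix = list(islice(lcg(x_seed, *X_PARAMS), k + n))
    out, table = algorithm_m(lcg(x_seed, *X_PARAMS),
                             lcg(y_seed, *Y_PARAMS), Y_PARAMS[2], k, n)
    return x_prefix, out, table

if __name__ == "__main__":
    x_prefix, out, table = demo()
    print("order changed:", out != x_prefix[:len(out)])
    # Every consumed X value is either already output or still in the table.
    print("same multiset:", sorted(out + table) == sorted(x_prefix))
```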

