# [cryptography] Compositing Ciphers?

Thor Lancelot Simon tls at panix.com
Fri Sep 6 23:37:32 EDT 2013

```On Sat, Sep 07, 2013 at 02:53:22AM +0200, Natanael wrote:
> http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html
> and the implementations are apparently called "robust combiners". And
> by the way, Truecrypt already lets you pick your chosen combo of AES
> and two other ciphers.

If you want to do this with stream ciphers, a fundamentally different
approach would be to use Knuth's "Algorithm M" (Knuth, 2ed, vol.1 , p 32):

Algorithm M (Randomizing by shuffling).  Given methods for generating
sequences (Xn) and (Yn), this algorithm will successively output
the terms of a "considerably more random" sequence.  We use a table
V, V, ... V[k-1], where k is some number chosen for convenience,
usually in the neighborhood of 100.  Initially, the V-table is filled
with the first k values of the X-sequence.

M1. [Generate X, Y.]   Set X and Y equal to the next members of the
sequences (Xn) and (Yn), respectively.

M2. [Extract j.] Set j <- [kY/m] where m is the modulus used in
the sequence (Yn); that is, j is a random value, 0 <= j < k,
determined by Y.

M3 [Exchange.] Output V[j] and then set V[j] <- X.

The reference proceeds to give two examples.

If there are more modern (post-1981) references that agitate against this
method of combining two keystream generators, I'd love to learn of them.

Thor
```