Encryption

What cryptanalysis is possible against two independent keystreams XORed against plaintext?

  • January 16, 2015

If a smart person is unsure which commercial cipher standards are really secure against fascist forces, then the obvious choice for companies and individuals now seems to be to encrypt with two independent algorithms. To be clear, I am not talking about a cascade of ciphers in CBC mode, e.g. $ Encryption_2 $ ( $ Encryption_1 $ ( $ plaintext $ )), where an attacker can peel off one layer of encryption at a time because they have direct access to the ciphertext produced by each algorithm.

I am talking about using two unique keys and two block cipher algorithms in counter mode (or stream cipher algorithms) to generate two unique keystreams, which are then XORed (⊕) with the plaintext. For example:

  • $ Key_1 $ = 256-bit random key
  • $ Key_2 $ = a different 256-bit random key
  • $ IV $ = 128-bit random initialization vector for AES
  • $ Nonce $ = 192-bit random nonce for XSalsa20
  • $ Keystream_1 $ = $ AES_{CTR}(Key_1, IV, Counter) $
  • $ Keystream_2 $ = $ XSalsa20(Key_2, Nonce, Counter) $
  • Ciphertext = $ Keystream_1 $ ⊕ $ Keystream_2 $ ⊕ $ Plaintext $
  • Decryption = $ Keystream_1 $ ⊕ $ Keystream_2 $ ⊕ $ Plaintext $
  • Data sent over the wire = $ IV $ | $ Nonce $ | $ Ciphertext $

Key exchange, MACs and the transport protocol are out of scope for this question; I want to focus on the encryption part.

  • It would appear that an attacker’s methods of cryptanalysis for each individual algorithm would not work as they do not have access to the plain ciphertext of either algorithm because the keystreams from each algorithm are XORed together.
  • Known-plaintext cryptanalysis would not work either. For example, the first 5 bytes are "hello", and they have a resulting ciphertext of "xAi3z". With a single keystream they could get those 5 bytes of the keystream, which would be the plaintext ⊕ the ciphertext. Then, over the course of multiple ciphertexts/known plaintexts, there might be a weakness that lets them deduce the original key which generated the keystream. However, with two independent keystreams, a cryptanalyst can’t know which combination of bits makes up the combined keystream. For example: they know plaintext bit 0 and ciphertext bit 1, but do not know whether the keystream bits were definitively a 1 or a 0 bit, nor which bit came from which keystream.

Advantages:

  • Protection from non-public flaws or weaknesses in either encryption algorithm.
  • Cryptanalysis is almost impossible?
  • Decryption requires breaking both algorithms.
  • Brute force required to find two random keys instead of one ( $ 2^{256} + 2^{256} $ ) or $ 2^{128} + 2^{128} $ (on a quantum computer).

Minor disadvantages:

  • Generating and exchanging two keys instead of one.
  • Slightly more network traffic required to send an extra IV or nonce with each transmission.
  • Slower encryption and decryption.

My questions:

  1. Assuming both algorithms are implemented properly, the random number generators produce truly random data and there is an attacker in a privileged network position intercepting multiple ciphertexts, how or what kind of cryptanalysis could the attacker perform against this scheme to break the confidentiality of messages?
  2. Is there a faster way than brute force to find the two encryption keys or otherwise break the confidentiality of the messages?

Asmuth and Blakley give a proof that, assuming the keys of each cryptosystem are chosen independently, breaking their composite cryptosystem is at least as hard as breaking the hardest of its parts [1].

Building on their work, cascade ciphers have in fact been proven to be harder to break than the harder of the two parts. Admittedly, what you are talking about sits in an awkward spot between the cipher exponent and the cascade cipher. The cipher exponent (of two ciphers) is defined as:

$$ M \oplus R \oplus R' \;|\; E(R) \;|\; E'(R') $$
where R and R' are truly random bit strings. Beyond that, I can't give you much that is concrete. I hope this answers your question.

  1. C. Asmuth, G. Blakley. “An efficient algorithm for constructing a cryptosystem which is harder to break than two other cryptosystems”

In your example, $ Encryption_1 $ is $ \textsf{AES}_{CTR} $ and $ Encryption_2 $ is $ \textsf{Salsa20} $. Then the encryption method you propose is $ Encryption_1(Encryption_2(plaintext)) $, which is in fact a cascade of stream ciphers. Note that, since you are just XORing the streams, this cascade cipher commutes, that is, you get the same result if you use $ Encryption_2(Encryption_1(plaintext)) $.

In [1], Maurer and Massey proved the following result:

Corollary 1. A cascade of commuting ciphers is at least as difficult to break as the most difficult-to-break component cipher.

So, basically, you can at least be sure that your proposed encryption method will not be weaker than the original stream ciphers used.

References:

[1] Maurer, U. M., & Massey, J. L. (1993). Cascade ciphers: The importance of being first. Journal of Cryptology, 6(1), 55-61.
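As an added example that is not part of the question or of either answer, the following Python code implements the scheme the question lists (Ciphertext = Keystream_1 ⊕ Keystream_2 ⊕ Plaintext, sent as IV | Nonce | Ciphertext) and checks the two properties discussed on this page: that the cascade commutes, as the second answer points out, and that a known-plaintext observer recovers only the combined keystream KS1 ⊕ KS2, as the question argues. It assumes HMAC-SHA256 counter-mode keystreams as stand-ins for AES-CTR and XSalsa20 so that it runs on the standard library alone; that substitution, the function names and the sample keys, IV and nonce are constructed for this example and come from nothing on the page.

```python
import hashlib
import hmac


def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.

    Stand-in for AES-CTR / XSalsa20 (an assumption of this example, so it runs
    on the standard library alone): block i = HMAC(key, nonce || i).
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key1: bytes, iv: bytes, key2: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = Keystream_1 ⊕ Keystream_2 ⊕ Plaintext, the scheme from the question."""
    if len(iv) != 16 or len(nonce) != 24:
        raise ValueError("expected a 128-bit IV and a 192-bit nonce")
    ks1 = prf_keystream(key1, iv, len(plaintext))
    ks2 = prf_keystream(key2, nonce, len(plaintext))
    return xor_bytes(xor_bytes(ks1, ks2), plaintext)


def decrypt(key1: bytes, iv: bytes, key2: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation as encryption."""
    return encrypt(key1, iv, key2, nonce, ciphertext)


def cascade_commutes(key1: bytes, iv: bytes, key2: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """Check E1(E2(P)) == E2(E1(P)) == KS1 ⊕ KS2 ⊕ P: the cascade of XOR streams commutes."""
    n = len(plaintext)
    ks1 = prf_keystream(key1, iv, n)
    ks2 = prf_keystream(key2, nonce, n)
    e2_of_e1 = xor_bytes(ks2, xor_bytes(ks1, plaintext))
    e1_of_e2 = xor_bytes(ks1, xor_bytes(ks2, plaintext))
    return e2_of_e1 == e1_of_e2 == encrypt(key1, iv, key2, nonce, plaintext)


def known_plaintext_view(key1: bytes, iv: bytes, key2: bytes, nonce: bytes, plaintext: bytes) -> dict:
    """What an observer holding (P, C) learns: P ⊕ C, which is KS1 ⊕ KS2 but neither stream alone."""
    n = len(plaintext)
    observed = xor_bytes(plaintext, encrypt(key1, iv, key2, nonce, plaintext))
    ks1 = prf_keystream(key1, iv, n)
    ks2 = prf_keystream(key2, nonce, n)
    return {
        "is_combined_keystream": observed == xor_bytes(ks1, ks2),
        "is_keystream_1": observed == ks1,
        "is_keystream_2": observed == ks2,
    }


# Constructed sample values (not from the post). A real system draws all four at
# random and never reuses an IV or nonce under the same key: the composite is
# still a stream cipher and keeps every stream-cipher requirement on uniqueness.
KEY1 = bytes(range(32))
KEY2 = bytes(range(32, 64))
IV = bytes([0xA5] * 16)
NONCE = bytes([0x5A] * 24)
SAMPLE = b"hello, two independent keystreams"


if __name__ == "__main__":
    ct = encrypt(KEY1, IV, KEY2, NONCE, SAMPLE)
    wire = IV + NONCE + ct  # data sent over the wire = IV | Nonce | Ciphertext
    print("wire:", wire.hex())
    print("cascade commutes:", cascade_commutes(KEY1, IV, KEY2, NONCE, SAMPLE))
    print("known-plaintext view:", known_plaintext_view(KEY1, IV, KEY2, NONCE, SAMPLE))
    assert decrypt(KEY1, IV, KEY2, NONCE, ct) == SAMPLE
```

`known_plaintext_view` makes the question's argument concrete: P ⊕ C hands the observer exactly KS1 ⊕ KS2 and nothing that separates the two streams, which is also why the Maurer and Massey corollary applies, since the XOR of the two streams is a commuting cascade. The check in `encrypt` on the IV and nonce lengths mirrors the sizes the question lists; it does not replace the per-message uniqueness and the MAC that the question scoped out.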

Source: https://crypto.stackexchange.com/questions/22389