If Kerckhoff's Principle holds, why do we need a cipher at all?












10














I understand Kerckhoff's principle, in a very practical sense, that the best attack that can be performed on a given cryptographic algorithm should be only as practical, if not less practical, than an exhaustive key search, that is, testing every possible key. My question is, if this is the case, then why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?










share|improve this question







New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 5




    Related questions: one-time pad: Why is it useless in practice and Is modern encryption needlessly complicated?
    – Ella Rose
    2 days ago






  • 24




    Your question is unclear to me; to convert a plaintext and a key (of whatever length) to a ciphertext, you need an algorithm for transformation. That transformation algorithm is called the cipher. Without a cipher, no encryption, full stop. When you say "why not use a ridiculously long key", how do you intend to encrypt the plaintext?
    – marcelm
    2 days ago






  • 1




    @marcelm I assume the encryption would be using a one-time-pad of some sort, which arguably to some extent renders the algorithm so trivial that it's solely the key that's providing security, not the algorithm (probably some variant of XOR).
    – March Ho
    2 days ago








  • 4




    This "ridiculously long key" is exactly a one-time pad, and all of the usual disadvantages apply.
    – chrylis
    2 days ago






  • 1




    @MarchHo & chrylis - Maybe Will was talking about OTP, but I'd prefer to hear confirmation from him; maybe he meant something else. Either way, OTP is still a cipher, however trivial ;)
    – marcelm
    2 days ago
















10














I understand Kerckhoff's principle, in a very practical sense, that the best attack that can be performed on a given cryptographic algorithm should be only as practical, if not less practical, than an exhaustive key search, that is, testing every possible key. My question is, if this is the case, then why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?










share|improve this question







New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 5




    Related questions: one-time pad: Why is it useless in practice and Is modern encryption needlessly complicated?
    – Ella Rose
    2 days ago






  • 24




    Your question is unclear to me; to convert a plaintext and a key (of whatever length) to a ciphertext, you need an algorithm for transformation. That transformation algorithm is called the cipher. Without a cipher, no encryption, full stop. When you say "why not use a ridiculously long key", how do you intend to encrypt the plaintext?
    – marcelm
    2 days ago






  • 1




    @marcelm I assume the encryption would be using a one-time-pad of some sort, which arguably to some extent renders the algorithm so trivial that it's solely the key that's providing security, not the algorithm (probably some variant of XOR).
    – March Ho
    2 days ago








  • 4




    This "ridiculously long key" is exactly a one-time pad, and all of the usual disadvantages apply.
    – chrylis
    2 days ago






  • 1




    @MarchHo & chrylis - Maybe Will was talking about OTP, but I'd prefer to hear confirmation from him; maybe he meant something else. Either way, OTP is still a cipher, however trivial ;)
    – marcelm
    2 days ago














10












10








10


3





I understand Kerckhoff's principle, in a very practical sense, that the best attack that can be performed on a given cryptographic algorithm should be only as practical, if not less practical, than an exhaustive key search, that is, testing every possible key. My question is, if this is the case, then why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?










share|improve this question







New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I understand Kerckhoff's principle, in a very practical sense, that the best attack that can be performed on a given cryptographic algorithm should be only as practical, if not less practical, than an exhaustive key search, that is, testing every possible key. My question is, if this is the case, then why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?







encryption algorithm-design keys






share|improve this question







New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 days ago









Will Burghard

5713




5713




New contributor




Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Will Burghard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 5




    Related questions: one-time pad: Why is it useless in practice and Is modern encryption needlessly complicated?
    – Ella Rose
    2 days ago






  • 24




    Your question is unclear to me; to convert a plaintext and a key (of whatever length) to a ciphertext, you need an algorithm for transformation. That transformation algorithm is called the cipher. Without a cipher, no encryption, full stop. When you say "why not use a ridiculously long key", how do you intend to encrypt the plaintext?
    – marcelm
    2 days ago






  • 1




    @marcelm I assume the encryption would be using a one-time-pad of some sort, which arguably to some extent renders the algorithm so trivial that it's solely the key that's providing security, not the algorithm (probably some variant of XOR).
    – March Ho
    2 days ago








  • 4




    This "ridiculously long key" is exactly a one-time pad, and all of the usual disadvantages apply.
    – chrylis
    2 days ago






  • 1




    @MarchHo & chrylis - Maybe Will was talking about OTP, but I'd prefer to hear confirmation from him; maybe he meant something else. Either way, OTP is still a cipher, however trivial ;)
    – marcelm
    2 days ago














  • 5




    Related questions: one-time pad: Why is it useless in practice and Is modern encryption needlessly complicated?
    – Ella Rose
    2 days ago






  • 24




    Your question is unclear to me; to convert a plaintext and a key (of whatever length) to a ciphertext, you need an algorithm for transformation. That transformation algorithm is called the cipher. Without a cipher, no encryption, full stop. When you say "why not use a ridiculously long key", how do you intend to encrypt the plaintext?
    – marcelm
    2 days ago






  • 1




    @marcelm I assume the encryption would be using a one-time-pad of some sort, which arguably to some extent renders the algorithm so trivial that it's solely the key that's providing security, not the algorithm (probably some variant of XOR).
    – March Ho
    2 days ago








  • 4




    This "ridiculously long key" is exactly a one-time pad, and all of the usual disadvantages apply.
    – chrylis
    2 days ago






  • 1




    @MarchHo & chrylis - Maybe Will was talking about OTP, but I'd prefer to hear confirmation from him; maybe he meant something else. Either way, OTP is still a cipher, however trivial ;)
    – marcelm
    2 days ago








5




5




Related questions: one-time pad: Why is it useless in practice and Is modern encryption needlessly complicated?
– Ella Rose
2 days ago




Related questions: one-time pad: Why is it useless in practice and Is modern encryption needlessly complicated?
– Ella Rose
2 days ago




24




24




Your question is unclear to me; to convert a plaintext and a key (of whatever length) to a ciphertext, you need an algorithm for transformation. That transformation algorithm is called the cipher. Without a cipher, no encryption, full stop. When you say "why not use a ridiculously long key", how do you intend to encrypt the plaintext?
– marcelm
2 days ago




Your question is unclear to me; to convert a plaintext and a key (of whatever length) to a ciphertext, you need an algorithm for transformation. That transformation algorithm is called the cipher. Without a cipher, no encryption, full stop. When you say "why not use a ridiculously long key", how do you intend to encrypt the plaintext?
– marcelm
2 days ago




1




1




@marcelm I assume the encryption would be using a one-time-pad of some sort, which arguably to some extent renders the algorithm so trivial that it's solely the key that's providing security, not the algorithm (probably some variant of XOR).
– March Ho
2 days ago






@marcelm I assume the encryption would be using a one-time-pad of some sort, which arguably to some extent renders the algorithm so trivial that it's solely the key that's providing security, not the algorithm (probably some variant of XOR).
– March Ho
2 days ago






4




4




This "ridiculously long key" is exactly a one-time pad, and all of the usual disadvantages apply.
– chrylis
2 days ago




This "ridiculously long key" is exactly a one-time pad, and all of the usual disadvantages apply.
– chrylis
2 days ago




1




1




@MarchHo & chrylis - Maybe Will was talking about OTP, but I'd prefer to hear confirmation from him; maybe he meant something else. Either way, OTP is still a cipher, however trivial ;)
– marcelm
2 days ago




@MarchHo & chrylis - Maybe Will was talking about OTP, but I'd prefer to hear confirmation from him; maybe he meant something else. Either way, OTP is still a cipher, however trivial ;)
– marcelm
2 days ago










4 Answers
4






active

oldest

votes


















28















...why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?




Designing a cipher is significantly less hassle then using a ridiculously long key.



Designing a cipher only needs to be done once by a competent professional.



Using a ridiculously long key would need to be:




  • Done by all parties


    • "all parties" includes everyone with a networked electronic device

    • Almost all of them are not competent professionals

    • Requires a pre-existing secure channel, or more likely a face-to-face meeting


      • "secure channel" must not use encryption, otherwise the problem is circular





  • Done pairwise for each group of communicating parties


    • e.g. You have to go through the key establishment process for every particular site you want to visit

    • A web site with 1000 users that each have a 1GB key would need to have access to 1TB of reliable, secure storage just to store the key material (that's a small website)



  • Done repeatedly


    • You will eventually run out of key material

    • Your keys could become compromised


      • Updating them in a useful time frame will be next to impossible





  • Destroyed securely after use


    • Re-using any part of the key will lead to a practical lose of confidentiality


      • In a practical scenario (e.g. HTTP requests) known-plaintext attacks apply, which will allow trivial recovery of the key






It simply would not work in practice. A proper cipher will.






share|improve this answer































    17














    Edit: I wrote the below on autopilot with the definition in the question. I have since realised an additional mistaken detail: the rule about no attacks better than key exhaustion is not called Kerckhoff's principle. Kerckhoff's principle is a related rule of cipher design that the key is the only component that can be relied upon to be secret.





    When you say "If Kerckhoff's principle holds", I think you might have slightly misunderstood Kerckhoff's principle. It is not a scientific hypothesis about some property of all ciphers so much as a design principle for making good ciphers.



    By way of analogy, suppose I have "Lancelot's principle" about suits of armour. Lancelot's principle is really simple: everything covered by armour should withstand three strikes from a longsword. Now it might be tempting to ask "If Lancelot's principle holds, why bother with fancy metalwork? If armour is always going to block a sword, let's just get the local tailor to make cloth** armour that covers every inch of you and your horse." Of course Lancelot's principle isn't actually saying that anything we call armour can block a sword: instead it's saying that something that can't block a sword shouldn't be counted on to serve as armour.



    So, let's pick on some random thousand byte polyalphabetic Vigenère cipher. It's been known for over a hundred years how to use frequency analysis to break a polyalphabetic cipher. So long as the message is long enough, this attack takes linear time in the size of the key (whereas key exhaustion takes exponential time). So, it is not that this Vigenère is guaranteed by Kerckhoff's principle to resist anything short of exhaustive key search. Rather a Vigenère algorithm fails the test posed by Kerckhoff's principle, and therefore shouldn't be used as a cipher.



    I hope that clears things up.





    ** If someone with dual interests in crypto and military history turns up to tell me that cloth is surprisingly effective against swords, replace cloth with body paint or something.






    share|improve this answer



















    • 5




      Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
      – Maciej Piechotka
      2 days ago





















    2














    There's a simple maxim that demonstrates otherwise. It's much much harder to make true random numbers/your 'ridiculous' key than it is to make pseudo random numbers.



    A cryptographic strength pseudo random number generator can be instantiated at the drop of a hat (or calling a C++ constructor with a seed value). Based on some experience, a clever DIY guy can probably make 10 megabits per second of true random bits. A modern photonics laboratory can do much better, but most don't have access to those resources. Even then, you have the Brobdingnagian problem of distributing the key between parties. If an unexpected party suddenly wants to join the discourse, you're in trouble distributing said key to expand the conversation.



    In the last six months, half a billion people visited Britain's BBC website which is served over HTTPS. Based on a recent page download survey suggesting a mean entertainment page size of 1.7MB , Auntie would have to generate > $10^{15}$ bits of key material/year. Many lava lamps would be required. It would take me 22 boring years to generate that much entropy. And ship it out of channel across international boundaries to ill defined transitory recipients. It's logistically impossible.



    You've discovered a one time pad. They have practical applications, but only on very limited criteria.





    Slight niggle: A one time pad à la random Vernam cipher is still a cipher.






    share|improve this answer































      1















      I understand Kerckhoff's principle ...



      ... then why go through the trouble of creating a cipher in the first place?




      I think you misunderstood something:



      Kerckhoff's principle does not say that a cryptosystem is secure. The principle says that the cipher used must have certain properties if the cryptosystem shall be secure.



      In other words: Kerckhoff's principle won't be satisfied if the cipher used is bad!



      An extreme counterexample



      We could design the following "cryptographic" system:





      • The key consists of any characters but the colon (:)

      • To encrypt the text, we simply add a colon followed by the key to the text; the result is our "ciphertext"

      • To decrypt the text, we check if the "ciphertext" ends with a colon followed by the key

      • If yes, we remove the colon and the key; the result is our plaintext

      • If no, our plaintext is "Sorry, wrong key!"


      Example:




      • The plaintext is: "This is a very secret text."

      • Our secret key is: "This is our secret key."

      • The "ciphertext" will be: "This is a very secret text.:This is our secret key."

      • If we use the correct key for decryption, the decrypted text will be: "This is a very secret text."

      • If we use any other key for decryption, the decrypted text will be: "Sorry, wrong key!"




      Not using the correct key for decryption will definitely not result in the correct plaintext but in: "Sorry, wrong key!"



      Do you think using a very long key will result in a secure encryption?






      share|improve this answer










      New contributor




      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.


















      • The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
        – Ella Rose
        4 hours ago










      • @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
        – Martin Rosenau
        2 hours ago












      • @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
        – Martin Rosenau
        2 hours ago











      Your Answer





      StackExchange.ifUsing("editor", function () {
      return StackExchange.using("mathjaxEditing", function () {
      StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
      StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
      });
      });
      }, "mathjax-editing");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "281"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Will Burghard is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66162%2fif-kerckhoffs-principle-holds-why-do-we-need-a-cipher-at-all%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      28















      ...why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?




      Designing a cipher is significantly less hassle then using a ridiculously long key.



      Designing a cipher only needs to be done once by a competent professional.



      Using a ridiculously long key would need to be:




      • Done by all parties


        • "all parties" includes everyone with a networked electronic device

        • Almost all of them are not competent professionals

        • Requires a pre-existing secure channel, or more likely a face-to-face meeting


          • "secure channel" must not use encryption, otherwise the problem is circular





      • Done pairwise for each group of communicating parties


        • e.g. You have to go through the key establishment process for every particular site you want to visit

        • A web site with 1000 users that each have a 1GB key would need to have access to 1TB of reliable, secure storage just to store the key material (that's a small website)



      • Done repeatedly


        • You will eventually run out of key material

        • Your keys could become compromised


          • Updating them in a useful time frame will be next to impossible





      • Destroyed securely after use


        • Re-using any part of the key will lead to a practical lose of confidentiality


          • In a practical scenario (e.g. HTTP requests) known-plaintext attacks apply, which will allow trivial recovery of the key






      It simply would not work in practice. A proper cipher will.






      share|improve this answer




























        28















        ...why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?




        Designing a cipher is significantly less hassle then using a ridiculously long key.



        Designing a cipher only needs to be done once by a competent professional.



        Using a ridiculously long key would need to be:




        • Done by all parties


          • "all parties" includes everyone with a networked electronic device

          • Almost all of them are not competent professionals

          • Requires a pre-existing secure channel, or more likely a face-to-face meeting


            • "secure channel" must not use encryption, otherwise the problem is circular





        • Done pairwise for each group of communicating parties


          • e.g. You have to go through the key establishment process for every particular site you want to visit

          • A web site with 1000 users that each have a 1GB key would need to have access to 1TB of reliable, secure storage just to store the key material (that's a small website)



        • Done repeatedly


          • You will eventually run out of key material

          • Your keys could become compromised


            • Updating them in a useful time frame will be next to impossible





        • Destroyed securely after use


          • Re-using any part of the key will lead to a practical lose of confidentiality


            • In a practical scenario (e.g. HTTP requests) known-plaintext attacks apply, which will allow trivial recovery of the key






        It simply would not work in practice. A proper cipher will.






        share|improve this answer


























          28












          28








          28







          ...why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?




          Designing a cipher is significantly less hassle then using a ridiculously long key.



          Designing a cipher only needs to be done once by a competent professional.



          Using a ridiculously long key would need to be:




          • Done by all parties


            • "all parties" includes everyone with a networked electronic device

            • Almost all of them are not competent professionals

            • Requires a pre-existing secure channel, or more likely a face-to-face meeting


              • "secure channel" must not use encryption, otherwise the problem is circular





          • Done pairwise for each group of communicating parties


            • e.g. You have to go through the key establishment process for every particular site you want to visit

            • A web site with 1000 users that each have a 1GB key would need to have access to 1TB of reliable, secure storage just to store the key material (that's a small website)



          • Done repeatedly


            • You will eventually run out of key material

            • Your keys could become compromised


              • Updating them in a useful time frame will be next to impossible





          • Destroyed securely after use


            • Re-using any part of the key will lead to a practical lose of confidentiality


              • In a practical scenario (e.g. HTTP requests) known-plaintext attacks apply, which will allow trivial recovery of the key






          It simply would not work in practice. A proper cipher will.






          share|improve this answer















          ...why go through the trouble of creating a cipher in the first place? Why not simply use a ridiculously long key, if you're gonna create a cipher that only takes as long as an exhaustive key search anyway?




          Designing a cipher is significantly less hassle then using a ridiculously long key.



          Designing a cipher only needs to be done once by a competent professional.



          Using a ridiculously long key would need to be:




          • Done by all parties


            • "all parties" includes everyone with a networked electronic device

            • Almost all of them are not competent professionals

            • Requires a pre-existing secure channel, or more likely a face-to-face meeting


              • "secure channel" must not use encryption, otherwise the problem is circular





          • Done pairwise for each group of communicating parties


            • e.g. You have to go through the key establishment process for every particular site you want to visit

            • A web site with 1000 users that each have a 1GB key would need to have access to 1TB of reliable, secure storage just to store the key material (that's a small website)



          • Done repeatedly


            • You will eventually run out of key material

            • Your keys could become compromised


              • Updating them in a useful time frame will be next to impossible





          • Destroyed securely after use


            • Re-using any part of the key will lead to a practical lose of confidentiality


              • In a practical scenario (e.g. HTTP requests) known-plaintext attacks apply, which will allow trivial recovery of the key






          It simply would not work in practice. A proper cipher will.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 days ago

























          answered 2 days ago









          Ella Rose

          15.3k44279




          15.3k44279























              17














              Edit: I wrote the below on autopilot with the definition in the question. I have since realised an additional mistaken detail: the rule about no attacks better than key exhaustion is not called Kerckhoff's principle. Kerckhoff's principle is a related rule of cipher design that the key is the only component that can be relied upon to be secret.





              When you say "If Kerckhoff's principle holds", I think you might have slightly misunderstood Kerckhoff's principle. It is not a scientific hypothesis about some property of all ciphers so much as a design principle for making good ciphers.



              By way of analogy, suppose I have "Lancelot's principle" about suits of armour. Lancelot's principle is really simple: everything covered by armour should withstand three strikes from a longsword. Now it might be tempting to ask "If Lancelot's principle holds, why bother with fancy metalwork? If armour is always going to block a sword, let's just get the local tailor to make cloth** armour that covers every inch of you and your horse." Of course Lancelot's principle isn't actually saying that anything we call armour can block a sword: instead it's saying that something that can't block a sword shouldn't be counted on to serve as armour.



              So, let's pick on some random thousand byte polyalphabetic Vigenère cipher. It's been known for over a hundred years how to use frequency analysis to break a polyalphabetic cipher. So long as the message is long enough, this attack takes linear time in the size of the key (whereas key exhaustion takes exponential time). So, it is not that this Vigenère is guaranteed by Kerckhoff's principle to resist anything short of exhaustive key search. Rather a Vigenère algorithm fails the test posed by Kerckhoff's principle, and therefore shouldn't be used as a cipher.



              I hope that clears things up.





              ** If someone with dual interests in crypto and military history turns up to tell me that cloth is surprisingly effective against swords, replace cloth with body paint or something.






              share|improve this answer



















              • 5




                Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
                – Maciej Piechotka
                2 days ago


















              17














              Edit: I wrote the below on autopilot with the definition in the question. I have since realised an additional mistaken detail: the rule about no attacks better than key exhaustion is not called Kerckhoff's principle. Kerckhoff's principle is a related rule of cipher design that the key is the only component that can be relied upon to be secret.





              When you say "If Kerckhoff's principle holds", I think you might have slightly misunderstood Kerckhoff's principle. It is not a scientific hypothesis about some property of all ciphers so much as a design principle for making good ciphers.



              By way of analogy, suppose I have "Lancelot's principle" about suits of armour. Lancelot's principle is really simple: everything covered by armour should withstand three strikes from a longsword. Now it might be tempting to ask "If Lancelot's principle holds, why bother with fancy metalwork? If armour is always going to block a sword, let's just get the local tailor to make cloth** armour that covers every inch of you and your horse." Of course Lancelot's principle isn't actually saying that anything we call armour can block a sword: instead it's saying that something that can't block a sword shouldn't be counted on to serve as armour.



              So, let's pick on some random thousand byte polyalphabetic Vigenère cipher. It's been known for over a hundred years how to use frequency analysis to break a polyalphabetic cipher. So long as the message is long enough, this attack takes linear time in the size of the key (whereas key exhaustion takes exponential time). So, it is not that this Vigenère is guaranteed by Kerckhoff's principle to resist anything short of exhaustive key search. Rather a Vigenère algorithm fails the test posed by Kerckhoff's principle, and therefore shouldn't be used as a cipher.



              I hope that clears things up.





              ** If someone with dual interests in crypto and military history turns up to tell me that cloth is surprisingly effective against swords, replace cloth with body paint or something.






              share|improve this answer



















              • 5




                Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
                – Maciej Piechotka
                2 days ago
















              17












              17








              17






              Edit: I wrote the below on autopilot with the definition in the question. I have since realised an additional mistaken detail: the rule about no attacks better than key exhaustion is not called Kerckhoff's principle. Kerckhoff's principle is a related rule of cipher design that the key is the only component that can be relied upon to be secret.





              When you say "If Kerckhoff's principle holds", I think you might have slightly misunderstood Kerckhoff's principle. It is not a scientific hypothesis about some property of all ciphers so much as a design principle for making good ciphers.



              By way of analogy, suppose I have "Lancelot's principle" about suits of armour. Lancelot's principle is really simple: everything covered by armour should withstand three strikes from a longsword. Now it might be tempting to ask "If Lancelot's principle holds, why bother with fancy metalwork? If armour is always going to block a sword, let's just get the local tailor to make cloth** armour that covers every inch of you and your horse." Of course Lancelot's principle isn't actually saying that anything we call armour can block a sword: instead it's saying that something that can't block a sword shouldn't be counted on to serve as armour.



              So, let's pick on some random thousand byte polyalphabetic Vigenère cipher. It's been known for over a hundred years how to use frequency analysis to break a polyalphabetic cipher. So long as the message is long enough, this attack takes linear time in the size of the key (whereas key exhaustion takes exponential time). So, it is not that this Vigenère is guaranteed by Kerckhoff's principle to resist anything short of exhaustive key search. Rather a Vigenère algorithm fails the test posed by Kerckhoff's principle, and therefore shouldn't be used as a cipher.



              I hope that clears things up.





              ** If someone with dual interests in crypto and military history turns up to tell me that cloth is surprisingly effective against swords, replace cloth with body paint or something.






              share|improve this answer














              Edit: I wrote the below on autopilot with the definition in the question. I have since realised an additional mistaken detail: the rule about no attacks better than key exhaustion is not called Kerckhoff's principle. Kerckhoff's principle is a related rule of cipher design that the key is the only component that can be relied upon to be secret.





              When you say "If Kerckhoff's principle holds", I think you might have slightly misunderstood Kerckhoff's principle. It is not a scientific hypothesis about some property of all ciphers so much as a design principle for making good ciphers.



              By way of analogy, suppose I have "Lancelot's principle" about suits of armour. Lancelot's principle is really simple: everything covered by armour should withstand three strikes from a longsword. Now it might be tempting to ask "If Lancelot's principle holds, why bother with fancy metalwork? If armour is always going to block a sword, let's just get the local tailor to make cloth** armour that covers every inch of you and your horse." Of course Lancelot's principle isn't actually saying that anything we call armour can block a sword: instead it's saying that something that can't block a sword shouldn't be counted on to serve as armour.



              So, let's pick on some random thousand byte polyalphabetic Vigenère cipher. It's been known for over a hundred years how to use frequency analysis to break a polyalphabetic cipher. So long as the message is long enough, this attack takes linear time in the size of the key (whereas key exhaustion takes exponential time). So, it is not that this Vigenère is guaranteed by Kerckhoff's principle to resist anything short of exhaustive key search. Rather a Vigenère algorithm fails the test posed by Kerckhoff's principle, and therefore shouldn't be used as a cipher.



              I hope that clears things up.





              ** If someone with dual interests in crypto and military history turns up to tell me that cloth is surprisingly effective against swords, replace cloth with body paint or something.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited 2 days ago

























              answered 2 days ago









              Josiah

              2915




              2915








              • 5




                Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
                – Maciej Piechotka
                2 days ago
















              • 5




                Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
                – Maciej Piechotka
                2 days ago










              5




              5




              Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
              – Maciej Piechotka
              2 days ago






              Since you mentioned in footnote - type of cloth has been used as armor either standalone or with mail/plate. That said a) in pre-industrial revolution time for common folk the cloth was still expensive item and b) it would fail Lancelot's principle.
              – Maciej Piechotka
              2 days ago













              2














              There's a simple maxim that demonstrates otherwise. It's much much harder to make true random numbers/your 'ridiculous' key than it is to make pseudo random numbers.



              A cryptographic strength pseudo random number generator can be instantiated at the drop of a hat (or calling a C++ constructor with a seed value). Based on some experience, a clever DIY guy can probably make 10 megabits per second of true random bits. A modern photonics laboratory can do much better, but most don't have access to those resources. Even then, you have the Brobdingnagian problem of distributing the key between parties. If an unexpected party suddenly wants to join the discourse, you're in trouble distributing said key to expand the conversation.



              In the last six months, half a billion people visited Britain's BBC website which is served over HTTPS. Based on a recent page download survey suggesting a mean entertainment page size of 1.7MB , Auntie would have to generate > $10^{15}$ bits of key material/year. Many lava lamps would be required. It would take me 22 boring years to generate that much entropy. And ship it out of channel across international boundaries to ill defined transitory recipients. It's logistically impossible.



              You've discovered a one time pad. They have practical applications, but only on very limited criteria.





              Slight niggle: A one time pad à la random Vernam cipher is still a cipher.






              share|improve this answer




























                2














                There's a simple maxim that demonstrates otherwise. It's much much harder to make true random numbers/your 'ridiculous' key than it is to make pseudo random numbers.



                A cryptographic strength pseudo random number generator can be instantiated at the drop of a hat (or calling a C++ constructor with a seed value). Based on some experience, a clever DIY guy can probably make 10 megabits per second of true random bits. A modern photonics laboratory can do much better, but most don't have access to those resources. Even then, you have the Brobdingnagian problem of distributing the key between parties. If an unexpected party suddenly wants to join the discourse, you're in trouble distributing said key to expand the conversation.



                In the last six months, half a billion people visited Britain's BBC website which is served over HTTPS. Based on a recent page download survey suggesting a mean entertainment page size of 1.7MB , Auntie would have to generate > $10^{15}$ bits of key material/year. Many lava lamps would be required. It would take me 22 boring years to generate that much entropy. And ship it out of channel across international boundaries to ill defined transitory recipients. It's logistically impossible.



                You've discovered a one time pad. They have practical applications, but only on very limited criteria.





                Slight niggle: A one time pad à la random Vernam cipher is still a cipher.






                share|improve this answer


























                  2












                  2








                  2






                  There's a simple maxim that demonstrates otherwise. It's much much harder to make true random numbers/your 'ridiculous' key than it is to make pseudo random numbers.



                  A cryptographic strength pseudo random number generator can be instantiated at the drop of a hat (or calling a C++ constructor with a seed value). Based on some experience, a clever DIY guy can probably make 10 megabits per second of true random bits. A modern photonics laboratory can do much better, but most don't have access to those resources. Even then, you have the Brobdingnagian problem of distributing the key between parties. If an unexpected party suddenly wants to join the discourse, you're in trouble distributing said key to expand the conversation.



                  In the last six months, half a billion people visited Britain's BBC website which is served over HTTPS. Based on a recent page download survey suggesting a mean entertainment page size of 1.7MB , Auntie would have to generate > $10^{15}$ bits of key material/year. Many lava lamps would be required. It would take me 22 boring years to generate that much entropy. And ship it out of channel across international boundaries to ill defined transitory recipients. It's logistically impossible.



                  You've discovered a one time pad. They have practical applications, but only on very limited criteria.





                  Slight niggle: A one time pad à la random Vernam cipher is still a cipher.






                  share|improve this answer














                  There's a simple maxim that demonstrates otherwise. It's much much harder to make true random numbers/your 'ridiculous' key than it is to make pseudo random numbers.



                  A cryptographic strength pseudo random number generator can be instantiated at the drop of a hat (or calling a C++ constructor with a seed value). Based on some experience, a clever DIY guy can probably make 10 megabits per second of true random bits. A modern photonics laboratory can do much better, but most don't have access to those resources. Even then, you have the Brobdingnagian problem of distributing the key between parties. If an unexpected party suddenly wants to join the discourse, you're in trouble distributing said key to expand the conversation.



                  In the last six months, half a billion people visited Britain's BBC website which is served over HTTPS. Based on a recent page download survey suggesting a mean entertainment page size of 1.7MB , Auntie would have to generate > $10^{15}$ bits of key material/year. Many lava lamps would be required. It would take me 22 boring years to generate that much entropy. And ship it out of channel across international boundaries to ill defined transitory recipients. It's logistically impossible.



                  You've discovered a one time pad. They have practical applications, but only on very limited criteria.





                  Slight niggle: A one time pad à la random Vernam cipher is still a cipher.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 2 days ago

























                  answered 2 days ago









                  Paul Uszak

                  7,04311534




                  7,04311534























                      1















                      I understand Kerckhoff's principle ...



                      ... then why go through the trouble of creating a cipher in the first place?




                      I think you misunderstood something:



                      Kerckhoff's principle does not say that a cryptosystem is secure. The principle says that the cipher used must have certain properties if the cryptosystem shall be secure.



                      In other words: Kerckhoff's principle won't be satisfied if the cipher used is bad!



                      An extreme counterexample



                      We could design the following "cryptographic" system:





                      • The key consists of any characters but the colon (:)

                      • To encrypt the text, we simply add a colon followed by the key to the text; the result is our "ciphertext"

                      • To decrypt the text, we check if the "ciphertext" ends with a colon followed by the key

                      • If yes, we remove the colon and the key; the result is our plaintext

                      • If no, our plaintext is "Sorry, wrong key!"


                      Example:




                      • The plaintext is: "This is a very secret text."

                      • Our secret key is: "This is our secret key."

                      • The "ciphertext" will be: "This is a very secret text.:This is our secret key."

                      • If we use the correct key for decryption, the decrypted text will be: "This is a very secret text."

                      • If we use any other key for decryption, the decrypted text will be: "Sorry, wrong key!"




                      Not using the correct key for decryption will definitely not result in the correct plaintext but in: "Sorry, wrong key!"



                      Do you think using a very long key will result in a secure encryption?






                      share|improve this answer










                      New contributor




                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.


















                      • The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
                        – Ella Rose
                        4 hours ago










                      • @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
                        – Martin Rosenau
                        2 hours ago












                      • @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
                        – Martin Rosenau
                        2 hours ago
















                      1















                      I understand Kerckhoff's principle ...



                      ... then why go through the trouble of creating a cipher in the first place?




                      I think you misunderstood something:



                      Kerckhoff's principle does not say that a cryptosystem is secure. The principle says that the cipher used must have certain properties if the cryptosystem shall be secure.



                      In other words: Kerckhoff's principle won't be satisfied if the cipher used is bad!



                      An extreme counterexample



                      We could design the following "cryptographic" system:





                      • The key consists of any characters but the colon (:)

                      • To encrypt the text, we simply add a colon followed by the key to the text; the result is our "ciphertext"

                      • To decrypt the text, we check if the "ciphertext" ends with a colon followed by the key

                      • If yes, we remove the colon and the key; the result is our plaintext

                      • If no, our plaintext is "Sorry, wrong key!"


                      Example:




                      • The plaintext is: "This is a very secret text."

                      • Our secret key is: "This is our secret key."

                      • The "ciphertext" will be: "This is a very secret text.:This is our secret key."

                      • If we use the correct key for decryption, the decrypted text will be: "This is a very secret text."

                      • If we use any other key for decryption, the decrypted text will be: "Sorry, wrong key!"




                      Not using the correct key for decryption will definitely not result in the correct plaintext but in: "Sorry, wrong key!"



                      Do you think using a very long key will result in a secure encryption?






                      share|improve this answer










                      New contributor




                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.


















                      • The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
                        – Ella Rose
                        4 hours ago










                      • @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
                        – Martin Rosenau
                        2 hours ago












                      • @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
                        – Martin Rosenau
                        2 hours ago














                      1












                      1








                      1







                      I understand Kerckhoff's principle ...



                      ... then why go through the trouble of creating a cipher in the first place?




                      I think you misunderstood something:



                      Kerckhoff's principle does not say that a cryptosystem is secure. The principle says that the cipher used must have certain properties if the cryptosystem shall be secure.



                      In other words: Kerckhoff's principle won't be satisfied if the cipher used is bad!



                      An extreme counterexample



                      We could design the following "cryptographic" system:





                      • The key consists of any characters but the colon (:)

                      • To encrypt the text, we simply add a colon followed by the key to the text; the result is our "ciphertext"

                      • To decrypt the text, we check if the "ciphertext" ends with a colon followed by the key

                      • If yes, we remove the colon and the key; the result is our plaintext

                      • If no, our plaintext is "Sorry, wrong key!"


                      Example:




                      • The plaintext is: "This is a very secret text."

                      • Our secret key is: "This is our secret key."

                      • The "ciphertext" will be: "This is a very secret text.:This is our secret key."

                      • If we use the correct key for decryption, the decrypted text will be: "This is a very secret text."

                      • If we use any other key for decryption, the decrypted text will be: "Sorry, wrong key!"




                      Not using the correct key for decryption will definitely not result in the correct plaintext but in: "Sorry, wrong key!"



                      Do you think using a very long key will result in a secure encryption?






                      share|improve this answer










                      New contributor




                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.










                      I understand Kerckhoff's principle ...



                      ... then why go through the trouble of creating a cipher in the first place?




                      I think you misunderstood something:



                      Kerckhoff's principle does not say that a cryptosystem is secure. The principle says that the cipher used must have certain properties if the cryptosystem shall be secure.



                      In other words: Kerckhoff's principle won't be satisfied if the cipher used is bad!



                      An extreme counterexample



                      We could design the following "cryptographic" system:





                      • The key consists of any characters but the colon (:)

                      • To encrypt the text, we simply add a colon followed by the key to the text; the result is our "ciphertext"

                      • To decrypt the text, we check if the "ciphertext" ends with a colon followed by the key

                      • If yes, we remove the colon and the key; the result is our plaintext

                      • If no, our plaintext is "Sorry, wrong key!"


                      Example:




                      • The plaintext is: "This is a very secret text."

                      • Our secret key is: "This is our secret key."

                      • The "ciphertext" will be: "This is a very secret text.:This is our secret key."

                      • If we use the correct key for decryption, the decrypted text will be: "This is a very secret text."

                      • If we use any other key for decryption, the decrypted text will be: "Sorry, wrong key!"




                      Not using the correct key for decryption will definitely not result in the correct plaintext but in: "Sorry, wrong key!"



                      Do you think using a very long key will result in a secure encryption?







                      share|improve this answer










                      New contributor




                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer








                      edited 11 hours ago





















                      New contributor




                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered 12 hours ago









                      Martin Rosenau

                      1113




                      1113




                      New contributor




                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      Martin Rosenau is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.












                      • The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
                        – Ella Rose
                        4 hours ago










                      • @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
                        – Martin Rosenau
                        2 hours ago












                      • @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
                        – Martin Rosenau
                        2 hours ago


















                      • The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
                        – Ella Rose
                        4 hours ago










                      • @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
                        – Martin Rosenau
                        2 hours ago












                      • @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
                        – Martin Rosenau
                        2 hours ago
















                      The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
                      – Ella Rose
                      4 hours ago




                      The principle in question states that the system should remain secure even if an adversary knows all of the steps of the algorithm, but does not have the key. The example provided here is broken with a single ciphertext-only attack, even to someone who previously did not know the algorithm.
                      – Ella Rose
                      4 hours ago












                      @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
                      – Martin Rosenau
                      2 hours ago






                      @EllaRose I doubt that there is any algorithm that allows "calculating" the algorithm from any information: Modify "my" algorithm in a way that the number 1234 must be added to every number when the "key" contains the word "hello". The plaintext "My cellphone password is 1111." would become: "My cellphone password is 2345.:Password is hello." If you don't test my algorithm with a number in the plaintext and the word "hello" in the key, you will never find out!
                      – Martin Rosenau
                      2 hours ago














                      @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
                      – Martin Rosenau
                      2 hours ago




                      @EllaRose ... and of course my intention was to show an example of an algorithm where Kerckhoff's principle definitely is not given.
                      – Martin Rosenau
                      2 hours ago










                      Will Burghard is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Will Burghard is a new contributor. Be nice, and check out our Code of Conduct.













                      Will Burghard is a new contributor. Be nice, and check out our Code of Conduct.












                      Will Burghard is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Cryptography Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      Use MathJax to format equations. MathJax reference.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66162%2fif-kerckhoffs-principle-holds-why-do-we-need-a-cipher-at-all%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                      Alcedinidae

                      Origin of the phrase “under your belt”?