Why would you use symmetric encryption instead of asymmetric one?

How does one prove the security of consecutive encryption algorithms?

• If P is the plaintext, R is random data as long as the plaintext, and E1 and E2 are different encryption algorithms with independently chosen keys and IVs, my intuition says that:     C = E1 (R) || E2 (R xor P) (with || designating an append) is secure even if one of the two encryption algorithms are broken or its keys are known. If E1 and E2 are stream ciphers with no authentication, then this seems easier to analyze.  But if E1 or E2 have authentication built in (for example, a hash is appended before or after encryption for purposes of integrity verification) then the statement above still rings true to me, due to the information splitting.  Maybe there are some encryption modes where the security of C is not clearly or entirely confirmed; in that case I'd be interested to know. But it seems harder still to prove that:     C2 = E1 (E2 (P)) is secure when one of the two algorithms is vulnerable or its keys or IVs are known.  I believe that TrueCrypt allows the user to use consecutive algorithms so that in the event one of them is broken, then the data is still safe.  I'm wondering what it would take to show that the above C2 construction is also secure, and how that would differ from the proof for C's security at the top.  And what assumptions are involved (whether it's semantic or computational security). It seems essential that E1 and E2 are unrelated (or that the keys are derived independently).  Even if the same algorithm is chosen, but the key and IV are independently derived, then the analysis would seem to be equivalent.  And finally, as a compromise to assuming fully independent random derivation of the keys and IVs, suppose I let key K_i = H (K_master || i) and IV_i = H (K_master || "IV" || i) for i in {1, 2}.  Even though in that case all parameters are derived from one K_master, the resultant key values are likely to behave as if they are independent. Any thoughts or insights would be appreciated.

• Answer:

  "Encryption algorithm" is fairly broad.  Most algorithms are designed so that (if they aren't broken, the key is random and unknown, there's no side channel, etc) the adversary can't get information about the plaintext other than its length.  That is, the adversary cannot distinguish E(plaintext) from E(random) or E(otherplaintext) within the attack model. So if either of the ciphers in your first example is secure, then the adversary can't distinguish the cipher from a one-time pad, i.e. from random.  Likewise, in the second model, if E2 is secure then it completely obscures the plaintext.  If E1 is secure, then it completely obscures the ciphertext, which is enough for non-pathologically-chosen E2. In either case, if one of the ciphers is weak, the other one may also protect it slightly from attack, because in practice encryptions of unknown random data is harder to attack than known data. However, for authentication, the first model is not secure if either cipher is broken.  This is because the adversary can tweak the broken side, and it will affect the plaintext in the same way.  The second cipher is more secure against this, but it might still be technically insecure if E2 is broken (because it may be possible to come up with an equivalent ciphertext). Your keying scheme is safe so long as H is pseudorandom in context.  That is, there is no length extension attack here, and only 4 invocations are ever requested, so an attacker can't get much data even by recovering a key and IV.  However, keep in mind that most cryptosystems want to send multiple messages per key, so you'll have to add an "outer IV" of sorts in there.  Then an attacker could get more data if E1 or E2 is really badly broken.