> Hi Steve, Long time listener. I’m a little confused on the key length discussion. I always thought that encrypting twice merely doubled the effective strength. Here’s my reasoning: Imagine you have an algorithm and a key that you can fully brute force in one day. If you add one bit to the key, you double the key space, and therefore it takes twice as long to brute force (or two days.) If you instead encrypt twice, then it takes one day to decrypt the outer ciphertext, at which point you get back the first output of ciphertext. Then in one more day, you can brute force the first/inner ciphertext. Like in the first example, this takes two days. It seems to me that these are equivalent. Is there something I’m missing?

I come to the conclusion that the *fastest* you could decrypt the plain text while not *knowing any key* is, as above, theoretically 2 days given the other assumptions.

There is a big but (or two or three):

- You don't know any keys nor any plain text
- You have to assume the ciphertext produced is correct and then process that blob
- You also, as an attacker, would not know how many times the plain text has been encrypted

It's almost a mix between security and obscurity - think of it as strong encryption as a control to protect the data with the repeated cycles to be a deterrent attack which would likely result in the attacker wasting lots of compute time and/or giving up.

What do others think?

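The cost question in this thread, worked through on a toy cipher as an added example (not code from the original post or the podcast): it compares brute-forcing one layer, brute-forcing only the outer layer of a doubly encrypted message, and searching key pairs, in the ciphertext-only setting the post describes. The cipher, the 8-bit key size, the sample message and keys, and the printable-ASCII stopping test are all constructed assumptions.

```python
import hashlib

KEY_BITS = 8                      # toy key size (constructed) so every search finishes quickly
KEYS = range(1 << KEY_BITS)

def _pad(key: int, prev: bytes) -> bytes:
    # Keystream block derived from the key and the previous ciphertext block.
    return hashlib.sha256(key.to_bytes(2, "big") + prev).digest()[:16]

def encrypt(key: int, msg: bytes) -> bytes:
    out, prev = b"", bytes(16)
    for i in range(0, len(msg), 16):
        prev = bytes(a ^ b for a, b in zip(msg[i:i + 16], _pad(key, prev)))
        out += prev
    return out

def decrypt(key: int, ct: bytes) -> bytes:
    out, prev = b"", bytes(16)
    for i in range(0, len(ct), 16):
        block = ct[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _pad(key, prev)))
        prev = block
    return out

def looks_like_plaintext(data: bytes) -> bool:
    # Without known plaintext, the only stopping test is "does this look like text?"
    return all(32 <= b < 127 for b in data)

def brute_single(ct: bytes) -> list:
    # Peel one layer: every key whose output passes the stopping test.
    return [k for k in KEYS if looks_like_plaintext(decrypt(k, ct))]

def brute_pairs(ct: bytes) -> list:
    # Peel both layers together: 2**(2*KEY_BITS) trial decryptions.
    hits = []
    for k2 in KEYS:
        inner = decrypt(k2, ct)
        hits += [(k1, k2) for k1 in KEYS if looks_like_plaintext(decrypt(k1, inner))]
    return hits

MSG = b"meeting moved to 10:30 room 4"   # constructed sample plaintext
K1, K2 = 0x5A, 0xC3                       # constructed sample keys
SINGLE = encrypt(K1, MSG)
DOUBLE = encrypt(K2, SINGLE)

if __name__ == "__main__":
    print("single layer:", brute_single(SINGLE), "after", len(KEYS), "trials")
    print("outer only  :", brute_single(DOUBLE), "(nothing recognisable to stop on)")
    print("key pairs   :", brute_pairs(DOUBLE), "after", len(KEYS) ** 2, "trials")
```

Peeling only the outer layer returns no candidate because the correct intermediate value is itself ciphertext, so the ciphertext-only search has to cover key pairs. With a known plaintext/ciphertext pair, a meet-in-the-middle search reduces that to roughly 2^(n+1) cipher operations plus 2^n stored intermediates, which is why double encryption is usually credited with about one extra bit of strength.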