7

I was just wondering if I add more security by combining two or more symmetric encryption algorithms on a plain text.

For example: Plaintext → AES → Twofish → Serpent

Of course a different key and IV (produced with a cryptographically secure PRNG) are used for each algorithm. Speed fortunately is not important.

Or does this form of combination have other implications I do not see?

There is a question like that here at Crypto.SE (Is TrueCrypt's multiple/cascading encryption safe?) but it focuses on using the same key.

Chris

2 Answers

8

I can see based upon your question that you're not already a crypto-expert. Given that, I think the single most useful answer I can give you is this:

"Multiple encryption addresses a problem that mostly doesn't exist. Modern ciphers rarely get broken -- at least, not in the Swordfish sense. You're far more likely to get hit by malware or an implementation bug than you are to suffer from a catastrophic attack on AES."

That's a quote from http://blog.cryptographyengineering.com/2012/02/multiple-encryption.html, which is an excellent article on this topic.

Moreover, if you have to ask this question, you should not be using multiple encryption. It's a little bit tricky, and you're more likely to screw something up than to get any meaningful security gain.

Bottom line: No, you can't add more security by using multiple encryption. The block cipher isn't the weak link, and strengthening the strongest link in a system does not add more security. Modern block ciphers appear to be effectively unbreakable; if that's correct, multiple encryption is pointless. So, my recommendation is: don't do it. It doesn't solve any real-world problem, it doesn't add much benefit, and it adds the extra risk that you might screw something up. Use standard well-vetted cryptographic solutions, like TLS, TrueCrypt, GPG, etc.

D.W.
2

Block ciphers are already built of multiple components:

  • AES = fixed 8-bit sbox, MDS matrix multiplication, 8-bit rotations
  • Twofish = key dependent sboxes, MDS matrix, 1 and 8-bit rotations, PHT

Chaining ciphers adds more components, more rounds, more complexity.

Depending on chaining implementation, a different IV is not required for each cipher. For example, the first algorithm uses the selected mode, and the next in the chain only uses ECB; or the other way around. Choosing the modes and the order they are chained is important.

Different keys should be used, otherwise there is no increase in effective key space, just cipher complexity and round count.

As long as the algorithms are not some kind of inversion of each other, it effectively increases the total keyspace of the cipher chain, in addition to increasing the round count. Additionally, the different building blocks make certain attacks more difficult, where the similarity between rounds is exploited. It is better to build a cipher with more complexity than rely on the complexity of the chain, as one complete weak cipher may be "peeled off".

Rounds of one cipher cancelling out rounds of another is a distinct concern, and if the ciphers are the same (DES to 2DES, 3DES, ..., NDES) there are attacks that will exploit this and reduce the effective key space. Assuming the underlying block ciphers are strong against all attacks, the upper bound on the chain security will be the combined upper bounds of each cipher's security, but can be lower in practice, especially if implemented poorly.

I tried to summarize points in one of the comments to the original post; certain points may be unclear or not touched upon.

Richie Frame
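
The remark above that a chain's security "can be lower in practice" than the combined key sizes, shown as an added example that is not from either answerer: two layers with independent keys are still found with roughly twice the work of one layer when a few plaintext/ciphertext pairs are known. The 16-bit Feistel cipher, the 12-bit keys and the sample pairs are all constructed for this illustration.

```python
import hashlib
from collections import defaultdict

KEY_BITS = 12  # toy key size (assumption) so the full search runs in well under a second
ROUNDS = 4

def _f(half, key, rnd):
    # Toy round function: one byte of SHA-256 over (half-block, round, key).
    return hashlib.sha256(bytes([half, rnd]) + key.to_bytes(2, "big")).digest()[0]

def encrypt(block, key):
    """Toy 16-bit Feistel cipher, constructed for this example only."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right

def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Return ([(k1, k2), ...], cipher_calls) consistent with all known pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)          # middle value -> every k1 that produces it
    for k1 in range(1 << KEY_BITS):
        table[encrypt(p0, k1)].append(k1)
    calls, found = 2 << KEY_BITS, []   # one pass of encrypt plus one pass of decrypt
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(c0, k2), ()):
            calls += 2 * len(rest)     # upper bound for confirming one candidate
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found, calls

# Constructed sample data: two independent 12-bit keys and four known plaintexts.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(p, K1, K2)) for p in (0x0001, 0x1234, 0xBEEF, 0x7F00)]

if __name__ == "__main__":
    keys, calls = meet_in_the_middle(PAIRS)
    print("recovered:", keys, "cipher calls:", calls, "vs brute force:", 1 << (2 * KEY_BITS))
```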