[Cryptography] basic cryptography ... was: key breaking
John Denker
jsd at av8n.com
Mon Nov 23 20:04:39 EST 2015
On 11/23/2015 11:23 AM, Viktor Dukhovni wrote:
> The other key can simply be the same for every block, no need for
> RC4:
>
> K_1 xor AES(K_2, data) xor K_1
>
> Same K_1 for every block. The DESX trick is not as cheesy as it
> might seem. The DJB attack fails provided no single K_1 is shared
> by many K_2's. (See the "Even Mansour" paper).
OK.
However, it is still true, as pointed out on Mon, Nov 23, 2015
at 12:30:08PM -0500 by Phillip Hallam-Baker:
>> You have just invented
>> a new cipher with an extra round.
Also with extra keying material required.
As with any cipher in this class, to have any semblance of security
for multi-block messages, you still need to do something like CBC.
So the parties need to agree on K_1, K_2, and IV. Even then, we
still have all the nastiness associated with chaining modes:
-- Doesn't work for datagrams.
-- Doesn't work for random-access disk sectors.
-- Doesn't parallelize.
-- Doesn't solve all the security problems.
======================
Contrast that with:
i = block #
(V_i, W_i) = ChaCha(K_1, i)
ciphertext_i = V_i XOR AES(K_2, plaintext_i) XOR W_i
++ Works for datagrams.
++ Works for random-access disk sectors.
++ Parallelizes.
++ Does not require chaining.
++ Solves a bunch of problems that CBC doesn't.
++ Does not depend on encrypt-then-MAC.
++ Compatible with any imaginable authentication scheme
(encrypt-then-MAC or otherwise) at this layer or higher or lower.
++ Does not require an IV.
++ The amount of keying material (K_1 and K_2) is not increased
relative to vanilla AES/CBC.
++ Affordable. Slightly more work than vanilla AES/CBC, but only
very slightly. Cheaper than AES/CBC/MAC. Possibly slightly cheaper
than Enchilada. Definitely cheaper than disk-encryption modes such
as CMC and EME.
++ Hard to break. Would require serious breakage of both AES and ChaCha.
++ Easy to analyze. Even Mansour and all that.
This provides as much diffusion as AES/ECB (in contrast to ChaCha by
itself, which doesn't). However, I don't want to emphasize diffusion.
It's overrated. It asks the plaintext to do something it shouldn't
be asked to do, i.e. to provide randomness. This can backfire big time
during chosen-plaintext attacks. I would prefer to see the keys provide
sufficient randomness. That's their job.
Did I mention that chaining modes are a nasty hack?
On 11/16/2015 01:51 PM, Perry E. Metzger wrote:
> CBC in particular has
> proven much more problematic than was assumed 25 years ago.
Indeed. It's time to do something better.