[Cryptography] Gates are cheap. Should cipher design change?
dj at deadhat.com
Wed Mar 30 13:12:58 EDT 2016
> On 30/03/2016 00:09 am, Jon Callas wrote:
>> You might be thinking of The Hasty Pudding Cipher by Rich Schroeppel
>> which is in my opinion the most brilliant of the AES submissions. My
>> comment at the time was that it didn't meet any of the requirements NIST
>> had, but it met requirements they should have had. It's also the first
>> cipher that had what we now call "tweaks."
>
> Curious - what requirements should NIST have had?
Bigger or arbitrary block sizes.
Fine-grained parallel scalability.
Intrinsic side-channel resistance.
To be fair, those were not such hot topics at the time. But that's in part
because HW implementers didn't have much of a voice in the process.
Similarly for SHA3, the data for HW properties seemed to come from studies
on FPGAs that came up with the wrong answer for synthesis to cells and all
the performance and implementability went out of the window in the final
selection. Packing the room with European researchers determined the
outcome.
>
> And, what are tweaks?
>
From here: https://www.cs.berkeley.edu/~daw/papers/tweak-crypto02.pdf
"Abstract. We propose a new cryptographic primitive, the tweakable
block cipher. Such a cipher has not only the usual inputs (message and
cryptographic key) but also a third input, the tweak. The tweak serves
much the same purpose that an initialization vector does for CBC mode
or that a nonce does for OCB mode. Our proposal thus brings this feature
down to the primitive block-cipher level, instead of incorporating it only
at the higher modes-of-operation levels. We suggest that (1) tweakable
block ciphers are easy to design, (2) the extra cost of making a block
cipher tweakable is small, and (3) it is easier to design and prove
modes of operation based on tweakable block ciphers."
Which I take to mean "more data input bits" because it's inconvenient to
steal from the existing power-of-2 number of data bits or add a whole
extra block.
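As an added illustration of the "third input" idea in the quoted abstract (this is not code from the paper or from anyone on this thread): a toy tweakable block cipher built as a Feistel network whose round function takes the tweak directly, so the tweak lives inside the primitive rather than in a mode of operation. Assumed: an 8-round 128-bit Feistel with HMAC-SHA256 as the keyed round function, chosen for clarity with the standard library only and not analysed as a real cipher.

```python
import hashlib
import hmac

BLOCK_BYTES = 16   # 128-bit block split into two 64-bit halves
HALF = BLOCK_BYTES // 2
ROUNDS = 8         # constructed choice for the demo


def _round_function(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed PRF over (round index, tweak, half-block), truncated to one half.

    The half-block is always exactly HALF bytes and sits last, so a
    variable-length tweak cannot be confused with block data."""
    msg = bytes([rnd]) + tweak + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tweak_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """E(key, tweak, block): the tweak is a genuine third input to the primitive."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        # Standard Feistel step: (L, R) -> (R, L xor F(R))
        left, right = right, _xor(left, _round_function(key, tweak, rnd, right))
    return left + right


def tweak_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Inverse of tweak_encrypt; only succeeds with the same key AND tweak."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        # Undo one step: (L', R') = (R, L xor F(R)) -> (R' xor F(L'), L')
        left, right = _xor(right, _round_function(key, tweak, rnd, left)), left
    return left + right


def demo() -> dict:
    """Constructed sample: same key and plaintext, two tweaks (e.g. sector numbers)."""
    key = b"constructed-demo-key-not-a-secret"
    pt = b"sixteen byte msg"
    c0 = tweak_encrypt(key, b"sector-0", pt)
    c1 = tweak_encrypt(key, b"sector-1", pt)
    return {
        "tweak_changes_output": c0 != c1,
        "roundtrip_ok": tweak_decrypt(key, b"sector-0", c0) == pt,
        "wrong_tweak_fails": tweak_decrypt(key, b"sector-1", c0) != pt,
    }
```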