[Cryptography] Gates are cheap. Should cipher design change?

Jon Callas jon at callas.org
Thu Mar 31 18:46:00 EDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


> On Mar 30, 2016, at 2:32 AM, ianG <iang at iang.org> wrote:
> 
> On 30/03/2016 00:09 am, Jon Callas wrote:
>> You might be thinking of The Hasty Pudding Cipher by Rich Schroeppel which is in my opinion the most brilliant of the AES submissions. My comment at the time was that it didn't meet any of the requirements NIST had, but it met requirements they should have had. It's also the first cipher that had what we now call "tweaks."
> 
> Curious - what requirements should NIST have had?

Adding crypto into a data processing workflow.

Ideally, crypto would be a transform that can transparently turn on or off so you can build a *system*. But that's a long discussion.

HPC had what we now call format-preserving encryption built into it. It had variable output block length, and that lessened if not eliminated the need for chaining. 

> 
> And, what are tweaks?

Slightly differently from what Jerry said, a tweak is a generalization of an IV or nonce or even counter. It's not intended to be secret, and needs to have full security even when ordered. There are no related key attacks with tweaks.

For example, an IV in CBC or CFB mode is not secure if it's a counter. You run into problems if you do something like use a block number of a disk block. You could use counter mode for that, but you lose the robustness of a block cipher. Counter mode is a bad idea for disk encryption because a plaintext leak turns into ciphertext leakage.

Tweaks also make a lot of mode things easier or lessen them. They also provide the function of "family keys" as well.

A tweak is a generic parameter that you can do whatever you want with, and it doesn't alter the security of the cipher, in contrast to a key, which is assumed to be a secret parameter.

	Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii

wsBVAwUBVv2oqfD9H+HfsTZWAQjLKwf7BNAz4a1PupNKTRYe+HlXN5694H/uNU5l
DsxH1RAPrxlqO7E2DjKMiNtm/5EyTPHPCkAXYdNj9jA7VLeL9tSpcuIViyl5OcIY
Sufu4Sa5o7eczNvV7LACSItaH0o1jDiXlbueivtW295K+59KuHQIVc106sziXL2P
F9Cgx3ntZX2SaIo203u+dBHixSNuGDgTvLNNGqWs9zTFHQTKjxNwmlaQlY6p/bjr
L8vm5X/JIkHvtBzOmTB5+P7epy4JoI3M8MfRYJFjpA1/YvtiAMIycvDI9Ky3GhSJ
5dl0uYk2ga27Fc4GmbX+gClXbpxMivH1JiiuGfLBC3TUX6hlxD1whg==
=Mq1i
-----END PGP SIGNATURE-----
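As an added example (not part of Jon's message, and not code from any project he mentions), the Go program below uses only the standard-library crypto/aes and crypto/cipher packages to make the two points in the message concrete: a disk sector encrypted with a tweakable construction in the style of XTS (the public sector number is the tweak, each 16-byte block is encrypted independently, so no chaining is needed, and the tweak may simply count upward), next to the same sector encrypted with AES-CTR using the sector number as the nonce. The helper xorRelationHolds is the check a defender would run: for CTR, two versions of one sector written with the same nonce expose the XOR of their plaintexts, so knowing one version reveals the other; for the tweakable cipher the relation does not hold. The keys, sector contents and the function names are constructed for this illustration; the XTS variant is simplified to whole blocks with no ciphertext stealing and is not a drop-in disk encryption implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demonstration keys (16 bytes each, AES-128). They exist only so
// the example runs offline; fixed keys like these belong in nothing but a test.
var (
	dataKey  = []byte("0123456789abcdef")
	tweakKey = []byte("fedcba9876543210")
)

// gfDouble multiplies a 128-bit value by alpha in GF(2^128) with the polynomial
// x^128 + x^7 + x^2 + x + 1, in the little-endian byte order used by IEEE 1619
// (XTS). It advances the per-block mask from one block of a sector to the next.
func gfDouble(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 0; i < 16; i++ {
		next := in[i] >> 7
		out[i] = in[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		out[0] ^= 0x87
	}
	return out
}

// xtsSector encrypts (decrypt=false) or decrypts (decrypt=true) one sector.
// The sector number is the tweak: public, fine as a plain counter, and every
// 16-byte block is processed on its own, so the mode needs no chaining.
// Simplified XTS: whole blocks only, no ciphertext stealing.
func xtsSector(data []byte, sector uint64, decrypt bool) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a positive multiple of %d", len(data), aes.BlockSize)
	}
	dataCipher, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	tweakCipher, err := aes.NewCipher(tweakKey)
	if err != nil {
		return nil, err
	}
	// The mask for block 0 is E_K2(sector); block j uses mask * alpha^j.
	mask := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(mask, sector)
	tweakCipher.Encrypt(mask, mask)

	out := make([]byte, len(data))
	blk := make([]byte, aes.BlockSize)
	for off := 0; off < len(data); off += aes.BlockSize {
		for i := range blk {
			blk[i] = data[off+i] ^ mask[i]
		}
		if decrypt {
			dataCipher.Decrypt(blk, blk)
		} else {
			dataCipher.Encrypt(blk, blk)
		}
		for i := range blk {
			out[off+i] = blk[i] ^ mask[i]
		}
		mask = gfDouble(mask)
	}
	return out, nil
}

// ctrSector encrypts a sector with AES-CTR using the sector number as the nonce,
// the way a naive disk scheme might. Rewriting the sector reuses the keystream.
func ctrSector(data []byte, sector uint64) []byte {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		panic(err) // the key is a fixed 16-byte value, so this cannot fail
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, sector) // the counter runs in the low bytes
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// xorRelationHolds reports whether c1 XOR c2 == p1 XOR p2 for two versions of a
// sector, i.e. whether one leaked plaintext reveals the other version. It is
// true under keystream reuse and false for a tweakable block cipher.
func xorRelationHolds(p1, p2, c1, c2 []byte) bool {
	if len(p1) != len(p2) || len(c1) != len(c2) || len(p1) != len(c1) {
		return false
	}
	for i := range p1 {
		if p1[i]^p2[i] != c1[i]^c2[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sector contents: two successive versions of sector 7.
	v1 := bytes.Repeat([]byte("A"), 64)
	v2 := bytes.Repeat([]byte("B"), 64)
	x1, _ := xtsSector(v1, 7, false)
	x2, _ := xtsSector(v2, 7, false)
	fmt.Println("CTR exposes plaintext XOR:", xorRelationHolds(v1, v2, ctrSector(v1, 7), ctrSector(v2, 7)))
	fmt.Println("XTS exposes plaintext XOR:", xorRelationHolds(v1, v2, x1, x2))
}
```

The tweak key is separate from the data key as in XTS; with a single key the same idea works only if block index 0 is skipped, which is why the two-key form is the safer one to copy. Note that the tweakable cipher still encrypts deterministically for a fixed (key, sector, block), so an observer who sees two writes of a sector can tell whether a block changed; what it does not reveal is the XOR of the two plaintexts, which is the leak the message attributes to counter mode.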

