CBCS is IACBC, has no Intellectual Property

William Allen Simpson wsimpson at greendragon.com
Mon Aug 13 19:28:54 EDT 2001

I was recently directed to the IACBC-IP.PDF claims.  Although I cannot
attend your conference (due to a conflict with another conference 
beginning the next day), please consider these brief comments. 

I support the inclusion of an Integrity-Aware CBC mode, but would prefer 
that it be called Cipher Block CheckSum (CBCS), as it has been in my 
original messages and papers circa 1994-1997.

Although these papers were directed at the specific application of 
Internet Protocol Security (IPSec), of which I was a principal author, 
the CBCS modes are sufficiently general to use in any AES application.

CBC with checksums was first discussed on the IPSec mailing list in 
1994, and formally presented at IETF.  Specifications were distributed 
world-wide via the IETF on-line collection of internet-drafts.

Whitening the plaintext and/or ciphertext with a constant, pseudo-random 
sequence, cryptographic hash used as a pseudo-random function, and such 
combinations were documented in part 4 of "Internet Security Transform 
Enhancements", draft-simpson-ipsec-enhancement-00.txt, April 1996.

The more recent "Cipher Block CheckSums (CBCS)" was first documented in 
draft-simpson-cbcs-00.txt, July 1997, although earlier less generic 
versions were discussed on various mailing lists.

These capabilities have all been implemented in the "Photuris: 
Session-Key Management Protocol" (RFCs 2522 and 2523), and discussed 
on the Photuris implementors' mailing list.

The IACBC diagrams are subsumed in the CBCS diagrams.

Variants with only plaintext whitening (series Sa) or only ciphertext 
whitening (Sb) are described in the text.

CBCS2 with 1 encryption key (k) and 2 integrity keys (Sa, Sb):

              IVa     P1              P2              Pi
               |      |               |               |
            +-----+   v   +-----+     v   +-----+     v
        Sa->|  S  |->(X)->|  S  |->->(X)->|  S  |->->(X)->
            +-----+   |   +-----+     |   +-----+     |
                      v      ^        v      ^        v
                   +-----+   ^     +-----+   ^     +-----+
                k->|  E  |   ^  k->|  E  |   ^  k->|  E  |
                   +-----+   ^     +-----+   ^     +-----+
                      |      ^        |      ^        |
              IVb     +->->->+        +->->->+        +->->->
               |      |               |               |
            +-----+   v   +-----+     v   +-----+     v
        Sb->|  S  |->(X)->|  S  |->->(X)->|  S  |->->(X)->
            +-----+   |   +-----+     |   +-----+     |
                      v      ^        v      ^        v
                      +->->->+        +->->->+        +->->->
                      |               |               |
                      C1              C2              Ci

The IBM patent may be restricted to their particular summation function 
Fk(), several of which are suggested for various block sizes.

CBCS and CBCS2 both recommended a different function, specified 
generically, independent of block size:

1) addition modulo 2**N with end around carry (N = bits in block);
2) count of the number of 1-bits in the sum (population count);
3) left circular rotation of the sum by the bit count.

Any such F() could be substituted, and the function specification is 
not a requirement of CBCS generically.  As a practical matter, a single 
function MUST be chosen for interoperability.

William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
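The three-step summation function F() listed above (one's-complement addition, population count, rotation by the count) is specified tightly enough to implement. The block below is an added illustration, not code from Simpson's drafts or from Photuris, and it makes one assumption the post does not spell out: that the function is applied as a running accumulator over the plaintext blocks, acc = F(acc, P_i), starting from an assumed initial value of 0. The comparison against a plain XOR checksum (the linear sum an attacker can manipulate by reordering blocks) is also added here to show why a non-linear F() is of interest; the sample blocks are constructed for the demonstration.

```python
# Added example (not the author's or Photuris' code): the generic CBCS/CBCS2
# summation function F() for N-bit blocks, built from the three steps named
# in the post:
#   1) addition modulo 2**N with end-around carry (one's-complement addition)
#   2) population count (number of 1-bits) of the sum
#   3) left circular rotation of the sum by that count
#
# ASSUMPTION (not stated on the page): F() is chained over the blocks as a
# running accumulator, acc = F(acc, P_i), with an assumed starting value of 0.

from typing import Iterable, List


def add_end_around_carry(a: int, b: int, nbits: int) -> int:
    """Add two nbits-wide values modulo 2**nbits, folding the carry-out bit
    back into the least significant position (one's-complement addition)."""
    mask = (1 << nbits) - 1
    s = a + b
    # a, b <= mask, so the carry-out is at most a single bit at position nbits
    return ((s & mask) + (s >> nbits)) & mask


def popcount(x: int) -> int:
    """Number of 1-bits in x (step 2 of F())."""
    return bin(x).count("1")


def rotl(x: int, n: int, nbits: int) -> int:
    """Left circular rotation of an nbits-wide value by n positions."""
    n %= nbits
    mask = (1 << nbits) - 1
    return ((x << n) | (x >> (nbits - n))) & mask


def cbcs_f(acc: int, block: int, nbits: int = 128) -> int:
    """One application of F(): sum with end-around carry, then rotate the sum
    left by its own population count."""
    s = add_end_around_carry(acc, block, nbits)
    return rotl(s, popcount(s), nbits)


def cbcs_checksum(blocks: Iterable[int], nbits: int = 128, start: int = 0) -> int:
    """Run F() as a running accumulator over the blocks (assumed chaining)."""
    acc = start
    for b in blocks:
        acc = cbcs_f(acc, b, nbits)
    return acc


def xor_checksum(blocks: Iterable[int]) -> int:
    """Plain XOR-of-blocks checksum, for contrast: it is linear and does not
    depend on block order."""
    acc = 0
    for b in blocks:
        acc ^= b
    return acc


def blocks_from_bytes(data: bytes, nbits: int = 128) -> List[int]:
    """Split data into big-endian nbits-wide integers, zero-padding the tail.
    Big-endian interpretation is an assumption of this example."""
    nbytes = nbits // 8
    if len(data) % nbytes:
        data = data + b"\x00" * (nbytes - len(data) % nbytes)
    return [int.from_bytes(data[i:i + nbytes], "big")
            for i in range(0, len(data), nbytes)]


if __name__ == "__main__":
    # Constructed sample input: two 128-bit plaintext blocks in either order.
    p1 = blocks_from_bytes(b"block one, sixteen" [:16])[0]
    p2 = blocks_from_bytes(b"block two, sixteen" [:16])[0]
    print("XOR checksum, order independent:",
          xor_checksum([p1, p2]) == xor_checksum([p2, p1]))
    print("F() checksum, order dependent:  ",
          cbcs_checksum([p1, p2]) != cbcs_checksum([p2, p1]))
```

Because the rotation amount depends on the running sum, swapping two blocks (or any other linear change an attacker could push through a CBC chain) yields a different F() value, whereas the XOR sum is unchanged; that is the property an integrity-aware mode needs from its summation function.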
