CBCS is IACBC, has no Intellectual Property
William Allen Simpson
wsimpson at greendragon.com
Mon Aug 13 19:28:54 EDT 2001
I was recently directed to the IACBC-IP.PDF claims. Although I cannot
attend your conference (due to a conflict with another conference
beginning the next day), please consider these brief comments.
--
I support the inclusion of an Integrity-Aware CBC mode, but would prefer
that it be called Cipher Block CheckSum (CBCS), as it has been in my
original messages and papers circa 1994-1997.
Although these papers were directed at the specific application of
Internet Protocol Security (IPSec), of which I was a principal author,
the CBCS modes are sufficiently general to use in any AES application.
CBC with checksums was first discussed on the IPSec mailing list in
1994, and formally presented at IETF. Specifications were distributed
world-wide via the IETF on-line collection of internet-drafts.
Whitening the plaintext and/or ciphertext with a constant, pseudo-random
sequence, cryptographic hash used as a pseudo-random function, and such
combinations were documented in part 4 of "Internet Security Transform
Enhancements", draft-simpson-ipsec-enhancement-00.txt, April 1996.
The more recent "Cipher Block CheckSums (CBCS)" was first documented in
draft-simpson-cbcs-00.txt, July 1997, although earlier less generic
versions were discussed on various mailing lists.
These capabilities have all been implemented in the "Photuris:
Session-Key Management Protocol" (RFCs 2522 and 2523), and discussed
on the Photuris implementors' mailing list.
--
The IACBC diagrams are subsumed in the CBCS diagrams.
Variants with only plaintext whitening (series Sa) or only ciphertext
whitening (Sb) are described in the text.
CBCS2 with 1 encryption key (k) and 2 integrity keys (Sa, Sb):
      IVa     P1                  P2                  Pi
       |      |                   |                   |
    +-----+   v         +-----+   v         +-----+   v
Sa->|  S  |->(X)     +->|  S  |->(X)     +->|  S  |->(X)->
    +-----+   |      ^  +-----+   |      ^  +-----+   |
              v      ^            v      ^            v
           +-----+   ^         +-----+   ^         +-----+
        k->|  E  |   ^      k->|  E  |   ^      k->|  E  |
           +-----+   ^         +-----+   ^         +-----+
              |      ^            |      ^            |
      IVb     +->->->+            +->->->+            +->->->
       |      |                   |                   |
    +-----+   v         +-----+   v         +-----+   v
Sb->|  S  |->(X)     +->|  S  |->(X)     +->|  S  |->(X)->
    +-----+   |      ^  +-----+   |      ^  +-----+   |
              v      ^            v      ^            v
              +->->->+            +->->->+            +->->->
              |                   |                   |
              C1                  C2                  Ci
--
The IBM patent may be restricted to their particular summation function
Fk(), several of which are suggested for various block sizes.
CBCS and CBCS2 both recommended a different function, specified
generically, independent of block size:
1) addition modulo 2**N with end around carry (N = bits in block);
2) count of the number of 1-bits in the sum (population count);
3) left circular rotation of the sum by the bit count.
Any such F() could be substituted, and the function specification is
not a requirement of CBCS generically. As a practical matter, a single
function MUST be chosen for interoperability.
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
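As an added illustration (not code from Simpson's post or from the CBCS drafts), the block-size-independent summation function F() described above, written out in Python for a 64-bit block: end-around-carry addition, population count of the sum, then left rotation by that count. Folding F() over the plaintext blocks from a zero accumulator is an assumption the post does not spell out; the plain-sum function is included only for contrast, to show that the rotation step makes the checksum depend on block order.

```python
# Added example, not code from the post: one reading of the generic F()
# (end-around-carry add, popcount, rotate). Zero start accumulator assumed.

def add_end_around_carry(a, b, nbits):
    """Step 1: add modulo 2**N and feed the carry out of the top bit
    back into the low bit (N = bits in a block)."""
    mask = (1 << nbits) - 1
    s = a + b
    if s > mask:                 # carry out of bit N-1
        s = (s & mask) + 1       # wrap it around into bit 0
    return s

def rotl(x, r, nbits):
    """Step 3: left circular rotation by r positions within N bits."""
    mask = (1 << nbits) - 1
    r %= nbits
    return ((x << r) | (x >> (nbits - r))) & mask

def f_step(acc, block, nbits=64):
    """One application of F(): fold one block into the running value.
    Step 2 (population count of the sum) selects the rotation amount."""
    s = add_end_around_carry(acc, block, nbits)
    return rotl(s, bin(s).count("1"), nbits)

def bytes_to_blocks(data, nbits=64):
    """Split a message into N-bit big-endian integers, zero-padding the tail."""
    size = nbits // 8
    return [int.from_bytes(data[i:i + size].ljust(size, b"\0"), "big")
            for i in range(0, len(data), size)]

def cbcs_checksum(blocks, nbits=64):
    """Checksum of a block sequence: F() folded from a zero accumulator."""
    acc = 0
    for b in blocks:
        acc = f_step(acc, b, nbits)
    return acc

def plain_sum(blocks, nbits=64):
    """Plain modular sum, for contrast only: commutative, so by itself it
    cannot tell two orderings of the same blocks apart."""
    return sum(blocks) & ((1 << nbits) - 1)

if __name__ == "__main__":
    # Constructed sample message: two blocks, then the same blocks swapped.
    blocks = bytes_to_blocks(b"block-1!block-2!")
    swapped = [blocks[1], blocks[0]]
    print(hex(cbcs_checksum(blocks)), hex(cbcs_checksum(swapped)))  # differ
    print(hex(plain_sum(blocks)), hex(plain_sum(swapped)))          # equal
```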
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com