ekr at networkresonance.com
Wed Aug 27 16:34:50 EDT 2008
At Wed, 27 Aug 2008 16:10:51 -0400 (EDT),
Jonathan Katz wrote:
> On Wed, 27 Aug 2008, Eric Rescorla wrote:
> > At Wed, 27 Aug 2008 17:05:44 +0200,
> > There are a set of techniques that allow you to encrypt elements of
> > arbitrary sets back onto that set.
> > The original paper on this is:
> > John Black and Phillip Rogaway. Ciphers with arbitrary finite domains. In
> > CT-RSA, pages 114-130, 2002.
> But he probably wants an encryption scheme, not a cipher.
Hmm... I'm not sure I recognize the difference between encryption
scheme and cipher. Can you elaborate?
> Also, correct me if I am wrong, but Black and Rogaway's approach is not
> efficient for large domains. But if you use their approach for small
> domains then you open yourself up to dictionary attacks.
I suppose it depends what you mean by "small" and "large".
A lot of the relevant values are things like SSNs, CCNs, etc.
which fall in the 10-20 digit category, where the Luby-Rackoff
approach is efficient. As I understand the situation, the
cycle following approach is efficient as long as the set
is reasonably close to the L-R block size.
As far as dictionary attacks go, for any small domain permutation
you have to worry about table construction attacks. The only
defense I know of is randomized encryption which defeats the
WRT to the security of the L-R construction, Spies claims that
I believe that Patarin's 2004 result  is relevant here, but
I'm not qualified to evaluate it. Anyway, the reference I provided
earlier  provides a summary of the claimed security properties
of L-R + Cycle Following.
Jacques Patarin. Security of random Feistel schemes with 5 or more rounds.
In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in
Computer Science, pages 106-122. Springer, 2004.
The Cryptography Mailing List
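
Added example, not part of the original message or of any cited paper's code: a minimal Python sketch of the Luby-Rackoff (balanced Feistel) plus cycle-following idea discussed above, mapping a decimal string such as a 9-digit SSN onto another string of the same length. The HMAC-SHA256 round function, the round count of 8, the function names and the sample key and value are assumptions chosen for illustration. The mapping is deterministic, so equal plaintexts give equal ciphertexts, which is the table-construction concern raised in the message.

```python
import hashlib
import hmac

ROUNDS = 8  # assumption: the thread only cites analysis for 5 or more rounds

def _f(key, i, half, bits):
    """Round function: HMAC-SHA256 truncated to `bits` bits (an assumed PRF choice)."""
    mac = hmac.new(key, bytes([i]) + half.to_bytes(16, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") & ((1 << bits) - 1)

def _feistel(key, x, bits, inverse=False):
    """Balanced Feistel permutation on integers of 2*bits bits."""
    left, right = x >> bits, x & ((1 << bits) - 1)
    if inverse:
        for i in reversed(range(ROUNDS)):
            left, right = right ^ _f(key, i, left, bits), left
    else:
        for i in range(ROUNDS):
            left, right = right, left ^ _f(key, i, right, bits)
    return (left << bits) | right

def _walk(key, x, domain, inverse):
    if domain < 2 or not 0 <= x < domain:
        raise ValueError("value outside domain")
    # Smallest even-width block covering the domain; for 10**9 this is 30 bits,
    # so only about 7% of block values fall outside the set.
    bits = ((domain - 1).bit_length() + 1) // 2
    y = _feistel(key, x, bits, inverse)
    while y >= domain:  # cycle following: re-apply until back inside the set
        y = _feistel(key, y, bits, inverse)
    return y

def encrypt(key, x, domain):
    return _walk(key, x, domain, inverse=False)

def decrypt(key, y, domain):
    return _walk(key, y, domain, inverse=True)

def encrypt_digits(key, s):
    """Map a decimal string to another decimal string of the same length."""
    return str(encrypt(key, int(s), 10 ** len(s))).zfill(len(s))

def decrypt_digits(key, s):
    return str(decrypt(key, int(s), 10 ** len(s))).zfill(len(s))

if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample key
    ct = encrypt_digits(key, "123456789")  # constructed 9-digit sample value
    print(ct, decrypt_digits(key, ct))
```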