Decimal encryption
Eric Rescorla
ekr at networkresonance.com
Wed Aug 27 16:34:50 EDT 2008
At Wed, 27 Aug 2008 16:10:51 -0400 (EDT),
Jonathan Katz wrote:
>
> On Wed, 27 Aug 2008, Eric Rescorla wrote:
>
> > At Wed, 27 Aug 2008 17:05:44 +0200,
> > There are a set of techniques that allow you to encrypt elements of
> > arbitrary sets back onto that set.
> >
> > The original paper on this is:
> > John Black and Phillip Rogaway. Ciphers with arbitrary finite domains. In
> > CT-RSA, pages 114-130, 2002.
>
> But he probably wants an encryption scheme, not a cipher.

Hmm... I'm not sure I recognize the difference between encryption
scheme and cipher. Can you elaborate?

> Also, correct me if I am wrong, but Black and Rogaway's approach is not
> efficient for large domains. But if you use their approach for small
> domains then you open yourself up to dictionary attacks.

I suppose it depends what you mean by "small" and "large".
A lot of the relevant values are things like SSNs, CCNs, etc.
which fall in the 10-20 digit category, where the Luby-Rackoff
approach is efficient. As I understand the situation, the
cycle following approach is efficient as long as the set
is reasonably close to the L-R block size.

As far as dictionary attacks go, for any small domain permutation
you have to worry about table construction attacks. The only
defense I know of is randomized encryption which defeats the
non-expansion requirement.

WRT to the security of the L-R construction, Spies claims that
I believe that Patarin's 2004 result [0] is relevant here, but
I'm not qualified to evaluate it. Anyway, the reference I provided
earlier [1] provides a summary of the claimed security properties
of L-R + Cycle Following.

-Ekr

[0] Jacques Patarin. Security of random Feistel schemes with 5 or more rounds.
In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in
Computer Science, pages 106-122. Springer, 2004.
[1] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf
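
Added example, not part of the original message and not code from the FFSEM specification: a sketch of the Luby-Rackoff (Feistel) plus cycle following idea discussed above, mapping an n-digit decimal string to another n-digit decimal string. The HMAC-SHA256 round function, the round count, the function names and the sample inputs are all assumptions made for illustration.

```python
import hashlib
import hmac

ROUNDS = 10  # assumed round count for this sketch; the thread does not give one

def _prf(key: bytes, rnd: int, half: int, half_bits: int) -> int:
    """Round function (assumption): HMAC-SHA256 truncated to half_bits."""
    msg = (rnd.to_bytes(1, "big") + half_bits.to_bytes(2, "big")
           + half.to_bytes((half_bits + 7) // 8, "big"))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << half_bits) - 1)

def _feistel(key: bytes, x: int, half_bits: int, inverse: bool) -> int:
    """Balanced Feistel permutation on integers of 2 * half_bits bits."""
    left, right = x >> half_bits, x & ((1 << half_bits) - 1)
    for rnd in (reversed(range(ROUNDS)) if inverse else range(ROUNDS)):
        if inverse:
            left, right = right ^ _prf(key, rnd, left, half_bits), left
        else:
            left, right = right, left ^ _prf(key, rnd, right, half_bits)
    return (left << half_bits) | right

def _walk(key: bytes, digits: str, inverse: bool) -> str:
    """Apply the permutation, re-applying while the result is outside [0, 10^n)."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must be a non-empty string of decimal digits")
    size = 10 ** len(digits)
    # Smallest even-width block that covers the domain: fewer than 4x as many
    # block values as domain values, so the walk stays short on average.
    half_bits = ((size - 1).bit_length() + 1) // 2
    y = _feistel(key, int(digits), half_bits, inverse)
    while y >= size:  # cycle following
        y = _feistel(key, y, half_bits, inverse)
    return str(y).zfill(len(digits))

def encrypt_decimal(key: bytes, digits: str) -> str:
    return _walk(key, digits, inverse=False)

def decrypt_decimal(key: bytes, digits: str) -> str:
    return _walk(key, digits, inverse=True)

if __name__ == "__main__":
    demo_key = b"constructed demo key"           # constructed sample key
    for pt in ("123456789", "1234567812345678"):  # constructed sample values
        ct = encrypt_decimal(demo_key, pt)
        print(pt, "->", ct, "->", decrypt_decimal(demo_key, ct))
```

The mapping is deterministic and non-expanding, so equal inputs under one key always give equal outputs; that is the property behind the table construction concern raised in the message.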