[Cryptography] [cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Ray Dillinger bear at sonic.net
Thu May 14 01:08:26 EDT 2015



On 05/13/2015 01:46 PM, dj at deadhat.com wrote:

> Orthogonally I have been thinking of ciphers taking the number of
> rounds as a parameter. Then use that in protocol negotiation.
> Algorithm gets weak, increase the rounds. It beats undeleteable
> cipher options.
> 
> I spoke with a block cipher designer about this and his argument
> against was that if you can run the same data and key through with a
> different number of rounds, it's trivial to break. However I see this
> as just another constraint, like 'never use the same key and IV
> twice'. Never use the same key and iteration count twice.

It doesn't have to be trivial to break; if you introduce as a
first step a transformation of the data (even a fairly trivial
transformation, as long as it's got any nonlinear component)
that depends on both the key *AND* the number of rounds the
subsequent encryption will do, then the information that can
be gleaned from selecting the number of rounds gets a *lot*
harder to get at.

For example, say you decide to do a key transformation, where the
"real" key as known to the user's key management software etc. is
K: if 34-round foo uses F(K,34) internally as its key and 35-round
foo uses F(K,35) internally as its key, where F is nonlinear and
has no "special" properties w/r/t the cipher foo, then the
devastating round-reversal attack he was talking about ceases to
exist.

					Bear
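
The point Bear makes above, as an added toy demonstration (not code from the list or from Bear): a small Feistel cipher whose round count is a parameter, with HMAC-SHA256 standing in for the nonlinear F(K, rounds). With a naive schedule the 35-round ciphertext is exactly one more round applied to the 34-round ciphertext, which is the single-round relationship the cipher designer was worried about; binding the internal key to the round count removes that relationship. The key, plaintext and choice of F are constructed assumptions for the demo.

```python
import hashlib
import hmac

KEY = b"constructed demo key K"   # constructed sample key, not a real secret
PT = b"16-byte plaintxt"          # constructed sample 16-byte block

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half: bytes, round_key: bytes) -> bytes:
    # Nonlinear Feistel round function: keyed hash truncated to half-block size.
    return hmac.new(round_key, half, hashlib.sha256).digest()[: len(half)]

def internal_key(key: bytes, rounds: int, bind_rounds: bool) -> bytes:
    # Bear's F(K, rounds), modelled here as HMAC-SHA256(K, rounds).
    # Without binding, the internal key is just K, whatever the round count.
    if not bind_rounds:
        return key
    return hmac.new(key, rounds.to_bytes(4, "big"), hashlib.sha256).digest()

def round_keys(key: bytes, rounds: int, bind_rounds: bool) -> list:
    ik = internal_key(key, rounds, bind_rounds)
    return [hmac.new(ik, i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(rounds)]

def _one_round(state: bytes, rk: bytes) -> bytes:
    h = len(state) // 2
    left, right = state[:h], state[h:]
    return right + _xor(left, _round_fn(right, rk))

def encrypt(block: bytes, key: bytes, rounds: int, bind_rounds: bool) -> bytes:
    state = block
    for rk in round_keys(key, rounds, bind_rounds):
        state = _one_round(state, rk)
    return state

def last_round_relation_holds(block: bytes, key: bytes, r: int, bind_rounds: bool) -> bool:
    # Does the (r+1)-round ciphertext equal the r-round ciphertext plus one
    # more round? If yes, the two outputs differ by a single round, which is
    # the structure the "round reversal" concern relies on.
    ct_r = encrypt(block, key, r, bind_rounds)
    ct_r1 = encrypt(block, key, r + 1, bind_rounds)
    last_rk = round_keys(key, r + 1, bind_rounds)[-1]
    return _one_round(ct_r, last_rk) == ct_r1

if __name__ == "__main__":
    print("naive schedule:", last_round_relation_holds(PT, KEY, 34, False))  # True
    print("round-bound schedule:", last_round_relation_holds(PT, KEY, 34, True))  # False
```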





