[Cryptography] Key meshing (Re: [Crypto-practicum] Retire all 64-bit block ciphers.)

Kristian Gjøsteen kristian.gjosteen at math.ntnu.no
Wed Aug 31 02:34:17 EDT 2016


On 30 Aug 2016 at 18:22, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> What I don't understand is why the various symmetric cipher modes we have keep the key fixed and modify the data.
> 
> So for CBC we take
> 
> C0 =  E (B0 XOR IV, k)
> C1 =  E (B1 XOR C0, k)
> ...
> 
> Why not use:
> 
> C0 =  E (B0, k)
> C1 =  E (B1, k + 1)
> ...
> 
> This has the advantage that it can be applied to the use cases that motivated ECB and CBC. It doesn't require an initialization vector either.

You have now created a stateful cryptosystem. You have to remember the key between encryptions. This is inconvenient in many situations.

You have also made a system that needs a block cipher secure against related key attacks. As we know, a secure block cipher does not have to be secure against related key attacks, so you have to redo a lot of analysis.

Also, there’s this thing about the key schedule. Yes, modern computers can do key schedules real quick, but I still have other stuff for them to do, so not having to do key schedules is a good thing.

If you don’t care about cost, you can do stuff like

	Ci = E(Bi, H(k, IV, i))

which would be secure if you use any decent hash function. Now you have a choice whether to include an IV or keep a state.

-- 
Kristian Gjøsteen
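The Ci = E(Bi, H(k, IV, i)) construction from the reply above, as an added example that is not Kristian's own code: H is instantiated as HMAC-SHA256 keyed with k over IV || i and E as AES-256 (both assumed concrete choices), and a fresh AES key schedule is run for every block, which is the cost the reply points to. The stateless variant, with an IV supplied per message rather than a remembered counter, is the one shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// blockKey derives the per-block key H(k, IV, i) as HMAC-SHA256(k, IV || i);
// the 32-byte tag is used directly as an AES-256 key (assumed instantiation).
func blockKey(k, iv []byte, i uint64) []byte {
	mac := hmac.New(sha256.New, k)
	mac.Write(iv)
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], i)
	mac.Write(idx[:])
	return mac.Sum(nil)
}
// perBlockKeyMode computes C_i = E(B_i, H(k, IV, i)) over 16-byte blocks.
// Decryption is the same loop with Decrypt, so one helper serves both directions.
func perBlockKeyMode(k, iv, in []byte, decrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in)/aes.BlockSize; i++ {
		// A new key schedule per block: the cost the reply mentions.
		c, err := aes.NewCipher(blockKey(k, iv, uint64(i)))
		if err != nil {
			return nil, err
		}
		lo, hi := i*aes.BlockSize, (i+1)*aes.BlockSize
		if decrypt {
			c.Decrypt(out[lo:hi], in[lo:hi])
		} else {
			c.Encrypt(out[lo:hi], in[lo:hi])
		}
	}
	return out, nil
}

func main() {
	k, iv := []byte("0123456789abcdef0123456789abcdef"), []byte("constructed-iv!!") // constructed sample values
	ct, _ := perBlockKeyMode(k, iv, []byte("same block......same block......"), false)
	fmt.Println("equal plaintext blocks give equal ciphertext blocks:", bytes.Equal(ct[:16], ct[16:]))
}
```

Unlike ECB, two identical plaintext blocks at different positions encrypt differently because each position gets its own key; reusing the same (k, IV) for two messages would still leak block-wise equality, just as the IV reuse caveat applies to CBC.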
