[Cryptography] [Crypto-practicum] Justify the sequence of operations in CTR mode.

Ray Dillinger bear at sonic.net
Tue Feb 16 19:55:18 EST 2016



On 02/16/2016 11:03 AM, Ryan Carboni wrote:
> Why not use single-key Even-Mansour-like construction?
> 
> Ciphertext = E( E(CTR) XOR plaintext)) XOR E(CTR)
> 
> Costs only two encryptions, both parallelizable, and has the security of at
> least Even-Mansour with a single key, single plaintext-ciphertext pair. At
> which point the easiest route is to attack the kernel, not an oracle attack.

It's a good construction in terms of security, but as you say it
costs an extra encryption.  Which, on the whole, makes the cost
not significantly worse than an encryption plus a hash, which is
the other primary option for equivalent modes.

On the other hand these encryptions definitely are not parallelizable.
you can't start the inner decryption until you've done the outer one,
and you can't start the outer encryption until you've done the
inner one.

I'm liking Cox's long-block extension of Blake2b for a fast hash
though, and I think I've come up with a fast cipher based on it
(or possibly some other hash - still studying options) that
doesn't need an extra hashing or encrypting step.

It's a three-round Feistel cipher using the extended hash for a
round function.  The state of the sponge is initialized by
processing the key and IV, and not reinitialized between rounds.
It really is exactly that simple.

I've written code for it (based on BLAKE-512) in C.  for 64Kbyte
blocks (yes, that's eight thousand times the block size of a
conventional 64-bit cipher like 3DES) It's a bit hard on my L1
cache latency, but it looks like that's the *only* reason it's
not as fast as AES.

There is a part of my brain that wants the size of the sponge
state (the state of the hashing process in progress) to be at
least as large as the block size being generated.  It's all
about a cipher having an effective key size at least as long as
its block length, which has repeatedly bitten newb designers
with short-block ciphers whose state is the same size as the
blocks or long-block ciphers with state significantly smaller
than the blocks.  So somebody has a cipher with "sensible" 128-
bit keys, and then someone has to point out that because the
state of his generator is only 64 bits, every key has around
2^64 equivalent keys that initialize the generator to the same
value.  Therefore an opponent needs to search only a 64-bit
keyspace to find *some* key that will have the same effect as
the one he's actually using.

In this case the impulse to have generator state the same size
as the block is a silly impulse.


				Bear




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160216/a6ee0fe1/attachment.sig>


More information about the cryptography mailing list