[Cryptography] RFC: block cipher randomization

Jerry Leichter leichter at lrw.com
Mon Jun 27 21:37:26 EDT 2016


> Because there are known characteristics of many plaintexts (e.g., XML streams, Zip packages, even compressed streams), I have always fancied shuffling the ciphertext or the plaintext, as most appropriate, and having the means of determining the permutation obtained by key expansion or something equally devious....
If you're going to go this route, there's little reason to believe that you can beat the classic DESX construction - W1 XOR DES(W2 XOR P) - where P is the plaintext and W1 and W2 are "whitening" keys.  This construction was analyzed by Rogaway years ago - quick intro at http://web.cs.ucdavis.edu/~rogaway/papers/cryptobytes.pdf - and is surprisingly strong.  (Granted, its strength is analyzed against brute force attacks - an issue for DES but not for modern ciphers.)  Still, it will hide any fixed pieces of plaintext quite nicely.  (And, yes, you need to apply the XOR both before and after encryption or the construction adds little.)

                                                        -- Jerry
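
The point about whitening on both sides, as an added example that is not part of the original message: a toy 64-bit Feistel cipher (built on SHA-256 as a stand-in for DES, not DES itself) is wrapped as W1 XOR E(W2 XOR P). With whitening on one side only, the whitening key drops out of a relation between two known blocks, so it adds nothing to the work of checking a candidate K. All keys and plaintext blocks are constructed sample values, and the function names are hypothetical.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function: truncated SHA-256 (assumption: stand-in for DES's f)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def E(key, block):
    # 8-round Feistel network over a 64-bit block
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def D(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def desx_enc(k, w1, w2, p):
    return xor(w1, E(k, xor(w2, p)))       # W1 XOR E(W2 XOR P)

def desx_dec(k, w1, w2, c):
    return xor(w2, D(k, xor(w1, c)))

# Constructed sample values: cipher key, whitening keys, two known XML blocks
K = bytes.fromhex("0123456789abcdef")
W1, W2 = bytes.fromhex("1111111122222222"), bytes.fromhex("a5a5a5a55a5a5a5a")
P1, P2 = b"<?xml ve", b'rsion="1'

def post_only_cancels():
    # C = W1 XOR E(P): W1 vanishes from C1 XOR C2
    c1, c2 = xor(W1, E(K, P1)), xor(W1, E(K, P2))
    return xor(c1, c2) == xor(E(K, P1), E(K, P2))

def pre_only_cancels():
    # C = E(W2 XOR P): W2 vanishes from D(C1) XOR D(C2)
    c1, c2 = E(K, xor(W2, P1)), E(K, xor(W2, P2))
    return xor(D(K, c1), D(K, c2)) == xor(P1, P2)

def full_desx_cancels():
    # With both XORs, neither whitening-free relation holds
    c1, c2 = desx_enc(K, W1, W2, P1), desx_enc(K, W1, W2, P2)
    return (xor(c1, c2) == xor(E(K, P1), E(K, P2))
            or xor(D(K, c1), D(K, c2)) == xor(P1, P2))
```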


