[Cryptography] RFC: block cipher randomization

Dennis E. Hamilton dennis.hamilton at acm.org
Tue Jun 28 12:58:06 EDT 2016



> -----Original Message-----
> From: cryptography [mailto:cryptography-
> bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Jerry
> Leichter
> Sent: Monday, June 27, 2016 18:37
> To: dennis.hamilton at acm.org
> Cc: cryptography at metzdowd.com
> Subject: Re: [Cryptography] RFC: block cipher randomization
> 
> > Because there are known characteristics of many plaintexts (e.g., XML
> > streams, Zip packages, even compressed streams), I have always fancied
> > shuffling the ciphertext or the plaintext, as most appropriate, and
> > having the means of determining the permutation obtained by key
> > expansion or something equally devious....
>
> If you're going to go this route, there's little reason to believe that
> you can beat the classic DESX construction - W1 XOR DES(W2 XOR P) -
> where P is the plaintext and W1 and W2 are "whitening" keys.  This
> construction was analyzed by Rogaway years ago - quick intro at
> http://web.cs.ucdavis.edu/~rogaway/papers/cryptobytes.pdf - and is
> surprisingly strong.  (Granted, its strength is analyzed against brute
> force attacks - an issue for DES but not for modern ciphers.)  Still, it
> will hide any fixed pieces of plaintext quite nicely.  (And, yes, you
> need to apply the XOR both before and after encryption or the
> construction adds little.)
[orcmid] 

Agreed.  Thanks.  I need to ponder some cases where completely-known plaintext suspects are easily come by and the attack is off-line against persistent data.  Still, it seems that the DESX/FX scheme is at least as effective and far easier than what I was thinking of. 

Oh, and thanks for pointing to conditions where successful "whitening" is understandable.

> 
>                                                         -- Jerry
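The whitening construction discussed in this message, W1 XOR E_K(W2 XOR P), as an added example that is not part of the original e-mail or of the cited paper. It shows why XOR on one side only adds little: with pre-whitening alone, the cipher key can be searched by itself from a few known plaintext blocks, while the same search finds nothing once both whitening keys are used. Assumptions: a hypothetical 4-round toy Feistel cipher with a SHA-256 round function and a 12-bit key stands in for DES, and all keys and plaintext blocks are constructed sample values.

```python
import hashlib

KEY_BITS = 12  # assumption: toy key size so exhaustive search runs instantly

def _f(key, rnd, half):
    # Round function built from SHA-256; a stand-in, not the DES round function.
    digest = hashlib.sha256(b"%d:%d:%d" % (key, rnd, half)).digest()
    return int.from_bytes(digest[:2], "big")

def toy_encrypt(key, block):
    # Hypothetical 4-round Feistel cipher on 32-bit blocks, standing in for DES.
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right

def toy_decrypt(key, block):
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 16) | right

def fx_encrypt(k, w1, w2, p):
    # The shape quoted in the thread: W1 XOR E_K(W2 XOR P).
    return w1 ^ toy_encrypt(k, w2 ^ p)

def fx_decrypt(k, w1, w2, c):
    return w2 ^ toy_decrypt(k, w1 ^ c)

def keys_fitting_pre_whitening_only(pairs):
    # If only W2 is used, D_K(C) XOR P equals W2 for every known (P, C) pair,
    # so the cipher key can be searched on its own, ignoring the whitening key.
    return [k for k in range(1 << KEY_BITS)
            if len({toy_decrypt(k, c) ^ p for p, c in pairs}) == 1]

# Constructed sample values: keys, plus fixed 4-byte plaintext prefixes of the
# kind the thread mentions (XML and Zip) and one arbitrary block.
K, W1, W2 = 0xABC, 0x1234ABCD, 0x0F1E2D3C
KNOWN = [int.from_bytes(b, "big") for b in (b"<?xm", b"PK\x03\x04", b"data")]

def search(w1):
    pairs = [(p, fx_encrypt(K, w1, W2, p)) for p in KNOWN]
    return keys_fitting_pre_whitening_only(pairs)

if __name__ == "__main__":
    print("pre-whitening only:", [hex(k) for k in search(0)])   # W1 = 0
    print("both whitening keys:", [hex(k) for k in search(W1)])
```
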


