[Cryptography] RFC: block cipher randomization
Dennis E. Hamilton
dennis.hamilton at acm.org
Tue Jun 28 12:58:06 EDT 2016
> -----Original Message-----
> From: cryptography [mailto:cryptography-
> bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Jerry
> Leichter
> Sent: Monday, June 27, 2016 18:37
> To: dennis.hamilton at acm.org
> Cc: cryptography at metzdowd.com
> Subject: Re: [Cryptography] RFC: block cipher randomization
>
> > Because there are known characteristics of many plaintexts (e.g., XML
> > streams, Zip packages, even compressed streams), I have always fancied
> > shuffling the ciphertext or the plaintext, as most appropriate, and
> > having the means of determining the permutation obtained by key
> > expansion or something equally devious....
>
> If you're going to go this route, there's little reason to believe that
> you can beat the classic DESX construction - W1 XOR DES(W2 XOR P) -
> where P is the plaintext and W1 and W2 are "whitening" keys. This
> construction was analyzed by Rogaway years ago - quick intro at
> http://web.cs.ucdavis.edu/~rogaway/papers/cryptobytes.pdf - and is
> surprisingly strong. (Granted, its strength is analyzed against brute
> force attacks - an issue for DES but not for modern ciphers.) Still, it
> will hide any fixed pieces of plaintext quite nicely. (And, yes, you
> need to apply the XOR both before and after encryption or the
> construction adds little.)
[orcmid]
Agreed. Thanks. I need to ponder some cases where completely-known plaintext suspects are easily come by and the attack is off-line against persistent data. Still, it seems that the DESX/FX scheme is at least as effective and far easier than what I was thinking of.
Oh, and thanks for pointing to conditions where successful "whitening" is understandable.
>
> -- Jerry
>
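Why the XOR has to sit on both sides of the cipher, as an added example that is not part of the original messages: a toy 64-bit Feistel cipher with a 12-bit key stands in for DES, and every name and sample value here is an assumption made for illustration. With output whitening only, XORing two ciphertexts of known plaintext cancels W1, so K can be tested on its own; with W1 XOR E(W2 XOR P) the same test finds nothing because the cipher inputs are no longer known.

```python
import hashlib

KEY_BITS = 12  # toy key space so the exhaustive search finishes instantly (assumption)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (a stand-in for DES, not DES itself).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def fx_encrypt(k: bytes, w1: bytes, w2: bytes, p: bytes) -> bytes:
    # W1 XOR E_K(W2 XOR P): whitening before and after the cipher.
    return _xor(w1, toy_encrypt(k, _xor(w2, p)))

def post_only_encrypt(k: bytes, w1: bytes, p: bytes) -> bytes:
    # W1 XOR E_K(P): output whitening only.
    return _xor(w1, toy_encrypt(k, p))

def keys_found_ignoring_whitening(pairs):
    # C1 XOR C2 cancels W1. If the cipher inputs are the known plaintexts
    # themselves, each candidate K can be checked without any whitening key.
    (p1, c1), (p2, c2) = pairs
    target = _xor(c1, c2)
    cands = (k.to_bytes(2, "big") for k in range(1 << KEY_BITS))
    return [int.from_bytes(k, "big") for k in cands
            if _xor(toy_encrypt(k, p1), toy_encrypt(k, p2)) == target]

# Constructed sample values, not taken from the thread.
K = (0x5A3).to_bytes(2, "big")
W1, W2 = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
P1, P2 = b"<?xml ve", b"PK\x03\x04\x14\x00\x00\x00"  # fixed file-header blocks

def search_results():
    post = [(p, post_only_encrypt(K, W1, p)) for p in (P1, P2)]
    full = [(p, fx_encrypt(K, W1, W2, p)) for p in (P1, P2)]
    return keys_found_ignoring_whitening(post), keys_found_ignoring_whitening(full)
```

`search_results()` returns the candidate lists for the post-only and the two-sided construction in that order; the first contains the real key and the second is empty.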