[Cryptography] Spice Mix Mode.

Ray Dillinger bear at sonic.net
Tue Mar 21 18:20:52 EDT 2017


Here is a very simple mode where you don't need any IV, where repeated
blocks within a message (or in many messages sent using the same key)
don't appear related, and you don't need any other block to decrypt the
current block.  It's even easy to implement correctly.

All you have to concede is a certain amount of bandwidth overhead for
the spice mix, and a certain amount of CPU overhead to generate the
spice mix.

If Alice is willing to pay, say, 12.5% of her bandwidth and CPU, and
she's using a cipher with 512-bit blocks, she transmits her message in
blocks that consist of 448 message bits plus 64 bits from /dev/urandom.

Bob requires no IV, and can decrypt blocks one at a time in any order.
He doesn't need to anticipate the random bits in any way, and doesn't
need to wait until the end of the message; he can simply decrypt,
discarding the random bits as they arrive.  Eve doesn't get a plaintext
IV to help her do a key search, and Mallory loses the ability to make
any change smaller than scrambling a whole block.  Identical blocks in
the plaintext don't appear related, unless the random field happens to
be the same.  And if Alice & Bob are worried about that they can go to a
2048-bit block length and use 256-bit random fields, or allow a larger
overhead cost for the spice mix.

There is the possibility for malware on Alice's machine to use the
"extra" bits to exfiltrate data or form a side channel.  But if malware
has the ability to compromise her system's RNG she's already screwed, so
IMO this additional malware capability doesn't cost her anything she
hasn't already lost.

				Bear
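The mode described above as an added Go example; it is not code from the post. AES-128 stands in for the 512-bit cipher, so each block is scaled to 12 message bytes plus 4 random bytes (a larger random field than the post's 12.5%, since two bytes of spice would repeat far too often at a 16-byte block size); SpiceEncrypt and SpiceDecrypt are names assumed here, and the key is a constructed demo value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SpiceEncrypt: each ciphertext block is E_k(payload || spice fresh random bytes).
// No IV and no chaining, so every block stands alone.
func SpiceEncrypt(b cipher.Block, spice int, msg []byte) ([]byte, error) {
	bs, payload := b.BlockSize(), b.BlockSize()-spice
	if spice <= 0 || payload <= 0 || len(msg)%payload != 0 {
		return nil, errors.New("bad spice size, or message not a multiple of the payload size")
	}
	out, blk := make([]byte, 0, len(msg)/payload*bs), make([]byte, bs)
	for i := 0; i < len(msg); i += payload {
		copy(blk, msg[i:i+payload])
		if _, err := rand.Read(blk[payload:]); err != nil { // the spice
			return nil, err
		}
		b.Encrypt(blk, blk) // in place; append copies the bytes out
		out = append(out, blk...)
	}
	return out, nil
}

// SpiceDecrypt takes any whole number of blocks, in any order, and discards the spice.
func SpiceDecrypt(b cipher.Block, spice int, ct []byte) ([]byte, error) {
	bs := b.BlockSize()
	if spice <= 0 || spice >= bs || len(ct)%bs != 0 {
		return nil, errors.New("bad spice size, or ciphertext is not whole blocks")
	}
	out, blk := make([]byte, 0, len(ct)/bs*(bs-spice)), make([]byte, bs)
	for i := 0; i < len(ct); i += bs {
		b.Decrypt(blk, ct[i:i+bs])
		out = append(out, blk[:bs-spice]...)
	}
	return out, nil
}

func main() {
	b, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 16)) // constructed demo key
	ct, _ := SpiceEncrypt(b, 4, bytes.Repeat([]byte("SAME 12 BYTE"), 3)) // 3 identical payloads
	pt, _ := SpiceDecrypt(b, 4, ct)
	fmt.Println("identical payloads, identical ciphertext blocks?", bytes.Equal(ct[:16], ct[16:32]), "round trip:", string(pt))
}
```

A flipped ciphertext bit scrambles only that block's 12 payload bytes and is not reported as an error, which is the "scramble a whole block" limit the post describes.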


