[Cryptography] Shortening block cipher length...

Adam P. Goucher apgoucher at gmx.com
Sun Jul 18 06:01:44 EDT 2021


> Counter mode, classically, is P XOR E(Ctr) = C.  Using the same
> set of operations the same number of times each you can implement
> a clearly superior counter mode E(P XOR Ctr) = C.

Firstly, E() in many stream ciphers -- such as ChaCha20 -- is
irreversible (and most probably not even a bijection).

Secondly, if the plaintext P contains a sequence of blocks that
increment (the simplest example being P = Ctr), then there will
be lots of repeated ciphertext blocks. For example, if you had:

P   = [42, 43, 44, 45, ..., 68]
Ctr = [ 0,  1,  2,  3, ..., 26]

then the ciphertext would be:

[E(42), E(42), E(46), E(46), E(42), E(42), E(54), E(54), E(58),
 E(58), E(62), E(62), E(58), E(58), E(54), E(54), E(42), E(42),
 E(46), E(46), E(42), E(42), E(86), E(86), E(90), E(90), E(94)]

which contains some repeated blocks.


However, I do agree with your overall point, and have considered
using:

E = AES(P XOR ChaCha20(Ctr))

i.e. to apply the (reversible) AES encryption function (in the
naive 'electronic codebook' mode of operation, which on its own
is insecure) to the encrypted output of a standard ChaCha20
stream cipher. Assuming that the keys used for the two ciphers
are unrelated, then this can't be any *less* secure than standard
ChaCha20, and it also avoids the linearity property that wreaks
havoc whenever someone carelessly reuses a keystream for two
different plaintexts.


Best wishes,


Adam P. Goucher
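
An added example, not part of the original post: it checks the repeated-block count for the P = [42..68] case above and compares keystream reuse with and without the outer block cipher. The 4-round Feistel `E`, the hash-based `keystream` standing in for ChaCha20, the keys and the second plaintext are all assumptions constructed for this sketch.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blk(n):
    return n.to_bytes(BLOCK, "big")

def E(key, block):
    # Toy 4-round Feistel permutation (SHA-256 round function); stand-in for E, not AES.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return l + r

def keystream(key, i):
    # Hash-based stand-in for ChaCha20(Ctr); an assumption of this example.
    return hashlib.sha256(b"ks" + key + blk(i)).digest()[:BLOCK]

def classic_ctr(key, pt):
    # C_i = P_i XOR E(Ctr_i)
    return [xor(blk(p), E(key, blk(i))) for i, p in enumerate(pt)]

def proposed_ctr(key, pt):
    # C_i = E(P_i XOR Ctr_i), the variant quoted at the top of the post
    return [E(key, blk(p ^ i)) for i, p in enumerate(pt)]

def stream_only(ks_key, pt):
    # C_i = P_i XOR KS(i)
    return [xor(blk(p), keystream(ks_key, i)) for i, p in enumerate(pt)]

def wrapped(blk_key, ks_key, pt):
    # C_i = E(P_i XOR KS(i)), the composition from the end of the post
    return [E(blk_key, c) for c in stream_only(ks_key, pt)]

def leaks_xor(c1, c2, p1, p2):
    # True if C1 XOR C2 equals P1 XOR P2 in every block (keystream-reuse leak).
    return all(xor(a, b) == blk(x ^ y) for a, b, x, y in zip(c1, c2, p1, p2))

K1, K2 = b"constructed key A", b"constructed key B"  # unrelated sample keys
P1 = list(range(42, 69))        # the incrementing plaintext from the post
P2 = [p + 100 for p in P1]      # second message sent under the same keystream

if __name__ == "__main__":
    print("distinct blocks, classic :", len(set(classic_ctr(K1, P1))))
    print("distinct blocks, proposed:", len(set(proposed_ctr(K1, P1))))
    print("reuse leak, stream only  :", leaks_xor(stream_only(K2, P1), stream_only(K2, P2), P1, P2))
    print("reuse leak, wrapped      :", leaks_xor(wrapped(K1, K2, P1), wrapped(K1, K2, P2), P1, P2))
```

Because `E` is a permutation, the number of distinct ciphertext blocks in the proposed mode equals the number of distinct values of P XOR Ctr, whatever block cipher is substituted.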

