[Cryptography] Shortening block cipher length...

Phillip Hallam-Baker phill at hallambaker.com
Sun Jul 18 19:48:01 EDT 2021


On Sun, Jul 18, 2021 at 6:35 PM Ray Dillinger <bear at sonic.net> wrote:

>
>
> On 7/18/21 12:11 AM, Natanael wrote:
>
>
>
> On Sun, 18 July 2021 01:18, Ray Dillinger <bear at sonic.net> wrote:
>
>>
>>
>>      Counter mode, classically, is P XOR E(Ctr) = C.  Using the same set
>> of operations the same number of times each you can implement a clearly
>> superior counter mode E(P XOR Ctr) = C.
>>
> ...
>
> XOR is not a good combiner here for a plain counter, P XOR Ctr exposes if
> the plaintext iterates (or rather decreases) by the same value as the
> counter in between blocks. If P goes down by one and Ctr up by one, C is
> identical for the two blocks.
>
> Either the counter must be pseudorandom or you must use a different
> combiner like a keyed permutation (double block cipher invocation per
> message block).
>
>>
>      You are absolutely right.  The counter needs to be obfuscated.  Still
> better than classic counter mode IMO, but the counter still needs to be
> obfuscated.
>
>      So.  Darn.  The improvement requires at least one more operation than
> classic XOR construction.  I don't think the additional operation needs to
> be as heavy as a cipher block invocation though.  I'd be happy with a
> relatively weak construction for the counter, because it's sitting behind a
> block cipher invocation. For example one could use a Mersenne Twister as a
> counter, and that's pretty darn light.
>
>      With or without the additional expense of an obfuscated counter,
> however, I'm going to stand by the assertion that nobody should ever use
> Counter Mode, nor any XOR-construction stream cipher, because every bit of
> ciphertext needs to be a function of every bit of at least one decent-size
> block of plaintext.
>

Congrats, you have essentially re-invented OCB.

But that is fine because (1) Rogaway is a very smart guy and (2) this is
probably how I would teach OCB mode if I do another crypto course.
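
The repeated-ciphertext problem raised in the quoted text, as an added example that is not part of the original thread: it compares P XOR E(Ctr), E(P XOR Ctr) with a plain counter, and E(P XOR mask(Ctr)) with a pseudorandom per-block mask. Assumptions: `E`/`D` are a toy SHA-256 Feistel permutation standing in for a real block cipher, `mask` is a hypothetical keyed-hash counter obfuscation (not OCB's offset schedule), and the keys and plaintext are constructed.

```python
import hashlib

BLOCK = 16  # block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function built from SHA-256 (toy construction, an assumption)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for a real block cipher."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: undo the rounds in reverse order."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def ctr(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")

def mask(mask_key: bytes, i: int) -> bytes:
    # Pseudorandom per-block value replacing the plain counter (hypothetical choice)
    return hashlib.sha256(mask_key + ctr(i)).digest()[:BLOCK]

def classic_ctr(key, blocks):                    # C = P XOR E(Ctr)
    return [xor(p, E(key, ctr(i))) for i, p in enumerate(blocks)]

def xor_then_encrypt(key, blocks):               # C = E(P XOR Ctr), plain counter
    return [E(key, xor(p, ctr(i))) for i, p in enumerate(blocks)]

def masked_then_encrypt(key, mask_key, blocks):  # C = E(P XOR mask(Ctr))
    return [E(key, xor(p, mask(mask_key, i))) for i, p in enumerate(blocks)]

def masked_decrypt(key, mask_key, ct):           # P = D(C) XOR mask(Ctr)
    return [xor(D(key, c), mask(mask_key, i)) for i, c in enumerate(ct)]

# Constructed sample: plaintext counts down 3, 2, 1, 0 while the counter runs 0, 1, 2, 3,
# so P XOR Ctr equals 3 for every block.
KEY, MASK_KEY = b"constructed-key", b"constructed-mask-key"
COUNTDOWN = [ctr(n) for n in (3, 2, 1, 0)]

if __name__ == "__main__":
    print("E(P^Ctr) distinct blocks:", len(set(xor_then_encrypt(KEY, COUNTDOWN))))
    print("P^E(Ctr) distinct blocks:", len(set(classic_ctr(KEY, COUNTDOWN))))
    print("E(P^mask(Ctr)) distinct blocks:", len(set(masked_then_encrypt(KEY, MASK_KEY, COUNTDOWN))))
```

With the plain counter all four ciphertext blocks come out identical, which tells an observer how the plaintext relates to the counter; the masked variant and classic counter mode both produce four distinct blocks.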