[Cryptography] Shortening block cipher length...

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jul 20 01:10:38 EDT 2021


Patrick Chkoreff <pc at fexl.com> writes:

>Now, in light of the case you make here against XOR stream ciphers, I am
>concerned about this function which appears in DJB's code:
>
>   stream_xor

Thus my proposed addition to the Immutable Laws of Cryptography:

  "Any cipher or mode that puts a single operation like XOR or addition
  between the plaintext and an attacker is fundamentally unsafe, no matter how
  mathematically elegant or provably something-or-other it is".

(Feel free to quote that wherever you need to :-).

GCM is doubly unsafe because it relies on both the XOR and the addition in
order to be secure.  And if you're thinking "who could get an addition
wrong?", experienced cryptographers, not just generic non-cryptographer
programmers, have got this wrong because you can do it with an unnoticeable
single-character typo.

>I wonder if DJB's philosophy regarding your points there is simply:

... "when I use this, I know what I'm doing".

Unfortunately everyone else isn't DJB, and frequently gets it wrong.  To
paraphrase an old paper on formal methods "stream ciphers are perfectly safe
when implemented and applied by geniuses.  Unfortunately, geniuses are in
short supply".

When I'm asked to do code audits and need a quick result, either because the
people who asked for the audit don't really think they need anything done or
sometimes because I'm lazy, the first rule is "shersher la GCM".  With that to
guide you to where the mistakes are being made, you just keep looking for
locations where there's IV/counter reuse or ways in which an attacker can
encourage IV/counter reuse.  Then once you've got the easy break you can
justify a more in-depth audit, or preferably use of a less unsafe encryption
mechanism.

Peter.
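As an added illustration of the two failure modes the thread is circling (this is example code written for this page, not Gutmann's or DJB's code): a toy XOR stream cipher in which the keystream is HMAC-SHA256 in counter mode, standing in for any `stream_xor`-style construction (ChaCha20, AES-CTR, the CTR half of GCM); the key, nonce and messages are constructed. With the nonce reused, `c1 XOR c2 = p1 XOR p2`, so one known plaintext yields the other without the key; and because the only thing between plaintext and attacker is an XOR, flipping ciphertext bits flips the corresponding plaintext bits. A small `find_nonce_reuse` helper does the first thing an audit of the kind described above would do, namely flag nonces seen more than once across captured messages.

```python
import hmac
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated.
    A stand-in for any XOR stream cipher; only the XOR structure matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: data XOR keystream."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def recover_with_reused_nonce(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Two-time pad: c1 = p1 ^ ks and c2 = p2 ^ ks, so c1 ^ c2 = p1 ^ p2.
    With p1 known, p2 falls out for every byte that overlaps; no key needed."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


def forge_by_bitflip(ciphertext: bytes, offset: int,
                     old_fragment: bytes, new_fragment: bytes) -> bytes:
    """Without authentication, XORing (old ^ new) into the ciphertext at a
    known offset turns the decrypted plaintext from old into new."""
    if len(old_fragment) != len(new_fragment):
        raise ValueError("fragments must have equal length")
    delta = xor_bytes(old_fragment, new_fragment)
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[offset + i] ^= d
    return bytes(c)


def find_nonce_reuse(messages) -> list:
    """messages: iterable of (nonce, ciphertext) pairs captured from a system.
    Returns the nonces that occur more than once, i.e. the audit's easy break."""
    counts = {}
    for nonce, _ in messages:
        counts[nonce] = counts.get(nonce, 0) + 1
    return [nonce for nonce, c in counts.items() if c > 1]


def demo():
    key = b"\x11" * 32          # constructed key
    nonce = b"\x00" * 12        # constructed nonce, reused for both messages (the bug)
    p1 = b"transfer $100 to account 1234"   # constructed, assumed known to attacker
    p2 = b"transfer $999 to account 5678"   # constructed, the target
    c1 = stream_xor(key, nonce, p1)
    c2 = stream_xor(key, nonce, p2)

    # 1. Nonce reuse: recover p2 from c1, c2 and the known p1, with no key.
    recovered = recover_with_reused_nonce(c1, p1, c2)

    # 2. Malleability: rewrite "$100" to "$900" inside c1; the receiver
    #    decrypts it without complaint because nothing authenticates it.
    offset = len(b"transfer $")
    forged = forge_by_bitflip(c1, offset, b"100", b"900")
    forged_plaintext = stream_xor(key, nonce, forged)

    # 3. What an auditor greps for: the same nonce appearing twice.
    reused = find_nonce_reuse([(nonce, c1), (nonce, c2), (b"\x01" * 12, b"x")])
    return recovered, forged_plaintext, reused


if __name__ == "__main__":
    rec, forged_pt, reused = demo()
    print("recovered p2:", rec)
    print("forged decrypts to:", forged_pt)
    print("reused nonces:", reused)
```

The XOR half of the problem is all this shows; GCM's second dependency, the polynomial MAC whose key leaks under the same nonce reuse, is not modelled here, but the CTR keystream it encrypts with has exactly the structure above, so the plaintext recovery applies to it unchanged.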


