[Cryptography] Shortening block cipher length...

Phillip Hallam-Baker phill at hallambaker.com
Mon Mar 29 11:42:55 EDT 2021


OK so what I need right now turns out to be a 64 bit block cipher.

Relax: I am not using it for encryption.

What I want is a means of permuting my 64 bit session ID so that I don't
leak information. So the obvious way to do this is to use a block cipher
with a key.

The easiest way to do this is to simply use DES. It is more than capable of
being used for this purpose. But then I have to explain to everyone why it
is OK to use DES. So I could use 3DES but that is still icky and incurs the
cost of auditing the implementation decision.

Using DES is probably OK for now because this is an implementation issue,
not a specification issue. This is self-to-self so there isn't an interop
constraint. But it would be nice to point to something principled.


The simplest clean option is to write a very simple block cipher using a
key derivation function to provide a schedule of XOR masks combined with n
bit rotations. That would make it easy to create a permutation algorithm
for an arbitrary length bit string.

More generally, one could take an existing block cipher that has a 32-bit
rotate step and swap that out for an n-bit rotate so that the data path is
effectively narrowed to n bits.
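As an added illustration of the two paragraphs above (this is editor-supplied example code, not the poster's design), here is a keyed bijection on an arbitrary even bit width, with a 64-bit default for a session ID. It uses a balanced Feistel network whose round keys come from a simple HMAC-based expansion of the master key (a constructed stand-in for a real KDF) and whose round function is a truncated keyed hash, the textbook Luby-Rackoff way to turn a PRF into a permutation; the width, round count and key-expansion labels are assumptions, and `is_bijection` exhaustively checks the permutation property at a small width.

```python
import hmac
import hashlib


def _round_keys(master_key: bytes, rounds: int) -> list[bytes]:
    """Expand the master key into one 32-byte subkey per round.
    Constructed HMAC-based expansion; a real deployment would use HKDF."""
    return [hmac.new(master_key, b"feistel-round-%d" % i, hashlib.sha256).digest()
            for i in range(rounds)]


def _f(subkey: bytes, half: int, half_bits: int) -> int:
    """Round function: keyed hash of one half, truncated to half_bits."""
    data = half.to_bytes((half_bits + 7) // 8, "big")
    digest = hmac.new(subkey, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << half_bits) - 1)


def permute(master_key: bytes, value: int, width: int = 64, rounds: int = 8) -> int:
    """Keyed bijection on `width`-bit integers (width must be even).
    Each round: (L, R) -> (R, L xor f_k(R))."""
    assert width % 2 == 0 and 0 <= value < (1 << width)
    half_bits = width // 2
    mask = (1 << half_bits) - 1
    left, right = value >> half_bits, value & mask
    for k in _round_keys(master_key, rounds):
        left, right = right, left ^ _f(k, right, half_bits)
    return (left << half_bits) | right


def unpermute(master_key: bytes, value: int, width: int = 64, rounds: int = 8) -> int:
    """Inverse of permute: same rounds applied in reverse order.
    Each round: (L', R') -> (R' xor f_k(L'), L')."""
    assert width % 2 == 0 and 0 <= value < (1 << width)
    half_bits = width // 2
    mask = (1 << half_bits) - 1
    left, right = value >> half_bits, value & mask
    for k in reversed(_round_keys(master_key, rounds)):
        left, right = right ^ _f(k, left, half_bits), left
    return (left << half_bits) | right


def is_bijection(master_key: bytes, width: int = 8, rounds: int = 8) -> bool:
    """Exhaustive check at a small width: every input maps to a distinct output."""
    outputs = {permute(master_key, v, width, rounds) for v in range(1 << width)}
    return len(outputs) == 1 << width
```

Because the construction is a permutation, sequential session IDs map to distinct, key-dependent 64-bit values, and the holder of the key can recover the original counter with `unpermute`.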

The question then is how many rounds? And to decide that I would need to define
an attack mode.

What I am trying to prevent here is leaking the sequence number so it is
probably simplest to analyze it as a block encryption function but the
security concern is much weaker.

This process doesn't need to be at all quick because it can be done
offline. And it might well be a good idea to make the algorithm a little
slow on purpose just to make sure nobody tries to use it as a replacement
for AES.