[Cryptography] Shortening block cipher length...

Christian Huitema huitema at huitema.net
Mon Mar 29 20:44:00 EDT 2021


On 3/29/2021 8:42 AM, Phillip Hallam-Baker wrote:
> OK so what I need right now turns out to be a 64 bit block cipher.
>
> Relax: I am not using it for encryption.
>
> What I want is a means of permuting my 64 bit session ID so that I don't
> leak information. So the obvious way to do this is to use a block cipher
> with a key.
>
> The easiest way to do this is to simply use DES. It is more than capable of
> being used for this purpose. But then I have to explain to everyone why it
> is OK to use DES. So I could use 3DES but that is still icky and incurs the
> cost of auditing the implementation decision.
>
> Using DES is probably OK for now because this is an implementation issue,
> not a specification issue. This is self-to-self so there isn't an interop
> constraint. But it would be nice to point to something principled.
>
>
> The simplest clean option is to write a very simple block cipher using a
> key derivation function to provide a schedule of XOR masks combined with n
> bit rotations. That would make it easy to create a permutation algorithm
> for an arbitrary length bit string.
>
> More generally, could take an existing block cipher that has a 32-bit
> rotate step and swap that out for an n bit rotate so that the data path is
> effectively narrowed to n bits.
>
> Question then is how many rounds? And to decide that I would need to define
> an attack mode.
>
> What I am trying to prevent here is leaking the sequence number so it is
> probably simplest to analyze it as a block encryption function but the
> security concern is much weaker.
>
> This process doesn't need to be at all quick because it can be done
> offline. And it might well be a good idea to make the algorithm a little
> slow on purpose just to make sure nobody tries to use it as a replacement
> for AES.

That exact same problem was solved in QUIC by using AES as a stream 
cipher. Sort of.

Assume the message is:

       <sequence_number><encrypted data>

What QUIC does, in a very simplified way, is pick a seed of 16 bytes of 
encrypted data bytes at a known position. Say, if your sequence number 
is 8 bytes, pick seed = bytes[8..23]. Encrypt that with AES to get 16 
bytes of "mask". Then take how many bytes you need (8 in your example) 
and XOR the sequence number with that.

-- Christian Huitema
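The masking scheme Christian describes, written out as an added Go example (this is not code from the thread or from any QUIC implementation; it is a simplified form of what RFC 9001 calls header protection, which in real QUIC samples at a fixed offset past the packet number and also masks part of the first byte). Assumed here: an 8-byte sequence number at the front of the packet, a 16-byte sample taken from the ciphertext immediately after it, a separate header-protection key `hpKey`, and the function names `headerMask` and `protectSequenceNumber`. The key and packet bytes in `main` are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

const sampleLen = 16 // one AES block of ciphertext is sampled

// headerMask derives a 16-byte mask by encrypting a 16-byte ciphertext sample
// under the (assumed) header-protection key hpKey. A single raw AES block
// operation is exactly what is wanted: one block in, one pseudo-random block out.
func headerMask(hpKey, sample []byte) ([]byte, error) {
	if len(sample) != sampleLen {
		return nil, fmt.Errorf("sample must be %d bytes, got %d", sampleLen, len(sample))
	}
	block, err := aes.NewCipher(hpKey) // 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	mask := make([]byte, sampleLen)
	block.Encrypt(mask, sample)
	return mask, nil
}

// protectSequenceNumber XORs the first seqLen bytes of packet with a mask derived
// from the seqLen..seqLen+16 ciphertext bytes that follow them. The mask depends
// only on ciphertext that is never modified, so applying the same function to a
// protected packet removes the protection: XOR is its own inverse.
func protectSequenceNumber(hpKey, packet []byte, seqLen int) ([]byte, error) {
	if seqLen <= 0 || seqLen > sampleLen {
		return nil, errors.New("sequence number length must be between 1 and 16 bytes")
	}
	// The check a receiver must make: a truncated packet has nothing to sample.
	if len(packet) < seqLen+sampleLen {
		return nil, errors.New("packet too short: not enough ciphertext to sample")
	}
	mask, err := headerMask(hpKey, packet[seqLen:seqLen+sampleLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(packet))
	copy(out, packet)
	for i := 0; i < seqLen; i++ {
		out[i] ^= mask[i]
	}
	return out, nil
}

func main() {
	hpKey := []byte("0123456789abcdef") // constructed 128-bit key, not a real secret
	// Constructed packet: 8-byte sequence number 0x00..0x07 followed by 24 bytes
	// standing in for AEAD ciphertext.
	packet := make([]byte, 32)
	for i := range packet {
		packet[i] = byte(i)
	}
	protected, err := protectSequenceNumber(hpKey, packet, 8)
	if err != nil {
		panic(err)
	}
	recovered, err := protectSequenceNumber(hpKey, protected, 8)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plain seq:     %x\n", packet[:8])
	fmt.Printf("protected seq: %x\n", protected[:8])
	fmt.Printf("round trip ok: %v\n", bytes.Equal(recovered, packet))
}
```

Two points the code makes explicit: the sampled bytes must lie entirely outside the field being masked and must arrive unmodified, otherwise the receiver derives a different mask and the sequence number decodes to garbage; and because the mask is a function of the ciphertext rather than of the sequence number, two packets with identical sampled ciphertext would get identical masks, which a properly keyed AEAD makes negligibly unlikely.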