[Cryptography] Shortening block cipher length...
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Mar 29 22:21:37 EDT 2021
Jon Callas <jon at callas.org> writes:
>I think it's very different when you're encrypting a 64-bit block,
>especially a single one, which is what I understand the use case to be.
Oh, Phil mentioned 16-32 bytes so I assumed it was more than one block, at
least of any common block cipher. In which case a tweakable block cipher
might be the appropriate solution, with T-HEAD as the tweak.
It really needs a bit more info:
- Can you use nonstandard building blocks or do you need to stick with e.g.
AES?
- Do you have room to communicate nonces/tweaks? How much?
- Are dictionary attacks an issue, or is there enough unique material (which
Phil's comment about T-HEAD implies) or changing keys that it's not an
issue?
If the presence of a nonce and use of nonstandard building blocks is a
problem then there's the nonce-less two-pass encryption trick invented by
Colin Plumb which takes any standard block cipher, without needing a tweak/
nonce/whatever, and makes it as wide as you need it to be.
Peter.
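To make the "tweakable block cipher with T-HEAD as the tweak" option concrete, here is an added example in Go; it is not code from this thread or from Peter, and the thread never says what T-HEAD actually is, so the code assumes it is an arbitrary header byte string and hashes it down to a 16-byte tweak. The construction is the XEX/XTS form over AES (one key for the data blocks, a second key to turn the tweak into the per-block masks Delta_j = E_K2(T) * alpha^j), restricted to whole 16-byte blocks since the thread's 16-32 byte messages need no ciphertext stealing. Keys and sample data are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

const blockSize = 16

// XEX is an AES-based tweakable block cipher in the XTS form (IEEE P1619):
// dataKey encrypts the blocks, tweakKey turns the tweak into the masks
// Delta_j = E_K2(T) * alpha^j in GF(2^128).
type XEX struct {
	dataKey  cipher.Block
	tweakKey cipher.Block
}

func NewXEX(k1, k2 []byte) (*XEX, error) {
	d, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	t, err := aes.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	return &XEX{dataKey: d, tweakKey: t}, nil
}

// TweakFromHeader derives the 16-byte tweak from a header; T-HEAD is assumed
// (not stated in the thread) to be such a byte string. The tweak is public;
// what matters is that it differs per message, otherwise identical plaintexts
// under one key encrypt identically (the dictionary-attack concern above).
func TweakFromHeader(header []byte) [blockSize]byte {
	var t [blockSize]byte
	sum := sha256.Sum256(header)
	copy(t[:], sum[:blockSize])
	return t
}

// gfMulAlpha multiplies a GF(2^128) element by alpha (x) in the XTS
// little-endian bit order: bit 0 of byte 0 is the least significant bit.
func gfMulAlpha(in [blockSize]byte) [blockSize]byte {
	var out [blockSize]byte
	var carry byte
	for i := 0; i < blockSize; i++ {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[0] ^= 0x87 // reduce modulo x^128 + x^7 + x^2 + x + 1
	}
	return out
}

// process masks each block with Delta_j, applies AES in the chosen direction,
// and masks again. Encryption and decryption differ only in that direction.
func (x *XEX) process(tweak [blockSize]byte, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%blockSize != 0 {
		return nil, errors.New("xex: input must be a non-zero multiple of 16 bytes (no ciphertext stealing here)")
	}
	var delta [blockSize]byte
	x.tweakKey.Encrypt(delta[:], tweak[:])
	out := make([]byte, len(in))
	var tmp [blockSize]byte
	for off := 0; off < len(in); off += blockSize {
		for i := range tmp {
			tmp[i] = in[off+i] ^ delta[i]
		}
		if decrypt {
			x.dataKey.Decrypt(tmp[:], tmp[:])
		} else {
			x.dataKey.Encrypt(tmp[:], tmp[:])
		}
		for i := range tmp {
			out[off+i] = tmp[i] ^ delta[i]
		}
		delta = gfMulAlpha(delta)
	}
	return out, nil
}

func (x *XEX) Encrypt(tweak [blockSize]byte, pt []byte) ([]byte, error) { return x.process(tweak, pt, false) }
func (x *XEX) Decrypt(tweak [blockSize]byte, ct []byte) ([]byte, error) { return x.process(tweak, ct, true) }

func main() {
	// Constructed sample keys, headers and plaintext; none of this is from the thread.
	x, err := NewXEX([]byte("0123456789abcdef"), []byte("fedcba9876543210"))
	if err != nil {
		panic(err)
	}
	pt := []byte("32-byte message, two AES blocks!")
	t1 := TweakFromHeader([]byte("T-HEAD: record 1"))
	t2 := TweakFromHeader([]byte("T-HEAD: record 2"))
	c1, _ := x.Encrypt(t1, pt)
	c2, _ := x.Encrypt(t2, pt)
	fmt.Printf("same plaintext, tweak 1: %x\n", c1)
	fmt.Printf("same plaintext, tweak 2: %x\n", c2)
	// XEX is per-block, not wide-block: damaging ciphertext block 1 leaves block 0 intact.
	c1[16] ^= 0x01
	d, _ := x.Decrypt(t1, c1)
	fmt.Printf("block 0 after a bit flip in block 1: %q\n", d[:16])
}
```

Two caveats a practitioner should keep in mind. First, this answers the tweak question, not the dictionary-attack one: with the same key and the same T-HEAD, the same plaintext always gives the same ciphertext, so the tweak has to carry enough unique material per message. Second, the construction is block-local, as the bit-flip at the end shows: one corrupted ciphertext block garbles only its own plaintext block. If every output bit must depend on every input bit, that is the wide-block property the two-pass trick in the last paragraph is about, and this example does not provide it.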