[Cryptography] Shortening block cipher length...
Dennis E. Hamilton
dennis.hamilton at acm.org
Tue Mar 30 11:06:35 EDT 2021
From: Phillip Hallam-Baker
[ ... ]
> This is not a one shot affair. The idea is that there will be a large
> number of streams created and in the typical case, we certainly expect that if
> we allow 32 bits for the stream ID, we are expecting to generate up to 2^32
> identifiers.
> So this really needs to be a full permutation. There is no space outside the
> identifier. No tweaks, no nonces.
[ ... ]
You keep saying "full permutation" and I think you mean isomorphism since
collisions on stream identifiers are not acceptable. There needs to be some
clarity on exactly what is "permuted" that is the basis for stream identifiers
and how it might be restarted (with collisions with the past made irrelevant).
This presumably does not require a cryptographic-strength solution since it is
only about preventing information leakage concerning stream identifiers. The
considerable energy then expended talking about the sort-of-cryptological
strength of the issued identifiers is puzzling.
Maybe it is more helpful to have clarity on the use case and context in which
the stream identifiers are issued, sustained, and not reused. Then talk about
the attack surface and what is meant to be too expensive if not impossible for
an adversary.
- Dennis
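As an added illustration of what "a full permutation" over a 32-bit identifier space means in practice (this is example code written for this page, not code from either correspondent), the block below builds a keyed balanced Feistel network over two 16-bit halves. Each round is invertible, so the map is a bijection on all 2^32 inputs by construction: feeding it a counter produces identifiers that cannot collide until the counter itself wraps, with no tweak or nonce outside the 32 bits. The round function (truncated HMAC-SHA256), the round count and the key are assumptions for the example; `check_unique` only verifies round-trip and distinctness over a sample range, since the full domain is too large to enumerate here.

```python
import hashlib
import hmac
import struct

HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 8  # assumed round count for the example; not from the thread


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed, round-indexed PRF on one 16-bit half: HMAC-SHA256 truncated to 16 bits.

    Any function works here; the Feistel structure, not the round function,
    is what guarantees the overall map is a permutation.
    """
    msg = struct.pack(">BH", rnd, half)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")


def permute32(key: bytes, x: int) -> int:
    """Map a 32-bit input to a 32-bit output; bijective for a fixed key."""
    if not 0 <= x < (1 << 32):
        raise ValueError("input must be a 32-bit value")
    left, right = x >> HALF_BITS, x & HALF_MASK
    for rnd in range(ROUNDS):
        # (L, R) -> (R, L xor F(R))
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << HALF_BITS) | right


def unpermute32(key: bytes, y: int) -> int:
    """Invert permute32 by running the rounds backwards."""
    if not 0 <= y < (1 << 32):
        raise ValueError("input must be a 32-bit value")
    left, right = y >> HALF_BITS, y & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        # (L', R') = (R, L xor F(R))  =>  R = L', L = R' xor F(L')
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << HALF_BITS) | right


def stream_ids(key: bytes, start: int, count: int) -> list:
    """Issue `count` identifiers from a plain counter beginning at `start`."""
    return [permute32(key, (start + i) & 0xFFFFFFFF) for i in range(count)]


def check_unique(key: bytes, start: int, count: int) -> bool:
    """Sample check: every id in the range inverts correctly and no two collide."""
    ids = stream_ids(key, start, count)
    if len(set(ids)) != len(ids):
        return False
    return all(
        unpermute32(key, ids[i]) == ((start + i) & 0xFFFFFFFF) for i in range(count)
    )


if __name__ == "__main__":
    # Constructed key for demonstration only.
    demo_key = b"example-key-not-for-production"
    print("first ids:", [hex(v) for v in stream_ids(demo_key, 0, 4)])
    print("sample range unique and invertible:", check_unique(demo_key, 0, 10000))
```

The uniqueness argument rests on the Feistel structure alone; a balanced Feistel network with a small block and few rounds is a known weak cipher, so this shows the permutation property the quoted message asks for, not the cryptographic strength the reply questions.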