[Cryptography] Shortening block cipher length...

Dennis E. Hamilton dennis.hamilton at acm.org
Tue Mar 30 11:06:35 EDT 2021


From:  Phillip Hallam-Baker
[ . ]

> This is not a one shot affair. The idea is that there will be a large 
> number of streams created and in the typical case, we certainly expect that if 
> we allow 32 bits for the stream ID, we are expecting to generate up to 2^32 
> identifiers.

> So this really needs to be a full permutation. There is no space outside the 
> identifier. No tweaks, no nonces.

[ ... ]
You keep saying "full permutation" and I think you mean isomorphism since 
collisions on stream identifiers are not acceptable.  There needs to be some 
clarity on exactly what is "permuted" that is the basis for stream identifiers 
and how it might be restarted (with collisions with the past made irrelevant).

This presumably does not require a cryptographic-strength solution since it is 
only about preventing information leakage concerning stream identifiers.  The 
considerable energy then expended talking about the sort-of-cryptological 
strength of the issued identifiers is puzzling.

Maybe it is more helpful to have clarity on the use case and context in which 
the stream identifiers are issued, sustained, and not reused.  Then talk about 
the attack surface and what is meant to be too expensive if not impossible for 
an adversary.

 - Dennis
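The distinction the thread is circling (a keyed "full permutation" on the 32-bit identifier space, as opposed to a keyed hash truncated to 32 bits) is easiest to see in code. The following is an added illustration, not code from either correspondent: a balanced Feistel network over a 32-bit (or narrower) domain whose round function is HMAC-SHA256 under a key, which is a bijection by construction and so can never map two counters to the same identifier, alongside a truncated-hash ID derivation that does collide. The key, the round count and the round function are assumptions of this example, and enumerating the whole domain is only done at a reduced width so the bijection can be checked exhaustively.

```python
import hashlib
import hmac
import os

# Constructed key for the demonstration; a real deployment would use its own secret.
DEMO_KEY = b"example-key-for-stream-id-permutation"


def _round_function(key: bytes, round_idx: int, half: int, half_bits: int) -> int:
    """Keyed pseudorandom function for one Feistel round, truncated to half_bits."""
    msg = round_idx.to_bytes(1, "big") + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << half_bits) - 1)


def feistel_encrypt(x: int, key: bytes = DEMO_KEY, bits: int = 32, rounds: int = 8) -> int:
    """Permute x within [0, 2**bits) using a balanced Feistel network."""
    if bits % 2 or not 0 <= x < (1 << bits):
        raise ValueError("bits must be even and x must fit in the domain")
    half_bits = bits // 2
    mask = (1 << half_bits) - 1
    left, right = x >> half_bits, x & mask
    for r in range(rounds):
        # (L, R) -> (R, L xor F_r(R)); each step is invertible, so the whole map is a bijection.
        left, right = right, left ^ _round_function(key, r, right, half_bits)
    return (left << half_bits) | right


def feistel_decrypt(y: int, key: bytes = DEMO_KEY, bits: int = 32, rounds: int = 8) -> int:
    """Inverse of feistel_encrypt: undo the rounds in reverse order."""
    half_bits = bits // 2
    mask = (1 << half_bits) - 1
    left, right = y >> half_bits, y & mask
    for r in reversed(range(rounds)):
        # Reverse of (L, R) -> (R, L xor F_r(R)) is (L', R') -> (R' xor F_r(L'), L').
        left, right = right ^ _round_function(key, r, left, half_bits), left
    return (left << half_bits) | right


def is_bijection(key: bytes, bits: int, rounds: int = 8) -> bool:
    """Exhaustively check that the permutation never maps two inputs to one output."""
    seen = set()
    for x in range(1 << bits):
        y = feistel_encrypt(x, key, bits, rounds)
        if y in seen:
            return False
        seen.add(y)
    return True


def truncated_hash_collisions(key: bytes, bits: int) -> int:
    """Count collisions when IDs are a keyed hash truncated to `bits` instead of a permutation."""
    seen = set()
    collisions = 0
    for x in range(1 << bits):
        digest = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
        y = int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)
        if y in seen:
            collisions += 1
        else:
            seen.add(y)
    return collisions


if __name__ == "__main__":
    # Counter-derived stream IDs at the full 32-bit width round-trip through the inverse.
    for counter in (0, 1, 2, 0xFFFFFFFF):
        sid = feistel_encrypt(counter)
        print(f"counter {counter:10d} -> stream id {sid:08x} -> back {feistel_decrypt(sid)}")
    # At 16 bits the whole domain can be enumerated: the permutation has no collisions,
    # the truncated hash has roughly N/e of them.
    print("16-bit Feistel is a bijection:", is_bijection(DEMO_KEY, 16))
    print("16-bit truncated-hash collisions:", truncated_hash_collisions(DEMO_KEY, 16))
```

The point of the exhaustive check is that "no collisions" is a structural property of the permutation, independent of how many identifiers are issued or how strong the round function is; whether the mapping also hides the underlying counter from an observer is the separate question of its cryptographic quality, which is what the rest of the thread argues about.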
