Re: Braided ciphers

From: AE (hidden@nospam.com)
Date: 02/12/03


From: AE <hidden@nospam.com>
Date: Wed, 12 Feb 2003 21:21:39 +0100

David Soroko wrote:
> I do not see the similarity between the braiding scheme and
> the Geffe generator except for the fact that if-then-else
> logic is applied in both cases.
>
> The demonstration of Geffe's insecurity is based on the fact
> that LFSRs are used. One can guess the initial state of A
> or B and then verify the guess by using the 75% - 50% rule.
>
> I agree to look at the case where there are only two block ciphers.
> Let's be even more explicit: let's say that A=AES and B=Twofish
> (I am trying to get away from the LFSR example).
>
> Can you be more specific as to what it means for A and/or B to be weak
> in this context?
>
> David Soroko

In this special context it means that it is possible to determine the
key using the 75% - 50% rule. This might either be due to the fact that
the key is too short and can be guessed, or it can be that a special
statistical property of the output allows one to determine the key from
that property.

The point is simply: what happens if I'm able to determine the key and
in that way obtain the output sequence?

And the answer in this special context is the one I gave before: In that
special case your construction is not able to protect the plaintext
sufficiently.

Simple XORing of the three bitstreams is provably as strong as the
strongest of the three ciphers.

Your construction would be more interesting if the output bits of the
two block ciphers were written to a buffer and the output of each
generator were kept in the buffer until needed - similar to a
stop-and-go generator.
This way the controlling stream cipher would protect the output sequence
of the block ciphers from statistical analysis.
And you would need fewer encryptions: only one control bit and one bit
from one of the block ciphers per output bit, instead of one control bit
and two output bits of the block ciphers.

A completely different question is the purpose of the construction:

I don't think the strength of a modern block cipher is the problem in
any security system - security systems are broken due to flaws in
protocols, programming errors (most often causing buffer overflows) and
the faulty assumption that the user will take care of his password and
not write it on a post-it stuck to the upper right corner of his
screen, or give it to strangers on the phone when asked for it.

AE
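Worked example added to this archived post (it is not code from AE, David Soroko or the thread): a Geffe generator built from three toy LFSRs, the divide-and-conquer correlation attack behind the "75% - 50% rule" that recovers the state of register A on its own, and the same agreement measurement for plain XOR of the three streams, which is what AE contrasts it with. Every register length, feedback polynomial and seed below is a constructed illustration; the `expected_agreement` helper computes, for any combining function, how often its output equals one of its inputs, which is the general form of the 75% figure.

```python
# Added example, not from the original thread.  Toy LFSRs, a Geffe
# (if-then-else) combiner, the correlation attack on one register, and
# the same measurement for XOR of the three streams.  All parameters are
# constructed for illustration only.

from itertools import product


def lfsr(seed, taps, length, n):
    """Fibonacci LFSR over GF(2).

    seed   -- initial register contents as a non-zero int of `length` bits
    taps   -- positions whose XOR forms the feedback bit; position 0 is the
              bit output next, so taps [0, 4] realise x^9 + x^4 + 1
    returns the first n output bits as a list of 0/1
    """
    state = seed
    out = []
    for _ in range(n):
        out.append(state & 1)
        fb = 0
        for t in taps:
            fb ^= (state >> t) & 1
        state = (state >> 1) | (fb << (length - 1))
    return out


def geffe(a, b, c):
    """Geffe / if-then-else combiner: emit a's bit when c is 1, else b's."""
    return [ai if ci else bi for ai, bi, ci in zip(a, b, c)]


def xor3(a, b, c):
    """Plain XOR of the three streams, the alternative AE recommends."""
    return [ai ^ bi ^ ci for ai, bi, ci in zip(a, b, c)]


def agreement(x, y):
    """Fraction of positions where two bit streams agree."""
    return sum(xi == yi for xi, yi in zip(x, y)) / len(x)


def expected_agreement(combiner, which):
    """Probability, over uniformly random input bits, that the combiner's
    output equals input `which` (0 = a, 1 = b, 2 = c) - the 75% / 50% rule
    computed from the combiner's truth table."""
    hits = 0
    for bits in product((0, 1), repeat=3):
        out = combiner([bits[0]], [bits[1]], [bits[2]])[0]
        hits += out == bits[which]
    return hits / 8


# Constructed toy parameters (primitive polynomials, so each register runs
# through its full period).  Real registers are far longer; the attack is
# exponential only in the length of the register it targets.
A = dict(taps=[0, 4], length=9)    # x^9  + x^4 + 1
B = dict(taps=[0, 2], length=11)   # x^11 + x^2 + 1
C = dict(taps=[0, 1], length=7)    # x^7  + x   + 1   (control stream)
SEED_A, SEED_B, SEED_C = 0b101101101, 0b11001010011, 0b1011011


def keystream(n, combiner=geffe):
    a = lfsr(SEED_A, n=n, **A)
    b = lfsr(SEED_B, n=n, **B)
    c = lfsr(SEED_C, n=n, **C)
    return combiner(a, b, c)


def recover_register(z, reg):
    """Correlation attack on one register in isolation.

    Guess every non-zero seed of `reg` (2^length - 1 guesses instead of
    2^(lenA + lenB + lenC)), run it forward and score the guess by how
    often its stream agrees with the observed keystream z.  With the Geffe
    combiner only the right seed scores near 0.75; wrong ones sit near 0.5.
    """
    best_seed, best_score = None, 0.0
    for seed in range(1, 1 << reg["length"]):
        score = agreement(lfsr(seed, n=len(z), **reg), z)
        if score > best_score:
            best_seed, best_score = seed, score
    return best_seed, best_score


if __name__ == "__main__":
    n = 2000
    for name, comb in (("geffe", geffe), ("xor3", xor3)):
        print(name, "expected agreement with a, b, c:",
              [expected_agreement(comb, i) for i in range(3)])
    seed, score = recover_register(keystream(n), A)
    print("Geffe: recovered seed of A = %#x (true %#x), agreement %.3f"
          % (seed, SEED_A, score))
    a_true = lfsr(SEED_A, n=n, **A)
    print("XOR:   true A stream agrees with keystream in %.3f of positions"
          % agreement(a_true, keystream(n, combiner=xor3)))
```

`recover_register` recovers A with 511 guesses rather than the 2^27 needed to guess all three registers at once; the only property it uses is that the if-then-else output copies A's bit three times out of four, so any selector whose inputs can be guessed independently leaks the same way, block cipher or not. With `xor3` the true A stream agrees with the keystream in about half the positions, so the score carries no information about A, which is the observation behind AE's remark that XORing the streams is as strong as the strongest of them.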
