Re: Cipher Structure which is Key Dependent

From: Jim Steuert (pjsteuert@rcn.com)
Date: 04/13/03


From: Jim Steuert <pjsteuert@rcn.com>
Date: Sat, 12 Apr 2003 18:26:55 -0400

Hello David,
  Your points are well-taken. However, if one starts
with, say, SHA-1, with its 80 rounds, and then
"intersperses" additional (and provably non-weakening)
structures, then why isn't that a good way to mix
in the key dependence?
  I surmise the issue is one of horse-before-the-carrot.
We need a "proven design" to start with. Which means
a lot of experience, analysis, and cryptanalysis
to get to that state.
  But why can't we "strengthen", say, SHA-1? Isn't that
the methodology (strengthening) used in OAEP, AONT,
or in pre-whitening, or in iterating hash functions?

Or do you want a mathematical justification for the
additional structures, not just more of the same?
But iterating hash functions or feistel rounds is
a well-established methodology. What about "interspersing"
as contrasted with "iterating"?

I do believe that this is a valid question. I guess the
issue is, what structures, when interspersed, add value
to a cipher or hash. Isn't that the essence of design?
I suppose this is more engineering than science, though.

  -Jim Steuert

On Sat, 12 Apr 2003 21:10:11 +0000 (UTC), David Wagner
<daw@mozart.cs.berkeley.edu> wrote:

> Using a key-dependent structure in your cipher is an old idea, but it's
> probably not a very good one. The problem is that some structures will be
> much weaker than other ones, and as a result some keys will be much weaker
> than others. For most general-purpose applications, you really want to
> have a key space where all keys are of uniform difficulty to break.
>
> In addition, ciphers with key-dependent structure are often harder
> to analyze. If your cipher has just one possible structure, then
> cryptanalysts can focus on that structure and gain confidence that the
> structure is secure. However, if your cipher has thousands of possible
> structures, it is often difficult to analyze any of them (let alone all
> of them) to the level needed to gain much confidence in their security.
>
> For these reasons, though ciphers with key-dependent structure have been
> proposed before, they've never been successful, and I don't think the
> idea is a good one.
>

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
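An added illustration of the point argued in the quoted reply (this is not code from either poster, and the cipher is a constructed toy, not a proposal): a 16-bit, 8-round block cipher in which the low eight key bits select the structure round by round. A set bit makes that round a nonlinear S-box layer (the PRESENT 4-bit S-box is used as the nonlinear map); a clear bit makes it a bare rotation. Keys whose structure bits are all clear turn the entire cipher into an affine map over GF(2), which 17 chosen plaintexts recover completely; the sweep at the end measures how dense that weak class is. The key schedule, block size and round count are arbitrary choices made for the example.

```python
# Added illustration for the thread above (not code from either poster).
# A constructed toy cipher whose *structure* is chosen by key bits: each round
# is either a nonlinear S-box layer or a purely linear rotation, depending on
# one bit of the key.  Keys whose structure bits select no S-box round turn the
# whole cipher into an affine map over GF(2), recoverable from 17 chosen
# plaintexts, while other keys are not affine.  This demonstrates "some keys
# much weaker than others"; it is not a usable cipher.
import random

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1
ROUNDS = 8

# 4-bit S-box used by S-box rounds (the PRESENT S-box, which is nonlinear).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def rotl(x, r):
    r %= BLOCK_BITS
    return ((x << r) | (x >> (BLOCK_BITS - r))) & MASK


def sub_nibbles(x):
    """Nonlinear layer: apply SBOX to each of the four nibbles."""
    out = 0
    for i in range(4):
        out |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return out


def diffuse(x):
    """Fixed linear layer.  x -> x ^ (x<<<3) ^ (x<<<11) is invertible because
    1 + t^3 + t^11 is coprime to t^16 - 1 = (t+1)^16 over GF(2)."""
    return x ^ rotl(x, 3) ^ rotl(x, 11)


def structure_bits(key):
    """Low ROUNDS bits of the key choose the structure: bit i set means round i
    uses the S-box layer, clear means round i is only a rotation (linear)."""
    return key & ((1 << ROUNDS) - 1)


def round_keys(key):
    """Toy key schedule (constructed): 16-bit slices of a 64-bit key plus a
    round constant so that rounds differ even for low-entropy keys."""
    return [((key >> (16 * (i % 4))) & MASK) ^ ((i * 0x9E37) & MASK)
            for i in range(ROUNDS)]


def encrypt(key, pt):
    s = structure_bits(key)
    x = pt & MASK
    for i, rk in enumerate(round_keys(key)):
        x ^= rk
        if (s >> i) & 1:
            x = sub_nibbles(x)   # nonlinear round
        else:
            x = rotl(x, 5)       # linear round: no nonlinearity at all
        x = diffuse(x)
    return x


def affine_model(key):
    """Chosen-plaintext attack on the all-linear structure class: from E(0) and
    E(e_i) for the 16 unit vectors, build a predictor for every plaintext.
    It is exact iff the cipher is affine over GF(2) for this key."""
    c0 = encrypt(key, 0)
    columns = [encrypt(key, 1 << i) ^ c0 for i in range(BLOCK_BITS)]

    def predict(pt):
        y = c0
        for i in range(BLOCK_BITS):
            if (pt >> i) & 1:
                y ^= columns[i]
        return y
    return predict


def model_matches(key, samples=64, seed=1):
    """True if the 17-query affine model predicts `samples` random
    ciphertexts exactly, i.e. the key fell into the weak structure class."""
    rng = random.Random(seed)
    predict = affine_model(key)
    return all(predict(p) == encrypt(key, p)
               for p in (rng.randrange(1 << BLOCK_BITS) for _ in range(samples)))


def weak_key_fraction(base_key=0x0123456789ABCD00):
    """Sweep all 2**ROUNDS structure selections on top of one base key and
    report the fraction whose structure is fully recoverable by affine_model."""
    weak = sum(model_matches((base_key & ~((1 << ROUNDS) - 1)) | s)
               for s in range(1 << ROUNDS))
    return weak / (1 << ROUNDS)


if __name__ == "__main__":
    print("all-linear structure broken:", model_matches(0x0123456789ABCD00))
    print("all-S-box structure broken:", model_matches(0x0123456789ABCDFF))
    print("fraction of weak structures:", weak_key_fraction())
```

The sweep reports 1/256 of structures as fully affine, which is the weak-key density this design builds in regardless of how good the remaining rounds are; a fixed-structure cipher has no such class by construction. The example only attacks the all-linear class; structures with one or two S-box rounds are also far weaker than the full eight and would need a different (but still easy) attack, so the real fraction of "much weaker" keys is larger than the number printed.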

