Re: ECB+CTR Mode?

From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: 08/11/03


Date: Mon, 11 Aug 2003 16:24:05 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Wooding wrote:
| Tom St Denis <tomstdenis@iahu.ca> wrote:
|
|
|>Last I checked OBC [or what not]
|
|
| OCB, by Phillip Rogaway.
|
|
|>was the only mode to provide both security and authentication.
|
|
| Err... I presume you mean `secrecy' where you said `security'. Both
| secrecy and authenticity are security goals, and there are others. And
| you're wrong. Check out Jutla's IACBC and IAPM, and Gligor and
| Donescu's XECB and XCBC; and then see EAX (Bellare, Rogaway, and Wagner)
| and CWC (Kohno, Viega, and Whiting). All of these come with security
| proofs, and I have no reason to think they're invalid.

Oh look at me. I'm mark, I know what I'm talking about, oh
lad-y-dah!... [kiddin!]

Yeah, I dunno I'm just a big fan of simplicity, CTR+HMAC :-)

Unfortunately none of those "protocols" are a standard? [right?] so
adopting one may be troublesome.

|>Ironically the NIST standard "OMAC" only provides a MAC
|
|
| Your idea of irony is very odd. And it looks to me as if OMAC does what
| it says on the tin.

If I am not mistaken several of the modes you listed were offered to the
NIST submission process. I think standardizing a secrey+authentication
protocol would do more than standardizing one that doesn't.

|>[so you might as well use HMAC since it will allow you to use other
|>hashes with bigger digest sizes].
|
|
| Depends. Many applications will truncate MAC tags, because they need
| only be unpredictable in their entirety. A 128-bit tag is quite
| sufficient for most applications, and using the same 128-bit block
| cipher for both means that you don't have to assume the security of some
| hash function like SHA1.

If collision resistance is not a goal than MD4 would be ideally
suitable. Would it not?

Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/N8MfsP+tEsHHY0ARAtsCAJ9TxqGXGi7+cxBCXaFsSbFEkin4MwCcDAQB
MzGv+grLhE979MfHS7NOdbo=
=t5/q
-----END PGP SIGNATURE-----



Relevant Pages

  • Re: Windows XP Running Slow
    ... There will be 3 sections of interest- Applications, Security, and System. ... "SC Tom" wrote: ... (I have a fast cable internet provider) ... use Task Manager or Process Explorer ...
    (microsoft.public.windowsxp.general)
  • Re: Event 5038
    ... "SC Tom" wrote: ... Go to event viewer and open the security event log. ... Right click Security once more and choose "Save Filter to Custom View". ...
    (microsoft.public.windows.vista.performance_maintenance)
  • [Full-Disclosure] The "Drew Copley is a prick" Poll update (vote++)
    ... Hi Tom, Happy 4th July. ... we do love the summer holidays, each year more pre-pubescents emerge, ... "Provide Security - Making the Inetrnet a Secure Place of Business" ... doesn't your complete understanding of the law mean you should are MAKING ...
    (Full-Disclosure)
  • Re: Test for Quadratic Residues?
    ... Tom St Denis wrote: ... >> count in the modulus affect the security of El Gamal? ... > You can also test for QR by computing the Jacobi symbol. ... What's the other reason? ...
    (sci.crypt)
  • Re: ECB+CTR Mode?
    ... OCB, by Phillip Rogaway. ... I presume you mean `secrecy' where you said `security'. ... Many applications will truncate MAC tags, ...
    (sci.crypt)