# Re: Universal re-encryption

From: Simon Johnson (Ckwop_at_hotmail.com)
Date: 10/21/03

```Date: Tue, 21 Oct 2003 08:29:30 +0000 (UTC)

```

Peter Fairbrother wrote:
> Suppose a message, already CBC encrypted with random IV to prevent known
> plaintext attacks, of b blocks. We then exponentiate each block of the
> encrypted message to a secret exponent, modulo a Sophie-Germain large prime
> slightly less than our block size.
>
> If we wish we can then reencrypt by exponentiating again with another secret
> exponent, and change the ciphertext to be unrecognisable as a modified
> version of the same (encrypted) plaintext (ignoring for the moment that the
> number of blocks is constant). We don't have to know the original exponent
> used to do the re-encryption.

I understand the construction but i have: "What's the purpose of the
exponentiation?" Is it just to strengthen the a cipher? If so, there are
other ways to strengthen the cipher that aren't as slow as
exponentiation, like adding more rounds to the underlying block cipher?.

We design cryptographic primitives, such as ciphers, with either of both
of these purposes in mind:

1. To demonstrate a new concept (further the field)
2. To use it in the field as part of a wider cryptosystem.

The question I ask (and it's not meant to be an insult - everyone who
ever makes a toy cipher is guilty of this - me included) is which of the
two purposes does yours fulfill.

If you choose '1' then it's not a new design and has already been
studied. If you choose '2' then there are more efficient encryption
solutions available.

If you're worried that AES is weak then you're looking at your threat
model the wrong way. Let's say there's an attack on AES requiring 6
known plain-texts and 2^68 work. It's highly unlikely that the
encryption is the weakest link and that means an attacker probably wont
attack the encryption - they'll install a key logger or install a covert
might even bribe your employees.. indeed, in some cases the cost of
attacking the encryption might be greater than the purchase price of the
company.

My point is that encryption is only a very small part of a much wider
system and if the rest of your system is weak.. then you're buggered.

Simon.

```--
To bypass the mail filter type Jafi98 someone in the subject line.
```

## Relevant Pages

• Re: Countering chosen-plaintext attacks
... > One can defend against a chosen plaintext attack against DES by using ... > cipher, without making the scenario of a chosen plaintext submitted to ... > the full encryption method impossible. ... > the chosen-plaintext scenario. ...
(sci.crypt)
• Re: My little something...
... encryption time is not a negligible cost. ... most unlikely attack is not a good use of your time, and may, as always, give ... a false sense of security. ... MITM attack would only be possible if I used SAME CIPHER twice. ...
(sci.crypt)
• Re: Weak keys in CDX-2
... because I'm working on an attack. ... >> variable block cipher. ... >> usually create problems such as managing reverse diffusion. ... the encryption is done in a circular direction, ...
(sci.crypt)
• Re: [PATCH] Delete cryptoloop
... >> chosen plain text attack. ... > It assures against key revovery through chosen plain text attacks. ... > before, the purpose of this attack is not to break encryption, but to prove ... > special properties - independent of cipher or key size. ...
(Linux-Kernel)
• RE: AES-256 encryption
... but brute-force attack against the cyphertext won't ... if the password used for encryption is a week password (like ... Need to secure your web apps NOW? ... buy it or download a solution FREE today! ...
(Pen-Test)