Re: Countering chosen-plaintext attacks
From: AE (hidden_at_nospam.com)
Date: 03/09/04
- Next message: Arnold Reinhold: "Diceware now available in Spanish and Polish"
- Previous message: Peter Fairbrother: "Re: Use of Pseudo Random Generators for One Time Pad?"
- In reply to: Mok-Kong Shen: "Re: Countering chosen-plaintext attacks"
- Next in thread: Mok-Kong Shen: "Re: Countering chosen-plaintext attacks"
- Reply: Mok-Kong Shen: "Re: Countering chosen-plaintext attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 09 Mar 2004 20:11:56 +0100
Mok-Kong Shen wrote:
> AE wrote:
>> ...
>> Of course when using AES or Twofish the question arises how severe the
>> danger of a chosen-plaintext attack might be - if this is the worst
>> problem an implementation has it's by far the best system ever.
>>
>> Once much weaker ciphers are concerned I don't have a good feeling any
>> more.
>
> But one could discuss whether alternative, possibly cheaper,
> solutions could be found, couldn't one? Note that Pires
> seems to want to categorically negate that possibility.
>
>> ...
>> Surely - but you are nowhere describing whether S is used to change P :o)
> ...
> S is a changing value, it is commonly used to xor
> ...
That's what I would have expected. Just good
>> ...
>> Using the four parts separately means to change from one cipher using
>> a keysize of 128 bit to four independent ciphers with keysizes of 32
>> bit each - which reduces effective keysize to 34 bit in best case.
>
>
> ...
> But the S goes as a whole into the 128-bit
> block cipher. So the contribution of the four chunks gets
> well mixed in it and comes out as C to affect the next
> chaining value S (which is once again divided up into
> four parts). I agree it is a little bit poorer than the
> case where S is always treated as a whole of 128 bits.
Yes - _little_ bit - a brute-force attack against all four takes only
2^34 encryptions - that's indeed slightly less than 2^128.
> But I believe this compromise could be justified on
> economical grounds.
Till now I'm not convinced the whole construction could be justified ...
>> ...
>> Well the whole concept is to create a stream cipher, isn't it?
>
> Since I doubt of having properly understood the meaning of
> your question, I put below two different answers corresponding
> to my two different interpretations of your words. (Please
> pick the one that is appropriate.)
That's answer (A) :-)
> (A) I wouldn't consider that (my proposed, new) block chaining
> as a stream cipher. A stream cipher could also be used for
> that purpose (cf. Savard's post), but its work would be
> independent of the ciphertext output from the given block
> cipher, while the value S has also contribution from the
> ciphertext C. P and C are sort of interwoven in S and S
> as a chaining value affects the processing of P and hence
> again C. This is why the scheme could also protect against
> chosen-ciphertext attacks, as I said previously.
Well - usage of RC4 would require more time for key-setup but I would
expect it to be faster than your construction and there wouldn't be a
problem with error-propagation.
> ...
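AE's point above, that using the four 32-bit parts of S with independent 32-bit keyings collapses the brute-force cost from 2^128 to 4 * 2^32 = 2^34, is the standard divide-and-conquer argument: when each chunk of the output depends on its own chunk of the key alone, an attacker with a couple of known plaintext/ciphertext blocks recovers each key chunk separately and adds the costs instead of multiplying them. The following Python is an added illustration, not part of this thread and not Mok-Kong Shen's actual construction; it scales the structure down to four hypothetical 12-bit chunks with a hypothetical toy mixing function (`toy_chunk_cipher`) so the search runs instantly, and the sample key and plaintext blocks are constructed.

```python
import math
from typing import List, Tuple

# Hypothetical toy parameters: 12-bit chunks stand in for the 32-bit parts in the
# thread, so the search finishes instantly while the structure is the same.
CHUNK_BITS = 12
CHUNKS = 4
MASK = (1 << CHUNK_BITS) - 1


def work_factor_bits(chunks: int, bits_per_chunk: int) -> float:
    """log2 of the trials needed to brute-force `chunks` independent keys of
    `bits_per_chunk` bits each: chunks * 2**bits, not 2**(chunks*bits).
    For 4 x 32 bit this is 34, the figure AE gives in the thread."""
    return math.log2(chunks * (1 << bits_per_chunk))


def toy_chunk_cipher(k: int, p: int) -> int:
    """Hypothetical invertible mixing of one 12-bit chunk under one independent subkey.
    Only a stand-in for 'a cipher keyed with 32 bits'; its strength is irrelevant to
    the point, which is that each output chunk depends on its own subkey alone."""
    x = (p ^ k) & MASK
    x = (x * 0x7A5) & MASK                              # odd multiplier: bijective mod 2^12
    x = ((x << 5) | (x >> (CHUNK_BITS - 5))) & MASK    # 12-bit rotation
    return x ^ ((k * 3) & MASK)


def encrypt_split(key_chunks: List[int], plain_chunks: List[int]) -> List[int]:
    """The criticised structure: four chunks, each processed under its own subkey."""
    return [toy_chunk_cipher(k, p) for k, p in zip(key_chunks, plain_chunks)]


def recover_split_key(pairs: List[Tuple[List[int], List[int]]]) -> Tuple[List[List[int]], int]:
    """Divide-and-conquer over a few known plaintext/ciphertext blocks: every subkey is
    searched on its own, so the total work is CHUNKS * 2**CHUNK_BITS trial encryptions.
    Returns, per chunk, all subkeys consistent with the known pairs, and the trial count."""
    candidates: List[List[int]] = []
    trials = 0
    for i in range(CHUNKS):
        consistent = []
        for guess in range(1 << CHUNK_BITS):
            trials += 1
            if all(toy_chunk_cipher(guess, p[i]) == c[i] for p, c in pairs):
                consistent.append(guess)
        candidates.append(consistent)
    return candidates, trials


def demo() -> Tuple[List[int], List[List[int]], int]:
    # Constructed sample: a fixed 48-bit key split into four 12-bit subkeys, and two
    # constructed known-plaintext blocks (each chunk is a 12-bit value).
    key_chunks = [0x3A7, 0x0F1, 0xC02, 0x55E]
    plains = [[0x123, 0x456, 0x789, 0xABC], [0xFED, 0xCBA, 0x987, 0x654]]
    pairs = [(p, encrypt_split(key_chunks, p)) for p in plains]
    candidates, trials = recover_split_key(pairs)
    return key_chunks, candidates, trials


if __name__ == "__main__":
    key_chunks, candidates, trials = demo()
    print("true subkeys:", [hex(k) for k in key_chunks])
    print("subkeys consistent with the known pairs:", [[hex(c) for c in cs] for cs in candidates])
    print(f"trials: {trials} = {CHUNKS} * 2^{CHUNK_BITS}, versus 2^{CHUNKS * CHUNK_BITS} for a whole key")
    print("thread's figure for 4 x 32 bit:", work_factor_bits(4, 32), "bits")
```

The design lesson is the one AE draws: whatever the per-chunk primitive is, a scheme whose parts are keyed and evaluated independently is only as strong as the sum of its parts, so a chaining value or key should enter the cipher as a whole (as Mok-Kong Shen's reply argues S does in the 128-bit block step) rather than as separately keyed pieces. A second known block is used so that the candidate list for each chunk is almost always just the true subkey; with a single block, a 12-bit-in, 12-bit-out function is expected to leave about one false candidate per chunk.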