Re: A Simple Encryption Mode that "Feels" Secure
From: John Savard (jsavard_at_excxn.aNOSPAMb.cdn.invalid)
Date: 11/01/04
- Next message: D. J. Bernstein: "Re: Who's familiar with random oracle model?"
- Previous message: John Savard: "Re: A Simple Encryption Mode that "Feels" Secure"
- In reply to: David Wagner: "Re: A Simple Encryption Mode that "Feels" Secure"
- Next in thread: David Wagner: "Re: A Simple Encryption Mode that "Feels" Secure"
- Reply: David Wagner: "Re: A Simple Encryption Mode that "Feels" Secure"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 01 Nov 2004 17:59:29 GMT
On Mon, 1 Nov 2004 08:39:40 +0000 (UTC), daw@taverner.cs.berkeley.edu
(David Wagner) wrote, in part:

>My list was CCM, CWC, EAX, GCM. To be clear: The modes on my list are
>not patented (to the best of my knowledge).

CCM is the one that has been accepted as a standard, but which requires
two block cipher operations for every plaintext block, since it uses
CBC-MAC for confidentiality, and CTR mode for secrecy.

EAX has the same problem as CCM, and, in fact, is constructed on the
same principles.

G/CM is a counter mode but it involves a Galois Field multiplication for
each block. This one is just as good as the patented modes OCB, IACBC,
and XCBC as far as overhead is concerned, and, like OCB and IACBC, it
involves constructs that might be felt too complicated for a universal
standard - one which everyone would implement, even if they weren't
really convinced that it would be better than something simple, like CBC
mode.

But I see my understanding of CWC was flawed.

A counter is used that is composed of a number of fields, but that
counter is encrypted by a block cipher, and the full 128-bit result is
applied to a full 128 bits of the message. The hash function involves
dividing the message into 96 bit parts, performing a computation on
them, and then encrypting the result once. So CWC has no problems in
terms of overhead either. Its only flaw, like G/CM and the patented
modes noted, is that it's a little complicated.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html
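
The per-block Galois field multiplication mentioned in the message above for G/CM, as an added example that is not part of the original post: a Python sketch of GCM's GHASH that counts the multiplications it performs (one per 128-bit block, plus one for the final length block). The function names `gf_mult`, `ghash` and `tag_for_test_case_2` are chosen here for illustration; the constants are Test Case 2 of the GCM specification (all-zero key, IV and plaintext block), so no block cipher code is needed.

```python
# Added illustration; not code from the post or from any GCM implementation.
R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1


def gf_mult(x, y):
    """Multiply two GF(2^128) elements in GCM's bit order (bit 0 is the MSB)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # bit i of x, counted from the left
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v = v * x mod the polynomial
    return z


def ghash(h, aad, ct):
    """Return (GHASH value, number of field multiplications performed)."""
    def blocks(data):
        # Split into 128-bit blocks, zero-padding the last one.
        for off in range(0, len(data), 16):
            yield int.from_bytes(data[off:off + 16].ljust(16, b"\0"), "big")

    length_block = (8 * len(aad)) << 64 | 8 * len(ct)
    x, mults = 0, 0
    for blk in [*blocks(aad), *blocks(ct), length_block]:
        x = gf_mult(x ^ blk, h)    # the one multiplication per block
        mults += 1
    return x, mults


# GCM specification Test Case 2 (published test vector values).
H = int("66e94bd4ef8a2c3b884cfa59ca342b2e", 16)      # E_K(0^128), the hash key
EK_Y0 = int("58e2fccefa7e3061367f1d57a4e7455a", 16)  # E_K(Y0), masks the tag
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")


def tag_for_test_case_2():
    """Tag = GHASH(H, A, C) XOR E_K(Y0); also report the multiplication count."""
    digest, mults = ghash(H, b"", CT)
    return digest ^ EK_Y0, mults


if __name__ == "__main__":
    tag, mults = tag_for_test_case_2()
    print(f"tag={tag:032x} multiplications={mults}")
```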