Re: Authenticating encrypted messages?
From: Mok-Kong Shen (mok-kong.shen_at_t-online.de)
Date: 11/27/04
- Next message: Mok-Kong Shen: "Re: Authenticating encrypted messages?"
- Previous message: sammy: "Re: AES: Conference and Details?"
- In reply to: Francois Grieu: "Re: Authenticating encrypted messages?"
- Next in thread: Mok-Kong Shen: "Re: Authenticating encrypted messages?"
- Reply: Mok-Kong Shen: "Re: Authenticating encrypted messages?"
- Reply: Francois Grieu: "Re: Authenticating encrypted messages?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Nov 2004 14:27:38 +0100
Francois Grieu wrote:
[snip]
> And wait, the whole scheme is insecure in the general case:
> changing Cj for any j<n is not detected. Root issue is that
> Pj = DEC(C{j+1}) XOR Xj
> X{j+1} = Xj XOR Pj XOR C{j+1}
> implies
> X{j+1} = DEC(C{j+1}) XOR C{j+1}
> therefore any change in the ciphertext cancels out and leaves
> what follows in the decryption unchanged.
While in an earlier response to this I returned to an idea of
mine in another previous thread, namely incorporating a non-linear
combination of P and C blocks into the chaining value X (the use
of data-dependent rotations seems to be an efficient prospect),
it occurs to me that the problem of cancelling above wouldn't
exist if one uses modular addition in place of XOR. For one
has then (mod 2^n, n being the block size):
Pj = DEC(C{j+1}) + Xj
X{j+1} = Xj + Pj + C{j+1}
X{j+1} = 2*Xj + DEC(C{j+1}) + C{j+1}
Now, if C{j+1} is changed to C{j+1}', DEC(C{j+1}') + C{j+1}'
is extremely unlikely to equal DEC(C{j+1}) + C{j+1} for
a good block cipher, so that X{j+1} would get changed and
hence, by the last equation above, X{j+k} (k>1) would also
get changed, i.e. there is error propagation.
Is this argumentation OK in your opinion?
In my follow-up to Gregory Rose, I wrote "using the modular
sum (or xor) of all preceding ciphertext and plaintext blocks
as the chaining value of the current block". This "(or xor)"
is evidently wrong, as you have shown. In doing the modular
sum, I think one could just as well (as a compromise for
gaining a bit of efficiency) do a word-wise summing instead of
treating entire blocks (consisting of several words) as whole
numbers. (Of course, one could, if one desires, additionally
employ data-dependent rotations of words so as to render the
relationship among the X's more complicated.)
M. K. Shen
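An added illustration, not code from the thread, of both chaining recurrences as the receiver runs them, checking whether a flipped bit in ciphertext block j reaches the final chaining value: with XOR the final X depends only on the last block, as Grieu shows, while with modular addition it does not, as argued in the post. It also goes one step beyond the post by testing the 2*Xj term of the last equation when the tampered block is followed by n or more blocks, since 2^k*Xj vanishes mod 2^n once k >= n. Assumptions: a seeded 16-bit random permutation stands in for the block cipher, the ciphertext blocks and IV are constructed, and the names `receiver_chain` and `tamper_effects` are chosen here for the example.

```python
import random

N_BITS = 16
MASK = (1 << N_BITS) - 1

# Constructed stand-in for the block cipher: a seeded random permutation of
# 16-bit values (small on purpose, so the mod 2^n behaviour is easy to see).
_rng = random.Random(2004)
_ENC = list(range(1 << N_BITS))
_rng.shuffle(_ENC)
_DEC = [0] * (1 << N_BITS)
for _x, _y in enumerate(_ENC):
    _DEC[_y] = _x


def receiver_chain(ct, iv, mode):
    """Receiver-side recurrence over all ciphertext blocks; returns final X.
    "xor": P = DEC(C) ^ X,  X' = X ^ P ^ C           (scheme Grieu quotes)
    "add": P = DEC(C) + X,  X' = X + P + C  mod 2^n  (Shen's proposal)
    """
    x = iv
    for c in ct:
        if mode == "xor":
            p = _DEC[c] ^ x
            x = x ^ p ^ c
        else:
            p = (_DEC[c] + x) & MASK
            x = (x + p + c) & MASK
    return x


def tamper_effects(ct, iv, mode, j, tries=4):
    """Flip `tries` single bits of ct[j]; count how many change the final X."""
    baseline = receiver_chain(ct, iv, mode)
    changed = 0
    for bit in range(tries):
        forged = list(ct)
        forged[j] ^= 1 << bit
        if receiver_chain(forged, iv, mode) != baseline:
            changed += 1
    return changed


# Constructed sample message: 20 ciphertext blocks and an IV.
SAMPLE_CT = random.Random(27).sample(range(1 << N_BITS), 20)
SAMPLE_IV = 0x1234

if __name__ == "__main__":
    # Block 0 has 19 blocks after it, block 3 has 16 (= N_BITS), block 19 none.
    for mode in ("xor", "add"):
        for j in (0, 3, 4, 19):
            print(mode, "block", j, "->", tamper_effects(SAMPLE_CT, SAMPLE_IV, mode, j))
```

With 16-bit blocks, a flip in block 3 (16 blocks before the end) leaves the additive final X untouched just as XOR does, while a flip in the last block changes it; a flip in block 4 (15 blocks before the end) only shows up when the change to DEC(C)+C is odd.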