Re: Pitfalls in CFB mode?
- From: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
- Date: Sun, 18 Jun 2006 18:27:52 +0000 (UTC)
Kristian Gjøsteen wrote:
> Couldn't you just shorten the shift register by an appropriate amount?
Sure, but you don't dare shorten it too much. If you shorten it so that
only n bits of ciphertext enter the shift register (and the remaining
128-n bits are constant), then thanks to the birthday paradox, the
resulting scheme will only be secure for encrypting up to around 2^{n/2}
blocks of plaintext. The first time there is any repeat in those n-bit
values, the subsequent block will be encrypted with the equivalent of
the two-time pad, which isn't good. For instance, if you use AES but
with the shift register shortened to n=64 bits, then you'll only be
secure for encrypting up to a few billion blocks of data.
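The effect described above can be reproduced with a small simulation. This is an added example, not code from the post or the thread: it implements CFB with a shortened shift register (only the low n bits of the previous ciphertext block feed back; the other 128-n bits stay fixed at the IV's bits), runs it on constructed plaintext, finds the first repeated register value, and checks that the two blocks encrypted under the repeated value leak the XOR of their plaintexts, exactly the two-time pad situation. The block cipher is replaced by HMAC-SHA256 truncated to 16 bytes (an assumption, chosen so the code runs with the standard library; the argument only needs a pseudorandom function, not AES specifically), and n=16 is used so the collision shows up within a few hundred blocks instead of a few billion.

```python
import hashlib
import hmac
import math

BLOCK = 16  # 128-bit blocks, as in the AES example in the post


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption: HMAC-SHA256 truncated to
    16 bytes is a pseudorandom function; the birthday argument needs nothing more)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def truncated_cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes, n: int):
    """CFB where only the low n bits of the previous ciphertext block enter the
    shift register; the remaining 128-n bits are held constant (taken from the IV).
    Returns the ciphertext and the list of register values fed to the cipher."""
    assert len(iv) == BLOCK and 0 < n <= 128 and len(plaintext) % BLOCK == 0
    mask = (1 << n) - 1
    iv_int = int.from_bytes(iv, "big")
    const_part = iv_int & ~mask          # the 128-n bits that never change
    reg = iv_int                         # first register input is the IV itself
    out = bytearray()
    regs = []
    for i in range(0, len(plaintext), BLOCK):
        regs.append(reg)
        keystream = prf_block(key, reg.to_bytes(BLOCK, "big"))
        c = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], keystream))
        out += c
        # only n bits of ciphertext feed back; the rest of the register is constant
        reg = const_part | (int.from_bytes(c, "big") & mask)
    return bytes(out), regs


def first_register_repeat(regs):
    """Return (i, j) for the first register value seen twice, or None."""
    seen = {}
    for j, r in enumerate(regs):
        if r in seen:
            return seen[r], j
        seen[r] = j
    return None


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def birthday_blocks(n: int) -> float:
    """Expected number of blocks before the first repeat among n-bit register
    values: sqrt(pi/2 * 2^n). For n=64 this is a few billion, as the post says."""
    return math.sqrt(math.pi / 2 * 2 ** n)


def two_time_pad_leak(n: int, blocks: int):
    """Encrypt `blocks` constructed plaintext blocks with an n-bit feedback register
    and report whether the first register collision leaks P_i XOR P_j."""
    key = b"\x11" * BLOCK   # constructed demo key
    iv = b"\x22" * BLOCK    # constructed demo IV
    # constructed plaintext: deterministic pseudo-random bytes so the run is reproducible
    plaintext = b"".join(
        hashlib.sha256(k.to_bytes(4, "big")).digest()[:BLOCK] for k in range(blocks)
    )
    ciphertext, regs = truncated_cfb_encrypt(key, iv, plaintext, n)
    hit = first_register_repeat(regs)
    if hit is None:
        return None
    i, j = hit

    def blk(buf, k):
        return buf[k * BLOCK:(k + 1) * BLOCK]

    # same register value -> same keystream block -> C_i XOR C_j == P_i XOR P_j
    leaked = xor_blocks(blk(ciphertext, i), blk(ciphertext, j))
    actual = xor_blocks(blk(plaintext, i), blk(plaintext, j))
    return {"i": i, "j": j, "leak_matches": leaked == actual}


if __name__ == "__main__":
    # with n=16 a repeat is guaranteed within 2^16 + 1 blocks and expected after ~320
    print(two_time_pad_leak(16, 2 ** 16 + 1))
    print("expected blocks to first repeat, n=64:", birthday_blocks(64))
```

With the full 128-bit register (n=128) the same function finds no repeat in any practical number of blocks, which is the point of keeping the whole ciphertext block in the feedback path.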