Re: David's authenticated encryption mode.
- From: "Tom St Denis" <tomstdenis@xxxxxxxxx>
- Date: 29 Aug 2006 16:13:37 -0700
David Gothberg wrote:
> Tom St Denis wrote:
>> It looks nice, but my concern is that an attacker can learn the
>> intermediate values of H[0], H[1], etc before the final output. Will
>> that affect the security of the MAC?
>> Tom
> Thanks for thinking it looks nice. And yes, that the attacker can guess
> some of the intermediate hashes probably is the main concern. I am no
> cryptanalyst, but as far as I understand it should not be a problem for
> several reasons:
Look at it a bit more carefully.
The key for the last encrypt is actually
Key xor 2 xor m1 xor E(m1) xor H0 xor Key xor 3
The keys cancel out and we know 2 xor 3 xor m1 xor H0 [since we know m1
and H0]. So the unknown bit of the key for the last encrypt is merely
E(m1). I still think it's a bad idea to know the intermediate values of
the chained MAC.
Also the key xors outside the encrypt don't contribute anything since
they cancel out.
H0 = E_{key xor H-1}(m0) xor m0
H1 = E_{key xor H0}(m1) xor m1
etc...
Should be enough, at least for a hash.
Aside from all this keep in mind you are invoking the key schedule for
every block. Few ciphers are efficient in that model.
Tom
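Added illustration, not code from the thread or from David's mode: the chain Tom sketches above, H_i = E_{key xor H_{i-1}}(m_i) xor m_i, run on an assumed toy 32-bit Feistel cipher with an explicit key schedule, so the per-block key-schedule cost Tom mentions can be counted against plain CBC-MAC. The cipher, its schedule, the IV and the sample message are constructed for illustration only.

```python
# Added example (not from the thread): Tom's sketch H_i = E_{key ^ H_{i-1}}(m_i) ^ m_i
# on a TOY 32-bit Feistel cipher, so key-schedule invocations can be counted.
# The cipher, its schedule and the IV are assumptions; nothing here is secure.
ROUNDS = 8
schedule_calls = 0  # counts how often the key schedule runs

def key_schedule(key):
    """Toy schedule: expand a 32-bit key into ROUNDS 16-bit round keys."""
    global schedule_calls
    schedule_calls += 1
    rks, k = [], key & 0xFFFFFFFF
    for i in range(ROUNDS):
        k = ((k * 0x9E3779B1) + i) & 0xFFFFFFFF   # cheap mixing, not cryptographic
        k ^= k >> 15
        rks.append(k & 0xFFFF)
    return rks

def encrypt_block(round_keys, block):
    """Toy 32-bit Feistel: block = L||R, 16 bits each."""
    l, r = (block >> 16) & 0xFFFF, block & 0xFFFF
    for rk in round_keys:
        f = ((r ^ rk) * 0x4F1B + (r << 3)) & 0xFFFF
        l, r = r, l ^ f
    return (l << 16) | r

def chained_hash(key, blocks, iv=0):
    """H_i = E_{key xor H_{i-1}}(m_i) xor m_i. The cipher key changes with every
    H_{i-1}, so the schedule runs once per block. Returns (tag, [H_0, H_1, ...])."""
    h, chain = iv, []
    for m in blocks:
        rks = key_schedule(key ^ h)          # fresh schedule for each block
        h = encrypt_block(rks, m) ^ m
        chain.append(h)                      # these are the exposed intermediates
    return h, chain

def cbc_mac(key, blocks, iv=0):
    """Plain CBC-MAC for comparison: one key schedule for the whole message."""
    rks = key_schedule(key)
    c = iv
    for m in blocks:
        c = encrypt_block(rks, c ^ m)
    return c

def schedule_cost(fn, key, blocks):
    """Number of key-schedule invocations fn makes on this message."""
    global schedule_calls
    schedule_calls = 0
    fn(key, blocks)
    return schedule_calls
```

With a four-block message the chained construction runs the schedule four times where CBC-MAC runs it once, which is the cost Tom is pointing at.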