Re: Key-based cryptographic modes

Jeff Dege wrote:
I've not seen one that mixed the prior block with the key - so that each
block was encrypted with a different key. And I can think of no
particular reason that this would not work.

Have these been discussed in the literature? Are there any particular
reasons why they're not used? Less secure? Harder to prove secure?
Fashion?

My guess would be a few reasons.

- Historical inertia.

- Such modes are only applicable to block ciphers where the key
length equals the block length, thereby reducing their generality.

- Many of the obvious ways I can think of doing this have security
problems, because they introduce the threat of related-key attacks.

- The existing schemes seem to be good enough.

Key-based chaining *is* viable for message authentication codes.
(For instance, set K[0] = K, K[i] = Encrypt(K[i-1], M[i]), where
Encrypt(k,x) denotes encryption of plaintext block x under key k;
for an n-block message M[1..n] chosen from a prefix-free message
space, use K[n] as your MAC.) I do not know why no one has proposed
MAC schemes based on chaining into the key variable. Maybe folks
are just happy enough with what they've already got that they don't
feel any need for anything different.
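The key-chaining MAC sketched above, worked through in Python as an added example (this is not code from the post or its author). The block cipher is a toy 64-bit Feistel network written only so the example runs offline; it is not a secure cipher, and the cipher, the length-prefix encoding and all names are this example's own assumptions. Because the next key is the previous block's ciphertext, the construction needs key length equal to block length, which is why the toy uses 8-byte keys and 8-byte blocks. The last function shows why the prefix-free requirement matters: the raw chain value for a message is exactly the starting key for any continuation of it, so the message space has to be encoded so that no valid message is a prefix of another.

```python
import hmac
import struct

BLOCK = 8            # bytes; key length must equal block length for key chaining
MASK32 = 0xFFFFFFFF
ROUNDS = 16


def _round_function(x: int, subkey: int) -> int:
    # Toy add-multiply-rotate-xor mixing of one 32-bit half under a subkey.
    x = (x ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    x ^= x >> 15
    return ((x << 13) | (x >> 19)) & MASK32


def _subkeys(key: bytes) -> list:
    # Per-round subkeys derived from the two 32-bit halves of the 8-byte key.
    k0, k1 = struct.unpack(">II", key)
    return [((k0 if i % 2 == 0 else k1) + (i + 1) * 0x9E3779B9) & MASK32
            for i in range(ROUNDS)]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """E(k, x): toy 16-round Feistel permutation of an 8-byte block under an 8-byte key."""
    assert len(key) == BLOCK and len(block) == BLOCK
    l, r = struct.unpack(">II", block)
    for sk in _subkeys(key):
        l, r = r, l ^ _round_function(r, sk)
    return struct.pack(">II", l, r)


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt (not needed for the MAC, included to show E is a permutation)."""
    assert len(key) == BLOCK and len(block) == BLOCK
    l, r = struct.unpack(">II", block)
    for sk in reversed(_subkeys(key)):
        l, r = r ^ _round_function(l, sk), l
    return struct.pack(">II", l, r)


def encode_prefix_free(msg: bytes) -> list:
    """Prepend the 8-byte message length and zero-pad to whole blocks.

    Assumed encoding: two messages of different length differ in block 1; two
    of the same length occupy the same number of blocks, so no encoding is a
    proper prefix of another, which is the prefix-free property the post requires.
    """
    data = struct.pack(">Q", len(msg)) + msg
    if len(data) % BLOCK:
        data += b"\x00" * (BLOCK - len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def chain_key(key: bytes, blocks) -> bytes:
    """K[0] = key, K[i] = E(K[i-1], M[i]); returns K[n]."""
    k = key
    for m in blocks:
        k = toy_encrypt(k, m)
    return k


def key_chain_mac(key: bytes, msg: bytes) -> bytes:
    """Tag = K[n] over the prefix-free encoding of msg."""
    return chain_key(key, encode_prefix_free(msg))


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison so verification timing does not leak tag bytes.
    return hmac.compare_digest(key_chain_mac(key, msg), tag)


def raw_chain_is_extendable(key: bytes, head, tail) -> bool:
    """Why prefix-freeness is needed: without the encoding, the chain value of
    `head` is the starting key for `head + tail`, so anyone holding K[n] for a
    prefix could continue the chain without knowing K."""
    return chain_key(key, head + tail) == chain_key(chain_key(key, head), tail)


if __name__ == "__main__":
    k = b"\x01" * BLOCK                       # constructed sample key
    tag = key_chain_mac(k, b"transfer 100")   # constructed sample message
    print(tag.hex(), verify(k, b"transfer 100", tag), verify(k, b"transfer 900", tag))
```

Note that `verify` on a same-length forgery always fails: both encodings share the first (length) block, so K[1] is equal, and E under the same K[1] is a permutation, so the differing block cannot map to the same K[2].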
