Re: Key-based cryptographic modes

Jeff Dege wrote:
I've not seen one that mixed the prior block with the key - so that each
block was encrypted with a different key. And I can think of no
particular reason that this would not work.

Have these been discussed in the literature? Are there any particular
reasons why they're not used? Less secure? Harder to prove secure?

My guess would be a few reasons.

- Historical inertia.

- Such modes are only applicable to block ciphers where the key
length equals the block length, thereby reducing their generality.

- Many of the obvious ways I can think of doing this have security
problems, because they introduce the threat of related-key attacks.

- The existing schemes seem to be good enough.

Key-based chaining *is* viable for message authentication codes.
(For instance, set K[0] = K, K[i] = Encrypt(K[i-1], M[i]), where
Encrypt(k,x) denotes encryption of plaintext block x under key k;
for a n-block message M[1..n] chosen from a prefix-free message
space, use K[n] as your MAC.) I do not know why no one has proposed
MAC schemes based on chaining into the key variable. Maybe folks
are just happy enough with what they've already got that they don't
feel any need for anything different.