# Re: Key-based cryptographic modes

*From*: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)

*Date*: Fri, 22 Dec 2006 04:57:05 +0000 (UTC)

Jeff Dege wrote:

> I've not seen one that mixed the prior block with the key - so that each block was encrypted with a different key. And I can think of no particular reason that this would not work.
>
> Have these been discussed in the literature? Are there any particular reasons why they're not used? Less secure? Harder to prove secure? Fashion?

My guess would be a few reasons.

- Historical inertia.
- Such modes are only applicable to block ciphers where the key length equals the block length, thereby reducing their generality.
- Many of the obvious ways I can think of doing this have security problems, because they introduce the threat of related-key attacks.
- The existing schemes seem to be good enough.

Key-based chaining *is* viable for message authentication codes. (For instance, set K[0] = K, K[i] = Encrypt(K[i-1], M[i]), where Encrypt(k,x) denotes encryption of plaintext block x under key k; for an n-block message M[1..n] chosen from a prefix-free message space, use K[n] as your MAC.) I do not know why no one has proposed MAC schemes based on chaining into the key variable. Maybe folks are just happy enough with what they've already got that they don't feel any need for anything different.
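The key-chained MAC sketched in the reply above, worked through as an added example (not code from the original post or from its author). It assumes a block cipher whose key length equals its block length, as the reply requires; since the verifier may not have a real cipher library, a toy 16-byte-block Feistel permutation built from SHA-256 stands in for one (it is a permutation for every key, but has no security claim and exists only so the construction runs offline). The `encode_prefix_free` helper is also an assumption: it realises the reply's "prefix-free message space" by putting the message length in a leading block. The two check functions at the end show why that condition matters: on raw blocks, the tag of M[1..n] is simply the chaining key that the tag of M[1..n+1] is computed from, so the chain for a longer message continues from the shorter one's tag, whereas with the length-prefixed encoding the two chains diverge at the first block.

```python
import hashlib
import struct

BLOCK = 16  # toy cipher: 128-bit block and 128-bit key (key length == block length)


def _round_function(subkey, half):
    # Feistel round function: keyed hash of one 8-byte half, truncated to 8 bytes.
    return hashlib.sha256(subkey + half).digest()[:8]


def toy_encrypt(key, block):
    """Toy 8-round Feistel cipher: 16-byte key, 16-byte block. Stand-in only, NOT secure."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(8):
        subkey = hashlib.sha256(key + bytes([r])).digest()[:16]  # per-round subkey
        mixed = _round_function(subkey, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mixed))
    return left + right


def split_blocks(data):
    """Split a whole-block message into 16-byte blocks (no padding, no length)."""
    assert len(data) % BLOCK == 0, "raw chaining needs whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encode_prefix_free(msg):
    """Constructed prefix-free encoding: one length block, then zero-padded data blocks.
    No valid encoding is a prefix of another, because the first block fixes the length."""
    header = struct.pack(">Q", len(msg)).rjust(BLOCK, b"\x00")
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    return [header] + [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def key_chain(key, blocks):
    """K[0] = key; K[i] = Encrypt(K[i-1], M[i]); return K[n]. Each block uses a fresh key."""
    k = key
    for m in blocks:
        k = toy_encrypt(k, m)
    return k


def mac(key, msg):
    """The reply's MAC: chain over the prefix-free encoding and output K[n]."""
    return key_chain(key, encode_prefix_free(msg))


def raw_chain_continues(key, m1, m2):
    """Without a prefix-free encoding, the chain for m1||m2 is just the chain for m1,
    continued from its tag: the tag of m1 is the key used for the remaining blocks."""
    full = key_chain(key, split_blocks(m1 + m2))
    continued = key_chain(key_chain(key, split_blocks(m1)), split_blocks(m2))
    return full == continued


def encoded_chain_continues(key, m1, m2):
    """With the length-prefixed encoding the first block already differs, so the
    chain for m1||m2 does not pass through the tag of m1 (returns False)."""
    full = mac(key, m1 + m2)
    continued = key_chain(mac(key, m1), split_blocks(m2))
    return full == continued


if __name__ == "__main__":
    k = b"\x11" * BLOCK  # constructed sample key
    print(mac(k, b"hello").hex())
    print("raw chain continues:", raw_chain_continues(k, b"A" * 16, b"B" * 16))
    print("encoded chain continues:", encoded_chain_continues(k, b"A" * 16, b"B" * 16))
```

Swapping `toy_encrypt` for a real cipher with matching key and block sizes (AES-128 is the obvious candidate) leaves the construction unchanged; what the reply flags as the open question is not this mechanism but its security argument, since every block's key is derived from the previous ciphertext and so the cipher is being used under attacker-influenced, related keys.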
