Re: Key-based cryptographic modes
 From: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
 Date: Fri, 22 Dec 2006 04:57:05 +0000 (UTC)
Jeff Dege wrote:
> I've not seen one that mixed the prior block with the key so that each
> block was encrypted with a different key. And I can think of no
> particular reason that this would not work.
> Have these been discussed in the literature? Are there any particular
> reasons why they're not used? Less secure? Harder to prove secure?
> Fashion?
My guess would be a few reasons.
- Historical inertia.
- Such modes are only applicable to block ciphers where the key
  length equals the block length, thereby reducing their generality.
- Many of the obvious ways I can think of doing this have security
  problems, because they introduce the threat of related-key attacks.
- The existing schemes seem to be good enough.
Key-based chaining *is* viable for message authentication codes.
(For instance, set K[0] = K, K[i] = Encrypt(K[i-1], M[i]), where
Encrypt(k,x) denotes encryption of plaintext block x under key k;
for an n-block message M[1..n] chosen from a prefix-free message
space, use K[n] as your MAC.) I do not know why no one has proposed
MAC schemes based on chaining into the key variable. Maybe folks
are just happy enough with what they've already got that they don't
feel any need for anything different.
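The key-chaining MAC sketched above, written out as an added example (this is not code from Wagner's post; the function names, the choice of AES-128, and the length-prefix encoding are this example's own assumptions). AES-128 is used because its 16-byte key and 16-byte block satisfy the "key length equals block length" condition, so each ciphertext block can serve directly as the next key. The post requires a prefix-free message space; the example gets that by prepending one block carrying the message length, which is one common way to do it.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// AES-128: 16-byte key and 16-byte block, so the output of one block
// encryption has exactly the right size to become the next key.
const blockSize = aes.BlockSize

// encryptBlock is Encrypt(k, x) from the post: one block encryption of x under key k.
func encryptBlock(k, x []byte) ([]byte, error) {
	c, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, x)
	return out, nil
}

// keyChain is the bare chaining from the post: K[0] = key, K[i] = Encrypt(K[i-1], M[i]),
// returning K[n]. On its own it is only a MAC over a prefix-free message space.
func keyChain(key, msg []byte) ([]byte, error) {
	if len(key) != blockSize {
		return nil, errors.New("key must be 16 bytes so that key length equals block length")
	}
	if len(msg)%blockSize != 0 {
		return nil, errors.New("message must be a whole number of 16-byte blocks")
	}
	k := append([]byte(nil), key...) // K[0]
	for i := 0; i < len(msg); i += blockSize {
		next, err := encryptBlock(k, msg[i:i+blockSize]) // K[i] = Encrypt(K[i-1], M[i])
		if err != nil {
			return nil, err
		}
		k = next
	}
	return k, nil // K[n]
}

// KeyChainMAC makes the message space prefix-free by prepending one block that holds
// the message length in bytes (this example's encoding choice, not something the post
// specifies), then returns K[n] over the encoded message as the tag.
func KeyChainMAC(key, msg []byte) ([]byte, error) {
	hdr := make([]byte, blockSize)
	binary.BigEndian.PutUint64(hdr[8:], uint64(len(msg)))
	return keyChain(key, append(hdr, msg...))
}

// VerifyKeyChainMAC recomputes the tag and compares it in constant time.
func VerifyKeyChainMAC(key, msg, tag []byte) bool {
	want, err := KeyChainMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// Constructed sample key and two-block message; not real key material.
	key := []byte("0123456789abcdef")
	msg := []byte("block-one-16byteblock-two-16byte")
	tag, err := KeyChainMAC(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("tag:", hex.EncodeToString(tag))
	fmt.Println("verifies:", VerifyKeyChainMAC(key, msg, tag))
}
```

The bare `keyChain` function is kept separate from `KeyChainMAC` to make the prefix-free caveat concrete: for the unencoded chain, K[n] over M||X is simply Encrypt(K[n] over M, X), the same structural weakness CBC-MAC has on variable-length messages. Encoding the length into the first block means M and M||X no longer share a prefix, so their chains diverge from the very first step.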