Re: Blockcipher >256 bit (for hardware implementation)
- From: Mike Amling <spamonly@xxxxxxxxxxx>
- Date: 24 Jan 2007 14:31:40 EST
Kristian Gjøsteen wrote:
Luc The Perverse <sll_noSpamlicious_z_XXX_m@xxxxxxxxxx> wrote:
"Mike Amling" <spamonly@xxxxxxxxxxx> wrote in message news:ep62ts$a4@xxxxxxxxxxxxxxxxxxxxxxxxxx
Two iterations of Rijndael with block size 192 bits, with code-stealing to get the block size down to 320.
I was about to make several uneducated responses - instead, could someone explain what code stealing is?
You'll find it if you search for "ciphertext stealing".
Yes, that's what I meant. The mind is the first thing to go.
It is problematic in that if the first 192 bits of two plaintexts are
identical, that would make the first 320-192 = 128 bits equal. So this
leaks more information about the plaintext than one 320-bit block cipher
does. I don't know if the OP cares about that, though.
The ciphertext stealing is just intended to cobble up a new effective block size. It's not a substitute for a proper mode and a proper IV. Your condition "if the first 192 bits of two plaintexts are identical" applies just as well to a plain old 128-bit block size encryption performed without a proper mode and IV. (The OP's idea that somehow a 256-bit message and its 64-bit MAC should be encrypted by the application of a cipher to a single 320-bit block is dubious.)
In any event, the OP could consider Phelix, which has been around--as Helix/Phelix--since 2003, has a built-in MAC of configurable length, and, AFAIK, is suitable for implementation in hardware.
Perhaps if you do three passes:
c1 = Rijndael(k,m[1..192])
c2 = Rijndael(k,c1[129..192] || m[193..256] || 0^64)
c3 = Rijndael(k,c1[1..128] || c2[1..128])
c = c3 || c2[129..256]
Depending on the number of ciphertexts you are creating, 64 bits of
overlap may not be enough (if you can get a collision in the overlap
part of c1, the tail of the ciphertext would be identical), it could be
better to use a 256-bit block size.
But the cost of this may be fast approaching the cost of a generic
construction for a wide-block block cipher.
--Mike Amling
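
The two-block ciphertext-stealing layout discussed in this thread, and the shared-prefix leak raised against it, as an added example that is not part of the original post. Assumptions: `E`/`D` are a stand-in 192-bit Feistel permutation built from HMAC-SHA256 rather than Rijndael, the 128 kept bits are placed first in the output, and all function names and sample plaintexts are constructed for illustration.

```python
import hashlib
import hmac

BLOCK, MSG = 24, 40  # bytes: 192-bit cipher block, 320-bit message

def _f(key, rnd, half):
    # Round function of the stand-in cipher (an assumption, not Rijndael).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:12]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Stand-in 192-bit block permutation: 4-round balanced Feistel."""
    l, r = block[:12], block[12:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def D(key, block):
    """Inverse of E: undo the Feistel rounds in reverse order."""
    l, r = block[:12], block[12:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def encrypt320(key, m):
    if len(m) != MSG:
        raise ValueError("message must be 320 bits")
    c1 = E(key, m[:BLOCK])
    head, tail = c1[:16], c1[16:]      # keep 128 bits, steal the last 64
    c2 = E(key, m[BLOCK:] + tail)      # 128 message bits || 64 stolen bits
    return head + c2                   # 128 + 192 = 320 bits

def decrypt320(key, c):
    if len(c) != MSG:
        raise ValueError("ciphertext must be 320 bits")
    head, c2 = c[:16], c[16:]
    p2 = D(key, c2)                    # last 128 message bits || stolen 64
    return D(key, head + p2[16:]) + p2[:16]

def shared_prefix_leak(key):
    # Constructed plaintexts: same first 192 bits, different last 128 bits.
    a = b"A" * 24 + b"first tail 0001!"
    b = b"A" * 24 + b"other tail 0002!"
    ca, cb = encrypt320(key, a), encrypt320(key, b)
    return ca[:16] == cb[:16], ca[16:] == cb[16:]
```

`shared_prefix_leak` returns `(True, False)`: the first 128 ciphertext bits repeat whenever the first 192 plaintext bits do, which is the same determinism any block cipher shows without a mode and IV, only visible at a finer granularity than a true 320-bit block would allow.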