Re: Blockcipher >256 bit (for hardware implementation)
- From: Mike Amling <spamonly@xxxxxxxxxxx>
- Date: 24 Jan 2007 16:29:05 EST
Kristian Gjøsteen wrote:
Mike Amling <spamonly@xxxxxxxxxxx> wrote:
The OP's idea that somehow a 256-bit message and its 64-bit MAC should be encrypted by the application of a cipher to a single 320-bit block is dubious.
Actually, I think it is perfectly sound. In fact, there's no need
for a MAC. If you have a 320 bit block cipher (f,g) and a 256 bit
message, I encrypt it as
c = f(k, m || 0^64) .
To decrypt, I compute
m'||t = g(k, c)
and check that t = 0^64.
If the block cipher is secure (looks like a random permutation), the
forgery probability should be about 2^{-64}.
With no IV, the messages and ciphertexts have a one-to-one mapping, which, as with ECB, allows observers to distinguish repeated messages. Or do the OP's 256-bit messages contain a timestamp or counter? An IV also makes defending against replay attack easier.
--Mike Amling
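The redundancy construction Kristian describes (encrypt m || 0^64 under a 320-bit permutation, reject on decrypt unless the trailing 64 bits are zero), together with Mike's observation that without an IV identical messages give identical ciphertexts, as an added example that is not part of the original thread. No standard library offers a 320-bit block cipher, so the pair (f, g) is stood in for here by an assumed 4-round Feistel network with an HMAC-SHA256 round function; the key and message values are constructed.

```python
import hmac
import hashlib

HALF = 20        # 320-bit block = two 160-bit Feistel halves
MSG_LEN = 32     # 256-bit message
TAG_LEN = 8      # the 0^64 redundancy field
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Assumed round function: HMAC-SHA256 keyed per round, truncated to one half.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]

def f(key: bytes, block: bytes) -> bytes:
    # Forward permutation on a 320-bit block (stand-in for the thread's f).
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def g(key: bytes, block: bytes) -> bytes:
    # Inverse permutation: undo the Feistel rounds in reverse order (the thread's g).
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

def encrypt(key: bytes, m: bytes) -> bytes:
    # c = f(k, m || 0^64): the zero field is the only integrity check.
    assert len(m) == MSG_LEN
    return f(key, m + bytes(TAG_LEN))

def decrypt(key: bytes, c: bytes):
    # m' || t = g(k, c); accept only if t == 0^64, else treat as a forgery.
    block = g(key, c)
    m, t = block[:MSG_LEN], block[MSG_LEN:]
    return m if t == bytes(TAG_LEN) else None

def same_plaintext_same_ciphertext(key: bytes, m: bytes) -> bool:
    # Mike's point: with no IV the scheme is deterministic, so repeats are visible.
    return encrypt(key, m) == encrypt(key, m)

# Constructed demo values (not from the thread).
KEY = bytes(range(32))
MSG = b"256-bit message under a wide block"[:MSG_LEN].ljust(MSG_LEN, b"!")
```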