
Is this a new mode?


Sandy Harris

Oct 11, 1998, 3:00:00 AM
(As usual?), I've been thinking about something that seems almost
too obvious to mention, but it's not in the FAQ & my copy of AC II
isn't to hand. (If whoever borrowed it reads this, I'd like it back!)

Most block ciphers expand the key to get a collection of round keys.
If the key schedule is strong, the round keys should be a very good
approximation to random & unrelated.

CBC mode XORs ciphertext from block n into plaintext n+1 before
encryption. Why not XOR it into the round keys instead? Wouldn't
this defeat both linear & differential cryptanalysis since both require
large numbers of plaintexts encrypted with the same key?

I think with reasonable assumptions about the randomness of the
key schedule output & the cipher output this can be shown not to
entail much risk. If r is random & k constant, then showing that
s = r XOR k is random is straightforward.

I'm thinking specifically of a modified Blowfish. After round R,
XOR half the output into plaintext R+1 whence it can be expected
to diffuse to affect all bits of ciphertext R+1. XOR the other half
into round key R mod 18.

Is this mode new? Is it useful?

jsa...@freenet.edmonton.ab.ca

Oct 12, 1998, 3:00:00 AM
Sandy Harris (sandy....@sympatico.ca) wrote:
: CBC mode XORs ciphertext from block n into plaintext n+1 before
: encryption. Why not XOR it into the round keys instead?

Well, if you're using a DES chip to perform DES, this isn't an available
option.

For a cipher like DES, if you XOR the ciphertext from the previous block
into every round key in the same way, you won't foil differential
cryptanalysis. The method will have to be modified a bit, to take that
extra step into account, but it will still be able to operate. After all,
you will have both a lot of known plaintexts, and, from the ciphertexts,
related internal keys which are XORed with known bits. Knowing that the
subkeys for one block are the same as for another block, except that they
are XORed with a known ciphertext block, is almost as good as knowing
they're exactly the same.

Designing a block cipher so that one could have a key that changes with
each block in an efficient manner, and yet which clearly could not serve
as a probe into the other part of the key that is static, is an
interesting question (and not a trivial one).

John Savard
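To make the opening proposal concrete, and to show the subkey relation John Savard points out, here is an added Python model that is not part of the thread and not any poster's code. It assumes a constructed 64-bit Feistel cipher with 16 SHA-256-derived subkeys in place of Blowfish's 18 P-array entries, and it fixes one reading of Sandy's mode: the high half of the previous ciphertext is XORed into the next plaintext (as in CBC) and the low half into subkey number (block index mod 16). Plain CBC is included alongside for comparison, and `public_subkey_relation` computes, from ciphertext alone, the XOR difference between the subkey vectors two blocks were encrypted under.

```python
"""Toy model of the 'feed ciphertext into the round keys' mode from the thread.

Everything here is constructed for illustration: the 64-bit Feistel cipher,
its hash-derived key schedule, the round function and the 16-round count are
stand-ins for Blowfish, chosen only so the example runs with the standard library.
"""
import hashlib

MASK32 = 0xFFFFFFFF
NROUNDS = 16  # toy value; Blowfish's P-array has 18 entries


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def key_schedule(key: bytes):
    """Derive NROUNDS 32-bit subkeys from the key (toy schedule, SHA-256 based)."""
    subkeys, counter = [], 0
    while len(subkeys) < NROUNDS:
        digest = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        for off in range(0, 32, 4):
            if len(subkeys) < NROUNDS:
                subkeys.append(int.from_bytes(digest[off:off + 4], "big"))
        counter += 1
    return subkeys


def round_function(x, k):
    """Nonlinear mixing of a 32-bit half with a 32-bit subkey (toy F, not Blowfish's)."""
    t = (x + k) & MASK32
    t ^= rotl32(t, 7)
    t = (t * 0x9E3779B1) & MASK32
    return t ^ rotl32(t, 13)


def feistel(block: int, subkeys):
    """Feistel network on a 64-bit block; decryption is the same routine with reversed subkeys."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left  # undo the final swap


def cbc_encrypt(key, iv, blocks):
    sk = key_schedule(key)
    out, prev = [], iv
    for p in blocks:
        c = feistel(p ^ prev, sk)
        out.append(c)
        prev = c
    return out


def cbc_decrypt(key, iv, blocks):
    sk = key_schedule(key)[::-1]
    out, prev = [], iv
    for c in blocks:
        out.append(feistel(c, sk) ^ prev)
        prev = c
    return out


def effective_subkeys(base, prev_ct, index):
    """Subkeys used for block `index`: the low half of the previous ciphertext
    is XORed into subkey (index mod NROUNDS), i.e. Sandy's 'round key R mod 18'."""
    sk = list(base)
    sk[index % NROUNDS] ^= prev_ct & MASK32
    return sk


def keyfeedback_encrypt(key, iv, blocks):
    """Sandy's proposed mode: half of the previous ciphertext into the plaintext,
    the other half into one round key. Block 0 uses the IV as 'previous ciphertext'."""
    base = key_schedule(key)
    out, prev = [], iv
    for i, p in enumerate(blocks):
        masked = p ^ ((prev >> 32) << 32)          # high half into the plaintext
        c = feistel(masked, effective_subkeys(base, prev, i))  # low half into a subkey
        out.append(c)
        prev = c
    return out


def keyfeedback_decrypt(key, iv, blocks):
    """The receiver already holds the previous ciphertext, so it rebuilds the same subkeys."""
    base = key_schedule(key)
    out, prev = [], iv
    for i, c in enumerate(blocks):
        sk = effective_subkeys(base, prev, i)[::-1]
        out.append(feistel(c, sk) ^ ((prev >> 32) << 32))
        prev = c
    return out


def public_subkey_relation(ct_a, index_a, ct_b, index_b):
    """John Savard's observation: the XOR difference between the subkey vectors used
    for two blocks is a function of public ciphertext only; no key material is needed."""
    diff = [0] * NROUNDS
    diff[index_a % NROUNDS] ^= ct_a & MASK32
    diff[index_b % NROUNDS] ^= ct_b & MASK32
    return diff


if __name__ == "__main__":
    key, iv = b"constructed 16B!", 0x0123456789ABCDEF  # constructed sample values
    pts = [0x0000000000000000, 0xDEADBEEFCAFEBABE, 0xFFFFFFFFFFFFFFFF]
    cts = keyfeedback_encrypt(key, iv, pts)
    print([hex(c) for c in cts], keyfeedback_decrypt(key, iv, cts) == pts)
```

The decryptor never needs anything beyond the key, the IV and the ciphertext stream, so the mode is as usable as CBC; the point of `public_subkey_relation` is that an observer who sees the ciphertext also knows exactly how the subkey vectors of any two blocks differ, which is the relation John's reply refers to.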

Sandy Harris

Oct 12, 1998, 3:00:00 AM
jsa...@freenet.edmonton.ab.ca () wrote:

>Sandy Harris (sandy....@sympatico.ca) wrote:

>: CBC mode XORs ciphertext from block n into plaintext n+1 before
>: encryption. Why not XOR it into the round keys instead?
>
>Well, if you're using a DES chip to perform DES, this isn't an available
>option.
>
>For a cipher like DES, if you XOR the ciphertext from the previous block
>into every round key in the same way, you won't foil differential
>cryptanalysis.

My suggestion was to XOR into only one or two round keys, with the
target round key changing from block to block.

> The method will have to be modified a bit, to take that
>extra step into account, but it will still be able to operate. After all,
>you will have both a lot of known plaintexts, and, from the ciphertexts,
>related internal keys which are XORed with known bits. Knowing that the
>subkeys for one block are the same as for another block, except that they
>are XORed with a known ciphertext block, is almost as good as knowing
>they're exactly the same.

Of course you could use addition instead of XOR. Just as fast & likely
harder to analyse if the cipher uses XOR.

>Designing a block cipher so that one could have a key that changes with
>each block in an efficient manner, and yet which clearly could not serve
>as a probe into the other part of the key that is static, is an
>interesting question (and not a trivial one).

Yes. Anyone got other suggestions on how to do it?

Medical Electronics Lab

Oct 12, 1998, 3:00:00 AM
Sandy Harris wrote:
> >Designing a block cipher so that one could have a key that changes with
> >each block in an efficient manner, and yet which clearly could not serve
> >as a probe into the other part of the key that is static, is an
> >interesting question (and not a trivial one).
>
> Yes. Anyone got other suggestions on how to do it?

I don't claim to understand the paper fully yet, but this sounds
like something which might work:

Provable Security for Block Ciphers by Decorrelation
Submitted.
In this paper we investigate a new way for protecting block ciphers against
classes of attacks (including differential and linear
cryptanalysis) which is based on the notion of decorrelation distance which
is fairly connected to Carter-Wegman's universal
hash functions paradigm. This defines a simple and friendly combinatorial
measurement which enables to quantify the security.
We show that we can mix provable protections and heuristic protections. We
finally propose two new block cipher families
we call COCONUT and PEANUT, which implement these ideas and achieve quite
reasonable performances for real-life
applications.

http://www.ens.fr/~vaudenay/pub.html#Vau98b

The basic idea seems to be that you build a set of probabilities
associated with each round. By building a multidimensional map
of inputs->rounds->outputs you can get some probabilistic guess
of what each round does based on previous inputs.

When you understand it, please explain it to me!

Patience, persistence, truth,
Dr. mike

Scott Nelson

Oct 12, 1998, 3:00:00 AM
On Mon, 12 Oct 1998 sandy....@sympatico.ca (Sandy Harris) wrote:

>jsa...@freenet.edmonton.ab.ca wrote:
>>Designing a block cipher so that one could have a key that changes with
>>each block in an efficient manner, and yet which clearly could not serve
>>as a probe into the other part of the key that is static, is an
>>interesting question (and not a trivial one).
>
>Yes. Anyone got other suggestions on how to do it?

If your key is large enough, it's simple.

Take Twofish for example.
256 bits of key, 128 bit block.
XOR 128 bits of key with the previous cipher-text.

Bryan G. Olson; CMSC (G)

Oct 13, 1998, 3:00:00 AM
Sandy Harris (sandy....@sympatico.ca) wrote:
[...]
: Most block ciphers expand the key to get a collection of round keys.
: If the key schedule is strong, the round keys should be a very good
: approximation to random & unrelated.

Many ciphers don't use schedules with independent looking
subkeys. It's not clear there's a large advantage to the
lack of structure.

[...]
: I'm thinking specifically of a modified Blowfish. After round R,
: XOR half the output into plaintext R+1 whence it can be expected
: to diffuse to affect all bits of ciphertext R+1. XOR the other half
: into round key R mod 18.

One thing I picked up at AES is that there seems to be
general agreement that ciphers should be as strong against
chosen ciphertext as against chosen plaintext. Obviously
this scheme has chosen ciphertext flaws.

--Bryan

Paul Crowley

Oct 13, 1998, 3:00:00 AM
jsa...@freenet.edmonton.ab.ca () writes:
> Designing a block cipher so that one could have a key that changes with
> each block in an efficient manner, and yet which clearly could not serve
> as a probe into the other part of the key that is static, is an
> interesting question (and not a trivial one).

I think designing a block cipher to take a rapidly-changeable
"variant" field as well as a scheduled key, such that the key defines
a numbered family of pseudorandom permutations, would be a useful
thing for a variety of applications. It's something I've had to think
about in designing for disk block encryption; in this case, the
variant field is the block number. However, adding a variant field to
a cipher with a normal block size would be much harder because there's
much less time to schedule it.
--
__
\/ o\ pa...@hedonism.demon.co.uk Edinburgh fetish club Permission \ /
/\__/ Paul Crowley Nov 8 http://www.hedonism.demon.co.uk/permission /~\

Paonet Software, Inc.

Oct 18, 1998, 3:00:00 AM

Sandy Harris wrote in message ...

>(As usual?), I've been thinking about something that seems almost
>too obvious to mention, but it's not in the FAQ & my copy of AC II
>isn't to hand. (If whoever borrowed it reads this, I'd like it back!)
>
>Most block ciphers expand the key to get a collection of round keys.
>If the key schedule is strong, the round keys should be a very good
>approximation to random & unrelated.
>
>CBC mode XORs ciphertext from block n into plaintext n+1 before
>encryption. Why not XOR it into the round keys instead? Wouldn't
>this defeat both linear & differential cryptanalysis since both require
>large numbers of plaintexts encrypted with the same key?
>
>I think with reasonable assumptions about the randomness of the
>key schedule output & the cipher output this can be shown not to
>entail much risk. If r is random & k constant, then showing that
>s = r XOR k is random is straightforward.
>
>I'm thinking specifically of a modified Blowfish. After round R,
>XOR half the output into plaintext R+1 whence it can be expected
>to diffuse to affect all bits of ciphertext R+1. XOR the other half
>into round key R mod 18.
>
>Is this mode new? Is it useful?

I do not believe that this mode would defeat linear & differential
cryptanalysis because the convergence model (running probabilities of
different keys) would compensate for the XORing material. The
XORing material would be known.

I think you brought up an excellent point though. If the key schedule of
all the ciphertext blocks are different and there is no information leakage
on the different states of the key schedules then I believe linear &
differential cryptanalysis can be defeated.

A block cipher called LFP utilizes "Object Keys". This encryption cipher
utilizes a different key and key schedule and different non-linear
characteristics (S-boxes) for each plaintext block. The Object Key is
composed of a static user key and methods that modify the key based on
seeding from a random session key. The method provides a different key
schedule and S-boxes for the block cipher for each plaintext block. The
use of a different key schedule and S-boxes for each block gives the
cipher dynamic characteristics. The Object Key utilizes diffusion and
confusion methods in generating the new block keys.

I believe that the Object Key technique defeats linear & differential
cryptanalysis.


Sandy Harris

Oct 23, 1998, 3:00:00 AM
"Paonet Software, Inc." <pao...@erols.com> wrote:

>A block cipher called LFP utilizes "Object Keys". This encryption cipher
>utilizes a different key and key schedule and different non-linear
>characteristics (S-boxes) for each plaintext block. The Object Key is
>composed of a static user key and methods that modify the key based on
>seeding from a random session key. The method provides a different key
>schedule and S-boxes for the block cipher for each plaintext block. The
>use of a different key schedule and S-boxes for each block gives the
>cipher dynamic characteristics. The Object Key utilizes diffusion and
>confusion methods in generating the new block keys.
>
>I believe that the Object Key technique defeats linear & differential
>cryptanalysis.

Can you give details, or a pointer to them?

Lou

Oct 24, 1998, 3:00:00 AM

A block cipher called LFP utilizes "Object Keys". This encryption cipher

bryan...@uptronics.com

Oct 25, 1998, 2:00:00 AM
Lou wrote:
> I think you brought up an excellent point though. If the key schedule of
> all the ciphertext blocks are different and there is no information leakage
> on the different states of the key schedules then I believe linear &
> differential cryptanalysis can be defeated.

Uh, sure. But they can be defeated without those awkward
properties as well.

> A block cipher called LFP utilizes "Object Keys".

I looked it up, and I'd recommend the designers read Bruce
Schneier's "Memo to the Amateur Cipher Designer".

--Bryan


Lou

Oct 25, 1998, 2:00:00 AM

bryan...@uptronics.com wrote in message
<70v3gd$3q$1...@nnrp1.dejanews.com>...

But how can you prove that they're defeated? Statistical data analysis and
entropy calculations for use in studying correlations of plaintext, ciphertext
and static key schedules are complex and powerful tools.

The designers are aware of the memo.

Thanks

Lou


Lou

Oct 25, 1998, 2:00:00 AM

Sandy Harris wrote in message
<3w8Y1.610$Pa.21...@news21.bellglobal.com>...

>"Paonet Software, Inc." <pao...@erols.com> wrote:
>
>>A block cipher called LFP utilizes "Object Keys". This encryption cipher
>>utilizes a different key and key schedule and different non-linear
>>characteristics (S-boxes) for each plaintext block. The Object Key is
>>composed of a static user key and methods that modify the key based on
>>seeding from a random session key. The method provides a different key
>>schedule and S-boxes for the block cipher for each plaintext block. The
>>use of a different key schedule and S-boxes for each block gives the
>>cipher dynamic characteristics. The Object Key utilizes diffusion and
>>confusion methods in generating the new block keys.
>>
>>I believe that the Object Key technique defeats linear & differential
>>cryptanalysis.
>
>Can you give details, or a pointer to them?

The details are available at www.paonet.com

Bryan G. Olson; CMSC (G)

Oct 26, 1998, 3:00:00 AM
Lou (pao...@erols.com) wrote:
: bryan.olson wrote:
: >Lou wrote:
: >> [...] then I believe linear &
: >> differential cryptanalysis can be defeated.

: >Uh, sure. But they can be defeated without those awkward
: >properties as well.

: But how can you prove that they're defeated?

With the maximal probabilities of differentials and linear
characteristics, or with decorrelation. Impossible
differentials are a cool twist, but they're also measurable,
and also defeated by decorrelation.

: Statistical data analysis and
: entropy calculations for use in studying correlations of plaintext,
: ciphertext and static key schedules are complex and powerful tools.

I'm not sure what you mean by "entropy calculations for
use in studying correlations". Obviously given the
ciphertext and key schedule, the entropy of the plaintext
is 0. Can you demonstrate using these to break a cipher?

Anyway, the LFP guys clearly don't understand the methods.
Ordinary CBC mode with unique IVs defeats differential on
any plausible cipher.

--Bryan

