From: Mok-Kong Shen on 9 Aug 2010 01:54

Let C = E(K,P) denote a block encryption processing. I intend to apply
authentication as follows (n=number of blocks):

    S = IV;

    for (i=0; i<n; i++)
    { C[i] = E(K,S[i]^P[i]);
      S[i] = E(K,S[i]^P[i]^C[i]);
    }

    S[n-1] = authentication.

Are there any security problems in this? Has this been done anywhere?

From: Scott Contini

Mok-Kong Shen wrote:
> Let C = E(K,P) denote a block encryption processing. I intend to apply
> authentication as follows (n=number of blocks):
>
>     S = IV;
>
>     for (i=0; i<n; i++)
>     { C[i] = E(K,S[i]^P[i]);
>       S[i] = E(K,S[i]^P[i]^C[i]);
>     }
>
>     S[n-1] = authentication.
>
> Are there any security problems in this? Has this been done anywhere?

I'm pretty sure you haven't written this correctly:
Each iteration is independent from the previous.

I'm pretty sure that once you fix it up, it is still
vulnerable to existential forgeries.

Scott

From: Mok-Kong Shen on 9 Aug 2010 12:15

Scott Contini wrote:
> Mok-Kong Shen wrote:
>> Let C = E(K,P) denote a block encryption processing. I intend to apply
>> authentication as follows (n=number of blocks):
>>
>>     S = IV;
>>
>>     for (i=0; i<n; i++)
>>     { C[i] = E(K,S[i]^P[i]);
>>       S[i] = E(K,S[i]^P[i]^C[i]);
>>     }
>>
>>     S[n-1] = authentication.
>>
>> Are there any security problems in this? Has this been done anywhere?
>
> I'm pretty sure you haven't written this correctly:
> Each iteration is independent from the previous.

Thank you very much for pointing out the blunder. It should be

    S = IV;

    for (i=0; i<n; i++)
    { C[i] = E(K,S[i]^P[i]);
      S[i+1] = E(K,S[i]^P[i]^C[i]);
    }

    S[n] = authentication.

> I'm pretty sure that once you fix it up, it is still
> vulnerable to existential forgeries.

My knowledge is very poor. Could you kindly help and tell
a bit more about the possible vulnerabilities.

Thanks in advance.

M. K. Shen

From: Scott Contini on 9 Aug 2010 17:40

On Aug 10, 2:15 am, Mok-Kong Shen wrote:
> Scott Contini wrote:
> > Mok-Kong Shen wrote:
> >> Let C = E(K,P) denote a block encryption processing. I intend to apply
> >> authentication as follows (n=number of blocks):
> >>
> >>     S = IV;
> >>
> >>     for (i=0; i<n; i++)
> >>     { C[i] = E(K,S[i]^P[i]);
> >>       S[i] = E(K,S[i]^P[i]^C[i]);
> >>     }
> >>
> >>     S[n-1] = authentication.
> >>
> >> Are there any security problems in this? Has this been done anywhere?
> >
> > I'm pretty sure you haven't written this correctly:
> > Each iteration is independent from the previous.
>
> Thank you very much for pointing out the blunder. It should be
>
>     S = IV;
>
>     for (i=0; i<n; i++)
>     { C[i] = E(K,S[i]^P[i]);
>       S[i+1] = E(K,S[i]^P[i]^C[i]);
>     }
>
>     S[n] = authentication.
>
> > I'm pretty sure that once you fix it up, it is still
> > vulnerable to existential forgeries.
>
> My knowledge is very poor. Could you kindly help and tell
> a bit more about the possible vulnerabilities.
>
> Thanks in advance.
>
> M. K. Shen

It is trivially breakable. Two attacks: (i) the first
block, and (ii) extension attacks. You should be able
to figure out the rest. I hope. This is very basic stuff.

Scott

From: Mok-Kong Shen on 9 Aug 2010 17:51

Scott Contini wrote:
> It is trivially breakable. Two attacks: (i) the first
> block, and (ii) extension attacks. You should be able
> to figure out the rest. I hope. This is very basic stuff.

I have in the meantime also thought about a little bit myself.
Would the following slight modification tighten up the matter?

    S = E(K,IV);

    for (i=0; i
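Scott names the two weaknesses of the corrected (S[i+1]) scheme but leaves the details to the reader. The following is an added example, not code from the thread: it implements that scheme in Python with a constructed toy block cipher standing in for E (a 4-round Feistel permutation keyed through HMAC-SHA256; the flaws shown do not depend on E's strength), then runs the two checks a reviewer would apply before accepting a homebrew authentication tag. Check (i) shows that the tag depends on IV and P[0] only through their XOR; check (ii) shows that because the tag is the raw chaining state, a message re-entering the chain through that state reaches the same tag. The last function shows that a separately keyed HMAC over IV and ciphertext (the standard encrypt-then-MAC fix) passes both checks. The keys, IV, blocks and delta are constructed sample values.

```python
import hmac
import hashlib

# The thread's E(K, .) is an unspecified block cipher. This stand-in is a
# constructed 4-round Feistel permutation on 8-byte blocks (assumption).
BLOCK = 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    """Round function: 4 bytes of HMAC-SHA256 keyed by (key, round index)."""
    return hmac.new(key + bytes([i]), half, hashlib.sha256).digest()[:4]


def E(key, block):
    """Toy keyed permutation standing in for E(K, P) from the thread."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def shen_encrypt_and_tag(key, iv, blocks):
    """The corrected construction from the 12:15 message:
    C[i] = E(K, S[i]^P[i]); S[i+1] = E(K, S[i]^P[i]^C[i]); tag = S[n]."""
    state = iv
    ciphertext = []
    for p in blocks:
        c = E(key, xor(state, p))
        state = E(key, xor(xor(state, p), c))
        ciphertext.append(c)
    return ciphertext, state


def first_block_shift_keeps_tag(key, iv, blocks, delta):
    """Check (i), 'the first block': XOR-ing the same delta into IV and P[0]
    leaves S[0]^P[0] unchanged, so every C[i] and the tag repeat exactly."""
    c1, t1 = shen_encrypt_and_tag(key, iv, blocks)
    shifted = [xor(blocks[0], delta)] + blocks[1:]
    c2, t2 = shen_encrypt_and_tag(key, xor(iv, delta), shifted)
    return c1 == c2 and t1 == t2


def extension_keeps_tag(key, iv, blocks):
    """Check (ii), 'extension': the tag is the chaining state S[n]. Appending
    the block (tag ^ IV ^ P[0]) makes the next cipher input equal IV ^ P[0],
    so the chain restarts from S[1]; appending P[1..n-1] then ends on S[n]
    again, i.e. the longer message carries the same tag."""
    _, tag = shen_encrypt_and_tag(key, iv, blocks)
    extended = blocks + [xor(xor(tag, iv), blocks[0])] + blocks[1:]
    _, tag2 = shen_encrypt_and_tag(key, iv, extended)
    return tag == tag2


def hmac_tag(mac_key, iv, ciphertext):
    """Mitigation: encrypt-then-MAC with a separately keyed HMAC over IV||C."""
    return hmac.new(mac_key, iv + b"".join(ciphertext), hashlib.sha256).digest()


def hmac_resists(key, mac_key, iv, blocks, delta):
    """Both manipulations above change an HMAC tag (constant-time compare)."""
    c1, state = shen_encrypt_and_tag(key, iv, blocks)
    t1 = hmac_tag(mac_key, iv, c1)
    # (i) shifted IV / first block: ciphertext repeats, but IV is part of the MAC input
    c2, _ = shen_encrypt_and_tag(key, xor(iv, delta), [xor(blocks[0], delta)] + blocks[1:])
    shifted_same = hmac.compare_digest(t1, hmac_tag(mac_key, xor(iv, delta), c2))
    # (ii) extension: the longer ciphertext changes the MAC input
    c3, _ = shen_encrypt_and_tag(key, iv, blocks + [xor(xor(state, iv), blocks[0])] + blocks[1:])
    ext_same = hmac.compare_digest(t1, hmac_tag(mac_key, iv, c3))
    return not shifted_same and not ext_same


# Constructed sample values (assumptions, not from the thread).
KEY = b"\x01" * 16
MAC_KEY = b"\x02" * 16
IV = bytes(range(8))
BLOCKS = [b"block-00", b"block-01", b"block-02"]
DELTA = b"\xff\x00" * 4

if __name__ == "__main__":
    print("first-block shift keeps tag:", first_block_shift_keeps_tag(KEY, IV, BLOCKS, DELTA))
    print("extension keeps tag:        ", extension_keeps_tag(KEY, IV, BLOCKS))
    print("HMAC resists both:          ", hmac_resists(KEY, MAC_KEY, IV, BLOCKS, DELTA))
```

Both checks return True for the thread's scheme regardless of how strong E is, because they exploit only the chaining structure: the tag never commits to IV separately from P[0], and the final state is exposed as the tag. A tag computed by a separate keyed function over IV and the full ciphertext, as in hmac_tag, removes both properties.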