From: Mok-Kong Shen on 13 Mar 2010 07:23

[Addendum] To my knowledge, CBC MAC is one of the authentication methods that is in standard use today. There may be tiny variations desirable when the last plaintext block is not full. But this could evidently be taken over for use in our scheme as well.

I would like to restate the improvements, in my humble view, of our scheme over the well-known encryption with CBC MAC:

(1) it uses one key instead of two.

(2) the chaining values in the proper processing of the plaintext to generate ciphertext are unknown to the analyst (in the case of using CBC MAC, the chaining values are the ciphertext blocks, which are available to the analyst).

In a comment appearing in another thread, the question of efficiency has been raised. Our scheme, exactly like using CBC MAC, needs two invocations of the block cipher for each block of plaintext, once in the pass to obtain the MAC, and once in the proper encryption pass. Certainly, science has inevitably been constantly making progress, so that there are alternative schemes now that are much more efficient in respect of computing. It may be remarked, however, that as long as CBC MAC is not yet outdated in use, there seems to be no reason why one shouldn't better use our scheme instead. (This barring availability of comments and critiques from the experts on our scheme, of course.)

In this connection I would like to point out that our scheme is actually developed out of a previous proposal of mine using nonlinear combination in accumulating ciphertext blocks at the level of words (for efficiency) to obtain chaining values. Denoting Z(X,Y) = X*Y + X + Y mod 2^32 (wordwise, e.g. for the four words of a 128-bit block), that scheme runs as follows:

    H_(-1) = IV; C_(-1) = 0;   (definition)
    for (i=0; i<n; i++) {
      H_i = Z( H_(i-1), C_(i-1) );
      C_i = E( K, H_i ^ P_i );
    }
    MAC = H_n = Z( H_(n-1), C_(n-1) );

This evidently works much faster. However, it could be criticized for "lack" of proof of security.
Since my humble knowledge is insufficient to defend against such critiques, I decided to present the scheme in the original post of this thread, even though I personally think that the more efficient scheme above seems to be not too bad at all. (BTW, for comments and critiques on it I should certainly be very grateful.)

Finally, I would also like to mention that variations to the above include Z(X,Y) = X*Y ^ X + Y mod 2^32 and H_i = Z( H_(i-1), P_(i-1) ^ C_(i-1) ) and mutual bit rotations of X and Y. For more on the theme of nonlinear combination, see the recent thread initiated by me: "Nonlinear combination of streams".

Thanks,

M. K. Shen

-------------------------------------------------------------------------

[OT, personal note:] I am unfortunately forced by recurrent personal insults to use a kill-file. That is, I would not read, not to say answer, posts of some who have the mean habit of frequently abusing this sci-group that way. Anyone who doesn't like my posts for whatever reasons is strongly advised to put me in his kill-file as well. It may be remarked that this group is for free discussions and is not a "course" in an educational institution (school etc.). Thus nobody has the "right" to take on the position of a "teacher". It is all very well that one attempts to help others to learn during discussions. However, if unfortunately his "pupil" turns out to be too "stupid" in his view ("unbelehrbar" in German, I don't know a good English translation), then he should stop such attempts after at most a couple of "failed" trials (and even better not start "teaching" in the first place, if he has seen that others have failed before him in such attempts). In any case, a good teacher (whose study includes courses on pedagogical psychology) avoids using words that are insulting to the feelings of the recipient.
Therefore, I conclude that a few persons in this group, who frequently "want" to "teach" others but employ sarcastic or even very bad words, are in fact not ones that "genuinely" want to help others but ones actually having some "non-outspoken" personal intentions in pretending to be "good-minded" persons helping others, while practically wasting the bandwidth of the group (i.e. spamming). I would like to stress: This group is a free group for scientific discussions and for scientific discussions "alone", not for "anything" that is "personal". For personal matters, one should use e-mail, in order not to waste the time of thousands of third persons who have to read the nonsense stuff as well!!!
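The word-wise nonlinear accumulation scheme quoted in the post above (H_i = Z(H_(i-1), C_(i-1)), C_i = E(K, H_i ^ P_i), MAC = H_n), written out as a runnable example. This is an added illustration, not code from Mr. Shen or from the thread. It assumes a 128-bit block cipher E; since the example must run offline with only the standard library, the block cipher is a stand-in Feistel network keyed with SHA-256 rather than a real cipher such as AES, and the key, IV and message are constructed sample values. The decryption side shows that a receiver holding the IV and the ciphertext recomputes each H_i from the previous ciphertext block, so it can both decrypt and check the MAC, and a modified ciphertext block is rejected.

```python
"""Word-wise nonlinear accumulation mode (Z(X,Y) = X*Y + X + Y mod 2^32),
as described in the post. Added example; block cipher is a stand-in."""
import hashlib
import hmac

WORD_MASK = 0xFFFFFFFF
BLOCK_BYTES = 16
ROUNDS = 8


def z_word(x, y):
    # Z(X,Y) = X*Y + X + Y mod 2^32 on a single 32-bit word
    return (x * y + x + y) & WORD_MASK


def z_block(a, b):
    # Apply Z word-wise to the four big-endian 32-bit words of two 128-bit blocks
    return b"".join(
        z_word(int.from_bytes(a[i:i + 4], "big"),
               int.from_bytes(b[i:i + 4], "big")).to_bytes(4, "big")
        for i in range(0, BLOCK_BYTES, 4))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, i, half):
    # Round function of the stand-in cipher: keyed SHA-256 truncated to 64 bits
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def enc_block(key, block):
    # ASSUMPTION: balanced Feistel network standing in for a real 128-bit
    # block cipher E(K, .); it is invertible, which is all the mode needs.
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, xor_bytes(left, _round_fn(key, i, right))
    return right + left          # final swap so decryption reuses the loop


def dec_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = right, xor_bytes(left, _round_fn(key, i, right))
    return right + left


def encrypt_and_mac(key, iv, plaintext):
    """Return (ciphertext, MAC). Full blocks only; the post leaves partial
    final blocks aside."""
    assert len(plaintext) % BLOCK_BYTES == 0
    h = iv                        # H_(-1) = IV
    c_prev = bytes(BLOCK_BYTES)   # C_(-1) = 0
    out = []
    for i in range(0, len(plaintext), BLOCK_BYTES):
        h = z_block(h, c_prev)                                   # H_i = Z(H_(i-1), C_(i-1))
        c = enc_block(key, xor_bytes(h, plaintext[i:i + BLOCK_BYTES]))  # C_i = E(K, H_i ^ P_i)
        out.append(c)
        c_prev = c
    mac = z_block(h, c_prev)      # MAC = H_n = Z(H_(n-1), C_(n-1))
    return b"".join(out), mac


def decrypt_and_verify(key, iv, ciphertext, mac):
    """Recompute the chaining values from IV and ciphertext, decrypt, and
    return the plaintext, or None if the MAC does not match."""
    assert len(ciphertext) % BLOCK_BYTES == 0
    h = iv
    c_prev = bytes(BLOCK_BYTES)
    out = []
    for i in range(0, len(ciphertext), BLOCK_BYTES):
        h = z_block(h, c_prev)
        c = ciphertext[i:i + BLOCK_BYTES]
        out.append(xor_bytes(h, dec_block(key, c)))              # P_i = D(K, C_i) ^ H_i
        c_prev = c
    expected = z_block(h, c_prev)
    if not hmac.compare_digest(expected, mac):                   # constant-time compare
        return None
    return b"".join(out)


# Constructed sample values (not from the post)
SAMPLE_KEY = bytes(range(16))
SAMPLE_IV = bytes(range(16, 32))
SAMPLE_MSG = b"Nonlinear combination of streams"   # exactly two 16-byte blocks


def demo():
    """Round trip, then flip the lowest bit of the last ciphertext byte and
    show the receiver rejects it."""
    ct, mac = encrypt_and_mac(SAMPLE_KEY, SAMPLE_IV, SAMPLE_MSG)
    ok = decrypt_and_verify(SAMPLE_KEY, SAMPLE_IV, ct, mac)
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])
    rejected = decrypt_and_verify(SAMPLE_KEY, SAMPLE_IV, tampered, mac)
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

The tamper check flips the lowest bit of the last block rather than a high bit: since Z(X,Y) = (X+1)(Y+1) - 1 mod 2^32, a change of 2^31 in Y is absorbed whenever X+1 is even, so a single-bit change is only guaranteed to propagate into the MAC when it sits in the low bit of a word. That arithmetic property is worth keeping in mind when reasoning about the "lack of proof of security" the post mentions.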