
Re: Wide-block Encryption Alternative



You certainly are not out of order.

We have already discussed what I hope you don't mind me calling MEM 
for large blocks.

At first blush, in the current state of the art, this type of construction 
has never been formally presented as secure. Look at the references in 
both Shai's and Clement's proposals. I am not suggesting that your 
proposal is insecure, I am suggesting that if your proposal is secure, 
it is a significant step forward in the cryptographic community in 
general. For instance, read the attack on Shai and Rogaway first 
proposal. Very subtle and devastating.

Minor edit, on the diagram on page 5, K3, P3 and K3 and P3 are combined 
to create H3. I believe that this is incorrect.

The "cascade" of this mode does not seem complete. Clement's proposal 
(R=1) is similar to MEM for a single block. In general your PP_x = 
f(K,P_{n-1},P_n). And on the reverse, C_x = f(K,CC_{x-1},CC_x). This in 
itself is a very limited diffusion. While you will (I am sure) argue 
that since PP_1 is unknown to the attacker, this is not of use. Well, 
this is only partially true...

The major method I would choose to attack this is as a chosen plaintext 
attack. That is, can the attacker manipulate the plaintext and be able 
to manipulate the ciphertext in such a way that he can gain an 
understanding of K_x. If he can, then the mixing function fails.

The way I would attack this is by manipulating P_1 and P_32 in such 
a way that I can determine relationships between K_1 and K_32 and then 
unraveling the rest. Since you are proposing this, I would think that 
you may have thought about this and already have an answer?

I am interested in your answer.

As a matter of process, this is an OK first step, but the procedure I 
would suggest (but the committee could override me) is that we would 
like to only standardize things that have been peer reviewed first, to 
get around the WiFi problem where, after the fact, they showed it to 
cryptographers who said "I would not have done it that way, but I 
don't see any problems" but there were problems later.

To get this peer reviewed in the Crypto community you need to write a 
serious paper and there are several members on the committee that can 
help you write this, and if it still survives, get it submitted to 
conferences.

Hope this helps.

I am attaching your .ppt zipped so that it gets into the archive.

Thanks

jim




On Feb 27, 2004, at 5:19 PM, Williams, Jim wrote:

>
> Being new to this effort, I am not sure what has already been 
> discussed and/or decided. So I hope this discussion is not out of 
> order.
>
> I have attached a brief description of an alternative wide block 
> encryption algorithm. I am certainly far from recommending or 
> proposing this, but would be quite interested in any discussion of 
> pros and cons.
>
> Best case, this alternative is less costly to implement at a given 
> performance level, and easier to prove secure. Worst case, it is 
> totally broken. And there is much room in between.
>
>  - Jim
>
>
>  <<blockEncryption.ppt>>
>
>

blockEncryption.ppt.zip
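Added example, not taken from this mail, from the proposal, or from the attached .ppt: a small Python diffusion check that quantifies the "very limited diffusion" remark above for the two-neighbour dependency structure Jim describes (a forward pass PP_x = f(K, P_{x-1}, P_x), then a reverse pass C_x = f(K, CC_{x-1}, CC_x)). Everything beyond those two formulas is a modelling assumption made here: f is stood in for by truncated HMAC-SHA256, P_0 and CC_0 are an all-zero block, CC is the PP sequence taken in reverse order, blocks are 16 bytes, and there are 32 of them. The model is not an invertible cipher; it only traces which ciphertext blocks a single plaintext bit can reach, which is the property a reviewer would want measured before trusting a wide-block mode (a wide-block cipher is expected to change every output block).

```python
import hashlib
import hmac

BLOCK = 16      # bytes per block (assumption; the .ppt is not on the page)
N_BLOCKS = 32   # the mail talks about P_1 ... P_32
ZERO = bytes(BLOCK)


def f(key: bytes, left: bytes, right: bytes) -> bytes:
    """Keyed two-block mixing function f(K, a, b) from the mail, modelled as
    truncated HMAC-SHA256.  It stands in for the proposal's real f; all that
    matters here is that the output depends on K and on exactly these two
    blocks, so the dependency chain can be traced."""
    return hmac.new(key, left + right, hashlib.sha256).digest()[:BLOCK]


def toy_cascade(key: bytes, blocks: list) -> list:
    """Toy model of the two-pass structure the mail describes (0-based):
      forward:  PP[x] = f(K, P[x-1], P[x])     with P[-1]  = all-zero block
      reverse:  CC    = PP in reverse order   (modelling assumption)
                C[x]  = f(K, CC[x-1], CC[x])   with CC[-1] = all-zero block
    It is a diffusion model only, not an invertible cipher."""
    prev = ZERO
    pp = []
    for p in blocks:
        pp.append(f(key, prev, p))
        prev = p
    cc = pp[::-1]
    prev = ZERO
    out = []
    for c in cc:
        out.append(f(key, prev, c))
        prev = c
    return out


def flip_bit(blocks: list, index: int, bit: int) -> list:
    """Return a copy of the plaintext with one bit of block `index` flipped."""
    mod = list(blocks)
    b = bytearray(mod[index])
    b[bit // 8] ^= 1 << (bit % 8)
    mod[index] = bytes(b)
    return mod


def changed_blocks(key: bytes, blocks: list, index: int, bit: int = 0) -> list:
    """Indices of ciphertext blocks that differ after flipping one plaintext
    bit.  A wide-block cipher should return every index with overwhelming
    probability; the toy cascade returns at most three."""
    base = toy_cascade(key, blocks)
    alt = toy_cascade(key, flip_bit(blocks, index, bit))
    return [i for i in range(len(blocks)) if base[i] != alt[i]]


def expected_reach(n: int, index: int) -> list:
    """Blocks reachable from P[index] by tracing the dependencies above:
    C[x] depends on CC[x-1], CC[x] = PP[n-x], PP[n-1-x], which depend on
    P[n-x], P[n-1-x], P[n-2-x].  Hence P[i] reaches x in {n-2-i, n-1-i, n-i}."""
    return sorted(x for x in (n - 2 - index, n - 1 - index, n - index)
                  if 0 <= x < n)


def max_blocks_reached(key: bytes, blocks: list) -> int:
    """Largest number of ciphertext blocks any single plaintext bit can
    influence; 3 for the toy cascade, independent of n."""
    return max(len(changed_blocks(key, blocks, i)) for i in range(len(blocks)))


# Constructed sample input: a fixed key and 32 distinct 16-byte blocks.
KEY = bytes(range(32))
PLAINTEXT = [bytes([i]) * BLOCK for i in range(N_BLOCKS)]

if __name__ == "__main__":
    for i in (0, 5, 31):
        print(f"flip P[{i}] -> C blocks changed: {changed_blocks(KEY, PLAINTEXT, i)}")
    print("max blocks reached by one bit:", max_blocks_reached(KEY, PLAINTEXT),
          "of", N_BLOCKS)
```

Because the stand-in f never collides in practice, the measured set of changed blocks equals the traced set exactly: a bit flipped in P[5] reaches only C[25], C[26], C[27], and no single bit ever reaches more than 3 of the 32 output blocks. Swapping in a different f, or chaining PP_x on PP_{x-1} instead of on P_{x-1}, changes the reach and is the kind of variant the same harness can measure.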