-----BEGIN PGP SIGNED MESSAGE-----
David Wagner wrote:
> History shows that it is extremely easy to propose schemes for
> encryption-with-integrity that are plausible-looking yet nonetheless
> entirely broken. At this point, I don't think I would trust very much
> a proposal without a proof.
>
For example, the chaining scheme used by Kerberos?
Never-the-less, engineers traditionally propose incremental
improvements, standing as it were on the shoulders of giants....
> And I think it would be fair to say that CBCS falls into the camp of
> plausible but unproven proposals. (Correct me if I'm wrong!)
Well, had you attended the particular conferences, you'd have heard
the rationale. And the design notes in the documents describe the
specifics. I'm not a crypto-mathematician, and I make no claim as
to the sufficiency of proofs. You did review one of the early drafts
of CBCS.
In the other case, enhancing XEX-CBC, you provided a major amount
of improved text regarding Replay Protection in an earlier part of
the same paper, and agreed to be a named co-author. Presumably, had
a proof been available at the time, you would have pointed to it....
However, as is often the case, later scholars have verified both
schemes (for their own purposes)!
====
CBCS has several security notes, summarized here:
1) the authentication/integrity function is separately keyed, rather
than from the encryption function.
2) the IV feeds the CBCS function, which then feeds the encryption
function, to generate unpredictable initial values for the first
cipher block.
3) the IV is intended to be unique over the lifetime of the cipher
session-key(s).
4) the IV incorporating the ESP Security Parameters Index (SPI)
and the anti-replay ESP Sequence Number (SN) together
can provide both uniqueness and mutual protection
between the first block and the ESP header.
5) prevent linear cryptanalysis by incorporating a non-linear
rotation function. This is specific to my choice for the
authentication/integrity function, namely the combination of
addition (sum) with a variable rotation.
As CBCS was based on earlier schemes that XOR a key and/or
previous ciphertext block with the next plaintext and/or ciphertext
block, CBCS has the simple unstated assumption that the output
of the cipher is uniformly distributed and unpredictable. That is,
it probably is secure only when used with a robust cipher. I should
have explicitly stated that -- I merely referenced it in other papers.
Since then, somebody else has written a formal proof for the
generic class of g(x) functions in the same or similar construction
as CBCS. He presented at IETF last year. I'm sorry, I've never read
the paper. I was incensed that he claimed a patent on his particular
variant of the idea.
====
XEX-CBC "whitening" in draft-simpson-ipsec-enhancement has a very
simple stated security limitation: "It is insecure without combination
with a robust cipher." The only reason that DES-XEX3-CBC wasn't
adopted as the default cipher by IETF in 1995 was that there was no
formal proof of its security.
Likewise, the substitution of a PRNG, or one-way hash function as a
PRNG, for the fixed secret(s) in XEX2 or XEX3, depends on the
security of the underlying cipher.
Since then, as referenced in my later XEX3-CBC Transform papers,
Rogaway did an analysis of the security in 1996.
====
The upshot of this exercise is that we have proposals developed in
open fora that are patent free. We don't need to rely on patented
variants.
While I am thankful that later analysts have more rigorous proofs of
security, I don't believe that the proofs are patentable.
Moreover, I think that we should discourage scholars holding back on
design publication in order to secure patent rights -- especially in
the "information age", publish early and often!
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
iQCVAwUBOj4x/Nm/qMj6R+sxAQHQwAP/Rz4IqjupVkvr89tQukyYBWVh3w4YQriv
LGfFaOkweWJgDUeugxTRvfVhuxe61C9KKdJYTo5N+9wt/mVdxqJ14n/CT4sxwAek
gE9iaRx1QlXLpQQSz1QOF/i3IRih6LDQRRrl4QGFWbpI3bV5i2kAl8E7NzDBz7+J
i44awIe4m+c=
=9kr9
-----END PGP SIGNATURE-----
