"Hal Finney" wrote:

So, you don't have a 133-bit block cipher lying around? No worries, I'll sell you one ;-). Actually that is easy too. Take a trustworthy 128-bit block cipher like AES. To encrypt, do:1. Encrypt the first 128 bits (ECB mode) 2. Encrypt the last 128 bits (also ECB mode).I didn't understand this at first, but I finally saw that the point is to do the encryptions in-place; step 1 replaces the first 128 bits of the data with the encryption, and similarly for step 2. This is equivalent to doing CBC mode with a fixed IV of 0, and ciphertext stealing for the final partial block of 5 bits.

`Yes, I guess it is... hadn't thought of it that way. But yes, I confirm`

`that I meant to do the encryptions in place.`

To decrypt, do decryptions in the reverse order, obviously. It's easy to see that this is a secure permutation if AES itself is, depending on your definition of secure; if you add a third step, to re-encrypt the first 128 bits, it is truly secure. (Without the third step, tweaking a bit in the first 5 bits will often leave the last 5 unchanged on decryption, which is clearly a distinguishing attack; the third encryption makes it an all-or-nothing transform.)I am not familiar with the security proof here, do you have a reference? Or is it an exercise for the student?

`It's a degenerate case of Rivest's All-or-nothing transform (which`

`applies to larger, multi-block blocks, if you know what I mean :-) ). I`

`believe he gave a security proof, some 6ish years ago. But I could be`

`confabulating.`

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]