Re: Decimal encryption

2008-08-28 Thread Hovav Shacham 

- Jonathan Katz [EMAIL PROTECTED] wrote:

 But he probably wants an encryption scheme, not a cipher.

Jon, I'm not sure I understand what you mean.

If I am reading his message correctly, the original poster seems
to be asking for a format-preserving encryption over a domain
with 10^40 elements.  Format-preserving, it seems to me, implies
[a family of keyed] functions that are one-to-one and
deterministic.  In other words, the best security we can hope for
is a PRP on that domain, and this is what B-R gives, starting
from a PRP over a somewhat larger domain.

In this setting, what is the difference between an encryption
scheme and a cipher?

 Also, correct me if I am wrong, but Black and Rogaway's
 approach is not efficient for large domains. But if you use
 their approach for small domains then you open yourself up to
 dictionary attacks.

I think the dependency depends on the amount by which the domain
of the constructed PRP is smaller than the domain of the starting
PRP.  A 133-bit B-R would indeed be inefficient to construct from
a 256-bit block cipher like Rijndael, and one would need a
different starting point; but these could be constructed using a
Feistel of appropriate size.

Is the dictionary attack problem any more severe than for any
other PRP over a small domain?  The best one can hope for is a
security guarantee for a number of queries approaching the size
of the domain -- or to ensure that in practical deployment access
to the encryption and decryption functionality is constrained.

Yours --
Hovav.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: [cryptography] 5x speedup for AES using SSE5?

2008-08-25 Thread Hovav Shacham 

On Aug 24, 2008, at 5:20 AM, Peter Gutmann wrote:

Speaking of CPU-specific optimisations, I've seen a few algorithm  
proposals
from the last few years that assume that an algorithm can be scaled  
linearly
in the number of CPU cores, treating a multicore CPU as some kind  
of SIMD
engine with all cores operating in lock-step, or at least engaging  
in some
kind of rendezvous every couple of cycles (for example the recently- 
discussed

MD6 uses a round of 16 steps, if I read the description correctly)


My impressions from Ron's talk were different.  For multicore  
systems, the tree structure of the hash allows parallelism at a much  
higher granularity.  For hardware implementation, the feedback- 
register structure of the round function means that 16 steps can be  
computed in parallel.  I didn't get the sense that Ron intends for  
the second kind of parallelism to be used in software implementations.


Hovav.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]