On Saturday, 19 May 2018, 07:43:20 CEST, Joachim Strömbergson wrote:
> And of course, what one should use are AE-modes. OCB. CCM or CTR+CMAC,
> which is much cleaner.
>
> OCB is fun. Too bad the license does not allow for open source HW
> implementation, just SW implementations.
One reason why it is so cumbersome with AES and AEAD is that AES makes changing the key an expensive operation. If you use a block cipher like Threefish, where changing the key is a very simple operation (copy the key in and xor the eight 64-bit words, that's it), there are two very easy methods to do AEAD. Both are derived from the SKEIN hash.

In SKEIN, you start with a known key (zero), and generate the following keys by xoring the plaintext and the cipher text of the previous block. Starting with an unknown, secret key doesn't help: this allows a known-plaintext attacker to recover the complete key at any block of the stream (you just need to know one block of plaintext), and therefore is not secure to use for message encryption. Remedy: in addition to plaintext and cipher text, xor with the initial or the previous key.

Pseudo code:

SKEIN:
  K[0]   = constant
  C[i]   = enc(K[i], P[i])
  K[i+1] = C[i] ^ P[i]

AEAD Threefish (encryption phase):
  K[0]   = secret
  C[i]   = enc(K[i], P[i])
  K[i+1] = C[i] ^ P[i] ^ K[i]   or   C[i] ^ P[i] ^ K[0]

Decrypt:
  P[i]   = dec(K[i], C[i])
  K[i]   as above

MAC = enc(K[last], constant)   // 0 is ok as constant

In the Associated Data phase, you do the same as in the encryption phase, but throw away the generated cipher text; you only use that pass to update the K[i]. So in decryption, you do the same here, since you have the plain text at hand.

The ^K[i] version is my variant; I prefer key-erasing ciphers, for the same reason we want ephemeral key exchange: PFS. Long-lived sessions can't be retroactively decrypted if an attacker extracts your key in mid-session. None of the AES AEAD ciphers are key erasing.

This mode can be done with any block cipher where the key size is equal to the block size, but due to the per-block key change it is expensive for AES.

--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o id: kQusJzA;7*?t=uy@X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/
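The following is an added example, not code from the post, from Bernd Paysan or from the Cryptech project. It implements the "AEAD Threefish" sketch above in Python with the key-erasing update K[i+1] = C[i] ^ P[i] ^ K[i], and it uses Threefish-256 (four 64-bit words rather than the eight of Threefish-512 the post counts) transcribed from the Skein 1.3 specification; check it against the published Threefish test vectors before relying on it for anything beyond illustration. Everything the sketch leaves open is an assumption made here: the 0x80-then-zeros padding, the all-zero tweak, the length block absorbed before the final MAC so that the AD/message split is bound, and all function names. As in the sketch there is no nonce, so K[0] must be fresh per message.

```python
import hmac
import struct

MASK = (1 << 64) - 1
C240 = 0x1BD11BDAA9FC1A22   # key-schedule constant from the Skein specification
ROUNDS = 72
BLOCK = 32                  # bytes: four 64-bit words
ZERO_TWEAK = (0, 0)         # the post's sketch has no tweak input (assumption)
# Threefish-256 rotation constants (Skein 1.3), indexed [round % 8][mix pair].
R256 = [(14, 16), (52, 57), (23, 40), (5, 37), (25, 33), (46, 12), (58, 22), (32, 32)]

def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK
def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK

def subkeys(key, tweak):
    """Key schedule (the cheap step the post relies on): 19 subkeys of 4 words."""
    k = list(key) + [C240 ^ key[0] ^ key[1] ^ key[2] ^ key[3]]
    t = [tweak[0], tweak[1], tweak[0] ^ tweak[1]]
    ks = []
    for s in range(ROUNDS // 4 + 1):
        sk = [k[(s + i) % 5] for i in range(4)]
        sk[1] = (sk[1] + t[s % 3]) & MASK
        sk[2] = (sk[2] + t[(s + 1) % 3]) & MASK
        sk[3] = (sk[3] + s) & MASK
        ks.append(sk)
    return ks

def tf256_encrypt(key, tweak, block):
    """Threefish-256 on 4-tuples of 64-bit words: 72 rounds of MIX and permute."""
    ks = subkeys(key, tweak)
    v = list(block)
    for d in range(ROUNDS):
        if d % 4 == 0:                             # subkey injection every 4 rounds
            v = [(v[i] + ks[d // 4][i]) & MASK for i in range(4)]
        r0, r1 = R256[d % 8]
        v[0] = (v[0] + v[1]) & MASK; v[1] = rotl(v[1], r0) ^ v[0]   # MIX
        v[2] = (v[2] + v[3]) & MASK; v[3] = rotl(v[3], r1) ^ v[2]   # MIX
        v = [v[0], v[3], v[2], v[1]]               # word permutation
    return tuple((v[i] + ks[ROUNDS // 4][i]) & MASK for i in range(4))

def tf256_decrypt(key, tweak, block):
    ks = subkeys(key, tweak)
    v = [(block[i] - ks[ROUNDS // 4][i]) & MASK for i in range(4)]
    for d in reversed(range(ROUNDS)):
        v = [v[0], v[3], v[2], v[1]]               # the permutation is its own inverse
        r0, r1 = R256[d % 8]
        v[1] = rotr(v[1] ^ v[0], r0); v[0] = (v[0] - v[1]) & MASK
        v[3] = rotr(v[3] ^ v[2], r1); v[2] = (v[2] - v[3]) & MASK
        if d % 4 == 0:
            v = [(v[i] - ks[d // 4][i]) & MASK for i in range(4)]
    return tuple(v)

def _blocks(data):
    data += b'\x80' + b'\x00' * ((-len(data) - 1) % BLOCK)   # 0x80-then-zeros padding (assumption)
    return [struct.unpack('<4Q', data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]

def _step(k, p, c=None):
    """One chaining step: C = enc(K, P) (or the received C when decrypting), then
    the post's key-erasing update K[i+1] = C[i] ^ P[i] ^ K[i]."""
    if c is None:
        c = tf256_encrypt(k, ZERO_TWEAK, p)
    return c, tuple(c[i] ^ p[i] ^ k[i] for i in range(4))

def _finish(k, ad_len, msg_len):
    """Absorb a length block (assumption: binds the AD/message split), then MAC = enc(K[last], 0)."""
    _, k = _step(k, (ad_len, msg_len, 0, 0))
    return struct.pack('<4Q', *tf256_encrypt(k, ZERO_TWEAK, (0, 0, 0, 0)))

def aead_encrypt(key, ad, msg):
    k = struct.unpack('<4Q', key)                  # key is 32 bytes
    for p in _blocks(ad):                          # AD pass: keys advance, C is discarded
        _, k = _step(k, p)
    ct = b''
    for p in _blocks(msg):
        c, k = _step(k, p)                         # after this step K[i] is gone for good
        ct += struct.pack('<4Q', *c)
    return ct, _finish(k, len(ad), len(msg))

def aead_decrypt(key, ad, ct, tag):
    """Returns the plaintext, or None when the tag or padding does not verify."""
    if not ct or len(ct) % BLOCK:
        return None
    k = struct.unpack('<4Q', key)
    for p in _blocks(ad):
        _, k = _step(k, p)
    pt = b''
    for i in range(0, len(ct), BLOCK):
        c = struct.unpack('<4Q', ct[i:i + BLOCK])
        p = tf256_decrypt(k, ZERO_TWEAK, c)
        _, k = _step(k, p, c)
        pt += struct.pack('<4Q', *p)
    body = pt.rstrip(b'\x00')
    msg = body[:-1]
    if body[-1:] != b'\x80' or not hmac.compare_digest(tag, _finish(k, len(ad), len(msg))):
        return None
    return msg
```

Two points are worth noticing when reading it against the sketch. The per-block cost is one key schedule plus one block encryption, which is exactly why the post wants a cipher whose key schedule is a handful of xors and adds. And because each K[i] is overwritten by C[i] ^ P[i] ^ K[i], an implementation that keeps only the current key cannot reconstruct earlier keys, which is the key-erasing property the post describes; the receiver still has to hold on to unverified plaintext until the tag check at the end passes, and this example returns nothing until it does.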
_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech