[Cryptech Tech] Happier RSA timing numbers

Bernd Paysan bernd at net2o.de
Sun May 20 20:31:03 UTC 2018


On Saturday, 19 May 2018, 07:43:20 CEST, Joachim Strömbergson wrote:
> And of course, what one should use are AE-modes. OCB. CCM or CTR+CMAC,
> which is much cleaner.
> 
> OCB is fun. Too bad the license does not allow for open source HW
> implementation, just SW implementations.

One reason why it is so cumbersome with AES and AEAD is that AES makes 
changing the key an expensive operation.

If you use a block cipher like Threefish, where changing the key is a very 
simple operation (copy the key in and xor the 8 64-bit words, that's it), 
there are two very easy methods to do AEAD.  Both are derived from the SKEIN 
hash.

In SKEIN, you start with a known key (zero), and generate the following keys 
by xoring the plaintext and the cipher text of the previous block. Starting 
with an unknown, secret key doesn't help: This allows a known plaintext 
attacker to recover the complete key at any block of the stream (you just need 
to know one block of plaintext), and therefore is not secure to use for 
message encryption.

Remedy: in addition to plaintext and cipher text, xor with the initial or the 
previous key.

Pseudo code:

SKEIN:

K[0]=constant
C[i]=enc(K[i], P[i])
K[i+1]=C[i]^P[i]

AEAD Threefish (encryption phase):

K[0]=secret
C[i]=enc(K[i],P[i])
K[i+1]=C[i]^P[i]^K[i] or C[i]^P[i]^K[0]

Decrypt:

P[i]=dec(K[i],C[i])
K[i] as above

MAC=enc(K[last],constant) // 0 is ok as constant

In Associated Data phase, you do the same as in encryption phase, but throw 
away the generated cipher text — you only use that pass to update the Ki. So 
in decryption, you do the same here, you have the plain text at hand.

The ^K[i] version is my variant; I prefer key erasing ciphers, same reason as 
why we want ephemeral key exchange: PFS. Long lived sessions can't be 
retroactively decrypted if an attacker extracts your key in mid-session.

None of the AES AEAD ciphers are key erasing.

This mode can be done with any block cipher where the key size is equal to the 
block size, but it is expensive for AES due to the per-block key change.
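As an added illustration of the chained-key mode sketched above (my own demo script, not code from the mail or from Threefish/Skein): the block cipher is a constructed 64-bit placeholder permutation so the script runs offline; `next_key` switches between the key-erasing `^K[i]` variant and the Skein-style chain.

```python
# Added demo of the chained-key AEAD sketched above (not Skein, not Threefish).
# toy_enc/toy_dec are a constructed placeholder 64-bit permutation so the script
# runs offline; they are NOT a secure cipher, only "enc(K,P)" with key size == block size.
MASK = (1 << 64) - 1

def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def toy_enc(k, p):
    x = p
    for i in range(8):                      # 8 invertible rounds: xor key, rotate, add
        x = (_rotl(x ^ k, 13) + k + i) & MASK
    return x

def toy_dec(k, c):
    x = c
    for i in reversed(range(8)):
        x = _rotl((x - k - i) & MASK, 51) ^ k   # rotl 51 == rotr 13
    return x

def next_key(k, p, c, erase=True):
    # erase=True:  K[i+1] = C[i] ^ P[i] ^ K[i]  (key-erasing variant from the mail)
    # erase=False: K[i+1] = C[i] ^ P[i]         (Skein-style, computable from known P, C)
    return c ^ p ^ (k if erase else 0)

def _absorb_ad(k, ad, erase):
    for a in ad:                            # AD pass: encrypt only to advance the key chain
        k = next_key(k, a, toy_enc(k, a), erase)
    return k

def aead_encrypt(key, ad, blocks, erase=True):
    k = _absorb_ad(key, ad, erase)
    out = []
    for p in blocks:
        c = toy_enc(k, p)
        out.append(c)
        k = next_key(k, p, c, erase)
    return out, toy_enc(k, 0)               # MAC = enc(K[last], 0)

def aead_decrypt(key, ad, blocks, tag, erase=True):
    k = _absorb_ad(key, ad, erase)
    out = []
    for c in blocks:
        p = toy_dec(k, c)
        out.append(p)
        k = next_key(k, p, c, erase)
    if toy_enc(k, 0) != tag:
        return None                         # tag mismatch: reject, release no plaintext
    return out
```

A real implementation would buffer the decrypted blocks until the tag check passes rather than accumulating them in memory as plaintext.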

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o id: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/