[Cryptech Tech] Happier RSA timing numbers
Bernd Paysan
bernd at net2o.de
Sun May 20 20:31:03 UTC 2018
On Saturday, 19 May 2018, 07:43:20 CEST, Joachim Strömbergson wrote:
> And of course, what one should use are AE-modes. OCB. CCM or CTR+CMAC,
> which is much cleaner.
>
> OCB is fun. Too bad the license does not allow for open source HW
> implementation, just SW implementations.
One reason why it is so cumbersome with AES and AEAD is that AES makes
changing the key an expensive operation.
If you use a block cipher like Threefish, where changing the key is a very
simple operation (copy the key in and XOR the 8 64-bit words, that's it),
there are two very easy methods to do AEAD. Both are derived from the SKEIN
hash.
In SKEIN, you start with a known key (zero), and generate the following keys
by xoring the plaintext and the cipher text of the previous block. Starting
with an unknown, secret key doesn't help: This allows a known plaintext
attacker to recover the complete key at any block of the stream (you just need
to know one block of plaintext), and therefore is not secure to use for
message encryption.
Remedy: in addition to plaintext and cipher text, xor with the initial or the
previous key.
Pseudo code:

SKEIN:
    K[0]=constant
    C[i]=enc(K[i], P[i])
    K[i+1]=C[i]^P[i]

AEAD Threefish (encryption phase):
    K[0]=secret
    C[i]=enc(K[i],P[i])
    K[i+1]=C[i]^P[i]^K[i] or C[i]^P[i]^K[0]

Decrypt:
    P[i]=dec(K[i],C[i])
    K[i] as above

MAC=enc(K[last],constant) // 0 is ok as constant
In Associated Data phase, you do the same as in encryption phase, but throw
away the generated cipher text — you only use that pass to update the Ki. So
in decryption, you do the same here, you have the plain text at hand.
The ^K[i] version is my variant; I prefer key-erasing ciphers, same reason as
why we want ephemeral key exchange: PFS. Long-lived sessions can't be
retroactively decrypted if an attacker extracts your key in mid-session.
None of the AES AEAD ciphers are key erasing.
This mode can be done with any block cipher where the key size is equal to the
block size, but, due to the per-block key change, it is expensive for AES.
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o id: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/
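The key-chaining AEAD sketched in the mail above (AD phase, encryption phase, key-erasing ^K[i] update and MAC), written out as an added Python example that is not part of the original message. Threefish is not in the Python standard library, so a constructed 4-round SHA-256 Feistel permutation with a 256-bit key and 256-bit block stands in for it; the example assumes whole-block inputs and, like the sketch, applies the same step to AD and message blocks.

```python
import hashlib, hmac

BLOCK = 32  # Threefish-256: 256-bit block and 256-bit key, so key size == block size

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _cipher(key: bytes, block: bytes, encrypt: bool) -> bytes:
    # Stand-in for Threefish (constructed here, not a vetted cipher): a 4-round Feistel
    # network with SHA-256 as round function. Only key size == block size matters here.
    assert len(key) == BLOCK and len(block) == BLOCK
    l, r = block[:16], block[16:]
    for i in (range(4) if encrypt else range(3, -1, -1)):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:16]
        l, r = r, _xor(l, f)
    return r + l  # final swap makes the reversed round order decrypt

def _step(k: bytes, p: bytes):
    # C[i] = enc(K[i], P[i]); K[i+1] = C[i] ^ P[i] ^ K[i]  (key-erasing variant)
    c = _cipher(k, p, True)
    return c, _xor(_xor(c, p), k)

def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example assumes whole blocks, no padding"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def aead_encrypt(key: bytes, ad: bytes, plaintext: bytes):
    k = key                                   # K[0] = secret
    for a in _blocks(ad):
        _, k = _step(k, a)                    # AD phase: update key, discard C[i]
    out = []
    for p in _blocks(plaintext):
        c, k = _step(k, p)
        out.append(c)
    tag = _cipher(k, bytes(BLOCK), True)      # MAC = enc(K[last], 0)
    return b"".join(out), tag

def aead_decrypt(key: bytes, ad: bytes, ciphertext: bytes, tag: bytes):
    k = key
    for a in _blocks(ad):
        _, k = _step(k, a)                    # same AD pass, plaintext is at hand
    out = []
    for c in _blocks(ciphertext):
        p = _cipher(k, c, False)              # P[i] = dec(K[i], C[i])
        out.append(p)
        k = _xor(_xor(c, p), k)               # K[i+1] exactly as in encryption
    if not hmac.compare_digest(_cipher(k, bytes(BLOCK), True), tag):
        return None                           # tag mismatch: release no plaintext
    return b"".join(out)
```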