
RE: Question on CFB variant with c[i-N]

>David Honig <[email protected]> wrote:
>At 06:46 PM 12/20/97 -0700, Johnson, Michael P (Mike) wrote:
>>>
>>>
>>>>>              cfb    Ciphertext feedback mode
>>>>>                     c[i] = f1(K, c[i-1]) ^ p[i]
>>>>>                     p[i] = f1(K, c[i-1]) ^ c[i]
>>>
>>
>>
>>Suppose instead of c[i-1] you use c[i-N] where N is say 10. 
>>How would you prove that this has no security implications?
>>That 10-way interleaved cfb streams are security-equivalent to
>>a single cfb stream interleaved with the immediately previous block?

That would make it harder to get the process started, since you would
need 10 initialization vector blocks instead of 1, so it would bloat
your messages more.

How about this mode:
    c[i] = e(K1, e(K2, c[i-1]) ^ p[i-1]) ^ p[i]
    p[i] = e(K1, e(K2, c[i-1]) ^ p[i-1]) ^ c[i]

The feedback possibilities are literally endless. The analysis of the
effects on security, speed, error propagation, etc., is left as an
exercise for the reader. <grin>

Some standard modes have been well analyzed and accepted. They also are
built into specialized cracking hardware. Offering and using multiple
modes and multiple algorithms raises the cost of building specialized
cracking hardware.
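An added example, not code from this thread: full-block CFB with a feedback lag N (N = 1 is the standard mode quoted above), using HMAC-SHA256 truncated to one block as an assumed stand-in for the cipher's forward function E_K, since CFB never needs the inverse. It lets you check two of the points raised: that lag-N CFB is N interleaved standard CFB streams, each needing its own IV block, and that one corrupted ciphertext block disturbs exactly plaintext blocks k and k+N.

```python
import hmac, hashlib

BLOCK = 16  # block size in bytes

def f1(key: bytes, block: bytes) -> bytes:
    # Stand-in for the cipher's forward function E_K (assumption: HMAC-SHA256
    # truncated to one block). CFB only calls the forward direction, so any
    # keyed PRF fits here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example uses whole blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cfb_lag_encrypt(key: bytes, ivs: list, plaintext: bytes) -> bytes:
    """c[i] = f1(K, c[i-N]) ^ p[i], N = len(ivs); the IVs act as c[-N..-1]."""
    n = len(ivs)
    c = list(ivs)                         # c[n + i] will hold ciphertext block i
    for p in blocks(plaintext):
        c.append(_xor(f1(key, c[-n]), p))  # c[-n] is c[i-N] for the block being made
    return b"".join(c[n:])

def cfb_lag_decrypt(key: bytes, ivs: list, ciphertext: bytes) -> bytes:
    """p[i] = f1(K, c[i-N]) ^ c[i]; needs only ciphertext, so it parallelises."""
    n = len(ivs)
    c = list(ivs) + blocks(ciphertext)
    return b"".join(_xor(f1(key, c[j - n]), c[j]) for j in range(n, len(c)))

def stream(data: bytes, n: int, r: int) -> bytes:
    """Every N-th block starting at block r: one of the N interleaved CFB streams."""
    return b"".join(blocks(data)[r::n])

def corrupted_blocks(key: bytes, ivs: list, plaintext: bytes, k: int) -> list:
    """Flip one bit in ciphertext block k; return indices of plaintext blocks that change."""
    ct = bytearray(cfb_lag_encrypt(key, ivs, plaintext))
    ct[k * BLOCK] ^= 0x01
    recovered = blocks(cfb_lag_decrypt(key, ivs, bytes(ct)))
    return [i for i, (a, b) in enumerate(zip(recovered, blocks(plaintext))) if a != b]
```

With lag 3 and eight plaintext blocks, flipping a bit in ciphertext block 2 garbles plaintext blocks 2 and 5 only, and blocks 1, 4, 7 encrypt exactly as a standard CFB stream seeded with the second IV.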