
Re: Question on CFB variant with c[i-N]
>>>>>              cfb    Ciphertext feedback mode
>>>>>                     c[i] = f1(K, c[i-1]) ^ p[i]
>>>>>                     p[i] = f1(K, c[i-1]) ^ c[i]

>>Suppose instead of c[i-1] you use c[i-N] where N is say 10.

> Wouldn't the size of your IV have to grow as N grows?

Depends on your threat model; you could use the same IV for all c[i<1].
The main reason to do that sort of interleave is to simplify
parallelizing the hardware for speed while retaining
approximately the same security as regular CFB.

You might have some minor security gain because there's less
correlation between p[i] and p[i-N] than p[i-1],
so it's harder to guess things that might help,
but you might have a minor security loss because you're
only mushing together 1/N as much stuff, and you're
more likely to implement something incorrectly :-)

				Thanks!
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
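An added Python sketch of the c[i-N] variant (mine, not from the thread; f1 is a keyed-hash stand-in for the block cipher, and the key, IV and plaintext are constructed sample values). It checks two things the reply states: the lag-N mode is exactly N ordinary CFB chains run side by side, which is the hardware parallelization described, and using one IV for all c[i<1] means the first N blocks share the keystream block f1(K, IV), the trade-off the threat-model remark points at.

```python
import hashlib

BLOCK = 8  # toy block size in bytes; the chaining structure, not the cipher, is the point


def f1(key: bytes, block: bytes) -> bytes:
    """Stand-in for f1(K, .): a keyed PRF from SHA-256 (assumption, not a real block cipher)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_lag_encrypt(key: bytes, iv: bytes, pt: list, n: int) -> list:
    """c[i] = f1(K, c[i-N]) ^ p[i]; every c[i] with i < 1 is the single shared IV."""
    ct = []
    for i, p in enumerate(pt):
        feedback = ct[i - n] if i >= n else iv
        ct.append(xor(f1(key, feedback), p))
    return ct


def cfb_lag_decrypt(key: bytes, iv: bytes, ct: list, n: int) -> list:
    """p[i] = f1(K, c[i-N]) ^ c[i]; no chaining state beyond the ciphertext itself."""
    return [xor(f1(key, ct[i - n] if i >= n else iv), c) for i, c in enumerate(ct)]


def matches_parallel_cfb(key: bytes, iv: bytes, pt: list, n: int) -> bool:
    """Lag-N CFB is N independent CFB chains: chain j covers blocks j, j+N, j+2N, ...
    Each chain can run on its own hardware unit, which is the speed argument."""
    lagged = cfb_lag_encrypt(key, iv, pt, n)
    for j in range(n):
        if cfb_lag_encrypt(key, iv, pt[j::n], 1) != lagged[j::n]:  # plain CFB, one chain
            return False
    return True


def shared_keystream_prefix(key: bytes, iv: bytes, pt: list, n: int) -> int:
    """Count leading blocks encrypted under the same keystream block f1(K, IV).
    With one IV for all chains that is N blocks, so c[i] ^ c[j] = p[i] ^ p[j] for i, j < N."""
    ct = cfb_lag_encrypt(key, iv, pt, n)
    first, count = xor(ct[0], pt[0]), 0
    for c, p in zip(ct, pt):
        if xor(c, p) != first:
            break
        count += 1
    return count


# Constructed sample input (not from the thread).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_IV = bytes(BLOCK)
SAMPLE_PT = [bytes([i]) * BLOCK for i in range(10)]
```

Giving each of the N chains its own IV (the IV growth the question asks about) is what brings the shared-keystream prefix back down to one block.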