[131803] in cryptography@c2.net mail archive
Re: Decimal encryption
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Aug 27 18:45:24 2008
Date: Wed, 27 Aug 2008 13:34:50 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Jonathan Katz <jkatz@cs.umd.edu>
Cc: cryptography@metzdowd.com
In-Reply-To: <Pine.GSO.4.64.0808271609460.1798@ringding.cs.umd.edu>
At Wed, 27 Aug 2008 16:10:51 -0400 (EDT),
Jonathan Katz wrote:
>
> On Wed, 27 Aug 2008, Eric Rescorla wrote:
>
> > At Wed, 27 Aug 2008 17:05:44 +0200,
> > There are a set of techniques that allow you to encrypt elements of
> > arbitrary sets back onto that set.
> >
> > The original paper on this is:
> > John Black and Phillip Rogaway. Ciphers with arbitrary finite domains. In
> > CT-RSA, pages 114-130, 2002.
>
> But he probably wants an encryption scheme, not a cipher.
Hmm... I'm not sure I recognize the difference between encryption
scheme and cipher. Can you elaborate?
> Also, correct me if I am wrong, but Black and Rogaway's approach is not
> efficient for large domains. But if you use their approach for small
> domains then you open yourself up to dictionary attacks.
I suppose it depends what you mean by "small" and "large".
A lot of the relevant values are things like SSNs, CCNs, etc.
which fall in the 10-20 digit category, where the Luby-Rackoff
approach is efficient. As I understand the situation, the
cycle following approach is efficient as long as the set
is reasonably close to the L-R block size.
As far as dictionary attacks go, for any small domain permutation
you have to worry about table construction attacks. The only
defense I know of is randomized encryption which defeats the
non-expansion requirement.
WRT to the security of the L-R construction, Spies claims that
I believe that Patarin's 2004 result [0] is relevant here, but
I'm not qualified to evaluate it. Anyway, the reference I provided
earlier [1] provides a summary of the claimed security properties
of L-R + Cycle Following.
-Ekr
[0] Jacques Patarin. Security of random feistel schemes with 5 or more rounds.
In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in
Computer Science, pages 106-122. Springer, 2004.
[1] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf
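
The Luby-Rackoff plus cycle following idea discussed in the message above, as an added example that is not part of the original post and is not the FFSEM specification's algorithm. It assumes HMAC-SHA256 as the round function and 10 rounds; all function names are hypothetical.

```python
import hashlib
import hmac

ROUNDS = 10  # assumption for this sketch, not a value from the thread


def _round(key, rnd, half, bits):
    """Keyed round function: HMAC-SHA256 output truncated to `bits` bits."""
    msg = bytes([rnd, bits]) + half.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def _feistel(key, x, bits, decrypt):
    """Balanced Feistel (Luby-Rackoff style) permutation on 2*bits-bit integers."""
    left, right = x >> bits, x & ((1 << bits) - 1)
    for rnd in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = right ^ _round(key, rnd, left, bits), left
        else:
            left, right = right, left ^ _round(key, rnd, right, bits)
    return (left << bits) | right


def _walk(key, value, digits, decrypt):
    """Cycle following: re-apply the permutation until the result is < 10**digits."""
    limit = 10 ** digits
    bits = ((limit - 1).bit_length() + 1) // 2  # smallest even-width block >= domain
    while True:
        value = _feistel(key, value, bits, decrypt)
        if value < limit:
            return value


def _check(text):
    if not (text and text.isascii() and text.isdigit() and len(text) <= 38):
        raise ValueError("expected 1 to 38 ASCII decimal digits")


def encrypt_decimal(key, plaintext):
    _check(plaintext)
    return str(_walk(key, int(plaintext), len(plaintext), False)).zfill(len(plaintext))


def decrypt_decimal(key, ciphertext):
    _check(ciphertext)
    return str(_walk(key, int(ciphertext), len(ciphertext), True)).zfill(len(ciphertext))


if __name__ == "__main__":
    key = b"constructed demo key"           # constructed sample key
    ct = encrypt_decimal(key, "123456789")  # constructed 9-digit sample value
    print(ct, decrypt_decimal(key, ct))
```

The mapping is deterministic and non-expanding, so equal plaintexts always give equal ciphertexts under one key; that is the property behind the table construction concern raised in the message.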