[131807] in cryptography@c2.net mail archive


Re: Decimal encryption

daemon@ATHENA.MIT.EDU (Greg Rose)
Wed Aug 27 18:47:50 2008

Date: Wed, 27 Aug 2008 14:27:00 -0700
From: Greg Rose <ggr@qualcomm.com>
To: Hal Finney <hal@finney.org>
CC: "pg@futureware.at" <pg@futureware.at>,
        "cryptography@metzdowd.com"
	<cryptography@metzdowd.com>
In-Reply-To: <20080827193645.716D814F6E1@finney.org>

"Hal Finney" wrote:
>> So, you don't have a 133-bit block cipher lying around? No worries, I'll
>> sell you one ;-). Actually that is easy too. Take a trustworthy 128-bit
>> block cipher like AES. To encrypt, do:
>>
>> 1. Encrypt the first 128 bits (ECB mode)
>> 2. Encrypt the last 128 bits (also ECB mode).
> 
> I didn't understand this at first, but I finally saw that the point is to
> do the encryptions in-place; step 1 replaces the first 128 bits of the
> data with the encryption, and similarly for step 2. This is equivalent
> to doing CBC mode with a fixed IV of 0, and ciphertext stealing for the
> final partial block of 5 bits.

Yes, I guess it is... hadn't thought of it that way. But yes, I confirm 
that I meant to do the encryptions in place.

>> To decrypt, do decryptions in the reverse order, obviously. It's easy to
>> see that this is a secure permutation if AES itself is, depending on
>> your definition of secure; if you add a third step, to re-encrypt the
>> first 128 bits, it is truly secure. (Without the third step, tweaking a
>> bit in the first 5 bits will often leave the last 5 unchanged on
>> decryption, which is clearly a distinguishing attack; the third
>> encryption makes it an all-or-nothing transform.)
> 
> I am not familiar with the security proof here, do you have a reference?
> Or is it an exercise for the student?

It's a degenerate case of Rivest's All-or-nothing transform (which 
applies to larger, multi-block blocks, if you know what I mean :-) ). I 
believe he gave a security proof, some 6ish years ago. But I could be 
confabulating.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
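The construction discussed in this message, as an added example that is not part of the original thread: a 133-bit permutation built from overlapping in-place encryptions of the first and last 128 bits, with the optional third step, and an experiment that flips one of the first 5 ciphertext bits and checks whether the last 5 decrypted bits change. Assumptions: the Python standard library has no AES, so `prp128` is a stand-in 4-round Feistel permutation built on HMAC-SHA256, and all function names, the bit layout (first bits are the most significant) and the key are constructed for illustration.

```python
import hashlib, hmac, random

MASK64, MASK128 = (1 << 64) - 1, (1 << 128) - 1

def _f(key, rnd, half):
    # Feistel round function: HMAC-SHA256 truncated to 64 bits.
    msg = bytes([rnd]) + half.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")

def prp128(key, x, decrypt=False):
    # Stand-in 128-bit block cipher (4-round Feistel). Assumption: it is NOT
    # AES; it only plays the role of the "trustworthy 128-bit block cipher".
    l, r = x >> 64, x & MASK64
    if decrypt:
        for i in (3, 2, 1, 0):
            l, r = r ^ _f(key, i, l), l
    else:
        for i in range(4):
            l, r = r, l ^ _f(key, i, r)
    return (l << 64) | r

def _first(key, x, dec):
    # Apply the cipher in place to the first (top) 128 of the 133 bits.
    return (prp128(key, x >> 5, dec) << 5) | (x & 31)

def _last(key, x, dec):
    # Apply the cipher in place to the last (low) 128 of the 133 bits.
    return (x >> 128 << 128) | prp128(key, x & MASK128, dec)

def encrypt133(key, x, steps=3):
    x = _last(key, _first(key, x, False), False)
    return _first(key, x, False) if steps == 3 else x

def decrypt133(key, y, steps=3):
    # Undo the steps in reverse order.
    if steps == 3:
        y = _first(key, y, True)
    return _first(key, _last(key, y, True), True)

def unchanged_tail_count(steps, trials=200, seed=1):
    # Flip one of the first 5 ciphertext bits and count how often the last
    # 5 plaintext bits come out identical after decryption.
    rng, key, same = random.Random(seed), b"constructed demo key", 0
    for _ in range(trials):
        c = rng.getrandbits(133)
        tweaked = c ^ (1 << (128 + rng.randrange(5)))
        same += (decrypt133(key, c, steps) & 31) == (decrypt133(key, tweaked, steps) & 31)
    return same

if __name__ == "__main__":
    print("two steps:", unchanged_tail_count(2), "of 200 unchanged")
    print("three steps:", unchanged_tail_count(3), "of 200 unchanged")
```

With two steps the tail is unchanged in every trial, because the first 5 ciphertext bits never enter the decryption of the last 128 bits; with the third step the tail matches only by chance, roughly once in 32 trials.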
