Re: [Cfrg] Encrypt in place guidance

[Robert Moskowitz <rgm-sec@htt-consult.com>]

On 4/1/20 9:36 AM, Leo Perrin wrote:
>> So I am looking for both a 64 bit and 96 bit block cipher.  I figured
>> out that if there is no 96 bit, I can do this by first encrypting the
>> 1st 64 bits and then the last 64 bits.  The middle 32bits are double
>> encrypted, but I not seeing that as a problem. But then I am not a
>> cryptographer, only a crypto-plumber.
> I would advise you *not* to do this: this effectively creates a 96-bit block cipher with at least one significant flaw.

This is why I know to ask on this list.

> Suppose that your plaintext is (A,B,C), where each word is 32-bit long, and that you use a block cipher E_k operating on 64 bits. Then you would first obtain (W,X) = E_k(A,B), and then (Y,Z) = E_k(X,C), so that the encryption of (A,B,C) is (W,Y,Z). The problem with this approach is that W does not depend on C. A similar behaviour exists for decryption (C does not depend on W). As a consequence, this 96-bit block cipher does not provide full diffusion!

Ah.

> It is better to use a dedicated 96-bit block cipher. There are not many of them but they exist:
> - BKSQ, from the AES designers (essentially a 96-bit AES);
> - SEA,
> - EPCBC.
> The references for these are in our survey.

Good.  Thanks for the pointers.

> If you really need to turn a 64-bit block cipher into a 96-bit one, then you would need to do at least 3 iterations of the 64-bit cipher instead of 2 as you suggested:
>
> (A, B, C) ---(E_k, Id)---> (W, X, C)
> (W, X, C) ---(Id, E_k)---> (W, Y, Z)
> (W, Y, Z) ---(E_k, Id)---> (T, U, Z)
>
> Still: from a security stand-point, I would much prefer a dedicated 96-bit cipher if I were in your position.

I would also prefer a real 96 bit cipher than tricking a 64 bit to do 
the job, but it is good to know the proper construct.

Thanks

Bob

> Cheers,
>
> /Léo
>
>