Re: [Cfrg] Encrypt in place guidance

Leo Perrin <leo.perrin@inria.fr> Wed, 01 April 2020 13:37 UTC

Return-Path: <leo.perrin@inria.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A069D3A0F4F for <cfrg@ietfa.amsl.com>; Wed, 1 Apr 2020 06:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8gLIrRy4gBb for <cfrg@ietfa.amsl.com>; Wed, 1 Apr 2020 06:37:22 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 395A63A0F26 for <cfrg@ietf.org>; Wed, 1 Apr 2020 06:37:13 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.72,331,1580770800"; d="scan'208";a="344595634"
X-MGA-submission: =?us-ascii?q?MDFjAMikit74Ee6eH1FTZQbU0JYZQB6sHjCxT3?= =?us-ascii?q?A3zk1pXyUIbCFP90TqwX7SWTtfY7BcQ2FeAuJnhy6p7YDZL7KIA5+Fns?= =?us-ascii?q?UA39ilpOmfveOrlUxhyYLSuG3T5OJuYmdsakBgB9+ImvIvmI+Fi4cgHB?= =?us-ascii?q?vMYkLN50fOQ5u3vLXkhYsx6g=3D=3D?=
Received: from zcs-store2.inria.fr ([128.93.142.29]) by mail3-relais-sop.national.inria.fr with ESMTP; 01 Apr 2020 15:36:32 +0200
Date: Wed, 1 Apr 2020 15:36:32 +0200 (CEST)
From: Leo Perrin <leo.perrin@inria.fr>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, cfrg <cfrg@ietf.org>
Message-ID: <2035303591.24133736.1585748191997.JavaMail.zimbra@inria.fr>
In-Reply-To: <96a4b21c-2ba2-ac2f-e84d-9a13a5c24d69@htt-consult.com>
References: <83571efb-a32f-6a59-a496-de56716f07da@htt-consult.com> <a16dcbe63aa745e482a3f435aa8e0470@blackberry.com> <f5e4c7a3-e039-ec7d-59b7-0c581d9022e6@htt-consult.com> <9ACD4ECA-CFBF-40DC-8CB8-BB7DAEFBB42D@ll.mit.edu> <d4383234-d452-dad8-52dc-dd35dbecbb8a@htt-consult.com> <4d64bcce-7f9e-9ec4-e73b-45e2c57d5de6@cs.tcd.ie> <1938299699.23565911.1585728427697.JavaMail.zimbra@inria.fr> <96a4b21c-2ba2-ac2f-e84d-9a13a5c24d69@htt-consult.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [86.247.178.125]
X-Mailer: Zimbra 8.7.11_GA_3800 (ZimbraWebClient - FF74 (Linux)/8.7.11_GA_3800)
Thread-Topic: Encrypt in place guidance
Thread-Index: 6uC8QK+0BRlpeZ9t2V9abBuI2EuwoA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XQTz-YFLejADQFu6iLCa7tRc_rs>
Subject: Re: [Cfrg] Encrypt in place guidance
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 13:37:25 -0000

> So I am looking for both a 64 bit and 96 bit block cipher.  I figured
> out that if there is no 96 bit, I can do this by first encrypting the
> 1st 64 bits and then the last 64 bits.  The middle 32bits are double
> encrypted, but I not seeing that as a problem. But then I am not a
> cryptographer, only a crypto-plumber.

I would advise you *not* to do this: this effectively creates a 96-bit block cipher with at least one significant flaw.

Suppose that your plaintext is (A,B,C), where each word is 32-bit long, and that you use a block cipher E_k operating on 64 bits. Then you would first obtain (W,X) = E_k(A,B), and then (Y,Z) = E_k(X,C), so that the encryption of (A,B,C) is (W,Y,Z). The problem with this approach is that W does not depend on C. A similar behaviour exists for decryption (C does not depend on W). As a consequence, this 96-bit block cipher does not provide full diffusion!

It is better to use a dedicated 96-bit block cipher. There are not many of them but they exist:
- BKSQ, from the AES designers (essentially a 96-bit AES);
- SEA,
- EPCBC.
The references for these are in our survey.

If you really need to turn a 64-bit block cipher into a 96-bit one, then you would need to do at least 3 iterations of the 64-bit cipher instead of 2 as you suggested:

(A, B, C) ---(E_k, Id)---> (W, X, C)
(W, X, C) ---(Id, E_k)---> (W, Y, Z)
(W, Y, Z) ---(E_k, Id)---> (T, U, Z)

Still: from a security stand-point, I would much prefer a dedicated 96-bit cipher if I were in your position.

Cheers,

/Léo