Re: [Cfrg] Encrypt in place guidance

[Leo Perrin <leo.perrin@inria.fr>]

> So I am looking for both a 64 bit and 96 bit block cipher.  I figured
> out that if there is no 96 bit, I can do this by first encrypting the
> 1st 64 bits and then the last 64 bits.  The middle 32bits are double
> encrypted, but I not seeing that as a problem. But then I am not a
> cryptographer, only a crypto-plumber.

I would advise you *not* to do this: this effectively creates a 96-bit block cipher with at least one significant flaw.

Suppose that your plaintext is (A,B,C), where each word is 32-bit long, and that you use a block cipher E_k operating on 64 bits. Then you would first obtain (W,X) = E_k(A,B), and then (Y,Z) = E_k(X,C), so that the encryption of (A,B,C) is (W,Y,Z). The problem with this approach is that W does not depend on C. A similar behaviour exists for decryption (C does not depend on W). As a consequence, this 96-bit block cipher does not provide full diffusion!

It is better to use a dedicated 96-bit block cipher. There are not many of them but they exist:
- BKSQ, from the AES designers (essentially a 96-bit AES);
- SEA,
- EPCBC.
The references for these are in our survey.

If you really need to turn a 64-bit block cipher into a 96-bit one, then you would need to do at least 3 iterations of the 64-bit cipher instead of 2 as you suggested:

(A, B, C) ---(E_k, Id)---> (W, X, C)
(W, X, C) ---(Id, E_k)---> (W, Y, Z)
(W, Y, Z) ---(E_k, Id)---> (T, U, Z)

Still: from a security stand-point, I would much prefer a dedicated 96-bit cipher if I were in your position.

Cheers,

/Léo