Re: [Cfrg] Encrypt in place guidance

Leo Perrin <> Wed, 01 April 2020 13:37 UTC

Date: Wed, 1 Apr 2020 15:36:32 +0200 (CEST)
From: Leo Perrin <>
To: Robert Moskowitz <>
Cc: Stephen Farrell <>, cfrg <>

> So I am looking for both a 64 bit and 96 bit block cipher.  I figured
> out that if there is no 96 bit, I can do this by first encrypting the
> 1st 64 bits and then the last 64 bits.  The middle 32 bits are double
> encrypted, but I am not seeing that as a problem. But then I am not a
> cryptographer, only a crypto-plumber.

I would advise you *not* to do this: this effectively creates a 96-bit block cipher with at least one significant flaw.

Suppose that your plaintext is (A,B,C), where each word is 32-bit long, and that you use a block cipher E_k operating on 64 bits. Then you would first obtain (W,X) = E_k(A,B), and then (Y,Z) = E_k(X,C), so that the encryption of (A,B,C) is (W,Y,Z). The problem with this approach is that W does not depend on C. A similar behaviour exists for decryption (C does not depend on W). As a consequence, this 96-bit block cipher does not provide full diffusion!

It is better to use a dedicated 96-bit block cipher. There are not many of them but they exist:
- BKSQ, from the AES designers (essentially a 96-bit AES);
- SEA.
The references for these are in our survey.

If you really need to turn a 64-bit block cipher into a 96-bit one, then you would need to do at least 3 iterations of the 64-bit cipher instead of 2 as you suggested:

(A, B, C) ---(E_k, Id)---> (W, X, C)
(W, X, C) ---(Id, E_k)---> (W, Y, Z)
(W, Y, Z) ---(E_k, Id)---> (T, U, Z)

Still: from a security standpoint, I would much prefer a dedicated 96-bit cipher if I were in your position.
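The two constructions discussed in this thread, as an added example that is not part of the original messages: the 64-bit cipher E is a constructed toy Feistel network (SHA-256 round function, not a real cipher), used only to show that in the 2-call variant the first ciphertext word W never changes when C changes, whereas in the 3-call variant it does, and that the 3-call variant still decrypts.

```python
import hashlib

# Toy 64-bit Feistel block cipher on two 32-bit words (constructed for this
# example; it is NOT a real cipher, only something with the right interface).
ROUNDS = 8

def _f(k, x, r):
    """Round function: first 4 bytes of SHA-256(key || round || word)."""
    data = k + bytes([r]) + x.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def E(k, a, b):
    """Encrypt the 64-bit block (a, b) under key k."""
    for r in range(ROUNDS):
        a, b = b, a ^ _f(k, b, r)
    return a, b

def D(k, a, b):
    """Decrypt the 64-bit block (a, b); inverse of E."""
    for r in reversed(range(ROUNDS)):
        a, b = b ^ _f(k, a, r), a
    return a, b

def two_calls(k, a, b, c):
    """The 2-call construction from the quoted message: (A,B,C) -> (W,Y,Z)."""
    w, x = E(k, a, b)
    y, z = E(k, x, c)
    return w, y, z          # w was computed before c was ever looked at

def three_calls(k, a, b, c):
    """The 3-call construction from the reply: (A,B,C) -> (T,U,Z)."""
    w, x = E(k, a, b)       # (A,B,C) ---(E_k, Id)---> (W,X,C)
    y, z = E(k, x, c)       # (W,X,C) ---(Id, E_k)---> (W,Y,Z)
    t, u = E(k, w, y)       # (W,Y,Z) ---(E_k, Id)---> (T,U,Z)
    return t, u, z

def three_calls_dec(k, t, u, z):
    """Undo three_calls by applying D to the same pairs in reverse order."""
    w, y = D(k, t, u)
    x, c = D(k, y, z)
    a, b = D(k, w, x)
    return a, b, c

def first_word_changes_with_c(construct, k, a, b):
    """Does the first 32-bit ciphertext word ever change when only C changes?"""
    base = construct(k, a, b, 0)[0]
    return any(construct(k, a, b, c)[0] != base for c in range(1, 9))
```

With any key, `first_word_changes_with_c(two_calls, ...)` is False by construction, which is exactly the missing diffusion the reply points out.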