Timeline for Some simple questions about tweakable ciphers
Current License: CC BY-SA 4.0
9 events
| when | what | by | license | comment |
|---|---|---|---|---|
| May 23, 2018 at 22:51 | comment added | Future Security | | @RedBook1 This poster seems to have the same misunderstanding I think you had. crypto.stackexchange.com/q/25898/58680 If you still are confused then give some thought to what question you want answered and post a new question. I will do my best to answer there. Maybe your next question is along the lines of "How does an Even-Mansour cipher work" or "What is a pseudorandom permutation". |
| May 23, 2018 at 22:45 | comment added | Future Security | | @RedBook1 It seems part 6 definitely should have been a separate post. An operation that shuffles the order of elements is one type of permutation, but the $P$ in an EM cipher isn't that. This operation may be defined with a small permutation function σ, but it instead does output[σ[i]] = input[i] for bit numbers i in {0, 1, 2, ...}. The $P$ in an EM cipher is a permutation that substitutes an n-bit input with an n-bit output, where n is the number of bits in the plaintext block, ciphertext block, k1, and k2. |
| May 23, 2018 at 17:31 | comment added | Future Security | | $P$ is a pseudorandom permutation (PRP). If you're a programmer, imagine creating an array p of 128-bit unsigned ints. The array is filled with numbers 0 through $2^{128}-1$. You use the Fisher-Yates shuffle algorithm on p. Evaluation of $P(x)$ corresponds to the pseudocode p[x]. In this sense a PRP is like an S-Box. It just isn't possible to store an array that big in real life, so you use an algorithm instead. (Hence the "pseudorandom" part.) The difference between $P$ and $E$ is that $P$ is a permutation known by everyone. $E$ (a block cipher) is a family of PRPs. $E_k$ is one of those PRPs. |
| May 23, 2018 at 8:42 | comment added | Red Book 1 | | Well, that clears up my mistake in thinking $P$ was a bitwise permutation. But I am still not sure what it actually is. In $E = k_1 \oplus P(x \oplus k_2)$, could $P$ be both an s-box and a bitwise permutation working together? Or just an s-box, as I think you suggested? I am not sure what the limitations are on $P$. Clearly it cannot be a bitwise perm, but would you mind giving a couple of actual examples of what it might be and what it cannot be? It seems it is some function that operates on some input but does not need a key. |
| May 22, 2018 at 16:35 | comment added | Future Security | | I would say DES-X should not be classified as tweakable because the purpose is to add security. DES-X is like the XEX mode for block ciphers. You can use XEX either for tweaking or key whitening. Using it for both at the same time is a bad idea. -- Also I think you should avoid actually using DES, DES-X, or XEX. And probably you should avoid using an EM cipher construct directly too. |
| May 22, 2018 at 16:19 | comment added | Future Security | | @RedBook1 Now I see. I may have misinterpreted your two ideas of permutations. If you're thinking of a "bitwise permutation" as in a rearrangement of bits, then no, that's not what $P$ is and it's not secure. It's not the same type of P permutation as in an SPN. (Although the part of the SPN that describes how bits get swapped IS a permutation function on the set of bit indices.) If all P did was shuffle bits then you could recover the key with one or two plain/ciphertext pairs. The P in an EM cipher is more like a 128-bit S-Box than this 3rd (from my perspective, 2nd from yours) kind of permutation. |
| May 22, 2018 at 7:43 | vote accept | Red Book 1 | | |
| May 22, 2018 at 6:34 | comment added | Red Book 1 | | Just to be sure: In the Even-Mansour cipher, $P$ is indeed a random permutation on bits? And does not include substitutions or anything else? And DES-X is a tweakable cipher? |
| May 22, 2018 at 5:13 | history answered | Future Security | CC BY-SA 4.0 | |
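The comments above contrast the two meanings of "permutation" in an Even-Mansour cipher: the public $P$ is a substitution-style permutation of the whole block space (a shuffled lookup table, as the Fisher-Yates description says), not a rearrangement of bit positions. The following toy implementation is an added example written for this timeline, not code from the answer or from any of the commenters. It assumes an 8-bit block so the table fits in memory, a fixed public seed for the shuffle, and a made-up bit-index map σ; the check at the end confirms the structural reason a bit-shuffle $P$ is unacceptable (it is XOR-linear, so $E(x) \oplus E(x')$ no longer depends on the keys at all), which is the weakness the comments refer to.

```python
import random

N_BITS = 8                      # toy block size (assumption; real ciphers use 64/128 bits)
BLOCK_SPACE = 1 << N_BITS


def make_public_permutation(seed: int = 2018) -> list:
    """Build P as a Fisher-Yates shuffle of [0 .. 2^n - 1].

    The seed is public by construction: P is known to everyone and carries
    no secret. (Seed value is an assumption for this example.)
    """
    table = list(range(BLOCK_SPACE))
    rng = random.Random(seed)
    for i in range(len(table) - 1, 0, -1):
        j = rng.randrange(i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def invert(table: list) -> list:
    """Inverse lookup table, so that inv[table[x]] == x."""
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def em_encrypt(x: int, k1: int, k2: int, P: list) -> int:
    """Even-Mansour: E(x) = k1 XOR P(x XOR k2)."""
    return k1 ^ P[x ^ k2]


def em_decrypt(y: int, k1: int, k2: int, P_inv: list) -> int:
    """Inverse: x = P^{-1}(y XOR k1) XOR k2."""
    return P_inv[y ^ k1] ^ k2


def bit_shuffle(x: int, sigma: list) -> int:
    """The *other* kind of permutation: output[sigma[i]] = input[i]."""
    out = 0
    for i, s in enumerate(sigma):
        if (x >> i) & 1:
            out |= 1 << s
    return out


def bit_shuffle_table(sigma: list) -> list:
    """Express a bit shuffle as a block-space table so it can stand in for P."""
    return [bit_shuffle(x, sigma) for x in range(BLOCK_SPACE)]


def is_xor_linear(P: list) -> bool:
    """True if P(a XOR b) == P(a) XOR P(b) for every a, b in the block space.

    A PRP built by shuffling the whole table fails this almost surely; a
    bit shuffle always satisfies it, which is exactly what makes it unusable
    as the P of an EM cipher.
    """
    return all(P[a ^ b] == P[a] ^ P[b]
               for a in range(BLOCK_SPACE) for b in range(BLOCK_SPACE))


# Constructed sample values for the demonstration.
SIGMA = [3, 7, 0, 5, 1, 6, 2, 4]    # hypothetical bit-index map for the weak variant
K1, K2 = 0xA5, 0x3C                 # sample secret keys

if __name__ == "__main__":
    P = make_public_permutation()
    P_inv = invert(P)
    ct = em_encrypt(0x42, K1, K2, P)
    print("PRP-based P:   E(0x42) =", hex(ct), " decrypts to", hex(em_decrypt(ct, K1, K2, P_inv)))
    print("PRP-based P is XOR-linear:", is_xor_linear(P))
    print("bit-shuffle P is XOR-linear:", is_xor_linear(bit_shuffle_table(SIGMA)))
```

The `is_xor_linear` check is the practitioner's test for the distinction the comments draw: the shuffled table gives a proper block-space permutation, while the bit shuffle collapses $E$ into an affine map whose key material is absorbed into a single XOR constant.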