Would this mode of operation be safer?
up vote
1
down vote
favorite
Here the key stream is used as keys for the second level of block cipher encryption.
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
- stream cipher attack, because it isn't just simply XOR-d
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
- Am I correct in the above?
- Are there any more advantages to this architecture?
- Any further disadvantages?
Explanation: I modified the standard CTR mode by replacing the XOR with a full block cipher, which has the Keystream(i) values as keys for encrypting or decrypting the successive blocks of plaintext/ciphertext.
encryption modes-of-operation
edited 5 hours ago
Maarten Bodewes
52.4k676190
asked 5 hours ago
Balazs F
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
1
down vote
favorite
Here the key stream is used as keys for the second level of block cipher encryption.
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
- stream cipher attack, because it isn't just simply XOR-d
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
- Am I correct in the above?
- Are there any more advantages to this architecture?
- Any further disadvantages?
Explanation: I modified the standard CTR mode by replacing the XOR with a full block cipher, which has the Keystream(i) values as keys for encrypting or decrypting the successive blocks of plaintext/ciphertext.
encryption modes-of-operation
edited 5 hours ago
Maarten Bodewes
52.4k676190
asked 5 hours ago
Balazs F
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Malleability isn't something someone using authenticated encryption should be concerned about. Someone who isn't using authenticated encryption is someone you should be concerned about. (Use GCM (GMAC), HMAC, or Poly1305.)
– Future Security
3 hours ago
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
Here the key stream is used as keys for the second level of block cipher encryption.
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
- stream cipher attack, because it isn't just simply XOR-d
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
- Am I correct in the above?
- Are there any more advantages to this architecture?
- Any further disadvantages?
Explanation: I modified the standard CTR mode by replacing the XOR with a full block cipher, which has the Keystream(i) values as keys for encrypting or decrypting the successive blocks of plaintext/ciphertext.
encryption modes-of-operation
edited 5 hours ago
Maarten Bodewes
52.4k676190
asked 5 hours ago
Balazs F
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Here the key stream is used as keys for the second level of block cipher encryption.
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
- stream cipher attack, because it isn't just simply XOR-d
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
- Am I correct in the above?
- Are there any more advantages to this architecture?
- Any further disadvantages?
Explanation: I modified the standard CTR mode by replacing the XOR with a full block cipher, which has the Keystream(i) values as keys for encrypting or decrypting the successive blocks of plaintext/ciphertext.
encryption modes-of-operation
encryption modes-of-operation
edited 5 hours ago
Maarten Bodewes
52.4k676190
asked 5 hours ago
Balazs F
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 5 hours ago
Maarten Bodewes
52.4k676190
asked 5 hours ago
Balazs F
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 5 hours ago
Maarten Bodewes
52.4k676190
edited 5 hours ago
Maarten Bodewes
52.4k676190
edited 5 hours ago
Maarten Bodewes
52.4k676190
52.4k676190
asked 5 hours ago
Balazs F
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 5 hours ago
Balazs F
61
asked 5 hours ago
Balazs F
61
61
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Balazs F is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Malleability isn't something someone using authenticated encryption should be concerned about. Someone who isn't using authenticated encryption is someone you should be concerned about. (Use GCM (GMAC), HMAC, or Poly1305.)
– Future Security
3 hours ago
add a comment |
Malleability isn't something someone using authenticated encryption should be concerned about. Someone who isn't using authenticated encryption is someone you should be concerned about. (Use GCM (GMAC), HMAC, or Poly1305.)
– Future Security
3 hours ago
Malleability isn't something someone using authenticated encryption should be concerned about. Someone who isn't using authenticated encryption is someone you should be concerned about. (Use GCM (GMAC), HMAC, or Poly1305.)
– Future Security
3 hours ago
Malleability isn't something someone using authenticated encryption should be concerned about. Someone who isn't using authenticated encryption is someone you should be concerned about. (Use GCM (GMAC), HMAC, or Poly1305.)
– Future Security
3 hours ago
add a comment |
1 Answer
1
active
oldest
votes
up vote
4
down vote
No the mode would not be more secure (than what?).
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
That's not correct. As the input of a block cipher is always a full block, you would need to pad the plaintext. Therefore you would likely be vulnerable to padding oracle attacks; they are not avoided by the mode itself.
- stream cipher attack, because it isn't just simply XOR-d
Although you would not be vulnerable to a many-time-pad if the nonce is repeated, you would of course still leak information on each block of ciphertext that is identical, at the same location. That's slightly worse than e.g. CBC mode, where a change in plaintext would change all next ciphertext blocks if the IV is ever repeated.
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
It doesn't, it just changes on block of plaintext at the same block offset. You would still be malleable if you would change the entire plaintext by the way (imagine encrypting a single bit, 0 for false or 1 for true!). So you need to expand your ciphertext - usually with an authentication tag - to avoid malleability. This is not a description of an authenticated cipher.
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
Correct. And because you are using a lot of keys, you may run into trouble with regards on how the key space needs to be treated for a specific cipher. You would definitely worry about keys repeating simply due to the birthday paradox.
Are there any more advantages to this architecture?
Not that I see, it adds an additional round that introduces problems, while solving none; counter mode is already considered secure. With double the additional rounds + a key schedule per block it is rather expensive for what it tries to achieve.
Any further disadvantages?
I don't think we need more disadvantages, but I'll show some for learning purposes.
One disadvantage is that your key and block size need to be identical. So using e.g. AES-256 is not possible (even if it would be advisable because you may not want to use a cipher that is vulnerable against related key attacks, even if those are mostly theoretical in nature).
You would lose the pre-computation benefits of counter mode, where you can cache the key stream. You can still do that of course, but the last block encrypt / decrypt can only be performed once the plaintext is available.
answered 5 hours ago
Maarten Bodewes
52.4k676190
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Balazs F is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65909%2fwould-this-mode-of-operation-be-safer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
No the mode would not be more secure (than what?).
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
That's not correct. As the input of a block cipher is always a full block, you would need to pad the plaintext. Therefore you would likely be vulnerable to padding oracle attacks; they are not avoided by the mode itself.
- stream cipher attack, because it isn't just simply XOR-d
Although you would not be vulnerable to a many-time-pad if the nonce is repeated, you would of course still leak information on each block of ciphertext that is identical, at the same location. That's slightly worse than e.g. CBC mode, where a change in plaintext would change all next ciphertext blocks if the IV is ever repeated.
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
It doesn't, it just changes on block of plaintext at the same block offset. You would still be malleable if you would change the entire plaintext by the way (imagine encrypting a single bit, 0 for false or 1 for true!). So you need to expand your ciphertext - usually with an authentication tag - to avoid malleability. This is not a description of an authenticated cipher.
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
Correct. And because you are using a lot of keys, you may run into trouble with regards on how the key space needs to be treated for a specific cipher. You would definitely worry about keys repeating simply due to the birthday paradox.
Are there any more advantages to this architecture?
Not that I see, it adds an additional round that introduces problems, while solving none; counter mode is already considered secure. With double the additional rounds + a key schedule per block it is rather expensive for what it tries to achieve.
Any further disadvantages?
I don't think we need more disadvantages, but I'll show some for learning purposes.
One disadvantage is that your key and block size need to be identical. So using e.g. AES-256 is not possible (even if it would be advisable because you may not want to use a cipher that is vulnerable against related key attacks, even if those are mostly theoretical in nature).
You would lose the pre-computation benefits of counter mode, where you can cache the key stream. You can still do that of course, but the last block encrypt / decrypt can only be performed once the plaintext is available.
answered 5 hours ago
Maarten Bodewes
52.4k676190
add a comment |
up vote
4
down vote
No the mode would not be more secure (than what?).
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
That's not correct. As the input of a block cipher is always a full block, you would need to pad the plaintext. Therefore you would likely be vulnerable to padding oracle attacks; they are not avoided by the mode itself.
- stream cipher attack, because it isn't just simply XOR-d
Although you would not be vulnerable to a many-time-pad if the nonce is repeated, you would of course still leak information on each block of ciphertext that is identical, at the same location. That's slightly worse than e.g. CBC mode, where a change in plaintext would change all next ciphertext blocks if the IV is ever repeated.
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
It doesn't, it just changes on block of plaintext at the same block offset. You would still be malleable if you would change the entire plaintext by the way (imagine encrypting a single bit, 0 for false or 1 for true!). So you need to expand your ciphertext - usually with an authentication tag - to avoid malleability. This is not a description of an authenticated cipher.
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
Correct. And because you are using a lot of keys, you may run into trouble with regards on how the key space needs to be treated for a specific cipher. You would definitely worry about keys repeating simply due to the birthday paradox.
Are there any more advantages to this architecture?
Not that I see, it adds an additional round that introduces problems, while solving none; counter mode is already considered secure. With double the additional rounds + a key schedule per block it is rather expensive for what it tries to achieve.
Any further disadvantages?
I don't think we need more disadvantages, but I'll show some for learning purposes.
One disadvantage is that your key and block size need to be identical. So using e.g. AES-256 is not possible (even if it would be advisable because you may not want to use a cipher that is vulnerable against related key attacks, even if those are mostly theoretical in nature).
You would lose the pre-computation benefits of counter mode, where you can cache the key stream. You can still do that of course, but the last block encrypt / decrypt can only be performed once the plaintext is available.
answered 5 hours ago
Maarten Bodewes
52.4k676190
add a comment |
up vote
4
down vote
up vote
4
down vote
No the mode would not be more secure (than what?).
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
That's not correct. As the input of a block cipher is always a full block, you would need to pad the plaintext. Therefore you would likely be vulnerable to padding oracle attacks; they are not avoided by the mode itself.
- stream cipher attack, because it isn't just simply XOR-d
Although you would not be vulnerable to a many-time-pad if the nonce is repeated, you would of course still leak information on each block of ciphertext that is identical, at the same location. That's slightly worse than e.g. CBC mode, where a change in plaintext would change all next ciphertext blocks if the IV is ever repeated.
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
It doesn't, it just changes on block of plaintext at the same block offset. You would still be malleable if you would change the entire plaintext by the way (imagine encrypting a single bit, 0 for false or 1 for true!). So you need to expand your ciphertext - usually with an authentication tag - to avoid malleability. This is not a description of an authenticated cipher.
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
Correct. And because you are using a lot of keys, you may run into trouble with regards on how the key space needs to be treated for a specific cipher. You would definitely worry about keys repeating simply due to the birthday paradox.
Are there any more advantages to this architecture?
Not that I see, it adds an additional round that introduces problems, while solving none; counter mode is already considered secure. With double the additional rounds + a key schedule per block it is rather expensive for what it tries to achieve.
Any further disadvantages?
I don't think we need more disadvantages, but I'll show some for learning purposes.
One disadvantage is that your key and block size need to be identical. So using e.g. AES-256 is not possible (even if it would be advisable because you may not want to use a cipher that is vulnerable against related key attacks, even if those are mostly theoretical in nature).
You would lose the pre-computation benefits of counter mode, where you can cache the key stream. You can still do that of course, but the last block encrypt / decrypt can only be performed once the plaintext is available.
answered 5 hours ago
Maarten Bodewes
52.4k676190
No the mode would not be more secure (than what?).
I guess this is not vulnerable to:
- padding oracle attack because it is basically counter mode
That's not correct. As the input of a block cipher is always a full block, you would need to pad the plaintext. Therefore you would likely be vulnerable to padding oracle attacks; they are not avoided by the mode itself.
- stream cipher attack, because it isn't just simply XOR-d
Although you would not be vulnerable to a many-time-pad if the nonce is repeated, you would of course still leak information on each block of ciphertext that is identical, at the same location. That's slightly worse than e.g. CBC mode, where a change in plaintext would change all next ciphertext blocks if the IV is ever repeated.
- malleability, because XOR-ing something on the ciphertext changes the entire plaintext
It doesn't, it just changes on block of plaintext at the same block offset. You would still be malleable if you would change the entire plaintext by the way (imagine encrypting a single bit, 0 for false or 1 for true!). So you need to expand your ciphertext - usually with an authentication tag - to avoid malleability. This is not a description of an authenticated cipher.
A significant disadvantage is that it needs a new key expansion for every element of the keystream.
Correct. And because you are using a lot of keys, you may run into trouble with regards on how the key space needs to be treated for a specific cipher. You would definitely worry about keys repeating simply due to the birthday paradox.
Are there any more advantages to this architecture?
Not that I see, it adds an additional round that introduces problems, while solving none; counter mode is already considered secure. With double the additional rounds + a key schedule per block it is rather expensive for what it tries to achieve.
Any further disadvantages?
I don't think we need more disadvantages, but I'll show some for learning purposes.
One disadvantage is that your key and block size need to be identical. So using e.g. AES-256 is not possible (even if it would be advisable because you may not want to use a cipher that is vulnerable against related key attacks, even if those are mostly theoretical in nature).
You would lose the pre-computation benefits of counter mode, where you can cache the key stream. You can still do that of course, but the last block encrypt / decrypt can only be performed once the plaintext is available.
answered 5 hours ago
Maarten Bodewes
52.4k676190
edited 4 hours ago
answered 5 hours ago
Maarten Bodewes
52.4k676190
answered 5 hours ago
Maarten Bodewes
52.4k676190
answered 5 hours ago
Maarten Bodewes
52.4k676190
52.4k676190
add a comment |
add a comment |
Balazs F is a new contributor. Be nice, and check out our Code of Conduct.
Balazs F is a new contributor. Be nice, and check out our Code of Conduct.
Balazs F is a new contributor. Be nice, and check out our Code of Conduct.
Balazs F is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65909%2fwould-this-mode-of-operation-be-safer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Malleability isn't something someone using authenticated encryption should be concerned about. Someone who isn't using authenticated encryption is someone you should be concerned about. (Use GCM (GMAC), HMAC, or Poly1305.)
– Future Security
3 hours ago