Newsgroups: sci.crypt
Path: msuinfo!caen!sdd.hp.com!network.ucsd.edu!qualcom.qualcomm.com!qualcom.qualcomm.com!karn
From: karn@qualcom.qualcomm.com (Phil Karn)
Subject: MD-crypt (was Re: Khufu and Khafre)
Message-ID: <1992Feb29.024020.17352@qualcomm.com>
Sender: news@qualcomm.com
Nntp-Posting-Host: qualcom.qualcomm.com
Reply-To: karn@chicago.qualcomm.com
Organization: Qualcomm, Inc
References: <1992Feb13.231223.8159@cs.aukuni.ac.nz> <1992Feb14.034519.15459@qualcomm.com> <GAFTER.92Feb27182115@sun131.mri.com>
Date: Sat, 29 Feb 1992 02:40:20 GMT
Lines: 78

In article <GAFTER.92Feb27182115@sun131.mri.com>, gafter@mri.com (Neal Gafter) writes:
|> The design should also be subject to some formalism as well.  The
|> quoted paper shows how to go from an assumed secure hash function to a
|> proven secure encryption algorithm.

I agree that some formalism would be useful. But I'll be the first to
admit that I lack the skills to do rigorous formal proofs in this
area.  So some help would be most welcome.

|> This `special case' (chosen plaintext attack) is the usual attack to
|> consider when reasoning about the strength of a cryptosystem.  If (for
|> practical reasons) there is some weaker notion of security that you're
|> striving for, can you define it?

I think I can. If I can show that the basic algorithm, WHEN USED AS
DIRECTED IN A COMPLETE SYSTEM, precludes the opportunity for an
attacker to exercise a chosen plaintext attack, wouldn't that be
sufficient?

I might be able to do this by explicitly specifying that the two-round
MD-5-based algorithm be used only in cipher block chaining mode, and
only when it is properly seeded by a time of day parameter that is
never repeated.  This might thwart any chosen-plaintext attacks
because the same plaintext would never encrypt into the same
ciphertext twice.

|>  Can you then prove this notion of
|> security relative to the assumed strength of the hash function?  The
|> quoted paper proves the strongest common sense of cryptosystem
|> security using four rounds of hashing and shows that two rounds is
|> insufficient.  I think you're on the way to proving some weaker notion
|> using two rounds, but you haven't done it quite yet.

I understand why it's a good idea to be as conservative as possible
when you set about to prove that your basic transformation is secure,
whether or not you believe an actual enemy will have the opportunity
to apply the attacks you're considering.

But you still have to make *some* assumptions.  For example, a chosen-
plaintext attack assumes that although your enemy has access to the
input and output ports of your secret-key cipher and can encrypt as
much test data as he likes, the cipher itself is a black box to him --
the attacker cannot get inside the box and directly read out the key
or the internal data paths. If you can't assume this, then you might
as well give up. No secret-key algorithm could *ever* be secure under
such conditions.

So yes, you've made it quite clear to me that if my "black box"
consists only of the basic element of my cipher (two Feistel rounds
with MD5 as the nonlinear function), then it is not resistant to
chosen-plaintext attack.  In fact, someone with external access to my
"black box" could decrypt any ciphertext that had been encrypted with
the same key, even though it's computationally infeasible to obtain
the keys themselves.

But suppose I now expand my "black box" to include the time seeding
and cipher block chaining mechanisms. It's no longer an electronic
code book that always produces the same 32 bytes of ciphertext given
the same 32 bytes of plaintext and 128 bytes of key.  Now it encrypts
a varying length plaintext message to a (somewhat larger) ciphertext
message, and even if I repeatedly encrypt the same plaintext with the
same key I will never get the same ciphertext twice (well, it's not
very likely until I do it on the order of 2^64 times).

I might well be able to prove this new system is secure even though
the individual components are not, just as 16-round DES is fairly
secure despite the fact that individual rounds of DES are trivially
breakable.

You may well want to quibble with the practicality of my assumptions
(how can I guarantee that the clock is monotonic, etc, how do I know
that someone won't abuse the cipher, etc) but these should be separate
issues from whether the cipher as specified is secure.

Comments?

Phil
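The construction under discussion, as an added illustration that is not Phil Karn's code or any published version of his cipher: a two-round Feistel network over 32-byte blocks with MD5 as the nonlinear function, run once as a plain electronic code book and once inside the larger "black box" of CBC mode with a time-seeded IV that never repeats. The post does not say how the 128-byte key enters MD5; this example assumes the key is split into two 64-byte round subkeys and F_i(x) = MD5(subkey_i || x), and the IV layout (time of day, a counter, random filler) is likewise constructed here. The last function checks the structural reason the quoted paper gives for two rounds being insufficient: the left half of the output is L0 xor F1(R0), so two blocks sharing a right half expose the xor of their left halves no matter what the key is.

```python
# Added illustration (not Phil Karn's code): two-round MD5 Feistel cipher,
# as ECB and as CBC with a never-repeated time-seeded IV.
# Assumptions not stated in the post: 128-byte key split into two 64-byte
# round subkeys; F_i(x) = MD5(subkey_i || x); IV = time || counter || random.
import hashlib
import itertools
import os
import struct
import time

BLOCK = 32            # 32-byte block, as in the post
HALF = BLOCK // 2     # 16 bytes: exactly one MD5 digest
KEY_LEN = 128         # 128-byte key, as in the post


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(subkey, half):
    # Nonlinear round function: MD5 over the round subkey and one half block.
    return hashlib.md5(subkey + half).digest()


def _subkeys(key):
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return key[:64], key[64:]


def encrypt_block(key, block):
    """ECB: two Feistel rounds over one 32-byte block (the 'basic element')."""
    k1, k2 = _subkeys(key)
    l0, r0 = block[:HALF], block[HALF:]
    l1, r1 = r0, _xor(l0, _round(k1, r0))
    l2, r2 = r1, _xor(l1, _round(k2, r1))
    return l2 + r2


def decrypt_block(key, block):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    k1, k2 = _subkeys(key)
    l2, r2 = block[:HALF], block[HALF:]
    r1 = l2
    l1 = _xor(r2, _round(k2, r1))
    r0 = l1
    l0 = _xor(r1, _round(k1, r0))
    return l0 + r0


_counter = itertools.count()


def fresh_iv():
    """Time-of-day seed plus a counter so the IV never repeats within one
    clock tick; the rest is random filler (constructed layout)."""
    return struct.pack(">dQ", time.time(), next(_counter)) + os.urandom(BLOCK - 16)


def _pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, msg, iv=None):
    """The expanded 'black box': returns iv || CBC ciphertext, so the same
    plaintext under the same key yields a different ciphertext each call."""
    iv = fresh_iv() if iv is None else iv
    out, prev = [iv], iv
    padded = _pad(msg)
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, data):
    iv, body = data[:BLOCK], data[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        blk = body[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))


def left_half_leaks(key):
    """Why two rounds alone are insufficient: the left output half equals
    L0 xor F1(R0), so two blocks that share R0 reveal L0 xor L0' in the
    clear regardless of the key.  Returns True when that relation holds."""
    r0 = os.urandom(HALF)
    l0, l0p = os.urandom(HALF), os.urandom(HALF)
    c, cp = encrypt_block(key, l0 + r0), encrypt_block(key, l0p + r0)
    return _xor(c[:HALF], cp[:HALF]) == _xor(l0, l0p)
```

Running `cbc_encrypt` twice on one message with the same key gives two ciphertexts that differ from the first byte onward, which is the property the post relies on, while `encrypt_block` on its own is a fixed function of key and block, and `left_half_leaks` returns True for every key, which is the distinguishing relation that makes the bare two-round element unsuitable as a stand-alone block cipher.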