Question on CFB variant with c[i-N]

Bill Stewart bill.stewart at pobox.com
Tue Dec 23 21:32:28 PST 1997



>>>>>              cfb    Ciphertext feedback mode
>>>>>                     c[i] = f1(K, c[i-1]) ^ p[i]
>>>>>                     p[i] = f1(K, c[i-1]) ^ c[i]

>>Suppose instead of c[i-1] you use c[i-N] where N is say 10.

> Wouldn't the size of your IV have to grow as N grows?

Depends on your threat model; you could use the same IV for all c[i<1].
The main reason to do that sort of interleave is to simplify
parallelizing the hardware for speed while retaining
approximately the same security as regular CFB.

You might have some minor security gain because there's less
correlation between p[i] and p[i-N] than p[i-1],
so it's harder to guess things that might help,
but you might have a minor security loss because you're
only mushing together 1/N as much stuff, and you're
more likely to implement something incorrectly :-)


				Thanks! 
					Bill
Bill Stewart, bill.stewart at pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
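An added illustration of the c[i-N] variant discussed in this thread (example code, not from the poster or any library): f1 is a stand-in keyed function (HMAC-SHA256), not a real block cipher, so the block size is the 32-byte digest length; the key, IV and the N=4 feedback distance are constructed values. It shows the roundtrip, that the variant is exactly N interleaved plain-CFB streams (the parallel-hardware point), the same IV serving every c[i<1] as suggested above, and which plaintext blocks a single flipped ciphertext bit damages (block i and block i+N).

```python
"""CFB with feedback distance N: c[i] = f1(K, c[i-N]) ^ p[i]."""
import hashlib
import hmac

BLOCK = 32                      # digest length of the stand-in f1
N = 4                           # constructed feedback distance (thread suggests ~10)
KEY = b"constructed-demo-key"   # constructed, not a real key
IV = b"\x00" * BLOCK            # one IV reused for every c[i<1], as the post suggests


def f1(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed block function: HMAC-SHA256, not a real block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_n_encrypt(key, iv, plain, n):
    """c[i] = f1(K, c[i-n]) ^ p[i]; the n 'blocks before the stream' are all iv."""
    cipher = []
    for i, p in enumerate(plain):
        prev = cipher[i - n] if i >= n else iv
        cipher.append(xor(f1(key, prev), p))
    return cipher


def cfb_n_decrypt(key, iv, cipher, n):
    """p[i] = f1(K, c[i-n]) ^ c[i]; each keystream block depends only on
    ciphertext already in hand, so all n lanes can run in parallel."""
    plain = []
    for i, c in enumerate(cipher):
        prev = cipher[i - n] if i >= n else iv
        plain.append(xor(f1(key, prev), c))
    return plain


def interleave(lanes, total):
    """Reassemble block i from lane i % n, position i // n."""
    n = len(lanes)
    return [lanes[i % n][i // n] for i in range(total)]


def matches_parallel_cfb(key, iv, plain, n):
    """The c[i-n] variant equals n independent distance-1 CFB streams, lane j
    holding blocks j, j+n, j+2n, ...  This is why it parallelizes in hardware
    and why each lane only 'mushes together' 1/n of the data."""
    lanes = [cfb_n_encrypt(key, iv, plain[j::n], 1) for j in range(n)]
    return interleave(lanes, len(plain)) == cfb_n_encrypt(key, iv, plain, n)


def corrupted_after_flip(key, iv, plain, n, idx):
    """Flip one bit of c[idx] and report which decrypted blocks change.
    As in ordinary CFB the stream resynchronizes, but the damage lands on
    block idx (direct XOR) and block idx+n (whose keystream used c[idx])."""
    cipher = cfb_n_encrypt(key, iv, plain, n)
    damaged = list(cipher)
    damaged[idx] = bytes([damaged[idx][0] ^ 0x01]) + damaged[idx][1:]
    recovered = cfb_n_decrypt(key, iv, damaged, n)
    return {i for i, (a, b) in enumerate(zip(plain, recovered)) if a != b}


PLAIN = [bytes([i]) * BLOCK for i in range(12)]   # constructed sample blocks

if __name__ == "__main__":
    ct = cfb_n_encrypt(KEY, IV, PLAIN, N)
    assert cfb_n_decrypt(KEY, IV, ct, N) == PLAIN
    print("equals N interleaved CFB streams:", matches_parallel_cfb(KEY, IV, PLAIN, N))
    print("blocks damaged by flipping a bit of c[3]:",
          sorted(corrupted_after_flip(KEY, IV, PLAIN, N, 3)))
```

Because the lanes never mix, a bit error in c[3] reaches only p[3] and p[7]; a flip in the last lane position (c[9] here) damages only p[9], since there is no c[13] to carry it further.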

More information about the cypherpunks-legacy mailing list