[86484] in cryptography@c2.net mail archive


Why CBC? What is wrong with n-bit CFB?

daemon@ATHENA.MIT.EDU (Travis H.)
Thu Apr 26 08:47:53 2007

Date: Wed, 25 Apr 2007 23:20:17 -0500
From: "Travis H." <travis+ml-cryptography@subspacefield.org>
To: Cryptography <cryptography@metzdowd.com>
Mail-Followup-To: Cryptography <cryptography@metzdowd.com>



I've always wondered this about the lesser-used modes.  What's special
about CBC?

With CFB in particular, I think 8-bit CFB is stupid (one full block
encryption per byte processed - rather computationally expensive), but
n-bit CFB seems just as useful as CBC, if not more so.  Specifically,
I can start sending bits of C_(i-1) = IV xor P_(i-1) as soon as I
feel like it, even before all of P_(i-1) is in, and it uses the same
number of crypts as CBC, or fewer.  Furthermore, it can be used to encrypt
"in place" like CBC but without any special "ciphertext stealing" or
other processing.  Of course I assume that integrity is handled by a
completely separate mechanism that includes redundancy; anything less
is snake oil.

For that matter, error extension doesn't seem to be an issue to me in
most cases.  Error handling should be done via a separate layer that
adds redundancy to the ciphertext prior to transmission (and can do
error correction, not just detection).  If any error is so bad that it
defeats this layer, I want to know about it (and will find out via yet
another layer, an integrity/authenticity layer); it could also be a
malicious attack, and unless there is bad sunspot or EMP activity the
separation of duties allows me to distinguish between the two.  The
exception I can see is if retransmission or delay is unacceptable and
it is better to get a garbled message than none at all.  This may be
the case with human spies in occupied territory, or perhaps for
emergency messages to a deep space probe, or such.  Still, this is the
Internet age and transmission errors are increasingly handled by the
lower layers.  Is anyone actually doing crypto with plaintext that is
interpreted by humans (so they can detect and deal with garbles) over
radio any more?  Not many among us here I suspect.

That having been said, I can't see much in favor of OFB over CTR mode.
-- 
Kill dash nine, and it's no more CPU time, kill dash nine, and that
process is mine. -><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john@subspacefield.org.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
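A worked version of the s-bit CFB discussed in the post, added here as an illustration and not part of the original message: it counts block-cipher calls for 8-bit versus full-block CFB, shows that a short final segment needs no ciphertext stealing, and measures how far a single flipped ciphertext bit spreads on decryption. It assumes a keyed PRF (HMAC-SHA256 truncated to 16 bytes) standing in for the block cipher, which is enough for illustration because CFB only ever uses the forward direction.

```python
import hmac
import hashlib

BLOCK = 16  # block size b in bytes (AES-sized)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: CFB uses only the forward direction, so a keyed PRF
    of the right width suffices for illustration.  This is HMAC-SHA256
    truncated to one block, not a real block cipher (assumption for the demo)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb(key: bytes, iv: bytes, data: bytes, seg: int, decrypt: bool = False):
    """s-bit CFB with s = 8*seg, per NIST SP 800-38A.
    I_1 = IV; O_j = E_K(I_j); C_j = P_j xor MSB_s(O_j); I_{j+1} = LSB_{b-s}(I_j) || C_j.
    Returns (output, number of block-cipher calls)."""
    assert len(iv) == BLOCK and 1 <= seg <= BLOCK
    reg = iv                      # shift register I_j
    out = bytearray()
    calls = 0
    for i in range(0, len(data), seg):
        chunk = data[i:i + seg]
        keystream = block_encrypt(key, reg)[:len(chunk)]   # MSB_s(O_j)
        calls += 1
        res = bytes(a ^ b for a, b in zip(chunk, keystream))
        c = chunk if decrypt else res                      # ciphertext feeds back
        # A short final segment is just xored with a prefix of O_j: the output
        # stays the same length as the input, with no padding and no
        # ciphertext stealing (the same property lets bytes be emitted as
        # soon as they arrive, since only earlier ciphertext is needed).
        reg = (reg + c)[-BLOCK:]
        out += res
    return bytes(out), calls


def error_spread(seg: int, flip_byte: int, total: int = 64):
    """Flip one ciphertext bit and return the byte offsets of plaintext
    segments that decrypt wrongly: the hit segment (one bit) plus every later
    segment computed while the bad byte still sits in the shift register."""
    key, iv = b"k" * BLOCK, b"i" * BLOCK      # constructed, fixed for repeatability
    pt = bytes(range(total))
    ct, _ = cfb(key, iv, pt, seg)
    bad = bytearray(ct)
    bad[flip_byte] ^= 0x01
    rec, _ = cfb(key, iv, bytes(bad), seg, decrypt=True)
    return [j for j in range(0, total, seg) if rec[j:j + seg] != pt[j:j + seg]]
```

With 8-bit CFB a flipped byte spoils the next 16 segments (one block's worth of register), whereas with full-block CFB it spoils one bit plus one following block, matching the error-extension behaviour the post weighs against a separate integrity layer.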
