Lon Willett

2004-06-17 20:03:03 UTC

I'm hoping some of you crypto gurus can help me: I have some questions

about Ross Anderson's paper "The Dancing Bear - A New Way of Composing

Ciphers" <http://www.cl.cam.ac.uk/ftp/users/rja14/grizzle.pdf>.

I am wondering about the significance of the parameters used in his

definition of a "grizzle":

G_N(M) = Pi(N,M,c(N,M))

where M is the message (plain text), N is a "random nonce", c() is a

checksum, and Pi is a fixed pseudo-random permutation.

First, it seems to me that the "random nonce" (i.e. N) is really a

misnomer. It clearly must be kept secret, and contain sufficient

entropy to be "unguessable", in order for the Jakobsson-Stern-Yung

construction to be secure. This is more "key-like" than "nonce-like",

so perhaps a name like "grizzle key" would be more appropriate. Or

have I misunderstood?

Next, I am unclear on the significance of the "checksum" (i.e. c()).

Its purpose would seem to be solely to provide message integrity. If

so, then it should be a cryptographic checksum of sufficient length

for one's security purposes (e.g. SHA-1 truncated to 80 bits). Or is

there some other significance buried in the proofs?

Finally, it seems then that a grizzle is (more or less) just an

encryption of a message with a random key, which includes the key

modified in a cipher-text dependent fashion. So it could be

implemented somewhat more straightforwardly as:

C = E(K,M),

G_K(M) = (H(C) xor K) || C

where

E(K,M) is the authenticated encryption of message M using key K,

K is a random key of the correct size,

H(C) is a cryptographic checksum of C of the appropriate size,

and "||" is concatenation.

e.g.

E(K,M) is AES-256 encryption of M with key K using EAX mode with

empty header and empty nonce and a 128 bit tag,

H is SHA-256,

K is a randomly chosen 256 bit value.

Or, again, is there something that I don't understand? What does

Anderson's construction accomplish that this doesn't? Is this at

least close to the same (meaning that it might need tweaking to get

the proofs to work out, but roughly does the same thing)?

Thanks.

Lon Willett

about Ross Anderson's paper "The Dancing Bear - A New Way of Composing

Ciphers" <http://www.cl.cam.ac.uk/ftp/users/rja14/grizzle.pdf>.

I am wondering about the significance of the parameters used in his

definition of a "grizzle":

G_N(M) = Pi(N,M,c(N,M))

where M is the message (plain text), N is a "random nonce", c() is a

checksum, and Pi is a fixed pseudo-random permutation.

First, it seems to me that the "random nonce" (i.e. N) is really a

misnomer. It clearly must be kept secret, and contain sufficient

entropy to be "unguessable", in order for the Jakobsson-Stern-Yung

construction to be secure. This is more "key-like" than "nonce-like",

so perhaps a name like "grizzle key" would be more appropriate. Or

have I misunderstood?

Next, I am unclear on the significance of the "checksum" (i.e. c()).

Its purpose would seem to be solely to provide message integrity. If

so, then it should be a cryptographic checksum of sufficient length

for one's security purposes (e.g. SHA-1 truncated to 80 bits). Or is

there some other significance buried in the proofs?

Finally, it seems then that a grizzle is (more or less) just an

encryption of a message with a random key, which includes the key

modified in a cipher-text dependent fashion. So it could be

implemented somewhat more straightforwardly as:

C = E(K,M),

G_K(M) = (H(C) xor K) || C

where

E(K,M) is the authenticated encryption of message M using key K,

K is a random key of the correct size,

H(C) is a cryptographic checksum of C of the appropriate size,

and "||" is concatenation.

e.g.

E(K,M) is AES-256 encryption of M with key K using EAX mode with

empty header and empty nonce and a 128 bit tag,

H is SHA-256,

K is a randomly chosen 256 bit value.

Or, again, is there something that I don't understand? What does

Anderson's construction accomplish that this doesn't? Is this at

least close to the same (meaning that it might need tweaking to get

the proofs to work out, but roughly does the same thing)?

Thanks.

Lon Willett