[EMAIL PROTECTED] wrote:
[...] If you could prove that this dependence is of complexity
comparable to an LRW operation, we were done. -Laszlo
Understanding what is meant by "complexity comparable to an LRW operation"
is pretty much what I'm seeking.
Don said:
> (PS - Where do I get a copy of the manual of standard notation so
> that I can write these equations with "normal" speak?)
Well, there isn't really "normal" speak here. A notion of security is
considered "standard" after it has been around for a while and people
feel that they know what it means. More often than not there is a good
correlation between "mathematically clean" notions and ones that turn out
to be useful against practical attacks (but there is no 1-1 correspondence).
The "tweakable cipher" notion was proposed some 4-5 years ago and discussed
quite extensively since then. What it says is that this construct should
look as if we are using a block cipher such that different tweak values
employ different keys. The mathematical definition essentially says that
there is no feasible algorithm that can distinguish the two cases.
I would like to come up with a similar mathematical definition for the
ciphertext-stealing construction.
Colin Sinclair wrote:
>>>The ciphertext-stealing construction above clearly does not have this
>>>property (since C_I does not depend on P_{I+1}).
>
> Why should it? All the earlier C_n blocks in the sector only have
> a dependency on their corresponding plaintext block P_n, and nothing else.
> So why should the requirement for C_I be any different?
Colin, the point is to understand what security is offered before we can
start asking if it is sufficient or not. For LRW this is simple (enough).
For the extended mode it gets a bit more tricky.
-- Shai