Prev: Q: Kerchhoffs' principle
Next: Pi Computation Record
From: Daniel Otte on 4 Jan 2010 20:58
Hi all,
I have a small question which I could not satisfiable answer myself:
Is it secure to use the decryption algorithm of a secure cipher for encryption
and using the encryption algorithm for decryption?
As this may be dependent on the cipher choosen, I would prefer to talk about AES
(I'm only talking about symmetric ciphers, the asymmetric stuff is quite another
thing)

The reason for considering this use is simple:
1) most cipher are optimized for fast encryption, but data is often encrypted
only once but decrypted multiple times
2) in the case of AES the code for encryption is smaller than for decryption as
you need the forward S-box for the key-schedule and the reverse S-box for the
actual decryption while encrypting onl uses the forward S-box. (in my
application this 256 bytes really matter)

best regards,
Daniel Otte
From: Joseph Ashwood on 4 Jan 2010 21:28
"Daniel Otte" <daniel.otte(a)rub.de> wrote in message
news:7qfkv4F2hdU1(a)mid.dfncis.de...
> Hi all,
> I have a small question which I could not satisfiable answer myself:
> Is it secure to use the decryption algorithm of a secure cipher for
> encryption
> and using the encryption algorithm for decryption?
> As this may be dependent on the cipher choosen, I would prefer to talk
> about AES
> (I'm only talking about symmetric ciphers, the asymmetric stuff is quite
> another
> thing)

In the case of AES it is believed to be equivalent.

> The reason for considering this use is simple:
> 1) most cipher are optimized for fast encryption, but data is often
> encrypted
> only once but decrypted multiple times
> 2) in the case of AES the code for encryption is smaller than for
> decryption as
> you need the forward S-box for the key-schedule and the reverse S-box for
> the
> actual decryption while encrypting onl uses the forward S-box. (in my
> application this 256 bytes really matter)

Use CCM mode, you only need the encryption code, problem solved.
Joe

From: rossum on 5 Jan 2010 08:44
On Mon, 4 Jan 2010 18:28:49 -0800, "Joseph Ashwood" <ashwood(a)msn.com>
wrote:

>"Daniel Otte" <daniel.otte(a)rub.de> wrote in message
>news:7qfkv4F2hdU1(a)mid.dfncis.de...
>> Hi all,
>> I have a small question which I could not satisfiable answer myself:
>> Is it secure to use the decryption algorithm of a secure cipher for
>> encryption
>> and using the encryption algorithm for decryption?
>> As this may be dependent on the cipher choosen, I would prefer to talk
>> about AES
>> (I'm only talking about symmetric ciphers, the asymmetric stuff is quite
>> another
>> thing)
>
>In the case of AES it is believed to be equivalent.
>
>> The reason for considering this use is simple:
>> 1) most cipher are optimized for fast encryption, but data is often
>> encrypted
>> only once but decrypted multiple times
>> 2) in the case of AES the code for encryption is smaller than for
>> decryption as
>> you need the forward S-box for the key-schedule and the reverse S-box for
>> the
>> actual decryption while encrypting onl uses the forward S-box. (in my
>> application this 256 bytes really matter)
>
>Use CCM mode, you only need the encryption code, problem solved.
> Joe
Or plain CTR mode if you do not need the MAC included in CCM mode.
You would need to be very sure that a MAC was not needed though.

rossum

 | 
Pages: 1
Prev: Q: Kerchhoffs' principle
Next: Pi Computation Record