Score:1

Two-way encryption algorithms similar to bcrypt

za flag

I'm in need of an algorithm that can perform a very specific task: take a short string, encrypt it using an algorithm which can be scaled to keep up with Moore's Law/has a proof-of-work factor/is unusually slow, and then, later, decrypt it at the same time cost.

The use case is a list of email addresses being stored for a mailing list by a security-conscious client, to be decrypted one at a time for each email; the goal is to make brute-forcing as time-consuming as possible. I've looked into some of the likely candidates (AES-256, mcrypt, twofish, scrypt), but it's unclear which would be best suited.

kelalaka avatar
in flag
Go for AES-256-GCM or xChaCha20-Poly1305.
poncho avatar
my flag
"decrypt it at the same time cost"; do you mean "the same time cost as encryption"? Or, do you mean "at a time cost which is the same independent of the encryption cost factor"?
poncho avatar
my flag
@kelalaka: how does AES-GCM or ChaCha have a "proof of work" factor?
kelalaka avatar
in flag
@poncho I don't think that the OP really wants slow encryption, rather `the goal is to make brute-forcing as time-consuming as possible.` 256-bit encryption is enough with a good password and a PBKDF. AES-GCM or ChaCha doesn't have proof of work factor and they don't need, too.
kelalaka avatar
in flag
Note that, [scrypt is a password-based key derivation function created by Colin Percival,](https://en.wikipedia.org/wiki/Scrypt). Do you actually want a slow PBKDF and a fast encryption that is secure enough bruteforce?
kr flag
*bcrypt* is hashing algorithm, not encryption algorithm.
kelalaka avatar
in flag
You can [edit](https://crypto.stackexchange.com/posts/95643/edit) your question to clarify, and you can comment under your question and answers for that without any reputation limit.
Maarten Bodewes avatar
in flag
Please everybody, focus on the (auto?-) increasing work factor. Personally, I would probably opt for a PBKDF such as one of the Argon2, PBKDF2 or bcrypt configs and then increase the iteration count each year or so, and use the resulting key to wrap the actual fully random encryption key. I know that that is manual, but algorithms / algorithm output by themselves don't have a time component. As kelalaka mentioned, if your password / key size has enough randomness then you don't need to worry about the KDF at all, so there's that.
ph flag
I'm not sold on the necessity of adding a work factor to brute-forcing a 256-bit key space. I think the threat model hasn't been fully thought out.
cn flag
Tbh, I also think the threat model here is not clear. Make brute force harder for whom? Someone with no keys? -> kinda useless. Someone with the stored keys and the encrypted valuese? That attacker doesn't care about that work factor. The fact someone mentions Moore's law as scaling factor for brute force indicates, we are not talking about usual minimum assumptions in cryptography, e.g. "before the heat death of the universe" or similar.
Maarten Bodewes avatar
in flag
I'd always use asymmetric encryption for something like this. You can always encrypt with a public key. The private key can be kept more secure, and possibly be protected by a password or stored on a smart card or something.
Score:0
ru flag

For what you hope to do, the choice of block cipher is probably not as important as the mode of operation. What you need is a mode of operation where both encryption and decryption are non-parallelisable and then to iterate a number of times that is troublesome, but not infeasible.

My recommendation is to use Output Feedback (OFB) mode. Generate a unique Initial Value; feed this into the (e.g.) AES block cipher; then feed the output back into the cipher and repeat, say, $2^{35}$ times depending on exactly how much time you want to require of the client. Then XOR future outputs onto the e-mail address. The encryption/decryption time will decrease with Moore's law, but there is no benefit in buying more hardware.

Now, after decrypting once, the client could simply save off the last output value prior to XORing, but equally they could save off the address once decrypted.

Another option would be to use Propagating Cipher-Block Chaining (PCBC) mode, but this would involve the generation of as many unguessable inputs as the number of iterations which feels unnecessary.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.