Score:8

Would an encryption-only block cipher be useful at all?


I recently implemented the AES block cipher, encryption side only, to be used in QUIC parsing (QUIC uses GCM mode). There are other modes than GCM that use only encryption: for example CTR, OFB, and CFB.

When implementing the AES cipher encryption side, it occurred to me that everything done there has to be reversible, so the bit-mixing operations you do can't be arbitrary: they have to be carefully constructed in such a manner that you can implement the decryption side.

Would it make any sense to design an irreversible block cipher where the encryption side wouldn't be reversible (and thus you can't implement decryption), to be used only in GCM, CTR, OFB, and CFB modes? Would it be less or more secure than reversible block ciphers?

I can imagine at least one benefit of such an irreversible block cipher: it could maybe mix bits more thoroughly than a reversible block cipher.

However, there might be some drawbacks too: if the cipher is irreversible, it's possible two different inputs with the same key could result in the same output. However, an attacker without possession of the key probably can't guess which inputs would result in the same output.

Would such a cipher make any sense at all? Are there such irreversible encryption-only block ciphers?

A stream cipher could be thought of as such an irreversible system, but you can't usually quickly decrypt a block in the middle of a long ciphertext without running the cipher from the start to that point if using a true stream cipher. However, with CTR and irreversible encryption-only block cipher, you could do such quick access.
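
The random-access property asked about above, shown with an encryption-only primitive in CTR mode. This is an added example, not code from the question or from any QUIC implementation: HMAC-SHA256 stands in for the "irreversible block cipher" (it is a PRF, nothing ever inverts it), the key, MAC key, nonce and plaintext are constructed sample values, and the encrypt-then-MAC tag is included because CTR alone gives no integrity, so the random-access decryptor refuses to touch any block until the whole ciphertext has been authenticated.

```python
import hashlib
import hmac

BLOCK = 32  # one keystream block = one HMAC-SHA256 output (32 bytes)

# Constructed sample values for the demonstration (not from the thread).
KEY = b"k" * 32          # key for the keystream PRF
MAC_KEY = b"m" * 32      # separate key for the authentication tag
NONCE = b"\x00" * 8      # must never repeat under the same KEY
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 3  # 135 bytes, 5 blocks


def prf_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream block i = PRF_key(nonce || i).

    HMAC-SHA256 is used here as the encryption-only primitive: it is a PRF,
    not a permutation, and no step below ever needs to invert it.
    """
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_xor(key: bytes, nonce: bytes, data: bytes, first_block: int = 0) -> bytes:
    """CTR mode: XOR `data` with the keystream starting at block `first_block`.

    Encryption and decryption are the same function, which is exactly why the
    primitive never needs a decryption direction.
    """
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        keystream = prf_block(key, nonce, first_block + offset // BLOCK)
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, keystream))  # zip truncates to the chunk length
    return bytes(out)


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over nonce || ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def encrypt(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    ciphertext = ctr_xor(key, nonce, plaintext)
    return ciphertext, tag(mac_key, nonce, ciphertext)


def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, received_tag: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag)


def decrypt_block(key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes,
                  received_tag: bytes, index: int):
    """Random access: recompute only keystream block `index`.

    The whole ciphertext is authenticated first; on a tag mismatch nothing is
    decrypted and None is returned.
    """
    if not verify(mac_key, nonce, ciphertext, received_tag):
        return None
    start = index * BLOCK
    return ctr_xor(key, nonce, ciphertext[start:start + BLOCK], first_block=index)


if __name__ == "__main__":
    ct, t = encrypt(KEY, MAC_KEY, NONCE, PLAINTEXT)
    print("block 2 :", decrypt_block(KEY, MAC_KEY, NONCE, ct, t, 2))
    damaged = bytes([ct[0] ^ 1]) + ct[1:]
    print("tampered:", decrypt_block(KEY, MAC_KEY, NONCE, damaged, t, 0))
```

Decrypting block 2 costs one PRF call regardless of message length, which is the advantage over a stream cipher that has to be run from the start. The cost of using a PRF instead of a PRP is that nonce reuse leaks the XOR of plaintexts exactly as in any CTR construction, so the nonce discipline matters as much as the primitive.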

boatcoder:
I think we call this hashing (from a use standpoint)
Score:11

Would it make any sense to design an irreversible block cipher where the encryption side wouldn't be reversible (and thus you can't implement decryption),

A block cipher is a synonym for a Pseudo-Random Permutation (PRP); therefore a non-reversible block cipher is not a block cipher as we know it. It would be a Pseudo-Random Function (PRF).

Would it be less or more secure than reversible block ciphers?

While AES as a block cipher resisted attacks for more than 20 years, we have ChaCha20 as a PRF candidate using CTR mode which has resisted attacks since 2008. It is faster than AES in software and has zero cost of key schedule!

it's possible two different inputs with the same key could result in the same output.

Good luck with this collision: ChaCha20 has 512-bit output so you need $2^{256}$ random encryptions to see one with 50% probability (see birthday attack).

Would such a cipher make any sense at all? Are there such irreversible encryption-only block ciphers?

Yes; ChaCha20 is the best candidate to show that this makes sense. And any PRF can be used in CTR mode for encryption.

However, with CTR and an irreversible encryption-only block cipher, you could do such quick access.

Well, yes and no. In this age, we don't advise relying on IND-CPA security, which is all the classical modes can achieve. To go beyond it one needs authenticated encryption such as AES-GCM and ChaCha20-Poly1305. To have authentication one needs a tag, and before the tag verification one should not decrypt or use any part of the ciphertext. If there is a tag error, HALT!

(Title) Would an encryption-only block cipher be useful at all?

As we see, it is no longer a block cipher. There are some benefits:

  • No padding oracles if CTR mode or similar is used.
  • There may be no need for a key schedule as in ChaCha.
  • No need for a separate decryption circuit; that makes it easy to securely implement and audit.
  • Using a PRP in CTR mode has a long message distinguisher that restricts the number of encryption blocks due to the PRP-PRF switching lemma. We don't have that with PRFs.
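
The last bullet, the PRP-PRF switching lemma and the birthday figure given earlier in the answer, as an added example that is not part of the answer or of any library: an ideal permutation and an ideal function on a 16-bit domain are both queried on distinct inputs, and the number of repeated outputs is counted. The seed, domain size and query count are constructed choices; the permutation is what a block cipher looks like to a distinguisher, the function is what a PRF looks like.

```python
import random


def count_collisions(outputs) -> int:
    """Number of repeated outputs among the queries (q minus distinct values)."""
    return len(outputs) - len(set(outputs))


def random_permutation_outputs(n_bits: int, q: int, seed: int):
    """Ideal PRP on n_bits: a uniformly random permutation, queried on q distinct inputs."""
    n = 1 << n_bits
    rng = random.Random(seed)
    table = list(range(n))
    rng.shuffle(table)            # a bijection: distinct inputs can never collide
    return [table[x] for x in range(q)]


def random_function_outputs(n_bits: int, q: int, seed: int):
    """Ideal PRF on n_bits: every distinct input gets an independent uniform output."""
    n = 1 << n_bits
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(q)]


def expected_collisions(n_bits: int, q: int) -> float:
    """Birthday estimate: q(q-1)/2 input pairs, each colliding with probability 2^-n.

    This is the q^2 / 2^(n+1) term that the PRP-PRF switching lemma charges
    when a permutation is used where a random function was assumed.
    """
    return q * (q - 1) / (2 * (1 << n_bits))


def guess_object(outputs) -> str:
    """The 'long message distinguisher': a single collision rules out a permutation."""
    return "PRF" if count_collisions(outputs) > 0 else "PRP (or a PRF that got lucky)"


if __name__ == "__main__":
    q = 1024  # 2^10 queries against a 2^16 domain (constructed sizes)
    prp = random_permutation_outputs(16, q, seed=1)
    prf = random_function_outputs(16, q, seed=1)
    print("expected collisions for a random function:", expected_collisions(16, q))
    print("permutation:", count_collisions(prp), "->", guess_object(prp))
    print("function   :", count_collisions(prf), "->", guess_object(prf))
    # ChaCha20's 512-bit output: about half a collision expected after 2^256 blocks.
    print("512-bit PRF, 2^256 queries:", expected_collisions(512, 2 ** 256))
```

The permutation always reports zero collisions, the function reports about eight, and that gap is exactly the advantage the switching lemma bounds; scaled to a 512-bit output the same formula gives roughly half a collision after 2^256 blocks, which is why the collision concern raised in the question is not a practical one for ChaCha20.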
Marc Ilunga:
Much of “Permutation based cryptography” relies on having an efficient forward direction and not caring too much about the “reverse” direction. Though it is still not impossible, we can conceive permutation based schemes where we don't really need to compute the reverse.
kelalaka:
Permutation-based cryptography is still in the PRP domain whether or not it has an efficient inverse. Whether the inverse is hard to compute or simply never computed doesn't matter; they are PRPs.
juhist:
Oh, I didn't know that they are called PRF and that ChaCha20 is actually such a PRF. I thought ChaCha20 was a traditional stream cipher with no possibility of random access. Seems I was wrong.
fgrieu:
This answer is about block ciphers that for (most) fixed keys are not a bijection because it's expected there exist colliding inputs. There's another kind we might consider: block ciphers that for a known fixed key are a bijection, efficiently computable in the forward (encryption) direction, but not in the other direction. That latter kind is hard to construct for moderately large input. See [this](https://crypto.stackexchange.com/q/14338/555).