
Re: paper comment

On Tue, 7 May 2002, George Danezis wrote:

> I am not sure where the reply is but I am happy to repeat it here. The
> attack on BEAR as presented on the paper you mention is really an attack
> on the key schedule. Ross divided the key into 2 parts and used one in the
> first round and the other in the third round. It is obvious that one only
> needs to know half the key to decrypt most of the message. By using the
> same key in both 1st and 3rd the problem is resolved.

From this and Roger's other comment, I gather this means you're
specifying a variant of BEAR instead of what was in the original paper?
Now that I look again, I do see that using the same key in 1st and 3rd
rounds is mentioned in passing. I would suggest making a slightly bigger
deal about this up front.

> An additional property (the one we are really after) is:
> - Modifying the ciphertext, without knowing the key, will result in all the
> plaintext being random after decryption. (Random from the point of view
> that there is no correlation between the change and any bit in the
> output).

OK. This sounds like a stronger property than AONT alone, but maybe it is
not. An AONT guarantees that you learn nothing about the original
plaintext if you don't have all the correct ciphertext bits.

-David
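To make the two points in this exchange concrete (the split key schedule leaking the right half to someone who holds only the round-3 key, and the same-key variant turning any ciphertext modification into a fully randomised plaintext), here is an added toy model of BEAR's three-round unbalanced Feistel structure. It is example code written for this note, not the paper's or the list's own code; HMAC-SHA256 standing in for the keyed hash H and SHA-256 in counter mode standing in for the stream cipher S are assumptions, as are all keys and messages, which are constructed.

```python
import hashlib
import hmac

# Assumed stand-ins: HMAC-SHA256 as the keyed hash H, SHA-256 counter mode as S.
def H(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()      # 32-byte L half

def S(seed: bytes, n: int) -> bytes:
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def bear_encrypt(k1, k3, l, r):
    l = xor(l, H(k1, r))        # round 1: keyed hash of R under the round-1 key
    r = xor(r, S(l, len(r)))    # round 2: stream cipher keyed by L
    l = xor(l, H(k3, r))        # round 3: keyed hash of R under the round-3 key
    return l, r

def bear_decrypt(k1, k3, l, r):
    l = xor(l, H(k3, r))
    r = xor(r, S(l, len(r)))
    l = xor(l, H(k1, r))
    return l, r

def right_half_from_k3(k3, l, r):
    """Undo rounds 3 and 2 only: the round-3 key alone already yields R,
    the bulk of the message. With a single key there is no 'half' to hold."""
    l = xor(l, H(k3, r))
    return xor(r, S(l, len(r)))

def bit_diff_fraction(a: bytes, b: bytes) -> float:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def demo():
    l = hashlib.sha256(b"constructed L half").digest()          # 32 bytes
    r = (b"constructed plaintext body " * 4)[:96]              # 96 bytes
    # Split key schedule: round-1 and round-3 keys differ.
    k1, k3 = b"constructed round-1 key", b"constructed round-3 key"
    cl, cr = bear_encrypt(k1, k3, l, r)
    split_leak = right_half_from_k3(k3, cl, cr) == r           # True
    # Same key in rounds 1 and 3: flip one ciphertext bit, decrypt, measure.
    k = b"constructed single key"
    cl, cr = bear_encrypt(k, k, l, r)
    round_trip = bear_decrypt(k, k, cl, cr) == (l, r)
    pl, pr = bear_decrypt(k, k, cl, bytes([cr[0] ^ 0x01]) + cr[1:])
    spread = bit_diff_fraction(l + r, pl + pr)                 # about 0.5
    return split_leak, round_trip, spread
```

A single flipped ciphertext bit changes roughly half of all plaintext bits in both halves, which is the "no correlation between the change and any bit in the output" behaviour described above.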