upvote

points

by adrian_b2 hours ago |
comments
upvoteby cyberax1 hours ago|
[-]
The problem is that AES needs a 128-bit block.

Imagine that you want to obfuscate your order numbers in the database so that customers can't infer the volume of business by checking the order number.

You can use UUIDs, but you also want to keep the numbers short so they can be dictated over the phone. You can use random IDs, but then you need to lock them in the database during the object creation otherwise you might get collisions.

Or perhaps you have a distributed system and want to allocate a bunch of IDs for each node in advance.

RC-5 with its small block size neatly solves this. You can have a strictly increasing database sequence, and then just give out each node a bunch of numbers ("from 100 to 120"), and nodes can then generate IDs based on them. And there can be no collisions with other nodes because symmetric ciphers are obviously bijective.

For these kinds of use-cases performance is not an issue.

reply
upvoteby tptacek1 hours ago|
parent|
[-]
Right, but balanced and unbalanced Feistel networks let you turn the 16-byte AES block into an arbitrarily small PRF.
reply
upvoteby cyberax57 minutes ago|
parent|
[-]
Well, yes. But at this point you're just making a new cipher with AES as the round function. And I think it should be at least as safe as the round function?

I have not checked lately, but is it actually the recommendation for format-preserving encryption?

reply
upvoteby tptacek48 minutes ago|
parent|
[-]
I don't know about "the" recommendation, but it's how NIST standardized it (FF1 and FF3, both Feistel networks) and in the NIST rubric these aren't "new ciphers"; they're "block cipher modes".

I'll say I'm more comfortable using a straightforward FPE block cipher mode with AES than I am repurposing a weaker lightweight cipher to take advantage of its 32-bit block size.

reply