Suppose I encrypt a bytestream using ChaCha20, and then encrypt the resulting ciphertext using AES in ECB mode. How secure is the combination?
Asked
Active
Viewed 231 times
4
-
That is called XE mode, it has good provable security properties – Richie Frame Apr 08 '16 at 01:27
-
@RichieFrame how much stronger than ChaCha20 or AES-CTR seperately? – Demi Apr 08 '16 at 02:16
-
Strong enough that any block cipher modes I have designed in the last few years are either XE or XEX type. You get the parallelization of both modes, but eliminate their weaknesses. You can drop ChaCha to 8 rounds, and use AES-128 for additional performance – Richie Frame Apr 08 '16 at 09:05
-
@RichieFrame Could we (or preferably, you) answer this by pointing out some kind of paper that explaints or mentions the security properties of XE mode? – Maarten Bodewes Apr 08 '16 at 10:16
-
@MaartenBodewes I looked for the reference I was expecting, but only found the one relating to OCB mode. The reference I was expecting was much earlier – Richie Frame Apr 08 '16 at 10:31
-
@RichieFrame and still get 256 bit security with a large margin? – Demi Apr 09 '16 at 02:12
-
@Demetri If it wouldn't then it would be considered broken. The security would probably not be degraded to a practical amount, but that's not required for theoretical attacks. – Maarten Bodewes Apr 09 '16 at 15:07
-
Related: https://crypto.stackexchange.com/questions/2963/is-ecb-mode-secure-if-plaintexts-guaranteed-to-be-unique – forest Jan 13 '19 at 11:06