[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IV sizes for AES candidates

In message <392A357CE6FFD111AC3E00A0C99848B002FE991C@hdsmsx31.hd.intel.com>, "W
alker, Jesse" writes:
>Maybe I'm just slow, but I don't follow your point about the known
>plaintext. Bellare, Killian, and Rogaway's proof of the security of counter
>and CBC modes starts with the assumption that ALL the encrypted data is
>chosen plaintext, not just known plaintext. It seems to me their theorem
>says if you don't trust your block cipher and key in counter mode, you
>shouldn't trust them to any greater extent in CBC mode, and you have
>plausible grounds to trust them even less. What am I missing? You seem to be
>implying there is a proof of some other theorem saying CBC mode is at least
>as secure as counter mode when the plaintext is only known and not chosen,
>or when used with "real" instead of ideal block ciphers, or ...?
>My belief is that Steve's reservations about counter mode are the sorts of
>concerns that a counter mode proposal has to address. I don't understand the
>problem you raise.

I haven't seen the proof, but a lot depends on the assumptions about 
the underlying block cipher.  In particular, one needs to know if the 
cipher is vulnerable to an attack that resembles differential 

CBC mode, even with chosen plaintexts, is quite strong against such 
attacks if cipher produces random-looking output from encryptions.  The 
reason is that this random block is XORed with the next block of chosen 
plaintext before encryption, thus destroying the benefit of the choice.
The exception, of course, is the first block, where the IV is XORed 
with your chosen plaintext.  If the IV is in some sense weak, there may 
be a threat -- again, if the underlying block cipher is weak under 
certain kinds of attacks.  See Biryokov and Kushilevitz's paper from 
CRYPTO '98 for more discussion -- it specifically mentions RFC 1829 as 
bad, and commends the current scheme for IV selection.

Counter mode is, as Ted pointed out, much more suspectible to these 
attacks.  But -- and it's an important "but" -- there is only a problem 
if the underlying cipher is weak.  None of the AES candidates are weak; 
even DES isn't weak in this sense.  But that's against today's variants 
of differential cryptanalysis -- and new ones seem to pop up regularly.

You will find find many prominent cryptographers who aren't worried 
about such attacks, and feel that counter mode is perfectly adequate.
They feel that the proper defense is and should be in the cipher design.  
You will find others who disagree.  In my experience, many of the latter,
though they don't wear trenchcoats and pulled-down hats themselves, 
tend to hang out with folks who do.  I don't know if this is 
significant or not.

Personally, I'm looking forward to the NIST workshop on modes of 
operation in October.  I'll certainly report back to this list on the 
sense of the meeting.

		--Steve Bellovin