Re: IV sizes for AES candidates
In message <392A357CE6FFD111AC3E00A0C99848B002FE991C@hdsmsx31.hd.intel.com>, "Walker, Jesse" writes:
>Maybe I'm just slow, but I don't follow your point about the known
>plaintext. Bellare, Killian, and Rogaway's proof of the security of counter
>and CBC modes starts with the assumption that ALL the encrypted data is
>chosen plaintext, not just known plaintext. It seems to me their theorem
>says if you don't trust your block cipher and key in counter mode, you
>shouldn't trust them to any greater extent in CBC mode, and you have
>plausible grounds to trust them even less. What am I missing? You seem to be
>implying there is a proof of some other theorem saying CBC mode is at least
>as secure as counter mode when the plaintext is only known and not chosen,
>or when used with "real" instead of ideal block ciphers, or ...?
>My belief is that Steve's reservations about counter mode are the sorts of
>concerns that a counter mode proposal has to address. I don't understand the
>problem you raise.

I haven't seen the proof, but a lot depends on the assumptions about
the underlying block cipher. In particular, one needs to know if the
cipher is vulnerable to an attack that resembles differential
CBC mode, even with chosen plaintexts, is quite strong against such
attacks if the cipher produces random-looking output from encryptions. The
reason is that this random block is XORed with the next block of chosen
plaintext before encryption, thus destroying the benefit of the choice.
The exception, of course, is the first block, where the IV is XORed
with your chosen plaintext. If the IV is in some sense weak, there may
be a threat -- again, if the underlying block cipher is weak under
certain kinds of attacks. See Biryukov and Kushilevitz's paper from
CRYPTO '98 for more discussion -- it specifically mentions RFC 1829 as
bad, and commends the current scheme for IV selection.

Counter mode is, as Ted pointed out, much more susceptible to these
attacks. But -- and it's an important "but" -- there is only a problem
if the underlying cipher is weak. None of the AES candidates are weak;
even DES isn't weak in this sense. But that's against today's variants
of differential cryptanalysis -- and new ones seem to pop up regularly.

You will find many prominent cryptographers who aren't worried
about such attacks, and feel that counter mode is perfectly adequate.
They feel that the proper defense is and should be in the cipher design.
You will find others who disagree. In my experience, many of the latter,
though they don't wear trenchcoats and pulled-down hats themselves,
tend to hang out with folks who do. I don't know if this is
significant or not.

Personally, I'm looking forward to the NIST workshop on modes of
operation in October. I'll certainly report back to this list on the
sense of the meeting.
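An added example, not part of the message above, illustrating the point about what reaches the block cipher in counter mode versus CBC mode. The block cipher here is a toy stand-in (a four-round Feistel network built on SHA-256), not AES or any AES candidate, and the key, IVs, nonce and plaintexts are constructed values; the function names are my own. It shows three things: with known plaintext, counter mode hands an analyst exact (input, output) pairs of the block cipher, because the input is the predictable counter block; in CBC mode the difference between two chosen plaintexts survives at the cipher input only in the first block, where just the IV is XORed in; and in later blocks that chosen difference is scrambled by the XOR with the previous ciphertext block, even when the plaintext blocks themselves are identical.

```python
"""Added example (not from the mailing-list thread): what an analyst learns
about block-cipher inputs and outputs in CTR versus CBC mode.
The cipher is a toy 128-bit Feistel stand-in, not AES; all constants are
constructed for the demonstration."""
import hashlib

BLOCK = 16

# Constructed demonstration values (not real keys or IVs).
KEY = b"constructed-key!"          # 16 bytes
IV1 = b"constructed--iv!"          # 16 bytes, a fixed (weak) IV
IV2 = b"another-fixed-iv"          # 16 bytes, a second IV
NONCE = b"nonce-01"                # 8 bytes; counter occupies the other 8
P1 = b"A" * 32                     # two plaintext blocks
P2 = b"B" + b"A" * 31              # differs from P1 only in byte 0 of block 1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function on an 8-byte half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (4-round Feistel). Stand-in only, not AES."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: undo the Feistel rounds in reverse."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes):
    """CBC: the cipher input for block i is P_i XOR C_{i-1} (C_0 = IV).
    Returns (ciphertext, list of actual block-cipher inputs)."""
    inputs, out, prev = [], [], iv
    for i in range(0, len(plaintext), BLOCK):
        x = xor(plaintext[i:i + BLOCK], prev)
        prev = toy_encrypt_block(key, x)
        inputs.append(x)
        out.append(prev)
    return b"".join(out), inputs


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    """CTR: the cipher input for block i is the counter block itself; the
    plaintext only touches the cipher's output. Returns (ciphertext, inputs)."""
    inputs, out = [], []
    for i in range(0, len(plaintext), BLOCK):
        ctr = nonce + (i // BLOCK).to_bytes(8, "big")
        keystream = toy_encrypt_block(key, ctr)
        inputs.append(ctr)
        out.append(xor(plaintext[i:i + BLOCK], keystream))
    return b"".join(out), inputs


def ctr_pairs_from_known_plaintext(nonce: bytes, plaintext: bytes, ciphertext: bytes):
    """Known plaintext alone yields exact (input, output) pairs of E_K in CTR
    mode: input = predictable counter block, output = P_i XOR C_i."""
    pairs = []
    for i in range(0, len(plaintext), BLOCK):
        ctr = nonce + (i // BLOCK).to_bytes(8, "big")
        pairs.append((ctr, xor(plaintext[i:i + BLOCK], ciphertext[i:i + BLOCK])))
    return pairs


def cbc_input_differences(key: bytes, iv_a: bytes, iv_b: bytes, p_a: bytes, p_b: bytes):
    """Per-block XOR difference that actually reaches the block cipher when two
    chosen plaintexts are encrypted in CBC mode under the given IVs."""
    _, in_a = cbc_encrypt(key, iv_a, p_a)
    _, in_b = cbc_encrypt(key, iv_b, p_b)
    return [xor(a, b) for a, b in zip(in_a, in_b)]


if __name__ == "__main__":
    c1, _ = ctr_encrypt(KEY, NONCE, P1)
    for inp, out in ctr_pairs_from_known_plaintext(NONCE, P1, c1):
        print("CTR pair recovered from known plaintext:", inp.hex(), "->", out.hex())
    for label, iv_b in (("same IV", IV1), ("different IV", IV2)):
        diffs = cbc_input_differences(KEY, IV1, iv_b, P1, P2)
        print(f"CBC cipher-input differences ({label}):", [d.hex() for d in diffs])
```

With the same IV for both messages, block 1 of the CBC output shows the chosen one-byte difference unchanged at the cipher input, which is exactly the first-block concern raised above; block 2 shows a full-block, random-looking difference even though the two second plaintext blocks are identical, because C_1 and C'_1 differ. With a fresh IV per message the block-1 difference is also masked by IV XOR IV'. In CTR mode the cipher inputs are the same counter blocks for both messages, and known plaintext reveals E_K(counter) directly.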