Re: Counter Mode Security: Analysis and Recommendations
At 1:13 AM -0500 11/22/02, Uri Blumenthal wrote:
>Stephen Kent wrote:
>> Ted,
>> I concur with your analysis re the storage requirements for this
>> attack, and how daunting they seem. This strikes me as the sort of
>> attack that I would protect against if it cost almost nothing, but as
>> we see, it does have a cost,
>
>Stephen, I'd think that (a) it's worth protecting against this
>kind of attack, and (b) the modification should be not in adding
>key bits or extra rounds - but by adding *some* "salt" to the IV.
>
>Exactly how many bits, where and why - To Be Defined. There's
>work underway to provide a more quantitative analysis (D.McGrew
>can comment on this part better.)
>
We agree that it would be preferable to not use a longer key and
incur the cost of extra rounds. I think Russ has pointed out that if
one uses a salt here, it need not be secret, just unpredictable to an
attacker. But, even this has a cost, since these bits are security
relevant and must be maintained inside the security boundary of the
implementation (e.g., relative to FIPS evaluation). So, the bottom
line question is whether an attack requiring this magnitude of
storage is sufficiently realistic that we wish to incur this sort of
cost to protect against it. It's a value judgement, and we are just
seeing differing perspectives expressed.
Steve
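As an added illustration, not code from this thread or from any of its participants, the following shows the mechanism under discussion: a salt XORed into the counter-mode input block so that the block-cipher inputs are no longer predictable from public data, while the salt itself can be sent in the clear (Russ's point that it need only be unpredictable, not secret). The 16-byte block / 8-byte nonce layout, the sample values, and the use of HMAC-SHA256 as a stand-in for the block cipher (so it runs on the standard library) are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

BLOCK = 16      # block size in bytes (AES-sized counter block); assumed layout
NONCE_LEN = 8   # per-message nonce; the remaining 8 bytes carry the block counter


def counter_block(salt: bytes, nonce: bytes, i: int) -> bytes:
    """Input block for keystream block i: salt XOR (nonce || i).

    With an all-zero salt the input is exactly (nonce || i), which an observer
    can write down ahead of time. A salt that is unpredictable when the key is
    chosen removes that; it does not have to stay secret afterwards.
    """
    assert len(salt) == BLOCK and len(nonce) == NONCE_LEN
    base = nonce + i.to_bytes(BLOCK - NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(base, salt))


def keystream_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher E_K (assumption: HMAC-SHA256 truncated to one
    # block, chosen only so the example runs without an AES library).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_crypt(key: bytes, salt: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode over salted counter blocks; encrypt and decrypt are the same."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, counter_block(salt, nonce, i // BLOCK))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def observer_can_predict_inputs(salt: bytes, nonce: bytes, n: int) -> bool:
    """True when every cipher input for blocks 0..n-1 equals the salt-free
    value (nonce || i), i.e. is fully determined by public data."""
    return all(
        counter_block(salt, nonce, i) == nonce + i.to_bytes(BLOCK - NONCE_LEN, "big")
        for i in range(n)
    )


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    nonce = bytes.fromhex("0011223344556677")      # constructed sample nonce
    salt = secrets.token_bytes(BLOCK)              # public, but unpredictable
    msg = b"counter mode salt example, constructed sample message"
    ct = ctr_crypt(key, salt, nonce, msg)
    assert ctr_crypt(key, salt, nonce, ct) == msg  # receiver only needs the salt
    print("unsalted inputs predictable:", observer_can_predict_inputs(bytes(BLOCK), nonce, 4))
    print("salted inputs predictable:  ", observer_can_predict_inputs(salt, nonce, 4))
```

The cost the reply mentions is visible here too: the salt is an extra security-relevant input that the implementation must generate and carry alongside the key, even though it is not confidential.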