
Re: Counter Mode Security: Analysis and Recommendations



At 1:13 AM -0500 11/22/02, Uri Blumenthal wrote:
>Stephen Kent wrote:
>>  Ted,
>>  I concur with your analysis re the storage requirements for this
>>  attack, and how daunting they seem. This strikes me as the sort of
>>  attack that I would protect against if it cost almost nothing, but as
>>  we see, it does have a cost,
>
>Stephen, I'd think that (a) it's worth protecting against this
>kind of attack, and (b) the modification should be not in adding
>key bits or extra rounds -  but by adding *some* "salt" to the IV.
>
>Exactly how many bits, where and why - To Be Defined. There's
>work underway to provide a more quantitative analysis (D.McGrew
>can comment on this part better.)
>

We agree that it would be preferable to not use a longer key and 
incur the cost of extra rounds. I think Russ has pointed out that if 
one uses a salt here, it need not be secret, just unpredictable to an 
attacker. But, even this has a cost, since these bits are security 
relevant and must be maintained inside the security boundary of the 
implementation (e.g., relative to FIPS evaluation).  So, the bottom 
line question is whether an attack requiring this magnitude of 
storage is sufficiently realistic that we wish to incur this sort of 
cost to protect against it.  It's a value judgement, and we are just 
seeing differing perspectives expressed.

Steve
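The storage trade-off the thread argues about, as an added toy example that is not part of the message or of any cited analysis: an attacker precomputes E_K(counter block) for every key under one guessed, predictable counter block and then recovers a key with a single table lookup against one observed keystream block. It assumes the salt || IV || block-counter layout used for AES-CTR in ESP (RFC 3686) and shrinks the key space to the last 16 bits of the AES key so the table fits in memory; the salt value in main is a constructed stand-in for a per-association random salt.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Counter block as in RFC 3686: 4-byte salt || 8-byte IV || 4-byte block counter.
func counterBlock(salt uint32, iv uint64, ctr uint32) [16]byte {
	var b [16]byte
	binary.BigEndian.PutUint32(b[0:4], salt)
	binary.BigEndian.PutUint64(b[4:12], iv)
	binary.BigEndian.PutUint32(b[12:16], ctr)
	return b
}

// toyKey: a 128-bit AES key of which only the last 16 bits vary.
// Demo assumption: a 2^16 key space stands in for the real 2^128 one.
func toyKey(k uint16) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint16(key[14:], k)
	return key
}

// keystreamBlock returns E_K(block), the CTR keystream for that counter value.
func keystreamBlock(key []byte, block [16]byte) [16]byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var out [16]byte
	c.Encrypt(out[:], block[:])
	return out
}

// precompute is the storage being debated, scaled down: E_K(block) for every
// toy key under one guessed counter block, indexed by output.
func precompute(block [16]byte) map[[16]byte]uint16 {
	t := make(map[[16]byte]uint16, 1<<16)
	for k := 0; k < 1<<16; k++ {
		t[keystreamBlock(toyKey(uint16(k)), block)] = uint16(k)
	}
	return t
}

// lookup matches one observed keystream block (known plaintext XOR ciphertext)
// against the table; it succeeds only if the guessed counter block was right.
func lookup(t map[[16]byte]uint16, observed [16]byte) (uint16, bool) {
	k, ok := t[observed]
	return k, ok
}

func main() {
	const secret = 0xBEEF
	iv, ctr := uint64(1), uint32(1) // predictable: first packet, first block
	table := precompute(counterBlock(0, iv, ctr))
	_, hit := lookup(table, keystreamBlock(toyKey(secret), counterBlock(0, iv, ctr)))
	// Constructed salt; a real one would be random per association and
	// would multiply the needed table size by 2^32.
	_, miss := lookup(table, keystreamBlock(toyKey(secret), counterBlock(0x9E3779B9, iv, ctr)))
	fmt.Println("unsalted lookup hit:", hit, "salted lookup hit:", miss)
}
```

With a zero salt the single lookup recovers the toy key; with the salt present the same table, built for the wrong block, misses, which is why the salt need only be unpredictable rather than secret.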