[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)
Perry E. Metzger
perry at piermont.com
Tue Sep 10 17:49:25 EDT 2013
On Tue, 10 Sep 2013 17:04:04 -0400 Jerry Leichter <leichter at lrw.com>
wrote:
> Phil Rogaway has a paper somewhere discussing the right way to
> implement cryptographic modes and APIs.
It would be useful to get a URL for it.
> In particular, he recommends changing the definition of CBC from:
>
> E_0 = IV # Not transmitted
> E_{i+1} = E(E_i XOR P_{i+1})
>
> to
>
> E_0 = E(IV) # Not transmitted
> E_{i+1} = E(E_i XOR P_{i+1})
You make no mention there of whether the key used to encrypt the IV
is the same as that used for the plaintext. I presume if you need a
lot of IVs (see protocols like IPsec), and have enough key material, a
second key might be of value for that -- but I don't know what all
the ins and outs are, and would prefer to read the literature...
Perry
--
Perry E. Metzger perry at piermont.com
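The two CBC variants quoted above, carried through in working code. This is an added example, not code from the thread or from Rogaway's paper. The block cipher is a toy 4-round Feistel network over 16-byte blocks with a SHA-256 round function (not AES), used only so the example runs offline; the counter-derived IV, the separate key-for-IV option that the reply asks about, and the secret and guess values are all assumptions made for the demonstration. It shows the concrete failure the E(IV) variant addresses: when a predictable counter is used as the raw IV, a chosen-plaintext adversary who knows the counter can test a guess at an earlier message's first block with one encryption query.

```python
"""
CBC with a raw counter IV (E_0 = IV) versus CBC with an encrypted counter IV
(E_0 = E(IV)), both with the IV/counter not transmitted.

Toy block cipher: 4-round Feistel on 16-byte blocks, SHA-256 as round function.
It is NOT AES and is here only so the example is self-contained.
"""
import hashlib

BLOCK = 16
KEY = b"\x01" * BLOCK            # constructed key for the demonstration
SECRET = b"attack at dawn!!"     # constructed 16-byte secret first block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_key(block): four Feistel rounds, (L, R) -> (R, L xor F(R))."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: rounds undone in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right


def counter_iv(n: int) -> bytes:
    """Assumed IV scheme: a per-message counter both ends track, never sent."""
    return n.to_bytes(BLOCK, "big")


def _chain_start(key: bytes, iv: bytes, iv_key):
    # iv_key=None  -> E_0 = IV          (raw counter used directly)
    # iv_key=key   -> E_0 = E_key(IV)   (the variant quoted in the thread)
    # iv_key=other -> E_0 = E_other(IV) (separate IV key, as the reply asks about)
    return iv if iv_key is None else block_encrypt(iv_key, iv)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes, iv_key=None) -> bytes:
    assert len(plaintext) % BLOCK == 0, "no padding in this example"
    prev = _chain_start(key, iv, iv_key)
    out = []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes, iv_key=None) -> bytes:
    prev = _chain_start(key, iv, iv_key)
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def equality_oracle_demo(iv_key, guess: bytes = SECRET, key: bytes = KEY) -> bool:
    """Chosen-plaintext test of a guess at an earlier message's first block.

    Victim encrypts SECRET as message 1 (counter 1). The adversary knows the
    counters, guesses SECRET == guess, and asks for P = guess xor IV_1 xor IV_2
    to be encrypted as message 2 (counter 2).

    Raw IV:      C_1' = E(IV_2 xor P) = E(IV_1 xor guess), equal to the victim's
                 C_1 = E(IV_1 xor SECRET) exactly when guess == SECRET.
    Encrypted IV: the chain starts at E(IV_1) / E(IV_2), which the adversary
                 cannot compute, so the xor trick no longer lines up.
    Returns True when the first ciphertext blocks collide (the mode leaked).
    """
    iv1, iv2 = counter_iv(1), counter_iv(2)
    c_victim = cbc_encrypt(key, iv1, SECRET, iv_key)
    probe = xor(xor(guess, iv1), iv2)
    c_probe = cbc_encrypt(key, iv2, probe, iv_key)
    return c_probe[:BLOCK] == c_victim[:BLOCK]


if __name__ == "__main__":
    print("raw counter IV, correct guess leaks:", equality_oracle_demo(None))
    print("encrypted IV, same key:", equality_oracle_demo(KEY))
    print("encrypted IV, separate key:", equality_oracle_demo(b"\x02" * BLOCK))
```

The example leaves the same-key versus separate-key question exactly where the thread leaves it: `iv_key` is just a parameter, and the leak it demonstrates is closed by either choice, since what matters for this particular attack is that the chain starts from a value the adversary cannot predict.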