[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)

Perry E. Metzger perry at piermont.com
Tue Sep 10 17:49:25 EDT 2013


On Tue, 10 Sep 2013 17:04:04 -0400 Jerry Leichter <leichter at lrw.com>
wrote:
> Phil Rogoway has a paper somewhere discussing the right way to
> implement cryptographic modes and API's.

It would be useful to get a URL for it.

> In particular, he recommends changing the definition of CBC from:
> 
> E_0 = IV     # Not transmitted
> E_{i+1} = E(E_i XOR P_{i+1})
> 
> to
> 
> E_0 = E(IV)  # Not transmitted
> E_{i+1} = E(E_i XOR P_{i+1})

You make no mention there of whether the key used to encrypt the IV
is the same as that used for the plaintext. I presume if you need a
lot of IVs (see protocols like IPsec), and have enough key material, a
second key might be of value for that -- but I don't know what all
the ins and outs are, and would prefer to read the literature...

Perry
-- 
Perry E. Metzger		perry at piermont.com


More information about the cryptography mailing list