[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)

Jerry Leichter leichter at lrw.com
Tue Sep 10 23:29:44 EDT 2013


On Sep 10, 2013, at 10:57 PM, ianG wrote:
> In a protocol I wrote with Zooko's help, we generate a random IV0 which is shared in the key exchange.
> 
> http://www.webfunds.org/guide/sdp/sdp1.html
> 
> Then, we also move the padding from the end to the beginning, fill it with a non-repeating length-determined value, and expand it to a size of 16-31 bytes.  This creates what is in effect an IV1 or second transmitted IV.
> 
> http://www.webfunds.org/guide/sdp/pad.html
You should probably look at the Rogaway paper I found after Perry pushed me to give a reference.  Yes, CBC with a true random IV is secure, though the security guarantee you can get if you don't also do authentication is rather weak.  The additional padding almost certainly doesn't help or hurt.  (I won't say that any more strongly because I haven't looked at the proofs.)

                                                        -- Jerry
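The construction the exchange above describes, as an added example that is not SDP's code nor either author's: a fresh random IV0 per message, a 16..31-byte non-repeating front pad whose size is determined by the message length, CBC, and, because the reply notes that CBC alone gives only a weak guarantee without authentication, an HMAC-SHA256 tag that is checked before anything is decrypted. The names frontPad, sealMsg and openMsg, the exact pad byte layout and the 32-byte key split are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

func frontPad(msg []byte) []byte { // prepend 16..31 bytes so the total is block-aligned (layout assumed, not SDP's exact encoding)
	n := 16 + (16-len(msg)%16)%16 // 16 when msg is already aligned, else 17..31
	pad := make([]byte, n)
	for i := range pad {
		pad[i] = byte(n - i) // byte 0 carries the length n, the rest count down: no repeated value
	}
	return append(pad, msg...)
}

func sealMsg(key, msg []byte) ([]byte, error) { // IV0 || CBC(frontPad(msg)) || HMAC-SHA256 tag
	block, _ := aes.NewCipher(key[:16]) // assumed 32-byte key: AES-128 key || HMAC key
	pt := frontPad(msg)
	out := make([]byte, 16+len(pt))
	if _, err := rand.Read(out[:16]); err != nil { // fresh random IV0 for every message
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:16]).CryptBlocks(out[16:], pt)
	mac := hmac.New(sha256.New, key[16:]) // encrypt-then-MAC over IV and ciphertext
	mac.Write(out)
	return mac.Sum(out), nil
}

func openMsg(key, blob []byte) ([]byte, bool) { // verify the tag first, then strip the pad
	if len(blob) < 64 || (len(blob)-32)%16 != 0 { // at least IV + one block + tag
		return nil, false
	}
	body, tag := blob[:len(blob)-32], blob[len(blob)-32:]
	mac := hmac.New(sha256.New, key[16:])
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time check before any decryption
		return nil, false
	}
	block, _ := aes.NewCipher(key[:16])
	pt := make([]byte, len(body)-16)
	cipher.NewCBCDecrypter(block, body[:16]).CryptBlocks(pt, body[16:])
	if n := int(pt[0]); n >= 16 && n <= 31 && n <= len(pt) {
		return pt[n:], true
	}
	return nil, false // pad length byte out of range
}
```

A flipped ciphertext byte is rejected by the tag check rather than surfacing as a corrupted pad or plaintext, which is the authentication the reply says plain CBC lacks.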


