[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)

[Nemo]

Jerry Leichter <leichter at lrw.com> writes:

> The older literature requires that the IV be "unpredictable" (an
> ill-defined term), but in fact if you want any kind of security proofs
> for CBC, it must actually be random.

Wrong, according to the Rogaway paper you cited.  Pull up
http://www.cs.ucdavis.edu/~rogaway/papers/modes.pdf and read the last
paragraph of section I.6 (pages 20-21).  Excerpt:

    We concur, without trying to formally show theorems, that all of the
    SP 800-38A modes that are secure as probabilistic encryption schemes
    -- namely, CBC, CFB, and OFB -- will remain secure if the IV is not
    perfectly random, but only unguessable.

Thank you for the reference, by the way; it is an excellent paper.

>> Back to CBC mode and secret IVs. I do not think we will too find much
>> guidance from the academic side on this, because they tend to "assume
>> a can opener"... Er, I mean a "secure block cipher"... And given that
>> assumption, all of the usual modes are provably secure with cleartext
>> IVs.

> Incorrect on multiple levels.  See the paper I mentioned in my
> response to Perry.

If you are going to call me wrong in a public forum, please have the
courtesy to be specific. My statement was, in fact, correct in every
detail.

To rephrase:

Security proofs for block cipher modes never depend on keeping the IV
confidential from the attacker. Standard practice (e.g. TLS, SSH) is to
send it in the clear, and this is fine as far as "provable security" is
concerned.

Rogaway's paper does point out, among other things, that naive handling
of the IV can break the security proofs; e.g., for the scheme you
described earlier in this thread and incorrectly attributed to Rogaway.

My point is that if the IV can be kept confidential cheaply, why not? (I
am particularly thinking of CTR mode and its relatives.)

 - Nemo