[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)
Nemo
nemo at self-evident.org
Wed Sep 11 19:34:06 EDT 2013
Jerry Leichter <leichter at lrw.com> writes:

> The real problem is that "unpredictable" has no definition.

Rogaway provides the definition in the paragraph we are discussing...

> Rogaway specifically says that if what you mean by "unpredictable" is
> "random but biased" (very informally), then you lose some security in
> proportion to the degree of bias: "A quantitative statement of such
> results would 'give up' in the ind$ advantage an amount proportional
> to the e(q, t) value defined above."

That "e(q,t) value defined above" is the probability that the attacker
can predict the IV after q samples given time t. That appears to be a
very precise definition of "predictability", and the smaller it gets,
the closer you get to random-IV security.

But enough of this particular rat hole.

> I actually have no problem with your rephrased statement. My concern
> was the apparently flippant dismissal of all "academic" work as
> "assuming a can opener".

Fair enough; I apologize for my flippancy. Of course the assumption of a
"strong block cipher" is justified by massive amounts of painstaking
effort expended in attempts to crack them.

Nonetheless, I think it would be wise to build in additional margin
anywhere we can get it cheaply.

> Do I wish we had a way to prove something secure without assumptions
> beyond basic mathematics? Absolutely; everyone would love to see
> that. But we have no idea how to do it.

I doubt we will have provable complexity lower bounds for useful
cryptographic algorithms until well after P vs. NP is resolved. That
is, not soon.

Until then, provable security is purely about reductions. There is
nothing wrong with that. And as I said before, I believe we should worry
greatly about theoretical attacks that invalidate those reductions,
regardless of how "purely academic" they may seem to an engineer.

> On the matter of a secret IV: It can't actually help much. Any suffix
> of a CBC encryption (treated as a sequence of blocks, not bytes) is
> itself a valid CBC encryption.

Yes, obviously... which is why I wrote "I am particularly thinking of
CTR mode and its relatives".

It's a pity OCB mode is patented.

- Nemo
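The CBC suffix property Jerry raises above, and the CTR contrast Nemo alludes to, worked through as an added example that is not part of the original thread. It uses a toy 16-byte Feistel block cipher built from SHA-256 (constructed here for illustration; not AES and not secure) because the property depends only on the mode, not on the cipher. The key, IV and plaintext are constructed sample values. In CBC, every ciphertext block after the first decrypts with its predecessor as the IV, so a secret IV masks only the first plaintext block; in CTR, every keystream block is derived from the nonce, so no suffix decrypts without it.

```python
import hashlib

BLOCK = 16   # block size in bytes of the toy cipher
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Feistel round function: keyed SHA-256, truncated to the 8-byte half width.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel cipher (constructed for this example; NOT AES, NOT secure)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "no padding in this example"
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))  # P[i] = D_k(C[i]) ^ C[i-1]
        prev = c
    return b"".join(out)


def cbc_tail_without_iv(key: bytes, ciphertext: bytes) -> bytes:
    """Suffix property: C[1:] is a valid CBC encryption under IV = C[0].
    Everything except the first plaintext block is recovered without the real IV."""
    return cbc_decrypt(key, ciphertext[:BLOCK], ciphertext[BLOCK:])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E_k(nonce[:8] || i); encrypt and decrypt are the same op.
    Every block's keystream depends on the nonce, so there is no suffix shortcut."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = toy_encrypt_block(key, nonce[:8] + (i // BLOCK).to_bytes(8, "big"))
        out += xor(data[i:i + BLOCK], keystream)
    return bytes(out)


if __name__ == "__main__":
    key = b"constructed-key!"            # constructed sample key
    secret_iv = bytes(range(16))         # constructed sample "secret" IV / nonce
    pt = b"A" * 16 + b"B" * 16 + b"C" * 16
    ct = cbc_encrypt(key, secret_iv, pt)
    print("CBC blocks 2..n recovered without IV:", cbc_tail_without_iv(key, ct) == pt[BLOCK:])
    print("CBC block 1 without IV is P[0]^IV:  ", toy_decrypt_block(key, ct[:BLOCK]) == xor(pt[:BLOCK], secret_iv))
    ct_ctr = ctr_crypt(key, secret_iv, pt)
    print("CTR blocks 2..n with wrong nonce:   ", ctr_crypt(key, bytes(16), ct_ctr)[BLOCK:] == pt[BLOCK:])
```

The point for a design discussion: in CBC the IV's secrecy buys at most one block of margin, while in CTR the nonce participates in every keystream block. Neither observation changes the standard analysis (the key is what carries the security claim), but it explains why "secret IV as cheap extra margin" is only a meaningful proposal for CTR-like modes.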