[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)

Nemo nemo at self-evident.org
Wed Sep 11 19:34:06 EDT 2013


Jerry Leichter <leichter at lrw.com> writes:

> The real problem is that "unpredictable" has no definition.

Rogaway provides the definition in the paragraph we are discussing...

> Rogaway specifically says that if what you mean by "unpredictable" is
> "random but biased" (very informally), then you lose some security in
> proportion to the degree of bias: "A quantitative statement of such
> results would 'give up' in the ind$ advantage an amount proportional
> to the e(q, t) value defined above."

That "e(q,t) value defined above" is the probability that the attacker
can predict the IV after q samples given time t. That appears to be a
very precise definition of "predictability", and the smaller it gets,
the closer you get to random-IV security.

But enough of this particular rat hole.

> I actually have no problem with your rephrased statement.  My concern
> was the apparently flippant dismissal of all "academic" work as
> "assuming a can opener".

Fair enough; I apologize for my flippancy. Of course the assumption of a
"strong block cipher" is justified by massive amounts of painstaking
effort expended in attempts to crack them.

Nonetheless, I think it would be wise to build in additional margin
anywhere we can get it cheaply.

> Do I wish we had a way to prove something secure without assumptions
> beyond basic mathematics?  Absolutely; everyone would love to see
> that.  But we have no idea how to do it.

I doubt we will have provable complexity lower bounds for useful
cryptographic algorithms until well after P vs. NP is resolved.  That
is, not soon.

Until then, provable security is purely about reductions. There is
nothing wrong with that. And as I said before, I believe we should worry
greatly about theoretical attacks that invalidate those reductions,
regardless of how "purely academic" they may seem to an engineer.

> On the matter of a secret IV: It can't actually help much.  Any suffix
> of a CBC encryption (treated as a sequence of blocks, not bytes) is
> itself a valid CBC encryption.

Yes, obviously... which is why I wrote "I am particularly thinking of
CTR mode and its relatives".

It's a pity OCB mode is patented.

 - Nemo
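The CBC suffix property Jerry raises above, and Nemo's reply that CTR mode behaves differently, as an added worked example that is not part of the original thread. The block cipher here is a toy four-round Feistel permutation built from HMAC-SHA256 (standing in for a real cipher, not meant to be strong, only to be an invertible keyed permutation); the key, IV and plaintext blocks are constructed values, and the function names are the example's own.

```python
import hashlib
import hmac

BLOCK = 16  # assumed 128-bit block size, like AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation (4-round Feistel). A stand-in for a real block cipher."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt_block(key, xor(p, prev))  # C_i = E(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for c in blocks:
        out.append(xor(toy_decrypt_block(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return out

def ctr_crypt(key: bytes, nonce: bytes, blocks: list, start: int = 0) -> list:
    # Keystream block i = E(nonce || counter). Encryption and decryption are the same operation.
    return [xor(b, toy_encrypt_block(key, nonce[:8] + (start + i).to_bytes(8, "big")))
            for i, b in enumerate(blocks)]

def cbc_suffix_is_valid_cbc(key: bytes, iv: bytes, plaintext: list, k: int) -> bool:
    """Jerry's observation: C[k:] is a CBC encryption of P[k:] under IV' = C[k-1].
    The IV is never needed to decrypt anything past the first block, so keeping it
    secret protects at most P[0]."""
    c = cbc_encrypt(key, iv, plaintext)
    return cbc_decrypt(key, c[k - 1], c[k:]) == plaintext[k:]

def ctr_suffix_needs_nonce(key: bytes, nonce: bytes, plaintext: list, k: int) -> tuple:
    """In CTR mode no ciphertext block stands in for the nonce: the suffix decrypts
    with the real nonce and counter offset, but not with C[k-1] used as a nonce."""
    c = ctr_crypt(key, nonce, plaintext)
    with_nonce = ctr_crypt(key, nonce, c[k:], start=k) == plaintext[k:]
    with_prev_block = ctr_crypt(key, c[k - 1], c[k:], start=k) == plaintext[k:]
    return with_nonce, with_prev_block

# Constructed sample values (not from the thread).
KEY = bytes(range(16))
IV = bytes(range(16, 32))
SAMPLE = [bytes([i]) * BLOCK for i in range(1, 5)]

if __name__ == "__main__":
    print("CBC suffix valid under IV'=C[k-1]:", cbc_suffix_is_valid_cbc(KEY, IV, SAMPLE, 2))
    print("CTR suffix (real nonce, C[k-1] as nonce):", ctr_suffix_needs_nonce(KEY, IV, SAMPLE, 2))
```

The first function shows why a secret IV buys CBC almost nothing: every block after the first already has its "IV" (the previous ciphertext block) sitting in the ciphertext. The second shows the contrast Nemo is pointing at: in CTR mode the cipher inputs are nonce and counter, not ciphertext, so nothing in the ciphertext substitutes for an unknown nonce.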

