More info in my AES128-CBC question

Alexander Klimov alserkli at inbox.ru
Thu Apr 26 06:04:25 EDT 2007


On Wed, 25 Apr 2007, Hagai Bar-El wrote:
> It seems as if Aram uses a different IV for each message encrypted with
> CBC. I am not sure I see a requirement for randomness here. As far
> as I can tell, this IV can be a simple index number or something as
> predictable, as long as it does not repeat within the same key
> scope.

For CBC mode the IV should be random because it is added
directly to plaintext. For example, if one sends `010' with IV
`001' the result of the xor will be the same as if they
subsequently send `101' with IV `110' and thus an attacker will
be able to learn something about the plaintext. If the IV is
random then we expect a collision after 2^{n/2} messages, but if
IV has some structure (or if an attacker knows the next IV
before they insert their own plaintext to be encrypted) the
probability of collision may become too high.

For some other modes (e.g., CFB, OFB, or CTR) the IV only needs
to be fresh, since the IV is first processed by the cipher. But
even in this case it is a good idea to use random IVs to protect
against state roll-back attacks.

-- 
Regards,
ASK

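As an added illustration of the first-block collision described in the message above (example code, not part of the original post), using a constructed keyed stand-in for the AES block function from the Python standard library so it runs without extra packages:

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes

def block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the AES block function (HMAC-SHA256 truncated
    to one block). It is a keyed PRF rather than a real permutation, but the
    observation below only needs 'same key and input -> same output'."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_first_block(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC computes C1 = E_k(IV xor P1); only that first block matters here."""
    return block_cipher(key, xor(iv, plaintext[:BLOCK]))

def to_block(n: int) -> bytes:
    return n.to_bytes(BLOCK, "big")

def first_blocks_collide(key, iv1, p1, iv2, p2) -> bool:
    return cbc_first_block(key, iv1, p1) == cbc_first_block(key, iv2, p2)

def demo_counter_iv(key: bytes):
    """The post's case: plaintext `010' with IV `001', later `101' with IV `110'."""
    iv1, p1 = to_block(0b001), to_block(0b010)
    iv2, p2 = to_block(0b110), to_block(0b101)
    collide = first_blocks_collide(key, iv1, p1, iv2, p2)
    # Equal first blocks tell a passive observer who knows both (predictable)
    # IVs that P1 xor P2 == IV1 xor IV2, i.e. a relation between the plaintexts.
    return collide, xor(iv1, iv2) == xor(p1, p2)

def demo_random_iv(key: bytes, trials: int = 1000) -> int:
    """Same two plaintexts, fresh random IVs: count first-block collisions."""
    p1, p2 = to_block(0b010), to_block(0b101)
    hits = 0
    for _ in range(trials):
        if first_blocks_collide(key, os.urandom(BLOCK), p1, os.urandom(BLOCK), p2):
            hits += 1
    # Expected 0: a collision needs IV1 xor IV2 == P1 xor P2, probability 2^-128 per pair.
    return hits

if __name__ == "__main__":
    k = os.urandom(BLOCK)
    print("counter IVs: collide, relation leaked =", demo_counter_iv(k))
    print("random IVs: collisions in 1000 trials =", demo_random_iv(k))
```

The stand-in is not AES, so the numbers are illustrative only; with a real block cipher the first-block equality leaks exactly the same relation.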
---------------------------------------------------------------------
The Cryptography Mailing List