Question w.r.t. AES-CBC IV

Jonathan Katz jkatz at cs.umd.edu
Fri Jul 9 13:55:12 EDT 2010


CTR mode seems a better choice here. Without getting too technical, 
security of CTR mode holds as long as the IVs used are "fresh" whereas 
security of CBC mode requires IVs to be random.

In either case, a problem with a short IV (no matter what you do) is the 
possibility of IVs repeating. If you are picking 32-bit IVs at random, you 
expect a repeat after only (roughly) 2^16 encryptions (which is not very 
many).

On Wed, 2 Jun 2010, Ralph Holz wrote:

> Dear all,
>
> A colleague dropped in yesterday and confronted me with the following.
>
> He wanted to scrape off some additional bits when using AES-CBC because
> the messages in his concept are very short (a few hundred bits). So he
> was thinking about a variant of AES-CBC, where he uses just 32 (random)
> bits as a source for the IV. These are encrypted with AES and then used
> as the actual IV to feed into the CBC. As a result, he does not need to
> send a 128 bit IV to the receiver but just the 32 bit.
>
> His argument was that AES basically is used as an expansion function for
> the IV here, with the added benefit of encryption. On the whole, this
> should not weaken AES-CBC. Although he was not sure if it actually would
> strengthen it.
>
> While I am prepared to buy this argument (I am not a cryptographer...),
> I still felt that the argument might not be complete. After all, 32 bits
> don't provide much randomness, and I wasn't sure if this, overall, would
> not lead to more structure in the ciphercode - which might in turn give
> an attacker more clues with respect to the key.
>
> Are there any opinions on this?
>
> Regards,
> Ralph
>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
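The two points made in the reply above (a 32-bit IV repeats after roughly 2^16 messages whether or not it is expanded through AES first, and CTR tolerates a merely fresh IV while CBC needs a random one) as an added, runnable example. This is not code from the thread or from either poster. To run with the standard library only, AES is replaced by a keyed 16-byte Feistel network built from HMAC-SHA256; that is an assumed stand-in block cipher for illustration, not something to deploy, and the key, messages and IV values are constructed here.

```python
"""
Added example (not part of the thread): what a 32-bit IV costs in CBC versus
CTR, and why expanding it through the block cipher does not change that.
AES is replaced by a keyed 128-bit Feistel network built from HMAC-SHA256 so
the script runs with the standard library only; it is a stand-in permutation
for illustration, not a cipher to deploy.
"""
import hashlib
import hmac
import math
import secrets

BLOCK = 16  # AES block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block): a 4-round Feistel network on 16 bytes.
    A Feistel network is invertible, so this is a keyed permutation."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round_fn(key, i, right))
    return left + right

def expand_iv(key: bytes, r32: bytes) -> bytes:
    """The colleague's scheme: IV = E_k(r || 0^96) for a 32-bit random r.
    A repeat of r is a repeat of the IV, so it saves 96 bits on the wire
    but does nothing about collisions."""
    assert len(r32) == 4
    return prp_encrypt(key, r32 + b"\x00" * 12)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC encryption of a block-aligned message (no padding, for brevity)."""
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = prp_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CTR encryption: keystream block j is E_k((iv + j) mod 2^128)."""
    out, start = [], int.from_bytes(iv, "big")
    for j, i in enumerate(range(0, len(pt), BLOCK)):
        chunk = pt[i:i + BLOCK]
        ks = prp_encrypt(key, ((start + j) % (1 << 128)).to_bytes(BLOCK, "big"))
        out.append(xor(chunk, ks[:len(chunk)]))
    return b"".join(out)

def expected_draws_until_repeat(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random draws before the first
    repeat. For 32 bits that is roughly 82,000, a little over 2^16."""
    return math.sqrt(math.pi / 2 * (1 << bits))

def draws_until_repeat(bits: int) -> int:
    """Simulate drawing random `bits`-bit IVs until one repeats."""
    seen, n = set(), 0
    while True:
        n += 1
        v = secrets.randbits(bits)
        if v in seen:
            return n
        seen.add(v)

def ctr_iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two CTR messages under one IV: the keystream cancels and
    c1 XOR c2 == p1 XOR p2, the XOR of the plaintexts."""
    return xor(ctr_encrypt(key, iv, p1), ctr_encrypt(key, iv, p2))

def cbc_iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two CBC messages under one IV reveal whether their first blocks are
    equal (and, block by block, how long a common prefix they share)."""
    return cbc_encrypt(key, iv, p1)[:BLOCK] == cbc_encrypt(key, iv, p2)[:BLOCK]

def cbc_predictable_iv_check(key, iv_old, c_old, iv_next, guess) -> bool:
    """Why CBC needs *random* IVs: knowing the next IV, a chosen-plaintext
    attacker encrypts guess XOR iv_old XOR iv_next; its first ciphertext block
    equals c_old's first block exactly when guess was the old first block."""
    probe = xor(xor(guess, iv_old), iv_next)
    return cbc_encrypt(key, iv_next, probe)[:BLOCK] == c_old[:BLOCK]

class CtrSender:
    """CTR with a 32-bit *counter* IV. Fresh is enough for CTR, so a counter
    gives 2^32 collision-free messages where random 32-bit IVs give ~2^16.
    The counter sits in the top 32 bits; the low 96 count blocks in a message."""
    def __init__(self, key: bytes):
        self.key, self.msg_no = key, 0

    def encrypt(self, pt: bytes):
        if self.msg_no >= 1 << 32:
            raise RuntimeError("32-bit message counter exhausted: rekey")
        iv = self.msg_no.to_bytes(4, "big") + b"\x00" * 12
        self.msg_no += 1
        return iv[:4], ctr_encrypt(self.key, iv, pt)  # only 4 IV bytes go on the wire
```

Swap `prp_encrypt` for a real AES call from a library when using this as a model; the counter in `CtrSender` must be persisted across restarts and never shared between two senders under one key, since any reuse turns CTR into `ctr_iv_reuse_leak`.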
