Question w.r.t. AES-CBC IV

Greg Rose ggr at qualcomm.com
Fri Jul 9 14:02:33 EDT 2010


Unfortunately I can't remember the author, but there was a paper
showing that an encrypted counter was secure to use as IVs for CBC
mode. So encrypting a shorter random IV should also be secure.

Greg.

On 2010 Jun 2, at 9:36 , Ralph Holz wrote:

> Dear all,
>
> A colleague dropped in yesterday and confronted me with the following.
>
> He wanted to scrape off some additional bits when using AES-CBC because
> the messages in his concept are very short (a few hundred bits). So he
> was thinking about a variant of AES-CBC, where he uses just 32 (random)
> bits as a source for the IV. These are encrypted with AES and then used
> as the actual IV to feed into the CBC. As a result, he does not need to
> send a 128 bit IV to the receiver but just the 32 bits.
>
> His argument was that AES basically is used as an expansion function for
> the IV here, with the added benefit of encryption. On the whole, this
> should not weaken AES-CBC. Although he was not sure if it actually would
> strengthen it.
>
> While I am prepared to buy this argument (I am not a cryptographer...),
> I still felt that the argument might not be complete. After all, 32 bits
> don't provide much randomness, and I wasn't sure if this, overall, would
> not lead to more structure in the ciphercode - which might in turn give
> an attacker more clues with respect to the key.
>
> Are there any opinions on this?
>
> Regards,
> Ralph
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
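The construction Ralph's colleague describes, written out as an added example (this is not code from either poster): a 32-bit random seed is placed in an otherwise zero AES block (the exact placement of the seed within the block is an assumption of this example; the thread does not specify it), encrypted under the message key to produce the 128-bit CBC IV, and only the seed is sent. The receiver re-derives the IV the same way. The two helpers at the end make Ralph's reservation concrete: SeedCollisionProbability applies the birthday bound to the 2^32 seed space, which gives roughly a 40% chance of a repeated seed, and hence a repeated IV, after 2^16 messages under one key, and FirstBlocksEqual shows what a repeated IV costs in CBC, namely that equal first plaintext blocks become visible as equal first ciphertext blocks. The key and message are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

const seedBytes = 4 // the 32-bit value that is actually transmitted

// DeriveIV expands a 32-bit seed into a 128-bit CBC IV by encrypting it under
// the message key, as proposed in the thread. Placing the seed big-endian in
// the last four bytes of a zero block is an assumption of this example; the
// thread does not say how the 32 bits are laid out in the block.
func DeriveIV(key []byte, seed uint32) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	in := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(in[aes.BlockSize-seedBytes:], seed)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, in)
	return iv, nil
}

// pkcs7Pad pads msg to a whole number of AES blocks (PKCS#7).
func pkcs7Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptShortIV returns seed || CBC ciphertext: four IV-related bytes on the
// wire instead of sixteen. The seed must be fresh for every message under a key.
func EncryptShortIV(key []byte, seed uint32, msg []byte) ([]byte, error) {
	iv, err := DeriveIV(key, seed)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // key length already validated by DeriveIV
	padded := pkcs7Pad(msg)
	out := make([]byte, seedBytes+len(padded))
	binary.BigEndian.PutUint32(out, seed)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[seedBytes:], padded)
	return out, nil
}

// DecryptShortIV is the receiver side: it re-derives the IV from the
// transmitted seed, so the full 128-bit IV never has to be sent.
func DecryptShortIV(key []byte, data []byte) ([]byte, error) {
	if len(data) < seedBytes+aes.BlockSize || (len(data)-seedBytes)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	iv, err := DeriveIV(key, binary.BigEndian.Uint32(data[:seedBytes]))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(data)-seedBytes)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, data[seedBytes:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// FirstBlocksEqual reports whether two outputs carry the same seed and the
// same first ciphertext block. A repeated seed means a repeated IV, and in CBC
// a repeated IV makes equal first plaintext blocks visible as equal first
// ciphertext blocks: this is the structure Ralph is worried about.
func FirstBlocksEqual(a, b []byte) bool {
	n := seedBytes + aes.BlockSize
	return len(a) >= n && len(b) >= n && bytes.Equal(a[:n], b[:n])
}

// SeedCollisionProbability is the birthday bound 1 - exp(-n(n-1)/2^(bits+1)):
// the chance that at least one seed repeats among n uniformly random seeds.
func SeedCollisionProbability(n int, bits int) float64 {
	space := math.Ldexp(1, bits)
	return 1 - math.Exp(-float64(n)*float64(n-1)/(2*space))
}

func main() {
	key := []byte("constructed-key!") // constructed 16-byte demo key
	msg := []byte("a few hundred bits of payload")
	ct, _ := EncryptShortIV(key, 0x42, msg)
	pt, _ := DecryptShortIV(key, ct)
	fmt.Printf("wire bytes: %d (vs %d with a full IV), round trip ok: %v\n",
		len(ct), aes.BlockSize+len(ct)-seedBytes, bytes.Equal(pt, msg))
	for _, n := range []int{256, 4096, 65536} {
		fmt.Printf("%6d messages: P(repeated 32-bit seed) = %.3f\n", n, SeedCollisionProbability(n, 32))
	}
}
```

The saving is exactly 12 bytes per message; the table printed by main shows what it buys in return, since the same birthday computation with a full 128-bit random IV stays negligible for any practical message count.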


