[Cryptography] Availability of plaintext/ciphertext pairs (was Re: In the face of "cooperative" end-points, PFS doesn't help)

Jerry Leichter leichter at lrw.com
Tue Sep 10 18:36:38 EDT 2013

On Sep 10, 2013, at 5:49 PM, "Perry E. Metzger" <perry at piermont.com> wrote:
>> Phil Rogoway has a paper somewhere discussing the right way to
>> implement cryptographic modes and API's.
> It would be useful to get a URL for it.
>> In particular, he recommends changing the definition of CBC...to
>> E_0 = E(IV)  # Not transmitted
>> E_{i+1} = E(E_i XOR P_{i+1})
> You make no mention there of whether the key used to encrypt the IV
> is the same as that used for the plaintext.
As I recall the proposal, it was the same key.  (Generating a different one for this purpose is pointless - it would have to be random, in which case you might as well generate the IV randomly.)

> I presume if you need a lot of IVs (see protocols like IPsec), and have enough key material, a second key might be of value for that -- but I don't know what all the ins and outs are, and would prefer to read the literature...
I searched around but couldn't find it; the proposal apparently was not Rogoway's.  It apparently appears in NIST 800-38A (2001), with no citation.  In searching around, I came across a recent, unpublished paper by Rogoway:  http://www.cs.ucdavis.edu/~rogaway/papers/modes.pdf
That paper - which does detailed analyses of a large number of modes - indicates that more recent work has shown that this technique for choosing an IV is *not* secure (against a certain class of attacks) and recommends against using it.

I highly recommend that paper.  In fact, I highly recommend everything Rogoway has written.  We've been discussing authentication and session key exchange - he and Bellare wrote about the problem in 1993 http://cseweb.ucsd.edu/users/mihir/papers/eakd.pdf giving provably secure algorithms for the 2-party case, and two years later http://www.cs.ucdavis.edu/~rogaway/papers/3pkd.pdf extending the work to the 3-party case.
                                                        -- Jerry

More information about the cryptography mailing list