[Cryptography] Question re: Initialization Vector for AES Counter Mode…

Jon Callas jon at callas.org
Thu Apr 27 12:53:54 EDT 2017


> On Apr 27, 2017, at 12:14 AM, Jan Dušátko <jan at dusatko.org> wrote:
> 
> Dear,
> 
> On 27. 4. 2017 at 0:28, Jon Callas wrote:
>> Personally, I would recommend that you *not* use counter mode or anything resembling it for writing files. There's nothing wrong with CBC mode for your purposes. (Or CFB, for that matter, but I really don't want to digress down that path.)
> This is not true. There are a bunch of modes based on the CBC principle (PCBC, XCBC, HCBC and more than 20 others, more or less advantageous) or on CFB. Some issues have been found with CBC and CFB, and there is a requirement to use something like a MAC value, because there is simply no control over possible modification of the ciphertext. From another point of view, CBC and CFB have relatively good properties and, compared to other ad-hoc generated modes, are quite safe. And, what is funny, although CBC needs a MAC, it can be used to create a MAC by its properties (CCM mode is Counter mode with CBC-MAC).

Like I said, I didn't want to go down that path. The previous post was long enough as it was.

Nonetheless, yes, integrity checks are, in the abstract, always a good thing.

> I recommend not using CBC mode; please take a look at the EME2 mode instead. There are a few advantages. First, EME2 has been standardized (but not used) for storage. Second, it is AEAD (Authenticated Encryption with Associated Data). Third, ABL (Arbitrary Block Length). And you can easily modify it to encrypt files only. This mode provides good safety against unauthorized modification, chaining each value inside. It is much better than, for example, the XEX/XTS mode also used for storage (disk encryption); example below:
> XTS_Key = K1 || K2
> Tweak = Enc(K2, sector_number) ⊗ α^block_number
> Ciphertext = Enc(K1, Plaintext ⊕ Tweak) ⊕ Tweak
> 
> What could be important: EME2 can be parallelized for encryption and decryption. The sad part, if I count it well, is that it requires 2.5 encryptions per block, as opposed to CBC/CFB/CTR (one encryption).

Definitely! I should have mentioned EME2. Before the patents were tossed away, my then-company licensed it, but we didn't do as much as we wanted because of performance. It's a different situation when you have AES instructions, except for some very high-performance situations.

The major advantage is that it's a wide-block mode, so you get something similar to authentication, as you say.

	Jon
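The XTS formula quoted above, worked through as an added Go example (not code from this thread, nor from any of the standards it mentions): it builds the per-block tweak chain T_j = Enc(K2, sector) ⊗ α^j using the little-endian GF(2^128) convention of IEEE 1619, encrypts one full sector, and then shows the property Jan is pointing at, namely that a corrupted ciphertext block decrypts without any error and damages only that one block. The keys, sector number 7 and 512-byte payload are constructed for the demo; ciphertext stealing for partial blocks is left out.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// mulAlpha: tweak *= alpha in GF(2^128), little-endian bit order as in IEEE 1619 XTS.
func mulAlpha(t []byte) {
	var carry byte
	for i := range t {
		carry, t[i] = t[i]>>7, t[i]<<1|carry
	}
	if carry != 0 {
		t[0] ^= 0x87 // reduce by x^128 + x^7 + x^2 + x + 1
	}
}

// xtsSector applies the quoted formula to one sector of whole blocks (no
// ciphertext stealing): T_j = Enc(K2, sector) * alpha^j, C_j = Enc(K1, P_j xor T_j) xor T_j.
func xtsSector(k1, k2 []byte, sector uint64, in []byte, decrypt bool) ([]byte, error) {
	c1, err1 := aes.NewCipher(k1)
	c2, err2 := aes.NewCipher(k2)
	if err1 != nil || err2 != nil || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need two valid AES keys and a whole number of %d-byte blocks", aes.BlockSize)
	}
	tweak := make([]byte, aes.BlockSize) // T_0 = Enc(K2, sector number)
	binary.LittleEndian.PutUint64(tweak, sector)
	c2.Encrypt(tweak, tweak)
	op := map[bool]func(dst, src []byte){false: c1.Encrypt, true: c1.Decrypt}[decrypt] // decryption inverts only the inner AES call
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		blk := out[off : off+aes.BlockSize]
		subtle.XORBytes(blk, in[off:off+aes.BlockSize], tweak) // P_j xor T_j
		op(blk, blk)
		subtle.XORBytes(blk, blk, tweak) // ... xor T_j
		mulAlpha(tweak)                  // T_{j+1} = T_j * alpha
	}
	return out, nil
}

func main() {
	k1, k2 := []byte("K1-constructed16"), []byte("K2-constructed16") // constructed demo keys
	ct, _ := xtsSector(k1, k2, 7, bytes.Repeat([]byte("sector payload! "), 32), false)
	ct[3*aes.BlockSize] ^= 1 // one flipped ciphertext bit: decrypts without error, garbles only block 3
	pt, _ := xtsSector(k1, k2, 7, ct, true)
	fmt.Printf("%q\n", pt[2*aes.BlockSize:5*aes.BlockSize]) // blocks 2 and 4 intact, block 3 random bytes
}
```

Requires Go 1.20 or later for crypto/subtle.XORBytes.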
