[Cryptography] Crypto best practices

Ron Garret ron at flownet.com
Sun Mar 19 15:57:12 EDT 2017


On Mar 19, 2017, at 6:09 AM, Jerry Leichter <leichter at lrw.com> wrote:

> The earliest paper I know of that discussed this topic is a real oldie that I don't think I'll be able to track down now by Phil Rogaway.  He talked about the right practical abstractions for modes of operations, and suggested that the end-user call CBC(K, IV, data) not use the IV directly, but instead first encrypt it with K.  Then the IV would not have to be unpredictable, just non-repeating for a given key.  (E.g., a simple sequence number for the session would be fine.)
> 
> Unfortunately, it later turned out that this way of generating an IV IS NOT SECURE.  I don't recall the attack, but I think it was actually pretty simple.

Given that the weakness in IVs is not unpredictability but in re-use, I don’t see how encrypting an IV buys you anything.  An encrypted repeating IV is still going to be a repeating IV, and since IVs are not secret, the encryption by itself buys you nothing.  To the contrary, if your cleartext IV is predictable you have just given your adversary an opening for a known-plaintext attack on K.

Why not just set IV = HASH(K, data)?  That’s just the Ed25519 ECDSA nonce trick.  Can anyone here think of a reason why that would not work equally well for IVs?

rg
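An added illustration of the two points in the message above (not part of the thread, and not code from either poster): CBC with a repeated IV reveals how many leading plaintext blocks two messages have in common, and deriving the IV as HASH(K, data) removes that leak because the IV only repeats when the whole message repeats. The block cipher is a constructed stand-in (a keyed hash truncated to one block, so it cannot decrypt); the messages and key are likewise constructed. HMAC-SHA256 is used as the concrete HASH(K, data), which is an assumption, not something the thread specifies.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES


def toy_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's forward direction (AES would go here).

    Constructed for this example: a keyed hash truncated to one block.  It is
    not invertible, so it cannot decrypt, but it behaves like a fixed keyed
    function, which is all CBC's IV-reuse leak depends on.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Textbook CBC: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV."""
    padded = pkcs7_pad(data)
    prev = iv
    out = []
    for i in range(0, len(padded), BLOCK):
        chunk = padded[i:i + BLOCK]
        prev = toy_block(key, bytes(a ^ b for a, b in zip(chunk, prev)))
        out.append(prev)
    return b"".join(out)


def synthetic_iv(key: bytes, data: bytes) -> bytes:
    """IV = HASH(K, data), realised here as HMAC-SHA256 truncated to one block
    (assumption: the thread does not name a hash)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading ciphertext blocks that are identical.

    Under CBC with the same key and IV this equals the number of leading
    plaintext blocks the two messages share, which is what an observer learns.
    """
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def compare_schemes(key: bytes, m1: bytes, m2: bytes) -> dict:
    """Encrypt m1 and m2 under a repeated IV and under IV = HASH(K, data)."""
    repeated_iv = bytes(BLOCK)  # the same IV used twice, the failure mode in question
    c1_rep = cbc_encrypt(key, repeated_iv, m1)
    c2_rep = cbc_encrypt(key, repeated_iv, m2)

    iv1, iv2 = synthetic_iv(key, m1), synthetic_iv(key, m2)
    c1_syn = cbc_encrypt(key, iv1, m1)
    c2_syn = cbc_encrypt(key, iv2, m2)

    return {
        # leading blocks an observer can match up when the IV repeats
        "repeated_iv_leak": shared_prefix_blocks(c1_rep, c2_rep),
        # the same count when the IV is derived from the whole message
        "synthetic_iv_leak": shared_prefix_blocks(c1_syn, c2_syn),
        "synthetic_ivs_differ": iv1 != iv2,
        # residual property of HASH(K, data): equal messages give equal output
        "deterministic": cbc_encrypt(key, iv1, m1) == c1_syn,
    }


# Constructed sample inputs: two messages sharing exactly their first block.
KEY = b"\x11" * 16
M1 = b"ATTACK AT DAWN! " + b"position 1"
M2 = b"ATTACK AT DAWN! " + b"position 2"

if __name__ == "__main__":
    for k, v in compare_schemes(KEY, M1, M2).items():
        print(f"{k}: {v}")
```

The repeated-IV run shows one matching leading block, i.e. the observer learns that both messages start with the same 16 bytes; the HASH(K, data) run shows none, because the second message's different tail changes its IV and hence every ciphertext block. What remains is that identical messages produce identical ciphertexts, which is the inherent property of any deterministic IV scheme and the thing a reader of the proposal should weigh. Encrypting a sequence number with K, as in the quoted proposal, does nothing for this particular leak: if the counter repeats, its encryption repeats too.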
