[Cryptography] Crypto best practices

Kristian Gjøsteen kristian.gjosteen at ntnu.no
Sun Mar 19 18:04:58 EDT 2017


19. mar. 2017 kl. 20.57 skrev Ron Garret <ron at flownet.com>:
> Given that the weakness in IVs is not unpredictability but in re-use, I don’t see how encrypting an IV buys you anything.

No. When you use CBC mode, the IV needs to be unpredictable, not just non-repeating. This is a real requirement; if you do not use an unpredictable IV, you can get attacks like those on TLS.

Other modes (e.g. GCM) have weaker requirements (non-repeating) on IV than CBC mode.

What some people worry about is what happens when you reuse nonces, in which case CBC mode fails somewhat badly, but other modes (e.g. GCM) fail catastrophically.

This is all well-documented.

> An encrypted repeating IV is still going to be a repeating IV, and since IVs are not secret, the encryption by itself buys you nothing.

The encryption of the IV buys you non-predictability, which is exactly what you want. If TLS had done this, one attack would have been avoided.

> To the contrary, if your cleartext IV is predictable you have just given your adversary an opening for a known-plaintext attack on K.

Modern ciphers (at least DES and newer, probably also older designs) are meant to resist chosen plaintext attacks, and by extension, known plaintext attacks. This is *obviously* not a worry.

> Why not just set IV= HASH(K, data)?  That’s just the Ed25519 ECDSA nonce trick.  Can anyone here think of a reason why that would not work equally well for IVs?

This fails trivially since it turns encryption into a deterministic process, which means that encrypting the same message twice results in the same ciphertext twice. For signatures, this is not a problem, since it is ok if a signature scheme is deterministic.

IV = HASH(K, data) is similar to how SIV works, by the way. You can easily turn SIV into a secure system by including a nonce among the associated data, as is explained by the SIV authors.

What practical people appear to worry about is that you need to process the entire message before you can begin producing ciphertext. This seems to be a requirement for misuse-resistant modes, and it is probably possible to prove a theorem to that effect. With AEAD modes such as GCM, you can begin producing ciphertext the moment you get the first bytes of the message, which is convenient in some settings, I am told.

-- 
Kristian Gjøsteen
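The three points argued in this exchange can be checked in code: IV = HASH(K, data) makes CBC encryption deterministic (same message in, same ciphertext out), folding a fresh nonce into that derivation repairs it as the SIV authors describe, an encrypted counter gives CBC the unpredictable IV it needs even though the counter itself is predictable, and reusing a GCM nonce hands the XOR of the two plaintexts to anyone holding both ciphertexts. The Go program below is an added example written for this page, not code from either poster or from any library they mention. It assumes AES-256 for the cipher, HMAC-SHA256 under a separate IV key as the HASH(K, ·) function, PKCS#7 padding for CBC, and fixed constructed keys so that the run is reproducible; a real system would draw those keys from a CSPRNG.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Constructed, fixed test keys so the example is reproducible. A separate key
// is used for IV derivation so that the IV cipher and the data cipher never share state.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 data key (constructed)
	ivKey  = []byte("fedcba9876543210fedcba9876543210") // 32-byte IV-derivation key (constructed)
)

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// pkcs7 pads to a whole number of AES blocks.
func pkcs7(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// CBCEncrypt returns iv || AES-CBC(encKey, iv, pkcs7(plaintext)).
func CBCEncrypt(iv, plaintext []byte) []byte {
	pt := pkcs7(plaintext)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(encKey), iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...)
}

// DeterministicIV is the IV = HASH(K, data) proposal from the thread, realised
// as HMAC-SHA256 under ivKey truncated to one block: same data, same IV, same ciphertext.
func DeterministicIV(data []byte) []byte {
	m := hmac.New(sha256.New, ivKey)
	m.Write(data)
	return m.Sum(nil)[:aes.BlockSize]
}

// NonceIV is the SIV-style repair: a fresh per-message nonce enters the
// derivation, so two encryptions of the same data no longer collide.
func NonceIV(nonce uint64, data []byte) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], nonce)
	m := hmac.New(sha256.New, ivKey)
	m.Write(n[:])
	m.Write(data)
	return m.Sum(nil)[:aes.BlockSize]
}

// EncryptedCounterIV is "encrypt the IV": the counter is predictable, but
// AES(ivKey, counter) is not to anyone without ivKey, which is what CBC requires.
func EncryptedCounterIV(counter uint64) []byte {
	var in [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], counter)
	out := make([]byte, aes.BlockSize)
	mustAES(ivKey).Encrypt(out, in[:])
	return out
}

// XOR returns a xor b for equal-length slices.
func XOR(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GCMNonceReuseLeak seals two plaintexts under the same key and nonce and
// returns C1 xor C2 over their common prefix. GCM encrypts with CTR mode, so
// the keystream cancels and the result equals P1 xor P2: the reuse leaks the
// plaintext relationship directly, which is why the failure is called catastrophic.
func GCMNonceReuseLeak(nonce, p1, p2 []byte) []byte {
	g, err := cipher.NewGCM(mustAES(encKey))
	if err != nil {
		panic(err)
	}
	c1 := g.Seal(nil, nonce, p1, nil)
	c2 := g.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	return XOR(c1[:n], c2[:n])
}

func main() {
	msg := []byte("same message, sent twice") // constructed sample plaintext
	fmt.Println("IV=HASH(K,data) repeats ciphertext:",
		bytes.Equal(CBCEncrypt(DeterministicIV(msg), msg), CBCEncrypt(DeterministicIV(msg), msg)))
	fmt.Println("nonce-derived IV repeats:", bytes.Equal(NonceIV(1, msg), NonceIV(2, msg)))
	fmt.Println("encrypted-counter IVs:", hex.EncodeToString(EncryptedCounterIV(1)), hex.EncodeToString(EncryptedCounterIV(2)))
	p1, p2 := []byte("attack at dawn"), []byte("attack at dusk") // constructed
	nonce := make([]byte, 12)                                    // all-zero nonce, reused on purpose to show the failure
	fmt.Println("GCM nonce reuse yields P1 xor P2:", bytes.Equal(GCMNonceReuseLeak(nonce, p1, p2), XOR(p1, p2)))
}
```

The first and last checks are the ones worth keeping in a test suite: an encryption routine whose output is byte-identical across two calls with the same input has lost its IV entropy somewhere, and an AEAD wrapper that can be called twice with the same (key, nonce) pair will show exactly the prefix leak computed by `GCMNonceReuseLeak`.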


