[liberationtech] [cryptography] CTR mode fragility vs feedback modes (Re: New Anonymity Network for Short Messages)

Eugen Leitl eugen at leitl.org
Wed Jun 12 08:34:15 PDT 2013


----- Forwarded message from Adam Back <adam at cypherspace.org> -----

Date: Wed, 12 Jun 2013 17:27:34 +0200
From: Adam Back <adam at cypherspace.org>
To: Wasa <wasabee18 at gmail.com>
Cc: cryptography at randombit.net
Subject: [cryptography] CTR mode fragility vs feedback modes (Re: New Anonymity Network for Short Messages)
User-Agent: Mutt/1.5.21 (2010-09-15)

On Wed, Jun 12, 2013 at 03:32:02PM +0100, Wasa wrote:
> in CBC if you select the IV incorrectly you also leak info. CBC is only
> CPA secure IFF the IVs are unpredictable.

While that is true for CBC, CBC and other feedback modes are still less
fragile than the counter modes: CTR, CCM or GCM.

If you reuse an IV in CBC it falls back to ECB, which is not great but it's
in most cases better than leaking plaintext xors!

Also another fun issue with CBC is if the IVs are computed rather than
stored, or anyway non-repeating but not random (e.g. time, counter types of
things) the IV differences can cancel with the plaintext differences.  For
example, in experiments some years ago I found around 3% of data on an
encrypted disk encrypted with CBC using IV equal to sector number canceled
with sector first block contents (for the first plaintext block in the sector
only, obviously).

Adam
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
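The three failure modes Adam contrasts above (CTR keystream reuse leaking the plaintext XOR, CBC IV reuse degrading to ECB on the shared prefix, and a sector-number IV cancelling against a first block that stores its own sector number), as an added example that is not part of the original thread. It assumes a toy HMAC-based Feistel permutation in place of AES so it runs on the Python standard library alone; the mode-level behaviour does not depend on that choice.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _toy_block_cipher(key, block):
    # Stand-in for AES so this runs on the standard library alone: a 4-round
    # Feistel permutation with HMAC-SHA256 as round function (an assumed toy,
    # not a real cipher). The mode-level leaks below hold for any block cipher.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return l + r

def ctr_encrypt(key, nonce, pt):
    # 12-byte nonce; counter block = nonce || 32-bit big-endian block index
    out = b""
    for i in range(0, len(pt), BLOCK):
        out += xor(pt[i:i + BLOCK], _toy_block_cipher(key, nonce + (i // BLOCK).to_bytes(4, "big")))
    return out

def cbc_encrypt(key, iv, pt):
    # len(pt) must be a multiple of BLOCK (no padding, to keep the demo short)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _toy_block_cipher(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_nonce_reuse_recover(key, nonce, p1, p2):
    # Same key and nonce twice: c1 ^ c2 == p1 ^ p2, so one known plaintext yields the other.
    c1, c2 = ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)
    return xor(xor(c1, c2), p1)

def cbc_iv_reuse_equal_prefix_blocks(key, iv, p1, p2):
    # Same IV twice: CBC acts like ECB on the shared prefix, revealing only how many leading blocks match.
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    n, m = 0, min(len(c1), len(c2))
    while (n + 1) * BLOCK <= m and c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

def sector_iv_first_blocks_collide(key, sector_a, block_a, sector_b, block_b):
    # IV = sector number: when block_a ^ IV_a == block_b ^ IV_b the first ciphertext blocks collide.
    c_a = cbc_encrypt(key, sector_a.to_bytes(BLOCK, "big"), block_a)
    c_b = cbc_encrypt(key, sector_b.to_bytes(BLOCK, "big"), block_b)
    return c_a[:BLOCK] == c_b[:BLOCK]
```

The sector case is the one from Adam's disk experiment: any on-disk structure whose first block embeds its own sector number XORs to the same cipher input in every sector, so those ciphertext blocks collide across the disk.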
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
