CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC mode requires IVs to be random.

In either case, a problem with a short IV (no matter what you do) is the possibility of IVs repeating. If you are picking 32-bit IVs at random, you expect a repeat after only (roughly) 2^16 encryptions (which is not very many).

On Wed, 2 Jun 2010, Ralph Holz wrote:

Dear all,

A colleague dropped in yesterday and confronted me with the following.

He wanted to scrape off some additional bits when using AES-CBC because
the messages in his concept are very short (a few hundred bits). So he
was thinking about a variant of AES-CBC, where he uses just 32 (random)
bits as a source for the IV. These are encrypted with AES and then used
as the actual IV to feed into the CBC. As a result, he does not need to
send a 128-bit IV to the receiver but just the 32 bits.

His argument was that AES basically is used as an expansion function for
the IV here, with the added benefit of encryption. On the whole, this
should not weaken AES-CBC. Although he was not sure if it actually would
strengthen it.

While I am prepared to buy this argument (I am not a cryptographer...),
I still felt that the argument might not be complete. After all, 32 bits
don't provide much randomness, and I wasn't sure if this, overall, would
not lead to more structure in the ciphercode - which might in turn give
an attacker more clues with respect to the key.

Are there any opinions on this?

Regards,
Ralph

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

