On Jul 9, 2010, at 1:55 12PM, Jonathan Katz wrote:

> CTR mode seems a better choice here. Without getting too technical, security 
> of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC 
> mode requires IVs to be random.
> In either case, a problem with a short IV (no matter what you do) is the 
> possibility of IVs repeating. If you are picking 32-bit IVs at random, you 
> expect a repeat after only (roughly) 2^16 encryptions (which is not very 
> many).

Unless I misunderstand your point, I think that in the real world there's a 
very real difference in the insecurity of CBC vs CTR if the IV selection is 
faulty.  With CBC, there is semantic insecurity, in that one can tell if two 
messages have a common prefix if the IV is the same.  Furthermore, if the IV is 
predictable to the adversary under certain circumstances some plaintext can be 

With CTR, however, there are very devastating two-message attacks if the IVs 
are the same; all that's necessary is some decent knowledge of some probable 

                --Steve Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to