----- Forwarded message from Adam Back <[email protected]> -----

Date: Wed, 12 Jun 2013 17:27:34 +0200
From: Adam Back <[email protected]>
To: Wasa <[email protected]>
Cc: [email protected]
Subject: [cryptography] CTR mode fragility vs feedback modes (Re: New Anonymity Network for Short Messages)
User-Agent: Mutt/1.5.21 (2010-09-15)

On Wed, Jun 12, 2013 at 03:32:02PM +0100, Wasa wrote:
> In CBC, if you select the IV incorrectly you also leak info. CBC is only
> CPA secure IFF the IVs are unpredictable.

While that is true for CBC, CBC and other feedback modes are still less
fragile than the counter modes: CTR, CCM or GCM.

If you reuse an IV in CBC it falls back to ECB, which is not great but it's
in most cases better than leaking plaintext XORs!

Also, another fun issue with CBC is that if the IVs are computed rather than
stored, or anyway non-repeating but not random (e.g. time, counter types of
things), the IV differences can cancel with the plaintext differences.  For
example, in experiments some years ago I found around 3% of data on an
encrypted disk encrypted with CBC using IV equal to sector number canceled
with sector first block contents (for the first plaintext block in the sector
only, obviously).

Adam
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
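A worked illustration of the two effects Adam describes (CTR nonce reuse exposing the plaintext XOR, and CBC with IV = sector number cancelling against the first plaintext block), as an added example that is not part of the thread. It assumes a toy SHA-256 Feistel permutation in place of AES so that it runs offline; the effects shown are properties of the modes, not of the cipher.

```python
import hashlib

BLOCK = 16  # block size in bytes (same as AES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 16-byte permutation: a 4-round Feistel network with SHA-256 as the
    round function. A toy stand-in for AES (NOT a real cipher); the mode-level
    effects demonstrated below hold for any block cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """CTR: keystream block i = E_K(nonce || i); ciphertext = pt XOR keystream."""
    ct = b""
    for i in range(0, len(pt), BLOCK):
        ks = toy_block_encrypt(key, nonce[:8] + (i // BLOCK).to_bytes(8, "big"))
        ct += xor(pt[i:i + BLOCK], ks)
    return ct

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: C_i = E_K(P_i XOR C_(i-1)) with C_0 = IV; pt is a multiple of BLOCK."""
    ct, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        ct += prev
    return ct

def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two messages under one (key, nonce): C1 XOR C2 == P1 XOR P2, so the
    keystream cancels and the plaintext XOR is exposed directly."""
    return xor(ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2))

def cbc_sector_first_blocks_collide(key: bytes, sector_a: int, block_a: bytes,
                                    sector_b: int, block_b: bytes) -> bool:
    """Disk-style CBC with IV = sector number. The first ciphertext blocks of two
    sectors coincide exactly when block_a XOR block_b == iv_a XOR iv_b, i.e. the
    plaintext difference cancels the IV difference (the 3% effect described above)."""
    iv_a = sector_a.to_bytes(BLOCK, "big")
    iv_b = sector_b.to_bytes(BLOCK, "big")
    return cbc_encrypt(key, iv_a, block_a) == cbc_encrypt(key, iv_b, block_b)
```

With a reused IV, CBC only reveals whether two first plaintext blocks are equal (the ECB fallback); with a reused nonce, CTR reveals their full XOR.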
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at [email protected] or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech
