I think you could say CTR mode is fragile against counter reuse exposing
plaintext pair XORs, but CBC is also somewhat fragile against IV reuse,
forming an ECB code book around the set of same-IV messages.

CBC itself has other issues, e.g. using non-repeating (but non-random) IVs. For
example, using the sector number as the IV in a file system, I have seen that
introduce a few % of first ciphertext blocks (per sector) where, in practice,
using real OS/app disk data, the IV cancels with the plaintext, i.e. IV1 xor
P1 == IV2 xor P2 (and consequently C1 == C2, as C1 = E(IV1 xor P1)), which
tells you the plaintext difference given the IVs are known; i.e. structured
IV cancels with structured plaintext.

Adam

On Thu, Dec 27, 2012 at 06:35:27PM +0000, Ben Laurie wrote:
On Thu, Dec 27, 2012 at 9:18 AM, Russell Leidich <pke...@gmail.com> wrote:
there are plenty of Googleable papers showing the Counter Mode is weak
relative to (conventional) cipher-block-chaining (CBC) AES.

Really? For example?
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
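As an added illustration of the sector-number-IV cancellation Adam describes (example code, not from the thread or any project): a constructed sector layout whose header carries its own sector number, a truncated SHA-256 standing in for the AES block function (an assumption; the effect only needs E to be deterministic), and an ESSIV-style encrypted-sector-number IV as the fix. Equal first ciphertext blocks are detected without the key and yield P_i xor P_j = IV_i xor IV_j.

```python
import hashlib
import os
from itertools import combinations

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic keyed stand-in for one AES block encryption (assumption).
    The leak below only needs E to be deterministic per key, so truncated
    SHA-256 suffices for the demo; use a real AES single-block call in practice."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sector_iv(sector: int) -> bytes:
    """Plain sector-number IV: the predictable scheme the post criticises."""
    return sector.to_bytes(BLOCK, "big")

def essiv(key: bytes, sector: int) -> bytes:
    """Mitigation: encrypt the sector number under a key derived from the data
    key (ESSIV-style), so the IV is structureless to anyone without the key."""
    salt = hashlib.sha256(key).digest()[:BLOCK]
    return block_encrypt(salt, sector_iv(sector))

def sector_plaintext(sector: int) -> bytes:
    """Constructed filesystem sector whose header embeds its own sector number:
    exactly the structured plaintext that cancels a sector-number IV."""
    return sector.to_bytes(BLOCK, "big") + b"\x00" * (512 - BLOCK)

def cbc_first_block(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Only the first CBC block matters here: C1 = E(IV xor P1)."""
    return block_encrypt(key, xor(iv, plaintext[:BLOCK]))

def leaked_differences(first_blocks, ivs):
    """Keyless analysis: equal first ciphertext blocks under known IVs reveal
    P_i xor P_j = IV_i xor IV_j, as the post describes."""
    return [(i, j, xor(ivs[i], ivs[j]))
            for i, j in combinations(range(len(first_blocks)), 2)
            if first_blocks[i] == first_blocks[j]]

def scan(iv_scheme, key: bytes, sectors):
    """Encrypt each sector's first block under iv_scheme and report leaks."""
    ivs = [iv_scheme(s) for s in sectors]
    c1 = [cbc_first_block(key, iv, sector_plaintext(s)) for iv, s in zip(ivs, sectors)]
    return leaked_differences(c1, ivs)

KEY = os.urandom(16)          # constructed: fresh random data key per run
SECTORS = list(range(8))      # constructed: eight consecutive sectors
```

With the plain sector IV every one of the eight first blocks collides (28 pairs, each revealing the header difference); with the ESSIV-style IV the scan reports none.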
