[146984] in cryptography@c2.net mail archive


Re: [Cryptography] Availability of plaintext/ciphertext pairs (was

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 10 17:49:37 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Sep 2013 17:49:25 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <2DD6444F-5B2C-4B93-A4C1-91CD40FC7FA6@lrw.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Tue, 10 Sep 2013 17:04:04 -0400 Jerry Leichter <leichter@lrw.com>
wrote:
> Phil Rogaway has a paper somewhere discussing the right way to
> implement cryptographic modes and APIs.

It would be useful to get a URL for it.

> In particular, he recommends changing the definition of CBC from:
> 
> E_0 = IV     # Not transmitted
> E_{i+1} = E(E_i XOR P_{i+1})
> 
> to
> 
> E_0 = E(IV)  # Not transmitted
> E_{i+1} = E(E_i XOR P_{i+1})

You make no mention there of whether the key used to encrypt the IV
is the same as that used for the plaintext. I presume if you need a
lot of IVs (see protocols like IPsec), and have enough key material, a
second key might be of value for that -- but I don't know what all
the ins and outs are, and would prefer to read the literature...

Perry
-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
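As an added illustration (not part of the thread, and not code from Rogaway's paper), the following Python implements both CBC definitions quoted above side by side: textbook CBC with E_0 = IV, and the recommended form with E_0 = E(IV). The block cipher is an assumed stand-in, a small keyed Feistel permutation built from SHA-256 so the example runs offline; it is not secure and simply plays the role of E/D. The optional `iv_enc` argument is likewise my construction: it lets the IV be encrypted under a second key, which is the structural choice Perry asks about, without claiming what the literature concludes. The last function shows the property that the change removes: with E_0 = IV, the first ciphertext block is E(IV XOR P_1), so whoever picks IVs can make two different first plaintext blocks produce the same C_1; with E_0 = E(IV) that relation does not hold.

```python
import hashlib

BLOCK = 8  # block size in bytes of the stand-in cipher below


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, r: int) -> bytes:
    # Feistel round function: keyed hash truncated to one 32-bit half.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def make_toy_cipher(key: bytes, rounds: int = 8):
    """Keyed 64-bit Feistel permutation. Assumption: a stand-in for a real
    block cipher such as AES so the example runs offline; not secure."""
    def enc(block: bytes) -> bytes:
        assert len(block) == BLOCK
        L, R = block[:4], block[4:]
        for r in range(rounds):
            L, R = R, xor(L, _f(key, R, r))
        return L + R

    def dec(block: bytes) -> bytes:
        assert len(block) == BLOCK
        L, R = block[:4], block[4:]
        for r in reversed(range(rounds)):
            L, R = xor(R, _f(key, L, r)), L
        return L + R

    return enc, dec


def cbc_encrypt(enc, iv, plaintext, encrypt_iv=False, iv_enc=None) -> bytes:
    """CBC as quoted in the thread (block-aligned input, no padding).
    encrypt_iv=False: E_0 = IV      (textbook CBC)
    encrypt_iv=True : E_0 = E(IV)   (the recommended form)
    iv_enc: optional encryption function under a second key, used only for
    the IV (hypothetical knob for Perry's question); defaults to enc."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    e = (iv_enc or enc)(iv) if encrypt_iv else iv      # E_0
    out = []
    for i in range(0, len(plaintext), BLOCK):
        e = enc(xor(e, plaintext[i:i + BLOCK]))        # E_{i+1} = E(E_i XOR P_{i+1})
        out.append(e)
    return b"".join(out)


def cbc_decrypt(enc, dec, iv, ciphertext, encrypt_iv=False, iv_enc=None) -> bytes:
    assert len(iv) == BLOCK and len(ciphertext) % BLOCK == 0
    e = (iv_enc or enc)(iv) if encrypt_iv else iv      # E_0 recomputed from the IV
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(dec(c), e))                     # P_{i+1} = D(E_{i+1}) XOR E_i
        e = c
    return b"".join(out)


def roundtrip_ok(encrypt_iv: bool, second_key: bool) -> bool:
    """Encrypt then decrypt a constructed 3-block message; True if it matches."""
    enc, dec = make_toy_cipher(b"data-key")
    iv_enc = make_toy_cipher(b"iv-key")[0] if second_key else None
    iv = b"\x00" * BLOCK
    msg = b"block-1 block-2 block-3 "                 # 24 bytes, constructed sample
    ct = cbc_encrypt(enc, iv, msg, encrypt_iv, iv_enc)
    return cbc_decrypt(enc, dec, iv, ct, encrypt_iv, iv_enc) == msg


def first_block_collides_under_chosen_iv(encrypt_iv: bool) -> bool:
    """With E_0 = IV, C_1 = E(IV XOR P_1): two messages whose first blocks
    differ still share C_1 whenever IV XOR P_1 is unchanged. With
    E_0 = E(IV) the IV passes through the cipher first, so shifting the IV
    no longer cancels the plaintext difference. Returns True if C_1 matched."""
    enc, _ = make_toy_cipher(b"data-key")
    p1, p1_alt = b"YES     ", b"NO      "              # constructed 8-byte blocks
    iv = b"\x01" * BLOCK
    iv_alt = xor(iv, xor(p1, p1_alt))                  # keeps IV XOR P_1 constant
    c1 = cbc_encrypt(enc, iv, p1, encrypt_iv)
    c1_alt = cbc_encrypt(enc, iv_alt, p1_alt, encrypt_iv)
    return c1 == c1_alt


if __name__ == "__main__":
    print("textbook CBC roundtrip:", roundtrip_ok(False, False))
    print("E(IV) CBC roundtrip, one key:", roundtrip_ok(True, False))
    print("E(IV) CBC roundtrip, second key for IV:", roundtrip_ok(True, True))
    print("C_1 collision, E_0 = IV:", first_block_collides_under_chosen_iv(False))
    print("C_1 collision, E_0 = E(IV):", first_block_collides_under_chosen_iv(True))
```

Both variants round-trip, with or without a separate IV key, because the receiver recomputes E_0 from the transmitted IV exactly as the sender did; the only cost of the E(IV) form is one extra block-cipher call per message, which is why the IV itself can stay a plain counter or nonce while the value actually XORed into P_1 is unpredictable to anyone without the key.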
