[147012] in cryptography@c2.net mail archive
Re: [Cryptography] Availability of plaintext/ciphertext pairs (was
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Wed Sep 11 13:06:14 2013
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <522FDC36.7020207@iang.org>
Date: Tue, 10 Sep 2013 23:29:44 -0400
To: ianG <iang@iang.org>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sep 10, 2013, at 10:57 PM, ianG wrote:
> In a protocol I wrote with Zooko's help, we generate a random IV0 which is shared in the key exchange.
>
> http://www.webfunds.org/guide/sdp/sdp1.html
>
> Then, we also move the padding from the end to the beginning, fill it with a non-repeating length-determined value, and expand it to a size of 16-31 bytes. This creates what is in effect an IV1 or second transmitted IV.
>
> http://www.webfunds.org/guide/sdp/pad.html
You should probably look at the Rogaway paper I found after Perry pushed me to give a reference. Yes, CBC with a true random IV is secure, though the security guarantee you can get if you don't also do authentication is rather weak. The additional padding almost certainly doesn't help or hurt. (I won't say that any more strongly because I haven't looked at the proofs.)
-- Jerry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
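Jerry's two points above, that a fresh random IV is what makes CBC hide repeated plaintexts and that CBC on its own gives no integrity, worked through in an added example that is not part of this thread or of the SDP1 protocol. The block cipher is a keyed-SHA-256 Feistel stand-in chosen only so the code runs from the Python standard library; the keys and messages are constructed.

```python
import hashlib, hmac, secrets

BLOCK = 16  # block size in bytes
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: keyed SHA-256 truncated to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def feistel(key, block, decrypt=False):
    # 8-round Feistel stand-in for a real block cipher (pedagogical only)
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in (reversed(range(8)) if decrypt else range(8)):
        l, r = (_xor(r, _f(key, l, rnd)), l) if decrypt else (r, _xor(l, _f(key, r, rnd)))
    return l + r

def cbc_encrypt(key, iv, pt):
    # CBC: each plaintext block is XORed with the previous ciphertext block (IV first)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(feistel(key, ct[i:i + BLOCK], decrypt=True), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def repeats_visible(key, msg, random_iv):
    # same message sent twice: with a constant IV the ciphertexts match, so an
    # observer learns of the repeat; with a fresh random IV per message they differ
    ivs = [secrets.token_bytes(BLOCK) if random_iv else bytes(BLOCK) for _ in range(2)]
    return cbc_encrypt(key, ivs[0], msg) == cbc_encrypt(key, ivs[1], msg)

def iv_tamper_detected(key, mac_key, msg):
    # CBC without authentication is malleable: flipping IV bit 0 flips bit 0 of the
    # first recovered plaintext byte; an encrypt-then-MAC tag over iv||ct catches it
    iv = secrets.token_bytes(BLOCK)
    ct = cbc_encrypt(key, iv, msg)
    tag = hmac.new(mac_key, iv + ct, "sha256").digest()
    bad_iv = bytes([iv[0] ^ 1]) + iv[1:]
    malleable = cbc_decrypt(key, bad_iv, ct)[0] == (msg[0] ^ 1)
    bad_tag = hmac.new(mac_key, bad_iv + ct, "sha256").digest()
    return malleable, not hmac.compare_digest(tag, bad_tag)
```

The random-IV case still says nothing about integrity, which is why the last function pairs the mode with a MAC before calling the result safe.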