[147056] in cryptography@c2.net mail archive


Re: [Cryptography] Availability of plaintext/ciphertext pairs (was

daemon@ATHENA.MIT.EDU (Nemo)
Wed Sep 11 19:45:45 2013

X-Original-To: cryptography@metzdowd.com
From: Nemo <nemo@self-evident.org>
To: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <8B802845-1835-4D05-A3C3-161F92190407@lrw.com> (Jerry Leichter's
	message of "Wed, 11 Sep 2013 18:34:56 -0400")
Date: Wed, 11 Sep 2013 16:34:06 -0700
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Jerry Leichter <leichter@lrw.com> writes:

> The real problem is that "unpredictable" has no definition.

Rogaway provides the definition in the paragraph we are discussing...

> Rogaway specifically says that if what you mean by "unpredictable" is
> "random but biased" (very informally), then you lose some security in
> proportion to the degree of bias: "A quantitative statement of such
> results would 'give up' in the ind$ advantage an amount proportional
> to the e(q, t) value defined above."

That "e(q,t) value defined above" is the probability that the attacker
can predict the IV after q samples given time t. That appears to be a
very precise definition of "predictability", and the smaller it gets,
the closer you get to random-IV security.

But enough of this particular rat hole.

> I actually have no problem with your rephrased statement.  My concern
> was the apparently flippant dismissal of all "academic" work as
> "assuming a can opener".

Fair enough; I apologize for my flippancy. Of course the assumption of a
"strong block cipher" is justified by massive amounts of painstaking
effort expended in attempts to crack them.

Nonetheless, I think it would be wise to build in additional margin
anywhere we can get it cheaply.

> Do I wish we had a way to prove something secure without assumptions
> beyond basic mathematics?  Absolutely; everyone would love to see
> that.  But we have no idea how to do it.

I doubt we will have provable complexity lower bounds for useful
cryptographic algorithms until well after P vs. NP is resolved.  That
is, not soon.

Until then, provable security is purely about reductions. There is
nothing wrong with that. And as I said before, I believe we should worry
greatly about theoretical attacks that invalidate those reductions,
regardless of how "purely academic" they may seem to an engineer.

> On the matter of a secret IV: It can't actually help much.  Any suffix
> of a CBC encryption (treated as a sequence of blocks, not bytes) is
> itself a valid CBC encryption.

Yes, obviously... which is why I wrote "I am particularly thinking of
CTR mode and its relatives".

It's a pity OCB mode is patented.

 - Nemo
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
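The CBC suffix property Jerry mentions above, shown as an added example that is not part of the original thread or either author's code: a toy 8-round SHA-256 Feistel stands in for the block cipher (an assumption so the code runs offline, not a real cipher), and the key, IV and plaintext are constructed sample values. Decrypting blocks k onward with C_{k-1} as the IV recovers everything after the first block, which is why keeping the IV secret in CBC only ever hides block 0.

```python
import hashlib

BLOCK = 16  # block size in bytes of the stand-in cipher
SAMPLE_KEY = b"constructed-key!"          # constructed sample key (16 bytes)
SAMPLE_IV = bytes(range(BLOCK))           # constructed "secret" IV
SAMPLE_PT = b"first block 0001second block 002third block 0003"  # 3 blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: SHA-256 keyed by (key, round number), truncated
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network: a permutation on 16-byte blocks. Toy only;
    # it stands in for a real block cipher so the example runs offline.
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def split_blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example uses whole blocks, no padding"
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    out, prev = [], iv
    for p in split_blocks(plaintext):
        prev = toy_encrypt_block(key, _xor(prev, p))  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct_blocks: list) -> bytes:
    out, prev = [], iv
    for c in ct_blocks:
        out.append(_xor(prev, toy_decrypt_block(key, c)))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def decrypt_suffix(key: bytes, ct_blocks: list, k: int) -> bytes:
    # Blocks k.. form a valid CBC ciphertext whose IV is C_{k-1}: no secret IV needed.
    return cbc_decrypt(key, ct_blocks[k - 1], ct_blocks[k:])
```

Decrypting the full ciphertext with a wrong IV (for instance all zeros) still yields every block after the first correctly, which is the CTR-versus-CBC distinction Nemo draws.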
