Re: Countering chosen-plaintext attacks
From: Tom St Denis (tomstdenis_at_yahoo.com)
Date: 15 Mar 2004 18:45:20 -0800
Mok-Kong Shen <email@example.com> wrote in message news:<firstname.lastname@example.org>...
> DES could also be said to resist that attack in the same
> sense, couldn't it? Anyway was AES designed with 'specific'
> features/considerations to resist chosen-plaintext attack?
Um, AES is provably resistant to differential and linear attacks. It
also seems to resist saturation, truncated differential and various
So I'd say it was designed with that in mind.
> Could you provide concrete references to clearly substantiate
> that point?
The last 20 years of Eurocrypt, Asiacrypt and Crypto conferences.
> If you could answer the questions in my follow-up to
> Malley that described my scheme, then I would accept your
> critique above to it. Otherwise you are just producing
> wind in my view.
> If CBC doesn't protect against that attack but my chaining
> mode does, isn't that fine??
CBC mode isn't meant to provide anything but replay protection. If
you want to prevent active attacks use a MAC and don't replay session
> Integrity check is a byproduct of item (1) of my original
> post and could be considered in its evaluation. Item (2),
> on the contrary, doesn't provide that check, unfortunately.
Ok, then (1) is Auth+Enc modes like OCB or EAX.
> You still haven't provided explanations why you call the
> modes of operations 'protocols'.
A protocol is just a set procedure or rules. E.g. it's protocol to
wear a tie in a fancy-dancy restaurant. It's protocol for CBC to XOR
the previous ciphertext in the current plaintext, etc...