Re: Append IV to ciphertext?

From: Michael Amling (nospam_at_nospam.com)
Date: 07/29/04


Date: Thu, 29 Jul 2004 14:17:08 GMT

CJ wrote:

> When encrypting multiple plaintexts in 3DES CBC mode with the same
> key, the first blocks of the ciphertexts are always identical if the
> first blocks of the plaintexts are identical. So obviously I need to
> use an IV.
>
> But storing an IV for each plaintext is impractical for me. What I
> thought of doing was appending the IV to the ciphertext, so that the
> receiver can just strip off the IV from the end and then decrypt and
> xor as usual to get the plaintext.
>
> Is this more secure than having ciphertexts with identical first
> blocks?

   Yes. Someone here can tell you whether a CBC IV needs to be random or
whether it can just be a sequence number.
   I do recall it's not safe to allow an attacker to choose your CBC IV
(unlike, say, OCB, where you can allow an attacker to choose the IV, as
long as it doesn't duplicate any other OCB IV you use with the same key).

--Mike Amling
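
Added example, not part of the original posts: the scheme CJ describes, with a fresh random IV per message appended to the CBC ciphertext and stripped off by the receiver. The 8-byte Feistel cipher built from SHA-256 is a toy stand-in for 3DES so the block runs with the standard library only; the key, messages and function names are constructed for illustration.

```python
import hashlib, os

BLOCK = 8  # bytes; same block size as 3DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function (toy stand-in for 3DES, NOT a real cipher)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    pad = BLOCK - len(pt) % BLOCK  # PKCS#7-style padding
    pt += bytes([pad]) * pad
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += _xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out[:-out[-1]]  # strip padding

def seal(key, pt):
    iv = os.urandom(BLOCK)  # fresh random IV for every message
    return cbc_encrypt(key, iv, pt) + iv  # IV appended to the ciphertext

def unseal(key, msg):
    return cbc_decrypt(key, msg[-BLOCK:], msg[:-BLOCK])

KEY = b"constructed-demo-key"  # constructed sample key
M1, M2 = b"HEADER01 payload A", b"HEADER01 payload B"  # same first block
FIXED_IV = bytes(BLOCK)  # all-zero IV reused for every message
print(cbc_encrypt(KEY, FIXED_IV, M1)[:8] == cbc_encrypt(KEY, FIXED_IV, M2)[:8], seal(KEY, M1)[:8] == seal(KEY, M2)[:8])
```

The first comparison shows the leak CJ describes when the IV is fixed; the second shows it gone once each message carries its own IV.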


