Re: Pre-encrypt IV in CBC mode



Ben Pfaff wrote:
For the first block of plaintext, though, the IV takes the place
of the previous block of ciphertext. If the IV doesn't differ
much from the previous IV, and the actual plaintext block doesn't
differ much from the previous packet's, then the effective
plaintext won't differ much, either. This means that you have
pairs of ciphertext blocks combined with plaintext blocks that
differ in just a few bit positions. This can be a wedge for
assorted cryptanalytic attacks."

I love Bellovin's work dearly, but in this case I happen to think
this argument is weak. If the block cipher is any good, it shouldn't
matter whether its inputs are close or not.

The real problem with using a counter as the IV in CBC mode is that
such a scheme is not IND-CPA secure.
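
The IND-CPA failure stated in the reply above, played out as a distinguishing game and contrasted with the pre-encrypted IV from the thread subject; this is an added example, not part of the original post. Assumptions: a toy Feistel permutation built from HMAC-SHA256 stands in for a real block cipher, messages are one block long, and the names `CbcOracle`, `distinguisher_wins` and `win_rate` are hypothetical.

```python
import hashlib, hmac, secrets

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    # Assumption: toy 4-round Feistel PRP (HMAC-SHA256 round function)
    # standing in for a real block cipher such as AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class CbcOracle:
    """Single-block CBC encryption whose IV comes from a message counter."""
    def __init__(self, pre_encrypt_iv):
        self.key = secrets.token_bytes(16)
        self.ctr = secrets.randbelow(2**32)
        self.pre_encrypt_iv = pre_encrypt_iv

    def encrypt(self, msg):
        self.ctr += 1
        iv = self.ctr.to_bytes(BLOCK, "big")
        if self.pre_encrypt_iv:          # IV = E_k(counter): unpredictable
            iv = encrypt_block(self.key, iv)
        return iv, encrypt_block(self.key, xor(iv, msg))

def distinguisher_wins(pre_encrypt_iv):
    """One round of the IND-CPA game; True if the guess of b is right."""
    oracle = CbcOracle(pre_encrypt_iv)
    b = secrets.randbelow(2)                      # challenger's hidden bit
    probe = bytes(BLOCK)
    iv1, c1 = oracle.encrypt(probe)               # chosen-plaintext query
    guess_iv = ((int.from_bytes(iv1, "big") + 1) % 2**128).to_bytes(BLOCK, "big")
    m0 = xor(xor(probe, iv1), guess_iv)           # cancels the IV change if guess_iv is right
    m1 = secrets.token_bytes(BLOCK)
    _, c = oracle.encrypt((m0, m1)[b])            # challenge ciphertext
    return (0 if c == c1 else 1) == b

def win_rate(pre_encrypt_iv, trials=400):
    return sum(distinguisher_wins(pre_encrypt_iv) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("plain counter IV :", win_rate(False))   # distinguisher always right
    print("pre-encrypted IV :", win_rate(True))    # no better than guessing
```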