# Re: Cipher advice

David Wagner <daw@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

AES in CTR mode doesn't provide integrity or message authentication,
so it wouldn't be enough on its own.

.... but would be OK instead of CBC mode, if you also made sure of the
integrity of the ciphertext. However, CBC mode is a bit more
forgiving' of implementation errors: if you reuse an IV, for example,
then CBC mode will leak a block or so, probably, while CTR mode will
fail catastrophically.

That said, properly implemented, CTR mode is /less/ likely to leak than
CBC (see Ferguson and Schneier's Practical Cryptography'). Also, since
you'll presumably need a sequence number in your packets anyway, to
protect against replay attacks, you can, if you're careful, reuse that
to form your CTR-mode IVs. Suppose that you know that you won't produce
more than 2^64 messages in a session, and each one will be at most 2^64
blocks long. (These are not, I think you'll find, particularly onerous
limitations.) Then, for message number q, you can use I64(q) || 0^64 as
the IV, where I64 formats a number as a 64-bit string in some
unambiguous way.

The reuse-the-IV trick doesn't work for CBC mode as it is: CBC mode is
weak if an attacker can predict the IV you'll use for the next message.
However, if you use AES_K(I128(q)) then you'll be OK -- because he
doesn't know the key, he won't be able to predict the IV.

(Hmm. Stream of consciousness musings...

I think that applying an AXU hash is sufficient to be able to use nonces
rather than random IVs for CBC mode. That is, let H_k(.) be an AXU
hash, E_K(.) be a block cipher; choose K and k at random. To encrypt a
message x_0, ... with nonce n, compute y_0 = E_K(x_0 XOR H_k(n)), and
y_i = E_K(x_i XOR y_{i-1}) for i > 0 as usual.

Certainly, if an adversary wants to choose IVs and plaintexts to
collide, then he needs H(n) XOR x = H(n') XOR x', which an AXU hash will
resist.

Hmm, but that's not good enough, because it's sufficient for him to find
n such that H(n) XOR x = z for some known z, and I can't get a better
bound than \sqrt{\epsilon} for this, for an \epsilon-AXU hash.
Fortunately, for the specific hash H_k(n) = k n in GF(q), we know that
H(.) is 1/q-AXU, and the guessing game is won with probability 2/q.

I should go away and think about this some more. Maybe it's too late
and I'm utterly wrong.)

-- [mdw]
.

## Relevant Pages

• Re: Hash of item as IV for CBC mode?
... encrypting that item using a block cipher in CBC mode? ... You can encrypt h||m using CBC mode with a fixed zero IV, ... I had realized that "hash as IV" was fundamentally broken before I ...
(sci.crypt)
• Re: Question about MAC algorithms
... >> hash and then simply encrypting the hash? ... I'm guessing that a lot of cryptographic systems will have AES or some other ... I'm not sure I agree about the use of CBC mode here. ...
(sci.crypt)
• Re: Linux encrypted block devices
... > Someone is forgetting how CBC mode works. ... CCC0 = MC xor SC xor T ... with SATA software RAID anyhow, so I can pay the price. ... Looking at LRW, Clemens also has a patch for it, busy guy! ...
(sci.crypt)
• Re: thoughts about CBC mode
... First of all, CBC mode is ... for block ciphers, not stream ciphers. ... C = E(Pi xor Ci-1, ...
(sci.crypt)