Re: A question on indistinguishabilty definition
- From: mdw@xxxxxxxxxxxxxxxxxxxxxx (Mark Wooding)
- Date: 26 Sep 2006 12:29:35 +0100 (BST)
Sergei <silentser@xxxxxxxxx> wrote:
> Actually, that might be it. And since IVs produced as MACs of
> different plaintexts can be viewed as a pseudo-randomly generated
> values, multiple messages IND-security of CBC mode should also imply
> the "unique messages" IND-security which I need. Thank you!
I don't think a MAC is the right toy for the job. MACs:
(a) aren't necessarily deterministic (consider AXU-hash(msg) xor
PRF(counter) constructions);
(b) are permitted to leak message bits, which would be disastrous for
your encryption; and
(c) aren't pseudorandom, so might not suffice for security when used
as an IV.
What you want is a PRF. The PRF-compose-universal-hash construction I
offered in my other article in this thread is actually a PRF over the
domain of the hash, so this is acceptable. OMAC with a PRF, or HMAC
with a suitable hash function (ha-ha!) would also do.
-- [mdw]
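An added example (not code from this thread) of the construction the reply points to: the CBC IV is a PRF of the plaintext under a key separate from the encryption key, so equal messages encrypt identically and distinct messages get IVs that look random to anyone without the IV key. HMAC-SHA256 is assumed as the PRF, AES-128 as the block cipher and PKCS#7 padding; keys and messages are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// ivFromPRF derives the CBC IV as a PRF of the plaintext: HMAC-SHA256 under
// an IV key independent of the encryption key, truncated to one block.
// Deterministic (same message, same IV) and pseudorandom to anyone without ivKey.
func ivFromPRF(ivKey, msg []byte) []byte {
	mac := hmac.New(sha256.New, ivKey)
	mac.Write(msg)
	return mac.Sum(nil)[:aes.BlockSize]
}

// pkcs7Pad appends 1..16 bytes of padding so the length is a block multiple.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBCWithPRFIV returns IV || CBC-AES(encKey, IV, pad(msg)).
func EncryptCBCWithPRFIV(ivKey, encKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := ivFromPRF(ivKey, msg)
	padded := pkcs7Pad(append([]byte(nil), msg...))
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func main() {
	ivKey := bytes.Repeat([]byte{0x11}, 32) // constructed demo keys, not for real use
	encKey := bytes.Repeat([]byte{0x22}, 16)
	c1, _ := EncryptCBCWithPRFIV(ivKey, encKey, []byte("attack at dawn"))
	c2, _ := EncryptCBCWithPRFIV(ivKey, encKey, []byte("attack at dawn"))
	c3, _ := EncryptCBCWithPRFIV(ivKey, encKey, []byte("attack at dusk"))
	fmt.Println("same message gives same ciphertext:", bytes.Equal(c1, c2))
	fmt.Println("different messages share an IV:", bytes.Equal(c1[:16], c3[:16]))
}
```

The receiver reads the IV from the ciphertext prefix as usual; the PRF key is needed only by the encrypting side, and this construction adds no integrity check.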