Re: A question on indistinguishability definition

Mark Wooding wrote:
Sergei <silentser@xxxxxxxxx> wrote:

Actually, that might be it. And since IVs produced as MACs of
different plaintexts can be viewed as pseudo-randomly generated
values, multiple-message IND-security of CBC mode should also imply
the "unique messages" IND-security which I need. Thank you!

I don't think a MAC is the right toy for the job. MACs:

(a) aren't necessarily deterministic (consider AXU-hash(msg) xor
PRF(counter) constructions);

(b) are permitted to leak message bits, which would be disastrous for
your encryption; and

(c) aren't pseudorandom, so might not suffice for security when used
as an IV.

What you want is a PRF. The PRF-compose-universal-hash construction I
offered in my other article in this thread is actually a PRF over the
domain of the hash, so this is acceptable. OMAC with a PRF, or HMAC
with a suitable hash function (ha-ha!) would also do.

-- [mdw]

Yes, exactly. I was thinking about a PRF when I wrote MAC. I have to
recheck the definition of MAC :) Thank you for the correction.

Sergei
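
The construction the thread converges on, written out as an added example
(it is not code from either poster): CBC encryption whose IV is a PRF of the
plaintext, with HMAC-SHA256 under an independent key standing in for the PRF,
truncated to one AES block (a truncated PRF is still a PRF). Encryption is
therefore deterministic, which is exactly why the security notion has to be
restricted to distinct messages: encrypting the same message twice gives the
same ciphertext, and the demo below shows that. Key values, the PKCS#7
padding, and the decrypt-side check that the recovered plaintext reproduces
the IV (a synthetic-IV style authentication check the thread does not ask
for) are all my choices, not anything from the original posts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// pad appends PKCS#7 padding so the length becomes a multiple of the AES block size.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad removes PKCS#7 padding. Decrypt only calls it after the synthetic IV
// has been verified, so a padding error cannot serve as a padding oracle.
func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// syntheticIV derives the CBC IV as a PRF of the padded plaintext: HMAC-SHA256
// under a key independent of the encryption key, truncated to one block. For
// distinct messages the IVs look like independent random blocks, which is the
// assumption CBC's IND-security needs; a mere MAC would not guarantee that.
func syntheticIV(ivKey, padded []byte) []byte {
	m := hmac.New(sha256.New, ivKey)
	m.Write(padded)
	return m.Sum(nil)[:aes.BlockSize]
}

// Encrypt returns iv || AES-CBC(encKey, iv, pad(plaintext)). It is
// deterministic: same keys and plaintext always give the same output.
func Encrypt(encKey, ivKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	iv := syntheticIV(ivKey, padded)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt splits off the IV, CBC-decrypts, recomputes the synthetic IV over the
// recovered padded plaintext and rejects the ciphertext on mismatch. This is
// an extra: the PRF-derived IV doubles as an authentication tag, SIV-style.
func Decrypt(encKey, ivKey, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < 2*aes.BlockSize || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	iv, ct := ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:]
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	if !hmac.Equal(iv, syntheticIV(ivKey, padded)) {
		return nil, errors.New("synthetic IV mismatch: ciphertext was modified")
	}
	return unpad(padded)
}

func main() {
	// Constructed demo keys (assumption); in practice derive both from one master key with a PRF.
	encKey := []byte("0123456789abcdef")
	ivKey := []byte("fedcba9876543210")
	// The repeated message yields an identical ciphertext: deterministic encryption.
	for _, msg := range []string{"attack at dawn", "attack at dawn", "attack at dusk"} {
		c, _ := Encrypt(encKey, ivKey, []byte(msg))
		fmt.Printf("%-16q iv=%s ct=%s\n", msg,
			hex.EncodeToString(c[:aes.BlockSize]), hex.EncodeToString(c[aes.BlockSize:]))
	}
	c, _ := Encrypt(encKey, ivKey, []byte("attack at dawn"))
	c[len(c)-1] ^= 1
	_, err := Decrypt(encKey, ivKey, c)
	fmt.Println("tampered ciphertext:", err)
}
```

Two things to keep in mind when using this shape: the IV key and the
encryption key must be independent (or both derived from a master key through
a PRF), because the CBC argument assumes the IV is independent of the block
cipher key; and the verification in Decrypt is deliberately done before
unpadding, so that the only error an attacker can observe from a forged
ciphertext is the IV mismatch.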
