David Wagner wrote:
>
> Marc Mutz wrote:
> >> There are some who believe that "not unique" IVs (across multiple
> >> filesystems) facilitates some methods of cryptanalysis.
> >
> >Do you have a paper reference?
>
<snip>
> (However, it does get one
> thing wrong: it claims that it's ok to use a serial number for your
> IV. This is not correct, and I can give a reference for this latter,
> subtler point, if you like.)
>
Yes, please. Is it the paper by P. Rogaway, cited in the paper on
Counter mode, submitted to NIST's "Modes of Operation" workshop?
> >As CTR mode _requires_ unique IVs (CBC does not),
>
> Sorry, that turns out not to be the case. Both CBC and CTR mode
> require unique IV's (for security).
>
My copy of A.C. says: "While the IV should be unique for each message
encrypted with the same key, it is not an absolute requirement."
On the other hand, Counter mode trivially _requires_ different IVs
because if two IVs are the same under the same key, the bitstream that
CTR mode generates will be identical. Not good.
> >the upper half of the
> >IV could be initialized from the key
>
> It's a bad idea to include key material in your IV. (Kerberos did
> it, and there were some attacks as a result.) I recommend against it.
<snip>
The IV would not contain any key material. If you have a cipher with a
128 bit key and you need 64 bits of IV, you simply request 192 bits of
"key", use the lower third for the IV and the upper third as the key.
-- Marc Mutz <Marc@Mutz.com> http://EncryptionHOWTO.sourceforge.net/ University of Bielefeld, Dep. of Mathematics / Dep. of PhysicsPGP-keyID's: 0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH)
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Oct 23 2000 - 21:00:08 EST