Jerry Leichter <leich...@lrw.com> writes:

> The real problem is that "unpredictable" has no definition.

Rogaway provides the definition in the paragraph we are discussing...

> Rogaway specifically says that if what you mean by "unpredictable" is
> "random but biased" (very informally), then you lose some security in
> proportion to the degree of bias: "A quantitative statement of such
> results would 'give up' in the ind$ advantage an amount proportional
> to the e(q, t) value defined above."

That "e(q,t) value defined above" is the probability that the attacker can predict the IV after q samples given time t. That appears to be a very precise definition of "predictability", and the smaller it gets, the closer you get to random-IV security.

But enough of this particular rat hole.

> I actually have no problem with your rephrased statement. My concern
> was the apparently flippant dismissal of all "academic" work as
> "assuming a can opener".

Fair enough; I apologize for my flippancy. Of course the assumption of a "strong block cipher" is justified by massive amounts of painstaking effort expended in attempts to crack them. Nonetheless, I think it would be wise to build in additional margin anywhere we can get it cheaply.

> Do I wish we had a way to prove something secure without assumptions
> beyond basic mathematics? Absolutely; everyone would love to see
> that. But we have no idea how to do it.

I doubt we will have provable complexity lower bounds for useful cryptographic algorithms until well after P vs. NP is resolved. That is, not soon. Until then, provable security is purely about reductions. There is nothing wrong with that. And as I said before, I believe we should worry greatly about theoretical attacks that invalidate those reductions, regardless of how "purely academic" they may seem to an engineer.

> On the matter of a secret IV: It can't actually help much. Any suffix
> of a CBC encryption (treated as a sequence of blocks, not bytes) is
> itself a valid CBC encryption.

Yes, obviously... which is why I wrote "I am particularly thinking of CTR mode and its relatives".

It's a pity OCB mode is patented.

- Nemo

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
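As an added example, not from the thread: the CBC suffix property Jerry states above, checked in code. The block cipher is a constructed Feistel stand-in (the property holds for any block cipher), and the names `cbc_encrypt`, `cbc_decrypt` and `suffixes_are_valid_cbc` are hypothetical.

```python
import hashlib

BLOCK = 16  # block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: SHA-256 keyed by (key, round number), truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher: a 4-round Feistel network, constructed for this
    # example only. The CBC property below does not depend on the cipher.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Undo the Feistel rounds in reverse order.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    # C[i] = E(P[i] XOR C[i-1]), with C[-1] = IV.
    out, prev = [], iv
    for p in blocks:
        prev = block_encrypt(key, _xor(prev, p))
        out.append(prev)
    return out


def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> list:
    # P[i] = D(C[i]) XOR C[i-1], with C[-1] = IV.
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(prev, block_decrypt(key, c)))
        prev = c
    return out


def suffixes_are_valid_cbc(key: bytes, iv: bytes, plaintext: list) -> bool:
    # For every k >= 1, C[k:] must decrypt to P[k:] under IV = C[k-1], which is
    # part of the public ciphertext. A secret IV therefore shields only P[0].
    c = cbc_encrypt(key, iv, plaintext)
    return all(cbc_decrypt(key, c[k - 1], c[k:]) == plaintext[k:]
               for k in range(1, len(c)))
```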