Shai wrote:

> The plaintext is randomized, but this still leaves malleability
> issues as described (for example) in the annex of the standard.

Just so I am clear: by standard do you mean "the draft text for the P1619 standards proposal" or do you mean some other adopted standard? If you mean some other standard, which one?

> Discussing when these issues pose real problems and what can be
> done to counter such problems would be valuable (both to the group
> and potentially to your customers). Claiming that the plaintext
> is not randomized is just a false statement which is not valuable
> to anyone.

If I understand the point at issue here, the question involves changing a bit in the ciphertext, decrypting and comparing the result to the original plaintext. Correct me if I am wrong. If I am wrong then please pardon the rest of this message:

I would not use the word "randomized" without having first tested such a claim. The decrypted plaintext would be scrambled certainly, but in a completely deterministic fashion. One might be able to claim that the change is a pseudo-random transform of some unknown quality.

I would be happy to perform the detailed statistical analysis of, say 10^9 bits produced by:

    xor( plaintext_block, decrypt( xor( 1<<x, encrypt( plaintext_block ))) )

where: plaintext_block is a single cipher block filled with data from a cryptographically sound random number generator

where: 0 <= x < bits_in_the_cipher_block, also selected by a cryptographically sound random number generator

NOTE: Or something similar to the above (suggestions welcome).

applying some 179,000 tests of 15 different types of tests of the billion bit test based on the NIST 800-22 test suite:

    http://www.lavarnd.org/what/billion_bit.html

It would take a few days. I would be happy to do such a test and share the results if there was interest. We would need to specify the block encryption algorithm and how the keys should be selected (say by a cryptographically sound random number generator?).

chongo (Landon Curt Noll) /\oo/\
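The bit-flip experiment proposed in the message above, written out as an added example (it is not code from the list thread or from the P1619 draft). Since the thread never settles on "the block encryption algorithm", the block cipher here is an assumed stand-in: an 8-round balanced Feistel network over a 128-bit block whose round function is SHA-256 keyed with the block key and round index, chosen only so the script runs offline without a crypto library. The function `malleability_diff` is exactly `xor(plaintext_block, decrypt(xor(1<<x, encrypt(plaintext_block))))`; `sample_diff_weights` draws `plaintext_block` and `x` from the OS CSPRNG as the message specifies, on a few thousand samples rather than 10^9 bits, and records how many plaintext bits a single flipped ciphertext bit changes. The two things it shows are the point chongo makes: the scrambling is fully deterministic (same key, plaintext and bit give the same diff every time), and for a sound cipher roughly half the block changes, which is the raw material one would feed to an NIST 800-22 style battery rather than proof of randomness by itself. From the defender's side this is also why an encrypt-only disk sector needs a separate integrity check: decryption of a tampered block succeeds silently and yields plausible-looking garbage.

```python
import hashlib
import secrets

# Constructed stand-in block cipher (assumption, not from the thread):
# 8-round balanced Feistel network on a 128-bit block with an
# SHA-256-based round function. Not AES and not any P1619 mode.
BLOCK_BITS = 128
BLOCK_BYTES = BLOCK_BITS // 8
HALF = BLOCK_BYTES // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed, round-dependent pseudo-random function on one half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Feistel encryption of one 16-byte block: (L, R) -> (R, L xor F(R))."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def flip_bit(block: bytes, x: int) -> bytes:
    """Return block with bit x (0 <= x < BLOCK_BITS) inverted, i.e. xor(1<<x, block)."""
    out = bytearray(block)
    out[x // 8] ^= 1 << (x % 8)
    return bytes(out)


def malleability_diff(key: bytes, plaintext_block: bytes, x: int) -> bytes:
    """xor( plaintext_block, decrypt( xor( 1<<x, encrypt( plaintext_block ))) )

    Deterministic: the same key, plaintext and x always give the same diff."""
    tampered = flip_bit(encrypt_block(key, plaintext_block), x)
    return _xor(plaintext_block, decrypt_block(key, tampered))


def hamming_weight(b: bytes) -> int:
    return sum(bin(v).count("1") for v in b)


def sample_diff_weights(key: bytes, samples: int) -> list:
    """Draw plaintext_block and x from the OS CSPRNG (secrets) and record how
    many of the 128 plaintext bits change for each single ciphertext-bit flip.
    The concatenated diffs are what a NIST 800-22 battery would be run over."""
    weights = []
    for _ in range(samples):
        p = secrets.token_bytes(BLOCK_BYTES)
        x = secrets.randbelow(BLOCK_BITS)
        weights.append(hamming_weight(malleability_diff(key, p, x)))
    return weights


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # key also from a CSPRNG, as the message suggests
    p = secrets.token_bytes(BLOCK_BYTES)
    print("same key/plaintext/bit -> identical diff:",
          malleability_diff(key, p, 5) == malleability_diff(key, p, 5))
    w = sample_diff_weights(key, 2000)
    print("mean plaintext bits changed per flipped ciphertext bit: %.1f of %d"
          % (sum(w) / len(w), BLOCK_BITS))
```

The diff can never be all zeros: decryption is a bijection, so a modified ciphertext block cannot decrypt to the original plaintext. What the statistics measure is only whether the non-zero diff is distinguishable from uniform noise, which is the question chongo proposes to settle by test rather than by assertion.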