On 2015-12-16 01:31, Watson Ladd wrote:
> You don't understand the issue. The issue is PRP not colliding, whereas
> PRF can.

Oh, but I concur. This means that if you observe two same-valued ciphertext blocks, you know that the corresponding key stream blocks can't be identical, and deduce that the corresponding plaintext blocks have to be different. Such observations consequently leak information about the plaintext, in the rare and unlikely event they actually occur.

However, calling it an exploitable weakness is a bit of a stretch. AES-CBC is likely to lose confidentiality slightly faster, for typical plaintexts.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
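A toy simulation of the point made in this exchange, added here as an example (not code from either poster): an 8-bit random permutation stands in for AES as the PRP, a random function stands in for a PRF, and CTR mode is run over both. `equal_ct_implies_unequal_pt` is the observer's deduction described above, and the block size, seed and function names are assumptions of this example.

```python
import random

BLOCK_BITS = 8
N = 1 << BLOCK_BITS  # 256 block values: a toy size, not AES's 128 bits

def make_prp(rng):
    """Random permutation on N values: a stand-in for a block cipher (PRP).
    Distinct inputs always give distinct outputs."""
    table = list(range(N))
    rng.shuffle(table)
    return table.__getitem__

def make_prf(rng):
    """Random function on N values: a stand-in for an ideal PRF.
    Distinct inputs may give the same output."""
    table = [rng.randrange(N) for _ in range(N)]
    return table.__getitem__

def ctr_encrypt(block_fn, plaintext):
    """CTR mode over one-byte blocks: ct[i] = pt[i] XOR block_fn(counter=i)."""
    return [p ^ block_fn(i) for i, p in enumerate(plaintext)]

def keystream_collisions(block_fn, nblocks):
    """How many keystream blocks repeat an earlier one (0 for any PRP)."""
    ks = [block_fn(i) for i in range(nblocks)]
    return nblocks - len(set(ks))

def equal_ct_implies_unequal_pt(block_fn, plaintext):
    """Observer's view: for every pair of equal ciphertext blocks, check whether
    the underlying plaintext blocks really differ. Returns (pairs, violations).
    Under a PRP violations is always 0, so equal ciphertext blocks reveal that
    the plaintext blocks differ; under a PRF no such deduction holds."""
    ct = ctr_encrypt(block_fn, plaintext)
    pairs = violations = 0
    for i in range(len(ct)):
        for j in range(i + 1, len(ct)):
            if ct[i] == ct[j]:
                pairs += 1
                if plaintext[i] == plaintext[j]:
                    violations += 1
    return pairs, violations

def demo(seed=1):
    """Run both constructions on the same constructed random plaintext."""
    rng = random.Random(seed)
    plaintext = [rng.randrange(N) for _ in range(N)]  # constructed sample input
    prp, prf = make_prp(random.Random(seed + 1)), make_prf(random.Random(seed + 2))
    return {
        "prp_keystream_collisions": keystream_collisions(prp, N),
        "prf_keystream_collisions": keystream_collisions(prf, N),
        "prp_equal_ct_pairs": equal_ct_implies_unequal_pt(prp, plaintext),
    }
```

With 256 counters the PRF keystream repeats roughly a third of its values while the PRP keystream never repeats, which is exactly why equal ciphertext blocks carry information under the PRP but not under the PRF.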