Hi Atul,

> On Jul 19, 2016, at 2:26 AM, Atul Luykx <atul.lu...@esat.kuleuven.be> wrote:
> 
>> What is especially cool about counter mode encryption is how its real
>> world security degrades more gracefully than CBC mode encryption.  I
>> am not sure that the FSE paper did a good job of saying it in English
>> as opposed to math (except for the last sentence of Section 4), but
>> even though CTR may be just as distinguishable as CBC after some
>> amount of known plaintext is encrypted, counter mode in practice gives
>> away much less information.
> 
> Just to be precise, no attack has been found which illustrates that CTR 
> mode's security degrades like CBC’s.

I either don’t understand the sentence, or I disagree with it.  Both CTR and 
CBC are only secure up to the birthday bound, and are distinguishable at or 
beyond that bound.   

> Nevertheless, it might be possible to formalize your intuition.
> 

Agreed, and what is needed is a measure of the expected amount of information 
an attacker has about the (unknown) target plaintext, which would be larger in 
the CBC case than the CTR case.   This is interesting, but of course, we should 
stick with the standard definition of indistinguishability as our security 
criterion.

Hope this doesn’t sound like nitpicking; I just want to make sure that no one 
thinks I am suggesting that it is OK to use encryption systems that are 
distinguishable.

best,

David

> Atul

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
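
A toy illustration of the point discussed in this thread, added here as an example and not part of the original message: past the birthday bound both modes are distinguishable, but a CBC ciphertext collision reveals the XOR of two plaintext blocks, while CTR only shows that keystream blocks never repeat. The 16-bit block size, the seeded random permutation standing in for a keyed block cipher, and all function names are assumptions made for the demonstration.

```python
import random

BLOCK_BITS = 16            # toy block size: birthday bound is ~2**8 blocks
N = 1 << BLOCK_BITS

def toy_permutation(seed):
    # Constructed stand-in for a block cipher under one key (not a real cipher).
    table = list(range(N))
    random.Random(seed).shuffle(table)
    return table

def cbc_encrypt(perm, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = perm[m ^ prev]
        out.append(prev)
    return out

def ctr_encrypt(perm, nonce, blocks):
    return [m ^ perm[(nonce + i) % N] for i, m in enumerate(blocks)]

def cbc_leaked_xors(iv, ct):
    # Ciphertext only: c_i == c_j implies m_i ^ m_j == c_(i-1) ^ c_(j-1).
    chain, seen, leaks = [iv] + ct, {}, []
    for i, c in enumerate(ct):
        if c in seen:
            j = seen[c]
            leaks.append((j, i, chain[j] ^ chain[i]))
        else:
            seen[c] = i
    return leaks

def ctr_keystream_repeats(known_pt, ct):
    # Known plaintext: keystream blocks are permutation outputs, so none repeat.
    ks = [m ^ c for m, c in zip(known_pt, ct)]
    return len(ks) - len(set(ks))

def demo(n_blocks=4096, seed=2016):
    rng = random.Random(seed)
    perm = toy_permutation(seed + 1)
    msgs = [rng.randrange(N) for _ in range(n_blocks)]   # constructed plaintext
    iv, nonce = rng.randrange(N), rng.randrange(N)
    leaks = cbc_leaked_xors(iv, cbc_encrypt(perm, iv, msgs))
    repeats = ctr_keystream_repeats(msgs, ctr_encrypt(perm, nonce, msgs))
    return msgs, leaks, repeats

if __name__ == "__main__":
    msgs, leaks, repeats = demo()
    print(f"CBC: {len(leaks)} plaintext XORs recovered from ciphertext alone")
    print(f"CTR: {repeats} keystream repeats; each pair only rules out one XOR value")
```

The absence of keystream repeats is itself what distinguishes CTR from a random function at this data volume, so the example shows distinguishability in both modes, not safety in either.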
