Hey David,
On 2016-07-19 11:58, David McGrew wrote:
Hi Atul,
On Jul 19, 2016, at 2:26 AM, Atul Luykx <atul.lu...@esat.kuleuven.be> wrote:
What is especially cool about counter mode encryption is how its real
world security degrades more gracefully than CBC mode encryption. I
am not sure that the FSE paper did a good job of saying it in English
as opposed to math (except for the last sentence of Section 4), but
even though CTR may be just as distinguishable as CBC after some
amount of known plaintext is encrypted, counter mode in practice
gives away much less information.
Just to be precise, no attack has been found which illustrates that
CTR mode's security degrades like CBC’s.
I either don’t understand the sentence, or I disagree with it. Both
CTR and CBC are only secure up to the birthday bound, and are
distinguishable at or beyond that bound.
Sounds good; I was just clarifying the possibility that CTR could be as
vulnerable as CBC beyond the birthday bound in practice, addressing the
following sentence:
counter mode in practice gives away much less information.
But you're right, I wasn't very clear.
Nevertheless, it might be possible to formalize your intuition.
Agreed, and what is needed is a measure of the expected amount of
information an attacker has about the (unknown) target plaintext,
which would be larger in the CBC case than the CTR case. This is
interesting, but of course, we should stick with the standard
definition of indistinguishability as our security criterion.
Hope this doesn’t sound like nitpicking; I just want to make sure
that no one thinks I am suggesting that it is OK to use encryption
systems that are distinguishable.
best,
David
Atul
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
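The thread above argues about what an attacker actually learns once CBC and CTR are pushed past the birthday bound. The following is an added example, not code from either participant or from the list, that makes the difference concrete. It assumes a toy block cipher (a seeded random permutation on 16-bit blocks, standing in for a real cipher so that collisions are cheap to reach), constructed random plaintext, and constructed IV, nonce and seed values. With those assumptions it shows that a CBC ciphertext collision C_i = C_j hands a ciphertext-only attacker the exact value P_i xor P_j = C_{i-1} xor C_{j-1}, while in CTR the same volume of ciphertext only tells the attacker, for each pair of blocks, one value that P_i xor P_j cannot take. Both modes are still distinguishable from random at the same point (the recovered CTR keystream never repeats, where random bits would), which is David's point that neither should be used there.

```python
# Added example (not from the TLS list thread): what a ciphertext-only attacker
# learns about P_i xor P_j past the birthday bound under CBC versus CTR.
# Assumptions: a seeded random 16-bit permutation stands in for the block
# cipher; plaintext, IV, nonce and seeds are constructed here.
import math
import random
from itertools import combinations

BLOCK_BITS = 16            # toy block size: the birthday bound sits near 2^8 blocks
N = 1 << BLOCK_BITS
MASK = N - 1


def make_toy_cipher(seed):
    """Return E, a random permutation on 16-bit blocks (stand-in for a block cipher)."""
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    return lambda x: perm[x]


def cbc_encrypt(E, iv, blocks):
    """C_0 = IV, C_i = E(P_i xor C_{i-1})."""
    out, prev = [], iv
    for p in blocks:
        prev = E(p ^ prev)
        out.append(prev)
    return out


def ctr_encrypt(E, nonce, blocks):
    """C_i = P_i xor E(nonce + i); the counter wraps inside the toy block size."""
    return [p ^ E((nonce + i) & MASK) for i, p in enumerate(blocks)]


def cbc_collision_leaks(iv, ct):
    """Ciphertext-only view. A collision ct[i] == ct[j] means the cipher inputs
    were equal, P_i xor chain[i] == P_j xor chain[j], so P_i xor P_j is fully
    determined as chain[i] xor chain[j]. Returns (j, i, P_i xor P_j) per collision."""
    chain = [iv] + ct           # chain[k] is the block fed back into position k
    first_seen, leaks = {}, []
    for i, c in enumerate(ct):
        if c in first_seen:
            j = first_seen[c]
            leaks.append((j, i, chain[j] ^ chain[i]))
        else:
            first_seen[c] = i
    return leaks


def ctr_excluded_xor(ct, i, j):
    """Ciphertext-only view. E is a permutation, so the keystream blocks for
    positions i and j differ, hence P_i xor P_j != C_i xor C_j. That single
    excluded value (one out of N) is all the pair gives away."""
    return ct[i] ^ ct[j]


def ctr_keystream_repeats(pt, ct):
    """Known-plaintext distinguisher: a real permutation never repeats a
    keystream block; random bits would start repeating near 2^(n/2) blocks."""
    ks = [p ^ c for p, c in zip(pt, ct)]
    return len(ks) - len(set(ks))


def compare_modes(seed=2016, m=1500):
    """Encrypt m random blocks under both modes and summarise the leakage.
    Expected CBC collisions: about m*(m-1)/(2*N), i.e. around 17 for m=1500."""
    E = make_toy_cipher(seed)
    rng = random.Random(seed + 1)
    pt = [rng.getrandbits(BLOCK_BITS) for _ in range(m)]
    iv, nonce = rng.getrandbits(BLOCK_BITS), rng.getrandbits(BLOCK_BITS)

    cbc_ct = cbc_encrypt(E, iv, pt)
    leaks = cbc_collision_leaks(iv, cbc_ct)
    cbc_ok = all(pt[i] ^ pt[j] == x for j, i, x in leaks)

    ctr_ct = ctr_encrypt(E, nonce, pt)
    ctr_ok = all((pt[i] ^ pt[j]) != ctr_excluded_xor(ctr_ct, i, j)
                 for i, j in combinations(range(m), 2))

    return {
        "cbc_collisions": len(leaks),
        "cbc_leaks_correct": cbc_ok,
        "cbc_bits_per_collision": BLOCK_BITS,          # P_i xor P_j pinned to 1 of N
        "ctr_pairs": m * (m - 1) // 2,
        "ctr_exclusions_correct": ctr_ok,
        "ctr_bits_per_pair": math.log2(N / (N - 1)),   # 1 of N values ruled out
        "ctr_keystream_repeats": ctr_keystream_repeats(pt, ctr_ct),
    }


if __name__ == "__main__":
    for key, value in compare_modes().items():
        print(f"{key}: {value}")
```

The per-pair figures are the point: a CBC collision yields a full block's worth of information about two plaintext blocks, which is exactly what practical attacks on 64-bit-block CBC exploit, whereas each CTR pair rules out one candidate out of 2^n for the same quantity, a negligible amount that no known attack turns into plaintext recovery. Note also that the CTR keystream repeat count is zero, which is itself the birthday-bound distinguisher the two of them agree makes both modes unfit past that point.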