[liberationtech] New Anonymity Network for Short Messages

Mike Perry mikeperry at torproject.org
Tue Jun 11 14:38:40 PDT 2013


Steve Weis:
> Comments inline...
> 
> On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cassidy at gmail.com>wrote:
> 
> > > - Any specific reason you picked CTR?
> > CTR is widely recommended. Cryptography Engineering specifically
> > recommends it.

I was puzzled by this recommendation. CTR has several bad properties that
can surprise you, and have bitten Tor as well.
 
> The reason I ask is that this makes your IV-generation more critical than,
> say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
> some message bits.

In addition to this, CTR allows bit-level malleability of the cleartext:
a bit flipped in a CTR cipherstream translates into a bit flipped in
the cleartext.

In fact, if there are regions of known cleartext (such as zeroes) the
adversary can do things like encode the originating IP in the cleartext
simply by XORing it into the cipherstream.

This property can cause problems if you perform any operations before
checking the MAC (like evaluating a weak CRC to decide to forward the
message or not).

CBC on the other hand causes a single ciphertext bitflip to scramble a
block of cleartext (16 or 32 bytes for 128bit vs 256bit) in an
unpredictable and key-dependent way.


-- 
Mike Perry
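Added example, not code from the thread: a stdlib-only CTR construction that shows the two properties discussed above (a ciphertext bit flip lands at the same position in the cleartext, and a reused nonce leaks the XOR of two messages) and the encrypt-then-MAC check that rejects a flipped message before anything else looks at it. HMAC-SHA256 stands in for the block cipher as the keystream PRF (an assumption made for portability; the malleability is identical with AES-CTR), and all keys, nonces and messages are constructed test values.

```python
import hashlib
import hmac

def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: PRF(key, nonce || counter) for counter = 0, 1, 2, ..."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))

def xor_into(buf: bytes, offset: int, patch: bytes) -> bytes:
    """XOR `patch` into `buf` at `offset`: all an in-path modifier of ciphertext needs."""
    out = bytearray(buf)
    for i, b in enumerate(patch):
        out[offset + i] ^= b
    return bytes(out)

KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"n" * 16   # constructed test values

def malleability_demo() -> bytes:
    """Flip ciphertext bits over a known-zero region; the same bits flip in the cleartext."""
    plaintext = b"hello" + bytes(4)                     # 4 bytes of known zero padding
    tampered = xor_into(ctr_crypt(KEY, NONCE, plaintext), 5, bytes([10, 0, 0, 1]))
    return ctr_crypt(KEY, NONCE, tampered)              # b"hello\n\x00\x00\x01"

def nonce_reuse_leak(pt1: bytes, pt2: bytes) -> bytes:
    """Two messages under one (key, nonce): ct1 XOR ct2 equals pt1 XOR pt2."""
    c1, c2 = ctr_crypt(KEY, NONCE, pt1), ctr_crypt(KEY, NONCE, pt2)
    return bytes(a ^ b for a, b in zip(c1, c2))

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any flip is detected."""
    ct = ctr_crypt(KEY, NONCE, plaintext)
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()

def open_sealed(blob: bytes):
    """Verify the tag before touching the ciphertext; return None on any tampering."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()):
        return None
    return ctr_crypt(KEY, NONCE, ct)
```

The check in `open_sealed` is the one the post says must run before any use of the decrypted bytes, such as a CRC-based forwarding decision.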

