[liberationtech] New Anonymity Network for Short Messages
mikeperry at torproject.org
Tue Jun 11 14:38:40 PDT 2013
> Comments inline...
> On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cassidy at gmail.com> wrote:
> > > - Any specific reason you picked CTR?
> > CTR is widely recommended. Cryptography Engineering specifically
> > recommends it.
I was puzzled by this recommendation. CTR has several bad properties that
can surprise you, and have bitten Tor as well.
> The reason I ask is that this makes your IV-generation more critical than,
> say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
> some message bits.
In addition to this, CTR allows bit-level malleability of the cleartext:
a bit flipped in a CTR cipherstream translates into a bit flipped in
In fact, if there are regions of known cleartext (such as zeroes) the
adversary can do things like encode the originating IP in the cleartext
simply by XORing it into the cipherstream.
This property can cause problems if you perform any operations before
checking the MAC (like evaluating a weak CRC to decide to forward the
message or not).
CBC on the other hand causes a single ciphertext bit flip to scramble a
block of cleartext (16 or 32 bytes for 128-bit vs 256-bit) in an
unpredictable and key-dependent way.
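An added example (not from the original thread) that shows the two points above in runnable form: XORing bytes into a CTR ciphertext XORs the same bytes into the recovered cleartext, and an encrypt-then-MAC check done before anything else rejects the modified ciphertext. It assumes an HMAC-SHA256 PRF as a stand-in for the AES block function so it runs with only the standard library; the XOR structure of CTR, and therefore the behaviour shown, is the same.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: PRF(key, nonce || counter) per block.
    Assumption: HMAC-SHA256 stands in for the block cipher (stdlib only)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def xor_into(ciphertext: bytes, offset: int, patch: bytes) -> bytes:
    """Change ciphertext without the key; the same bytes are XORed into the
    cleartext at the same offset, so a known-zero region takes them verbatim."""
    buf = bytearray(ciphertext)
    for i, b in enumerate(patch):
        buf[offset + i] ^= b
    return bytes(buf)

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = ctr_xor(enc_key, nonce, msg)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag BEFORE touching the cleartext; None means reject."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return ctr_xor(enc_key, nonce, ct)

def demo():
    enc_key, mac_key = b"e" * 32, b"m" * 32   # constructed fixed keys for reproducibility
    nonce = b"\x00" * 16                       # constructed; never reuse one with a real key
    msg = b"\x00\x00\x00\x00" + b"hello"       # constructed: 4 known-zero bytes, then payload
    # Unauthenticated CTR: the marker lands in the zero region of the cleartext.
    injected = ctr_xor(enc_key, nonce, xor_into(ctr_xor(enc_key, nonce, msg), 0, b"MARK"))
    # With the MAC checked first, the same modification is rejected outright.
    blob = seal(enc_key, mac_key, nonce, msg)
    bad_blob = blob[:16] + xor_into(blob[16:-32], 0, b"MARK") + blob[-32:]
    return injected, open_sealed(enc_key, mac_key, blob), open_sealed(enc_key, mac_key, bad_blob)
```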