Search Mailing List Archives
[liberationtech] [cryptography] New Anonymity Network for Short Messages
eugen at leitl.org
Wed Jun 12 07:58:46 PDT 2013
----- Forwarded message from Wasa <wasabee18 at gmail.com> -----
Date: Wed, 12 Jun 2013 15:32:02 +0100
From: Wasa <wasabee18 at gmail.com>
To: cryptography at randombit.net
Subject: Re: [cryptography] [liberationtech] New Anonymity Network for Short Messages
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
On 12/06/13 07:27, Eugen Leitl wrote:
> Additionally to this, CTR allows bit-level maleability of the cleartext:
> a bit flipped in a CTR cipherstream translates into a bit flipped in
> the cleartext.
all encryption modes usually provide confidentiality BUT NOT
integrity. They have been designed to be CPA secure; not CCA secure.
That's why u usually use a MAC along with it... it has nothing to do
The mode that provides both is CGM
> In fact, if there are regions of known cleartext (such as zeroes) the
> adversary can do things like encode the originating IP in the cleartext
> simply by XORing it into the cipherstream.
in CBC if u select the IV incorrectly u also leak info. CBC is only
CPA secure IFF the IVs are unpredictable.
> This property can cause problems if you perform any operations before
> checking the MAC (like evaluating a weak CRC to decide to forward the
> message or not).
This is also irrelevant. it's got nothing to do with CTR or other
modes of encryption; this is all about how u perform authenticated
encryption: u should do encrypt-then-mac rather than something else.
if u want simple primitives to work with; u can have a look at
http://nacl.cr.yp.to/ : implemented by cryptographers.
cryptography mailing list
cryptography at randombit.net
----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
More information about the liberationtech