[liberationtech] [cryptography] CTR mode fragility vs feedback modes (Re: New Anonymity Network for Short Messages)

Eugen Leitl eugen at
Wed Jun 12 08:34:15 PDT 2013

----- Forwarded message from Adam Back <adam at> -----

Date: Wed, 12 Jun 2013 17:27:34 +0200
From: Adam Back <adam at>
To: Wasa <wasabee18 at>
Cc: cryptography at
Subject: [cryptography] CTR mode fragility vs feedback modes (Re: New Anonymity Network for Short Messages)
User-Agent: Mutt/1.5.21 (2010-09-15)

On Wed, Jun 12, 2013 at 03:32:02PM +0100, Wasa wrote:
> in CBC if you select the IV incorrectly you also leak info. CBC is only
> CPA secure IFF the IVs are unpredictable.

While that is true for CBC, CBC and other feedback modes are still less
fragile than the counter modes: CTR, CCM or GCM.

If you reuse an IV in CBC it falls back to ECB, which is not great but it's
in most cases better than leaking plaintext xors!

Also another fun issue with CBC is if the IVs are computed rather than
stored, or anyway non-repeating but not random (e.g. time, counter types of
things) the IV differences can cancel with the plaintext differences.  For
example, in experiments some years ago I found around 3% of data on an
encrypted disk encrypted with CBC using IV equal to sector number canceled
with sector first block contents (for first plaintext block in sector only


----- End forwarded message -----
Eugen* Leitl leitl
ICBM: 48.07100, 11.36820
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
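The three failure modes Adam describes above (CTR nonce reuse cancelling the keystream, CBC IV reuse degrading to ECB, and CBC with IV = sector number letting IV differences cancel plaintext differences) can be reproduced with a few lines of Python. This is an added example, not code from the thread; a keyed PRF (HMAC-SHA256 cut to 16 bytes) stands in for AES, which is sufficient because every effect shown depends only on the block transform being deterministic, and all keys, nonces and sector contents are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16

def block_encrypt(key, block):
    # Stand-in for AES-128 (keyed PRF cut to one block): the effects shown
    # below depend only on the block transform being deterministic.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = block_encrypt(key, xor(prev, p))  # C_i = E(C_{i-1} xor P_i)
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key, nonce, pt):
    # Keystream block i = E(nonce || counter i): 12-byte nonce + 4-byte counter.
    ks = [block_encrypt(key, nonce + i.to_bytes(4, "big")) for i in range(len(blocks(pt)))]
    return b"".join(xor(p, k) for p, k in zip(blocks(pt), ks))

def ctr_nonce_reuse_leaks_xor(key, nonce, p1, p2):
    # Reused CTR nonce: the keystream cancels, so C1 xor C2 == P1 xor P2.
    return xor(ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)) == xor(p1, p2)

def cbc_iv_reuse_equal_blocks(key, iv, p1, p2):
    # Reused CBC IV degrades to ECB: only a shared plaintext prefix shows,
    # as a run of equal leading ciphertext blocks. Returns that run length.
    c1, c2 = blocks(cbc_encrypt(key, iv, p1)), blocks(cbc_encrypt(key, iv, p2))
    n = 0
    while n < min(len(c1), len(c2)) and c1[n] == c2[n]:
        n += 1
    return n

def sector_iv_collisions(key, sectors):
    # CBC with IV = sector number: sectors i, j whose first blocks satisfy
    # i xor P_i0 == j xor P_j0 get an identical first ciphertext block.
    first = {}
    for num, data in sectors.items():
        c0 = blocks(cbc_encrypt(key, num.to_bytes(BLOCK, "big"), data))[0]
        first.setdefault(c0, []).append(num)
    return [sorted(v) for v in first.values() if len(v) > 1]
```

The defensive reading is the one Adam gives: CTR-family modes need a nonce that is never repeated under a key, and CBC needs IVs that are unpredictable rather than merely unique.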
