IOC: A flaw in the fresh IV generation guideline ...

June 2013

Phil Rogaway and Bruce Murray have identified and pointed out a flaw in the current guideline/recommendation given for fresh IV generation in the IOC AE mode.

If P1 = 0, then I1 = E_k(S) and O1 = E_k(E_k(S)); worst of all, C1 = 2·E_k(E_k(S)), so every bit of the inner vector O1 except the most significant one is known to an attacker, and the secrecy of the inner vectors no longer holds!

There are plenty of possibilities to fix it. Thus, the IOC operational guidelines are at this moment under revision, and a new version will be published once the winning solution is chosen.

Update - July 2013

After carefully analyzing the possibility of exchanging the IVa and IVb initialization vectors to solve the above flaw, Bruce Murray (NXP Electronics) has finally concluded that it does not seem a good idea. In general, if the IVs are built using the same encryption algorithm and the same cipher key as the plaintext encryption, there could be some intrinsic weakness.

Click on the next diagram for Bruce Murray's analysis (there is also a link to the former analysis at the bottom of the figure, which includes some background concepts):

I find Bruce's cryptanalysis very interesting and meaningful, since it raises the point that the operational requirement on IV generation, which states that the IVs shall be random, shall be extended to state explicitly that, in order to achieve this randomness, the generation process shall be totally uncorrelated with the IOC logic. Thanks Bruce! Your analysis is paramount in order to produce a final and mature IOC specification ...
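The following script is an added illustration of the two points above (the P1 = 0 leak and the conclusion that IV generation must be uncorrelated with the IOC logic); it is not the IOC author's or Bruce Murray's code. It assumes a first-block chaining of the form I1 = P1 XOR IVa, O1 = E_k(I1), C1 = O1 + IVb (mod 2^128), which is the relation that yields C1 = 2·E_k(E_k(S)) when IVa = E_k(S), IVb = E_k(IVa) and P1 = 0; E_k is modelled by an idealized keyed function built from SHA-256 rather than a real block cipher, and the key and seed are constructed demo values.

```python
"""Why a key-derived IV leaks an IOC inner vector, and why an independent one does not.

Assumptions (labelled, not taken from the IOC specification):
  * E_k is modelled by an idealized keyed function built from SHA-256,
    a stand-in for the block cipher, not AES and not IOC's real cipher;
  * the first block chains as I1 = P1 XOR IVa, O1 = E_k(I1),
    C1 = O1 + IVb (mod 2^128), so that the flawed guideline
    IVa = E_k(S), IVb = E_k(IVa) with P1 = 0 gives C1 = 2*E_k(E_k(S));
  * key and seed values are constructed for the demo.
"""
import hashlib
import secrets

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1
LOW_MASK = MASK >> 1            # every bit except the most significant one


def e_k(key: bytes, block: int) -> int:
    """Idealized keyed block function standing in for the block cipher E_k."""
    digest = hashlib.sha256(key + block.to_bytes(BLOCK_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: BLOCK_BITS // 8], "big")


def first_block(key: bytes, iv_a: int, iv_b: int, p1: int):
    """First block under the assumed chaining; returns (O1, C1)."""
    i1 = p1 ^ iv_a
    o1 = e_k(key, i1)
    c1 = (o1 + iv_b) & MASK
    return o1, c1


def derived_ivs(key: bytes, seed: int):
    """The flawed guideline: both IVs are produced by E_k under the data key."""
    iv_a = e_k(key, seed)
    iv_b = e_k(key, iv_a)
    return iv_a, iv_b


def independent_ivs():
    """IVs drawn from an RNG that is uncorrelated with the IOC logic and key."""
    return secrets.randbits(BLOCK_BITS), secrets.randbits(BLOCK_BITS)


def guess_o1_low_bits(c1: int) -> int:
    """What an observer learns if C1 = 2*O1 mod 2^128: the low 127 bits of O1."""
    return (c1 >> 1) & LOW_MASK


def matching_low_bits(guess: int, o1: int) -> int:
    """Number of the 127 non-MSB bits of O1 that the guess gets right."""
    return BLOCK_BITS - 1 - bin((guess ^ o1) & LOW_MASK).count("1")


def leak_with_derived_ivs(key: bytes, seed: int) -> int:
    """Derived IVs and P1 = 0: O1 collides with IVb, and C1 reveals 127 bits of O1."""
    iv_a, iv_b = derived_ivs(key, seed)
    o1, c1 = first_block(key, iv_a, iv_b, p1=0)
    assert o1 == iv_b                     # the collision the post describes
    return matching_low_bits(guess_o1_low_bits(c1), o1)


def leak_with_independent_ivs(key: bytes) -> int:
    """Independent IVs: the same guess matches O1 only at chance level."""
    iv_a, iv_b = independent_ivs()
    o1, c1 = first_block(key, iv_a, iv_b, p1=0)
    return matching_low_bits(guess_o1_low_bits(c1), o1)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-secret!"          # constructed value
    seed = 0x0123456789ABCDEF0123456789ABCDEF          # constructed value
    print("derived IVs:    ", leak_with_derived_ivs(key, seed), "of 127 bits recovered")
    print("independent IVs:", leak_with_independent_ivs(key), "of 127 bits match (chance level)")
```

With derived IVs the guess recovers all 127 non-MSB bits of O1 every time; with IVs from an independent RNG the addition of an unknown IVb makes C1 uniform regardless of O1, so the same guess matches only about half the bits, which is exactly the uncorrelated-generation requirement the post argues for.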
