
Crypto Archives: Re: OAEP before symmetric encryption ?

Re: OAEP before symmetric encryption ?


Julius Duque (Julius.Duque@securetrade.com)
Tue, 23 Nov 1999 17:35:31 +0800


> Are there better padding schemes out there,

It depends on your needs.

> or is padding usually not used because one can run the cipher in CBC mode?

If you're going to use a block cipher like IDEA, you should use
padding.

> With CBC mode, it seems that I could get the property if I kept the IV
> secret, but now I need to send the IV to a recipient.

With CBC, you don't need to hide the IV; you just have to make it
random and not use it more than once. To convince yourself, here's
a practical proof: We know that the last block of the ciphertext
uses the next-to-last block as its own IV. Now, the next-to-last block
similarly uses the block previous to it as its IV. You continue this
until you get to the starting block of the ciphertext and consequently
to the IV itself. Assume that the attacker got hold of the ciphertext;
it's now obvious that you can't conceal the IV. In fact, the whole
ciphertext is a series of IVs chained together. Also, since the IV is
discarded when the ciphertext is finally decrypted, you don't need to
keep it a secret. But DON'T use the same IV more than once!

> are there any theoretical results about how "random" CBC is?

Lars Knudsen's PhD thesis has a pictorial proof of this.

Julius
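A worked illustration of the two rules in the reply above (the IV travels in the clear, but must be random and never reused) and of the padding point. This is an added example, not code from the original post or from any of the participants. The block cipher is a toy 8-round Feistel permutation built on SHA-256, standing in for IDEA or AES only because it is short and invertible; the function names, the key and the two "TRANSFER" messages are constructed for the demonstration. `cbc_encrypt` prepends the IV to the ciphertext and `cbc_decrypt` reads it back, so nothing about the IV is secret; `leaked_prefix_blocks` shows what an eavesdropper learns when the same IV is used twice versus when each message gets a fresh random one.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16          # 128-bit blocks, as with AES (IDEA uses 64-bit blocks; the chaining is the same)
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel network (hypothetical stand-in, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round Feistel permutation of one 16-byte block. A toy stand-in for a
    real block cipher such as IDEA or AES: all CBC needs is an invertible
    keyed permutation, which a Feistel network is by construction."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(8)):      # undo the rounds in reverse order
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK       # always 1..16, so a full block is added for aligned input
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Return iv || C1 || C2 || ... The IV is sent in the clear: it must be
    fresh and unpredictable per message, but it need not be secret."""
    if iv is None:
        iv = os.urandom(BLOCK)
    padded = pkcs7_pad(plaintext)
    prev, out = iv, bytearray()
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))  # C_i = E(P_i xor C_{i-1})
        out += prev
    return iv + bytes(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, ct = data[:BLOCK], data[BLOCK:]
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    prev, out = iv, bytearray()
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, block), prev)                # P_i = D(C_i) xor C_{i-1}
        prev = block
    return pkcs7_unpad(bytes(out))


def leaked_prefix_blocks(key: bytes, m1: bytes, m2: bytes, iv: Optional[bytes] = None) -> int:
    """Encrypt m1 and m2 and count the leading ciphertext blocks (after the IV)
    that coincide. With a reused IV this equals the number of leading plaintext
    blocks the two messages share, which an eavesdropper can read off directly;
    with fresh random IVs it is 0 (except with probability about 2^-128)."""
    c1 = cbc_encrypt(key, m1, iv)[BLOCK:]
    c2 = cbc_encrypt(key, m2, iv)[BLOCK:]
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed demo key
    m1 = b"TRANSFER $100 to account 1111"                    # constructed messages sharing
    m2 = b"TRANSFER $100 to account 2222"                    # exactly their first 16 bytes
    ct = cbc_encrypt(key, m1)
    print("IV sent in the clear:", ct[:BLOCK].hex())
    print("round trip ok:", cbc_decrypt(key, ct) == m1)
    print("blocks leaked with reused IV:", leaked_prefix_blocks(key, m1, m2, iv=bytes(16)))
    print("blocks leaked with random IVs:", leaked_prefix_blocks(key, m1, m2))
```

The toy cipher and the manual PKCS#7 handling are there only so the chaining is visible; in real code use AES-CBC from a vetted library and authenticate the ciphertext (encrypt-then-MAC or an AEAD mode), because unauthenticated CBC is malleable and a padding-check error that is visible to the sender turns into a padding oracle.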



This archive was generated by hypermail 2.0b3 on Tue Nov 23 1999 - 06:14:23 CST