[cryptography] fragilities of CTR vs CBC (Re: Tigerspike claims world first with Karacell for mobile security)

Adam Back adam at cypherspace.org
Thu Dec 27 13:54:36 EST 2012

I think you could say CTR mode is fragile against counter reuse exposing
plaintext pair XORs, but CBC is also somewhat fragile against IV reuse,
forming an ECB code book around the set of same IV messages.

CBC itself has other issues eg using non-repeating (but non-random) IVs, for
example using sector number as IV in a file system, I have seen that
introduces a few % of first ciphertext block (per sector) where in practice
using real OS/app disk data the IV cancels with the plaintext.  ie IV1 xor
P1 == IV2 xor P2 (and consequently C1 == C2 as C1 = E(IV1 xor P1)) which
tells you the plaintext difference given the IVs are known.  ie structured
IV cancels with structured plaintext.


On Thu, Dec 27, 2012 at 06:35:27PM +0000, Ben Laurie wrote:
>On Thu, Dec 27, 2012 at 9:18 AM, Russell Leidich <pkejjy at gmail.com> wrote:
>> there are plenty of Googleable papers showing the Counter Mode is weak
>> relative to (conventional) cipher-block-chaining (CBC) AES.
>Really? For example?

More information about the cryptography mailing list