[cryptography] "Combined" cipher modes

Jonathan Katz jkatz at cs.umd.edu
Mon Feb 20 07:12:58 EST 2012

On Mon, 20 Feb 2012, Harald Hanche-Olsen wrote:

> ["Kevin W. Wall" <kevin.w.wall at gmail.com> (2012-02-20 07:11:52 UTC)]

>> So my first question: Are there ANY "combined" cipher modes
>> for block ciphers that do not cause the ciphers to act as a key
>> stream? (That seems to be because most of the ones I found build
>> the confidentiality piece around CTR mode.) If "yes", please name
>> a few (especially those with no patent restrictions).

You can always construct a "combined" mode (also called an "authenticated 
encryption scheme") by combining a secure encryption scheme with a message 
authentication code (MAC) -- applying the MAC to the ciphertext, using 
independent keys. The NIST modes and others you have seen are slightly 
more efficient, however.

>> So my second question is, if all the "combined" cipher modes all
>> cause a cipher to act as if it is in a streaming mode, is it okay
>> to just choose a completely RANDOM IV for each encryption?

> I'll bite on this one, leaving the harder part of your question to the
> real experts. Yes, that should be okay, PROVIDED you have access to a
> good source of entropy (aka randomness). See the long, long thread on
> duplicate primes in RSA moduli to get a notion of how horribly wrong
> things can go if you don't.

What he said. Note also that the potential problems with IV reuse, etc., 
don't go away by choosing a non-streaming mode, anyway. But modes are 
designed to be secure assuming the IVs are randomly chosen.
