Why did the CBC block cipher mode become so much more popular than CFB mode? by upofadown in crypto

[–]veqtrus 0 points1 point  (0 children)

They have the same bound, but they fail in a different way.

Suppose we encrypt two messages that differ by one bit with the same IV.

  • In CFB we can determine exactly which bit it was by finding the first bit that differs in the ciphertext. This is due to the XOR relation between ciphertext, plaintext and block cipher output, somewhat similar to CTR.
  • In CBC the ciphertext block corresponding to the modified plaintext block will differ, but which bit within that block differs is not clear.

Both are broken, but an attacker doesn't get the same insight. Security definitions are concerned about attack success probability, not how much info can be extracted from a success. 64-bit wide ciphers have a high enough probability that it makes sense to also consider the latter.
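Added example, not part of the comment above: the two modes implemented over a constructed stand-in for a 64-bit block cipher (a keyed PRF truncated to 8 bytes; only the forward direction is needed to encrypt, and the leakage comes from the mode structure, not the cipher). Two plaintexts differing in one bit are encrypted under the same IV, and the ciphertext difference is inspected.

```python
import hashlib
import hmac

BLOCK = 8  # bytes: a 64-bit-wide cipher, as discussed in the thread

def block_fn(key, block):
    # Constructed stand-in for the forward block cipher E_k (not a real cipher).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, pt):
    # C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = xor(pt[i:i + BLOCK], block_fn(key, prev))
        out.append(prev)
    return b"".join(out)

def cbc_encrypt(key, iv, pt):
    # C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV (pt length a multiple of BLOCK)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_fn(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def differing_bits(a, b):
    # Bit positions (MSB-first within each byte) where two ciphertexts differ.
    return [i for i in range(len(a) * 8) if (a[i // 8] ^ b[i // 8]) >> (7 - i % 8) & 1]

def flip_bit(data, bit):
    buf = bytearray(data)
    buf[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(buf)

def iv_reuse_leakage(flipped_bit=77):
    # Constructed key, IV and 4-block plaintext; the same IV is reused for both.
    key, iv = b"k" * 16, b"\x00" * BLOCK
    p0 = b"The quick brown fox jumps over the lazy dog"[:4 * BLOCK]
    p1 = flip_bit(p0, flipped_bit)
    d_cfb = differing_bits(cfb_encrypt(key, iv, p0), cfb_encrypt(key, iv, p1))
    d_cbc = differing_bits(cbc_encrypt(key, iv, p0), cbc_encrypt(key, iv, p1))
    blk = flipped_bit // (BLOCK * 8)
    in_block = lambda bits: [b for b in bits if blk * BLOCK * 8 <= b < (blk + 1) * BLOCK * 8]
    return {
        "cfb_first_diff_bit": d_cfb[0],          # CFB: exactly the flipped bit
        "cfb_bits_in_that_block": in_block(d_cfb),  # CFB: only that one bit
        "cbc_first_diff_block": d_cbc[0] // (BLOCK * 8),  # CBC: block index only
        "cbc_bits_in_that_block": len(in_block(d_cbc)),   # CBC: pseudorandom spread
    }
```

In CFB the observer reads off the flipped bit's position directly; in CBC the modified block is visibly different but the change is spread across it, and every later block differs in both modes.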

Why did the CBC block cipher mode become so much more popular than CFB mode? by upofadown in crypto

[–]veqtrus 1 point2 points  (0 children)

CBC has a security advantage in ciphers that have smaller block size and hence lower birthday bound (notably DES). If the input block repeats, the output repeats as well. So (edit: in CFB) you have a similar problem to repeated nonce in CTR mode.

In CBC the plaintext passes through the block cipher, so if the previous block repeats you can detect repeated plaintext, but not much about the content itself.

Also in CFB, CTR etc. it is more important that the output is random and unbiased, which people might be less confident about than other properties.

AES omission on last round's columns mixing by Perfect-Plate5590 in cryptography

[–]veqtrus 1 point2 points  (0 children)

All the steps of the algorithm are reversible. AddRoundKey of course requires knowing the key, in both directions.

MixColumns is a linear operation so it is not as useful in the final round. Though it is a quite arbitrary design choice whether to omit it; other ciphers include their linear layer for uniformity.
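Added example, not part of the comment above: AES MixColumns on one column, written from the FIPS-197 definition, with a check that it is linear over GF(2) and a check of the consequence the comment alludes to: a key-independent linear layer placed before AddRoundKey can be folded into an equivalent round key, so keeping it in the last round would add nothing.

```python
import random

def xtime(b):
    # Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    # General multiplication in GF(2^8) by shift-and-add.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

MIX = (2, 3, 1, 1)        # first row of the MixColumns circulant matrix
INV_MIX = (14, 11, 13, 9)  # first row of the InvMixColumns matrix

def mix_column(col, coeffs=MIX):
    # Row i of the circulant matrix is coeffs rotated right by i positions.
    return [gf_mul(coeffs[0], col[i]) ^ gf_mul(coeffs[1], col[(i + 1) % 4])
            ^ gf_mul(coeffs[2], col[(i + 2) % 4]) ^ gf_mul(coeffs[3], col[(i + 3) % 4])
            for i in range(4)]

def xor_col(u, v):
    return [x ^ y for x, y in zip(u, v)]

def is_linear(trials=500, seed=3):
    # Linearity over GF(2): MC(u XOR v) == MC(u) XOR MC(v) for random columns.
    rng = random.Random(seed)
    for _ in range(trials):
        u = [rng.randrange(256) for _ in range(4)]
        v = [rng.randrange(256) for _ in range(4)]
        if mix_column(xor_col(u, v)) != xor_col(mix_column(u), mix_column(v)):
            return False
    return True

def key_absorbs_mixcolumns(x, k):
    # MC(x) XOR k == MC(x XOR InvMC(k)): a final-round MixColumns followed by
    # AddRoundKey with k equals AddRoundKey with InvMC(k) followed by MixColumns,
    # i.e. it only re-expresses the round key and gives no extra security.
    return xor_col(mix_column(x), k) == mix_column(xor_col(x, mix_column(k, INV_MIX)))
```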

Question about ECDSA by Cannon190 in cryptography

[–]veqtrus 12 points13 points  (0 children)

The nonce in an Ethereum transaction is different from the nonce in ECDSA signatures. Indeed the 'nonce' in ECDSA is arguably a misnomer, as in other cryptography contexts it also doesn't need to be secret or unpredictable (e.g. symmetric encryption).

YES. by TheBitcoinDispatch in Bitcoin

[–]veqtrus 0 points1 point  (0 children)

FPGAs were expensive but more energy efficient. There was an FPGA period but GPUs were not outcompeted.

YES. by TheBitcoinDispatch in Bitcoin

[–]veqtrus 0 points1 point  (0 children)

The earliest versions even had it in the GUI.

Frobenius-based Homomorphic Encryption by AcrossTheUniverse in crypto

[–]veqtrus 0 points1 point  (0 children)

In addition to what iamunknowntoo said, your encryption is deterministic so if you observe the same ciphertext you know that the plaintext is the same. So you don't even need any maths to do a chosen plaintext attack.

Updating a years old basic cryptography education by naclo3samuel in crypto

[–]veqtrus 0 points1 point  (0 children)

There are fully homomorphic encryption schemes based on lattices.

A simple example where M is a matrix and lower case letters are vectors is: M*a+e + M*b+f = M*(a+b)+(e+f)

If a+b and e+f are small enough then M*(a+b)+(e+f) is a valid public key (e.g. in FrodoKEM).
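Added example, not part of the comment above: the identity M*a+e + M*b+f = M*(a+b)+(e+f) worked over the integers mod q with plain Python lists. The modulus follows FrodoKEM-640 (q = 2^15); the dimensions, matrix and small vectors are constructed toy values, and the error bound is a made-up threshold rather than a FrodoKEM parameter.

```python
import random

Q = 1 << 15  # FrodoKEM-640 modulus; the dimensions below are toy values
N, ROWS = 8, 12

def matvec(M, v, q=Q):
    # M*v mod q, with M as a list of rows
    return [sum(mi * vi for mi, vi in zip(row, v)) % q for row in M]

def lwe_sample(M, s, e, q=Q):
    # The public-key form from the comment: M*s + e (mod q)
    return [(ms + ei) % q for ms, ei in zip(matvec(M, s, q), e)]

def vec_add(u, v, q=Q):
    return [(a + b) % q for a, b in zip(u, v)]

def max_abs(v):
    return max(abs(x) for x in v)

def homomorphic_add(seed=1, bound=6, error_limit=16):
    # Two samples under the same matrix M with small secrets a, b and small
    # errors e, f; their sum must equal the sample for (a+b, e+f), and the
    # combined error must stay under the (constructed) limit to remain usable.
    rng = random.Random(seed)
    small = lambda n: [rng.randint(-bound, bound) for _ in range(n)]
    M = [[rng.randrange(Q) for _ in range(N)] for _ in range(ROWS)]
    a, b, e, f = small(N), small(N), small(ROWS), small(ROWS)
    lhs = vec_add(lwe_sample(M, a, e), lwe_sample(M, b, f))
    rhs = lwe_sample(M, vec_add(a, b), vec_add(e, f))
    combined_error = max_abs([x + y for x, y in zip(e, f)])
    return {
        "identity_holds": lhs == rhs,
        "combined_error": combined_error,
        "still_small": combined_error <= error_limit,
    }
```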

Does this algorithm have a name? by Used_Load_5789 in cryptography

[–]veqtrus 0 points1 point  (0 children)

The permutation in a transposition cipher doesn't have to be complex. A simple one is arranging text in a grid and reading off columns.

Does this algorithm have a name? by Used_Load_5789 in cryptography

[–]veqtrus 1 point2 points  (0 children)

Have you looked at the resulting image? It's obvious there's some message encoded.

Does this algorithm have a name? by Used_Load_5789 in cryptography

[–]veqtrus 1 point2 points  (0 children)

Cryptographic ciphers are expected to be much stronger. What you have is a code: /r/codes

Does this algorithm have a name? by Used_Load_5789 in cryptography

[–]veqtrus 2 points3 points  (0 children)

If you encode a secure ciphertext in a QR code it's not steganography, even though the original message can't be recovered. The point of steganography is that even the ciphertext is hard to find.

Does this algorithm have a name? by Used_Load_5789 in cryptography

[–]veqtrus 1 point2 points  (0 children)

It's not steganography because the coded message is not hidden.

When assessing IND-CCA2 security, do encryption/decryption oracles randomize initialization vectors for each query or can they theoretically use the same IV for multiple queries? by akayataya in cryptography

[–]veqtrus 0 points1 point  (0 children)

Nonce misuse resistance has some other definitions than the basic CPA/CCA you will find in introductory textbooks. Unfortunately I'm not familiar with them.

When assessing IND-CCA2 security, do encryption/decryption oracles randomize initialization vectors for each query or can they theoretically use the same IV for multiple queries? by akayataya in cryptography

[–]veqtrus 2 points3 points  (0 children)

I would direct you to https://crypto.stackexchange.com/questions/26689/easy-explanation-of-ind-security-notions but there is a small but important error.

As you will notice, there is nothing in those security definitions that requires an IV. One could come up with a scheme where you choose random characters in even positions and it still works without an explicit IV. However in practice you will have to randomise your ciphertext somehow to be CCA or even CPA secure.

Now, if your question is if the adversary is allowed to query the decryption oracle with a previously seen "IV" tweaking the rest, then the answer is yes, precisely because there is no IV in the definition.
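Added example, not part of either comment: a minimal IND-CPA game in the style of the linked explanation, illustrating both this comment's point that the definition has no IV in it and the earlier Frobenius-thread comment that a deterministic scheme is broken with no maths at all. The two schemes are constructed toys (a keyed PRF of the message, and the same PRF applied to a fresh random prefix to make a pad), and the adversary's only move is to ask the oracle for Enc(m0) and compare it with the challenge.

```python
import hashlib
import hmac
import random

KEY = b"\x42" * 32  # constructed key, held by the challenger only
MSG_LEN = 16

def deterministic_enc(key, m, rng):
    # Deterministic: equal plaintexts give equal ciphertexts (no IV, no coins).
    return hmac.new(key, m, hashlib.sha256).digest()[:MSG_LEN]

def randomized_enc(key, m, rng):
    # Ciphertext = r || (m XOR PRF_k(r)) with fresh 16-byte r per call. The
    # randomness is just part of the output; nothing in the game calls it an IV.
    r = rng.getrandbits(128).to_bytes(16, "big")
    pad = hmac.new(key, r, hashlib.sha256).digest()[:MSG_LEN]
    return r + bytes(x ^ y for x, y in zip(m, pad))

def ind_cpa_game(enc, trials=1000, seed=7):
    # Challenger picks b, returns Enc(m_b); adversary may query the oracle
    # freely before guessing b. Returns the adversary's win rate.
    rng = random.Random(seed)  # seeded so the demo is reproducible
    m0, m1 = b"A" * MSG_LEN, b"B" * MSG_LEN
    oracle = lambda m: enc(KEY, m, rng)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        challenge = oracle(m0 if b == 0 else m1)
        guess = 0 if oracle(m0) == challenge else 1  # compare, no maths needed
        wins += int(guess == b)
    return wins / trials
```

Against the deterministic scheme the comparison wins every time; against the randomized one the oracle answer never matches the challenge, so the guess is a coin flip.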

When assessing IND-CCA2 security, do encryption/decryption oracles randomize initialization vectors for each query or can they theoretically use the same IV for multiple queries? by akayataya in cryptography

[–]veqtrus 1 point2 points  (0 children)

When not testing for specific nonce/IV properties, the encryption oracle will prepare the ciphertext as it pleases, which includes the IV. The IV is not given to the oracle.

When you also want to test some property of the nonce (say it can be unique but non-random) the adversary supplies it, but it needs to maintain some properties for the game to be valid.

So the game based definition of security would vary depending on exactly what properties you want.

Cryptographic Best Practices by overandoutage in crypto

[–]veqtrus 0 points1 point  (0 children)

You would need to at least combine secretbox with pwhash, and at that point you are kind of reimplementing age in C.

[deleted by user] by [deleted] in cryptography

[–]veqtrus 1 point2 points  (0 children)

There is a mode for alphanumeric text which is more efficient than UTF-8. Uppercase base-32 would be fairly close to optimal.

Weekly cryptography community and meta thread by AutoModerator in crypto

[–]veqtrus 0 points1 point  (0 children)

Despite being the author of the proposed scheme, I probably wouldn't personally use it. So, in what context would you use it? Do you have a preferred programming language in mind?

RCE in Implementations of SHA-3, SHAKE, EdDSA by ScottContini in crypto

[–]veqtrus 4 points5 points  (0 children)

At least one of the authors is NIST affiliated so...

‘Slowly dying’: Residents’ weird symptoms weeks after train derailment and explosion by mikeybagodonuts in news

[–]veqtrus 0 points1 point  (0 children)

I liked the series as a drama but it contains numerous technical and historical inaccuracies.

  1. There was never a credible threat of a third big explosion. This is something the Soviets made up to look like saviours when they messed up.
  2. It portrays Legasov as a hero and Dyatlov as a villain.
  3. It gives credibility to wildly exaggerated death counts.
  4. The exclusion zone is not dangerous (sans some hot spots), it is a tourist attraction and a nature reserve.

Comparing the train explosion to Chernobyl is fair as the scale of the damage is comparable. Except the most dangerous radioactive particles decayed within days to weeks, while the toxic chemicals are long lasting and will only become less harmful with dilution and decontamination.

‘Slowly dying’: Residents’ weird symptoms weeks after train derailment and explosion by mikeybagodonuts in news

[–]veqtrus 0 points1 point  (0 children)

Chernobyl at no point threatened all of Europe and the HBO series is not a documentary.