[personal profile] ciphergoth
I've posted before about the generally dreadful nature of cryptographic products. Yesterday I got into an argument on bloody Slashdot with a developer about whether he should try to use good crypto or not. Now, unlike [livejournal.com profile] jwz, I can see that he's not the only one with attitude in this thread, but the result still gets me down.

http://slashdot.org/comments.pl?sid=195651&cid=16032881

Next time you use something that uses crypto, bear in mind that it was probably written by the likes of this guy.

Date: 2006-09-04 01:40 pm (UTC)
From: [identity profile] sjmurdoch.livejournal.com
Amusing thread :-)

Perhaps I am missing something, but is there a need for unpredictable IVs? They should be unique, but wouldn't a counter be adequate, assuming you had sufficient locking to ensure no repetition?

On single pass encryption and authentication, I recently was reading about IGE mode, implemented in OpenSSL. It only needs an extra xor over CBC so looks pretty good.

Date: 2006-09-04 01:57 pm (UTC)
From: [identity profile] ciphergoth.livejournal.com
What you say is true about CTR mode. However, in CBC mode there's an attack in which the attacker chooses the first block of the plaintext based on the IV, so the proofs of security only work if the IVs are random and unpredictable.

IGE mode has been proposed several times with different names over the years; I proposed it about nine years ago and called it SBC, then discovered that Michael Brown at Dublin University had proposed it about eighteen months earlier and called it X-CBC. ABC seems to be an interesting extension. However, many similar attempts to build one-pass authenticated-encryption modes of operation have been broken, and as a result these days people tend to demand a proof of security. All the modes I'm advocating, as well as other patent-encumbered modes such as OCB, come with such a proof. I think it would be foolhardy to opt for a mode that does not have such a proof. The extra cost of GCM over CBC is pretty small - a single multiply in GF(2^128). And unlike CBC, GCM is parallelizable.
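
The chosen-plaintext attack on CBC with predictable IVs that the reply above describes, as an added worked example (not code from the original post or its author). It assumes a hypothetical encryption service, `cbcOracle`, that CBC-encrypts one attacker-chosen 16-byte block per request under a long-lived AES key and returns the IV with the ciphertext, as a protocol normally would. The victim's block is `ct1 = E(p1 XOR iv1)`; for each guess `g` the attacker predicts the oracle's next IV and submits `g XOR iv1 XOR nextIV`, so the oracle computes `E(g XOR iv1)`, and a match with `ct1` confirms `g == p1`. The sample secret (a four-digit PIN in a fixed template) and the counter-based IV scheme are constructed for the demonstration; the same code run with random IVs shows the prediction failing on the first query.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cbcOracle is a hypothetical service (an assumption for this example) that
// CBC-encrypts one 16-byte block per request under a fixed key. With
// predictable=true it derives IVs from a counter; otherwise each IV is random.
type cbcOracle struct {
	block       cipher.Block
	predictable bool
	lastIV      []byte // last counter value used when predictable
}

func newOracle(predictable bool) (*cbcOracle, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &cbcOracle{block: block, predictable: predictable, lastIV: make([]byte, aes.BlockSize)}, nil
}

// incIV returns iv+1, treating iv as a big-endian 128-bit integer (new slice).
func incIV(iv []byte) []byte {
	out := append([]byte(nil), iv...)
	for i := len(out) - 1; i >= 0; i-- {
		out[i]++
		if out[i] != 0 {
			break
		}
	}
	return out
}

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt returns the IV it used and the CBC ciphertext of one block.
func (o *cbcOracle) encrypt(pt []byte) (iv, ct []byte) {
	iv = make([]byte, aes.BlockSize)
	if o.predictable {
		o.lastIV = incIV(o.lastIV)
		copy(iv, o.lastIV)
	} else if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct = make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(o.block, iv).CryptBlocks(ct, pt)
	return iv, ct
}

// recoverBlock runs the attack: lastIV is the most recent IV the attacker has
// seen (here the victim's), iv1/ct1 is the victim's encrypted block. It returns
// the matching guess, or nil if the IV prediction fails or nothing matches.
func recoverBlock(o *cbcOracle, lastIV, iv1, ct1 []byte, guesses [][]byte) []byte {
	for _, g := range guesses {
		predicted := incIV(lastIV)
		usedIV, ct := o.encrypt(xorBlocks(xorBlocks(g, iv1), predicted))
		if !bytes.Equal(usedIV, predicted) {
			return nil // IV was not predictable; the attack cannot proceed
		}
		lastIV = usedIV
		if bytes.Equal(ct, ct1) {
			return g // E(g XOR iv1) == E(p1 XOR iv1), so g == p1
		}
	}
	return nil
}

// Demo encrypts a constructed low-entropy secret, then tries all 10000 PINs
// against it. It returns the recovered PIN, or "" if the attack fails.
func Demo(predictable bool) string {
	o, err := newOracle(predictable)
	if err != nil {
		panic(err)
	}
	secret := []byte("PIN=4711;padding") // constructed 16-byte sample plaintext
	iv1, ct1 := o.encrypt(secret)

	guesses := make([][]byte, 0, 10000)
	for pin := 0; pin < 10000; pin++ {
		guesses = append(guesses, []byte(fmt.Sprintf("PIN=%04d;padding", pin)))
	}
	found := recoverBlock(o, iv1, iv1, ct1, guesses)
	if found == nil {
		return ""
	}
	return string(found[4:8])
}

func main() {
	fmt.Printf("counter IVs: recovered PIN %q\n", Demo(true))
	fmt.Printf("random IVs:  recovered PIN %q\n", Demo(false))
}
```

The attack needs only that the attacker can predict the IV before choosing the plaintext; a counter, a timestamp, or the previous ciphertext block all qualify. It confirms guesses one block at a time, so it is a practical threat exactly when the plaintext has low entropy. Note that the same counter used as a CTR-mode nonce is fine, because there the attacker's plaintext is XORed with the keystream after the block cipher is applied, which is the distinction the reply above draws.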

Oh no they aren't!

Date: 2006-09-06 10:45 am (UTC)
From: (Anonymous)
You should try reading the paper a little more carefully. It assumes fixed IVs, which is patently dumb.

Re: Oh no they aren't!

Date: 2006-09-06 09:41 pm (UTC)
From: [identity profile] ciphergoth.livejournal.com
Heh - you can tell how carefully I read the paper by the timestamps on my replies. Thanks. I still wouldn't recommend it though; I'd like to see a security reduction first.

Incidentally, I don't usually unscreen anonymous comments; please at least sign with a nom. Thanks!

Date: 2006-09-04 11:29 pm (UTC)
From: [identity profile] ciphergoth.livejournal.com
By the way, just saw your temperature/clock skew result on Light Blue Touchpaper. That is just incredibly cool and scary.

Profile

ciphergoth: (Default)
Paul Crowley