ietf-openpgp

Re: Sample Twofish message

1999-04-09 13:31:18
"Uri" == Uri Blumenthal <uri(_at_)watson(_dot_)ibm(_dot_)com> writes:

 Uri> hal(_at_)rain(_dot_)org says:
IV length normally is equal to the block size. I see no reason
to divert from this.

With regard to the secret key encryption: The only real
requirement on an IV is that it is unique for that key, that it
does not match any other IV's and it doesn't match any of the
ciphertext blocks which are used with that key.  For this purpose,
64 bits should be adequate unless we store more than 4 billion
(2^32) private keys using the same passphrase (and even then the
unique salt would save us).  So a 64 bit IV is plenty big.

 Uri> True. But:

However in the interests of convenience and consistency it would
probably make more sense to use the block size.  This avoids any
ambiguities about whether a shorter IV should be left or right
justified and how the remaining bits of the block should be filled
in.

 Uri> Exactly!

I'm very hard pressed to see ANY valid argument for making an IV
smaller than the blocksize.  Even if it is technically possible (which I
guess it is with CFB mode) it should not be done.  There is no benefit 
I can see, and a very clear issue: if you have a cypher with 128 bit
blocks, 128 bit strength, etc., what conceivable cryptographic merit
is there in introducing a 64 bit component into the puzzle?  Why go
through the process of analyzing the security implications and
demonstrating that there aren't any when there is no benefit to be
had?  Or if there is one, certainly not one that justifies months of
analysis? 

My impression from watching AES discussions is that weaknesses that
open up O(2^64) attacks of any kind are considered things to be
concerned about.  Not being an academically trained cryptographer I
may be reading too much into the discussion, but even so, that seems
like a logical position to take.

        paul
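
The points raised in this thread (IV uniqueness per key, the left/right justification ambiguity of a short IV, and 64-bit versus 128-bit collision odds), as an added example that is not part of the original message or of any OpenPGP implementation. Assumptions: truncated HMAC-SHA256 stands in for the block cipher because CFB only uses the forward direction, IVs are drawn uniformly at random for the birthday estimate, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import math

BLOCK = 16  # bytes; 128-bit block as in the ciphers under discussion


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in keyed function (assumption, NOT Twofish): CFB only uses the
    # cipher's forward direction, so truncated HMAC-SHA256 shows the mode.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv_block: bytes, plaintext: bytes) -> bytes:
    # Full-block CFB: C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV.
    if len(iv_block) != BLOCK:
        raise ValueError("IV must fill one cipher block")
    out, feedback = b"", iv_block
    for i in range(0, len(plaintext), BLOCK):
        feedback = xor(plaintext[i:i + BLOCK], block_encrypt(key, feedback))
        out += feedback
    return out


def expand_iv(iv: bytes, justify: str) -> bytes:
    # Two equally plausible ways to fit a short IV into a full block.
    pad = bytes(BLOCK - len(iv))
    return iv + pad if justify == "left" else pad + iv


def collision_probability(n: int, bits: int) -> float:
    # Birthday approximation, assuming n uniformly random IVs of this width.
    return -math.expm1(-n * (n - 1) / 2 / 2**bits)

# Constructed sample values, for illustration only.
KEY = bytes(range(16))
IV64 = bytes.fromhex("0123456789abcdef")
MSG_A, MSG_B = b"first secret key material, 32 by", b"other secret key material, 32 by"

if __name__ == "__main__":
    left = cfb_encrypt(KEY, expand_iv(IV64, "left"), MSG_A)
    right = cfb_encrypt(KEY, expand_iv(IV64, "right"), MSG_A)
    reused = cfb_encrypt(KEY, expand_iv(IV64, "left"), MSG_B)
    print("justification changes ciphertext:", left != right)
    print("IV reuse leaks P1 xor P1':", xor(left, reused)[:BLOCK] == xor(MSG_A, MSG_B)[:BLOCK])
    print("P(collision) at 2^32 IVs:", collision_probability(2**32, 64), collision_probability(2**32, 128))
```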
