pem-dev

Re: DES EDE vs. EEE

1993-05-25 06:46:00

Can you offer any quantification?  How much stronger is DES CBC if the IVs are
kept secret?

There is no way for us to quantify the strength of an algorithm except by
assuming brute force (unless someone knows a better attack than
Shamir's)... :-)

For brute-force attacks on DES, IV secrecy doesn't help at all, if the
attack is ciphertext only.  If the attack is known-plaintext and the enemy
knows arbitrary plaintext (or if it's chosen plaintext), the IV doesn't
matter at all because it has its effect only on the first bytes.

If the attack is known-plaintext and the only plaintext known is at the
beginning of the message (1st 8 bytes, or 1st 24 if 3 IVs), then the IVs
act like a pre-encryption of the message starting bytes with a one-time-pad
(assuming IV bits are truly random) and that gives that portion of the
message the only provably unbreakable security.  That rules out that small
portion for the cryptanalyst.

So, in this one case (all known plaintext in the bytes covered by the IV;
the only attack better than brute force requiring known plaintext), secrecy
of the IV can make all the difference.  However, this is a small subset of
the possibilities of attack.

 - Carl
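
The single-IV case described in the message above, as an added example that is not part of the original post: a toy 64-bit Feistel cipher stands in for DES, and the 12-bit key, the sample message and all function names are assumptions chosen so that exhaustive search finishes instantly. It shows that known plaintext in a later block allows a key search without the IV, while known plaintext in the first block alone cannot rule out any key if the IV is secret.

```python
import hashlib, os

BLOCK = 8       # 64-bit blocks, as in DES
KEY_BITS = 12   # tiny key space so exhaustive search is instant (assumption)

def _f(key, rnd, half):  # round function of a toy Feistel cipher, NOT DES
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def keys_from_later_block(ct, known_p2):
    # Block 2's cipher input is P2 xor C1, both visible: the search needs no IV.
    target = _xor(known_p2, ct[:BLOCK])
    return [k for k in range(1 << KEY_BITS) if enc_block(k, target) == ct[BLOCK:2 * BLOCK]]

def iv_explaining_first_block(key_guess, ct, known_p1):
    # With a secret IV, every key guess has an IV that maps P1 to C1.
    return _xor(dec_block(key_guess, ct[:BLOCK]), known_p1)

def demo():
    key, iv = 0x5A3, os.urandom(BLOCK)   # constructed key; secret random IV
    pt = b"HEADER00BODYBODY"             # constructed two-block message
    ct = cbc_encrypt(key, iv, pt)
    survivors = keys_from_later_block(ct, pt[BLOCK:])
    wrong = key ^ 1                      # any incorrect key guess
    fake_iv = iv_explaining_first_block(wrong, ct, pt[:BLOCK])
    return key, survivors, cbc_encrypt(wrong, fake_iv, pt[:BLOCK]) == ct[:BLOCK]

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the real key, the list of keys that survive the block-2 search, and whether a wrong key plus its derived IV reproduces the first ciphertext block.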
