Sasasu <i@sasa.su> wrote:
> On 2021/10/6 23:01, Robert Haas wrote:
> > This seems wrong to me. CTR requires that you not reuse the IV. If you
> > re-encrypt the page with a different IV, torn pages are a problem. If
> > you re-encrypt it with the same IV, then it's not secure any more.
> for CBC if the IV is predictable will case "dictionary attack".
The following sounds like IV *uniqueness* is needed to defend against "known
plaintext attack" ...
> and for CBC and GCM reuse IV will case "known plaintext attack".
... but here you seem to say that *randomness* is also necessary:
> XTS works like CBC but adds a tweak step. the tweak step does not add
> randomness. It means XTS still has "known plaintext attack",
(I suppose you mean "XTS with incorrect (e.g. non-random) IV", rather than XTS
as such.)
> due to the same reason from CBC.
According to the Appendix C of
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf
CBC requires *unpredictability* of the IV, but that does not necessarily mean
randomness: the unpredictable IV can be obtained by applying the forward
cipher function to an unique value.
Can you please try to explain once again what you consider a requirement
(uniqueness, randomness, etc.) on the IV for the XTS mode? Thanks.
--
Antonin Houska
Web: https://www.cybertec-postgresql.com
