[Cryptography] WhatsApp, Curve25519 workspace etc.

Gé Weijers ge at weijers.org
Tue May 3 18:52:47 EDT 2016


> FWIW I am not :)
> both GCM and chacha20-poly1305 are not nonce resistant and standard
> AES-GCM (with 92 bits nonce) can safely be used “only” for 2^32 times :)
>

To quote SP-800-38D:

In other words, unless an implementation only uses 96-bit IVs that are
generated by the deterministic construction:
The total number of invocations of the authenticated encryption function
shall not exceed 2^32, including all IV lengths and all instances of the
authenticated encryption function with the given key.


Or: if you use a counter for the nonce after doing a Diffie-Hellman
exchange to generate fresh keys you can go safely beyond 2^32. The
requirement is that repeating a nonce should have a probability < 2^-32,
and using a counter you can trivially meet that requirement.


--
Gé
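As an added illustration (my own sketch, not code from the thread), here are the two regimes side by side: a deterministic counter nonce that refuses to wrap, so it can be used far beyond 2^32 invocations under one key, versus the birthday bound on uniformly random 96-bit nonces, which crosses the 2^-32 repeat probability at roughly 2^32 invocations. The 32-bit fixed field plus 64-bit counter layout and the function names are assumptions.

```python
import math
import struct

NONCE_BITS = 96


class CounterNonce:
    """Deterministic IV construction in the style of SP 800-38D (assumed
    layout): a 32-bit fixed field identifying the key holder, then a 64-bit
    invocation counter.  The counter only moves forward and never wraps, so a
    nonce cannot repeat under one key."""

    def __init__(self, fixed_field: int, limit: int = 2**64 - 1):
        if not 0 <= fixed_field < 2**32:
            raise ValueError("fixed field must fit in 32 bits")
        self.fixed_field = fixed_field
        self.counter = 0
        self.limit = limit

    def next(self) -> bytes:
        # Once the counter space is used up, stop: the caller must rekey
        # (e.g. a fresh Diffie-Hellman exchange), not let the counter wrap.
        if self.counter > self.limit:
            raise RuntimeError("counter exhausted: rekey before encrypting again")
        nonce = struct.pack(">IQ", self.fixed_field, self.counter)  # 12 bytes
        self.counter += 1
        return nonce


def random_nonce_collision_probability(n: int, bits: int = NONCE_BITS) -> float:
    """Birthday-bound estimate that n uniformly random `bits`-bit nonces
    contain at least one repeat: 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-n * (n - 1) / 2 ** (bits + 1))


def max_random_invocations(p_max: float = 2**-32, bits: int = NONCE_BITS) -> int:
    """Largest n for which the random-nonce repeat probability stays below
    p_max (solves n(n-1)/2^(bits+1) = -ln(1 - p_max) for n)."""
    return int(math.sqrt(-math.log1p(-p_max) * 2 ** (bits + 1)))


if __name__ == "__main__":
    print("random 96-bit nonces, 2^32 uses, P(repeat) ~ 2^%.1f"
          % math.log2(random_nonce_collision_probability(2**32)))
    print("random-nonce budget at P < 2^-32: ~2^%.1f"
          % math.log2(max_random_invocations()))
    src = CounterNonce(fixed_field=0x1234)
    print("counter nonce:", src.next().hex(), src.next().hex())
```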