[Cryptography] Crypto best practices

Kristian Gjøsteen kristian.gjosteen at ntnu.no
Tue Mar 21 05:30:07 EDT 2017


On 20 Mar 2017 at 19:54, Natanael <natanael.l at gmail.com> wrote:
> 
> On 19 Mar 2017 at 23:50, "Kristian Gjøsteen" <kristian.gjosteen at ntnu.no> wrote:
> 
>> What practical people appear to worry about is that you need to process the entire message before you can begin producing ciphertext. This seems to be a requirement for misuse-resistant modes, and it is probably possible to prove a theorem to that effect.
> 
> As for a quick demonstration of that you can have secure "streaming behavior" without needing to start off with a full pass on the plaintext / ciphertext before final encryption / decryption:

Note that misuse-resistant means that in the event of IV reuse, all you reveal is whether two plaintexts are equal.

Your proposals reveal whether two plaintexts have an identical prefix, which is too much. So in the context of my claim, they are irrelevant.

Quoting from p. 4 of the AEZ paper: "Since McOE and COPA [2,23], some recent AE schemes have been advertised as nonce-reuse misuse-resistant despite being online (footnote 8). But online schemes are never misuse-resistant in the sense originally defined [51] (footnote 9)."

Furthermore, if you use a tweakable block cipher in a too naive mode, you are left with something that inherits a lot of weaknesses from ECB mode in the event of IV reuse.

Paraphrasing from the AEZ paper: misuse-resistance makes it easier to use a scheme, it does not make it easier to design or understand a scheme.

-- 
Kristian Gjøsteen
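Added illustration, not part of this message or of the AEZ paper: a constructed Python model contrasting what nonce (IV) reuse leaks in an online tweakable-block-cipher mode (the length of the shared plaintext prefix) with what an SIV-style misuse-resistant mode leaks (plaintext equality only). The 4-round Feistel "block cipher", the HMAC-SHA256 PRF, the key, nonce and messages are all stand-ins chosen for the demonstration.

```python
"""Constructed model (not a real cipher): nonce-reuse leakage of an online,
prefix-dependent tweakable-block-cipher mode versus a synthetic-IV (SIV-style)
misuse-resistant mode.  HMAC-SHA256 plays the PRF and the Feistel round function."""
import hmac
import hashlib

BLOCK = 16

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tbc(key: bytes, tweak: bytes, block: bytes) -> bytes:
    # Tweakable block cipher stand-in: 4-round balanced Feistel on 16-byte blocks,
    # tweak mixed into every round; a permutation for each (key, tweak) pair.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _prf(key, b"round", tweak + bytes([rnd]) + r)[:8])
    return l + r

def online_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Online mode: the tweak for block i is derived from the nonce and the earlier
    # plaintext blocks only, so output can start before the whole message is read.
    assert len(pt) % BLOCK == 0
    out, chain = bytearray(), nonce
    for i in range(0, len(pt), BLOCK):
        blk = pt[i:i + BLOCK]
        out += _tbc(key, chain, blk)
        chain = _prf(key, b"chain", chain + blk)[:BLOCK]
    return bytes(out)

def siv_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # SIV-style MRAE: the IV is a PRF over nonce and the WHOLE plaintext, so a full
    # pass is needed before any ciphertext; each block is tweaked by that IV.
    assert len(pt) % BLOCK == 0
    iv = _prf(key, b"siv", nonce + pt)[:BLOCK]
    out = bytearray(iv)
    for i in range(0, len(pt), BLOCK):
        out += _tbc(key, iv + i.to_bytes(4, "big"), pt[i:i + BLOCK])
    return bytes(out)

def common_prefix_len(a: bytes, b: bytes) -> int:
    # Shared leading bytes of two ciphertexts: what a nonce-reusing observer learns.
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n
```

With the same key and nonce, two messages that differ only in their last block give online ciphertexts that agree on the whole first block, while the SIV-style ciphertexts agree only when the messages are identical.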
