[Cryptography] Severe flaw in all generality : key or nonce reuse

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Oct 19 06:38:24 EDT 2017


John Denker via cryptography <cryptography at metzdowd.com> writes:

>I hate to ask silly questions, but is there any cryptosystem or any mode
>whatsoever where key/nonce reuse is acceptable?

It depends on what you mean by "acceptable".  As I mentioned in my previous
message, CBC turns a catastrophic failure (GCM) into a minor information leak,
and is pretty much universally deployed in crypto libraries and hardware (CBC
is actually remarkably abuse-tolerant for something that wasn't designed for
this role).  So you've already got something right now that's probably good
enough in most cases.

If you want something that's fully reuse-tolerant then there are a pile of
very recent modes and mechanisms that typically make two passes over the data
and use the output from the first pass as a randomiser for the second pass
(although the first use of such modes dates back to at least the early 1990s).
Downside is that there's almost no support for them in anything, and you need
to make two passes, which both slows things down and makes streaming
impossible.

Peter.

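Added worked example (not part of Peter's message or anything else on the list): the three behaviours his reply compares, run side by side in Go using only the standard library. With AES-GCM, a repeated nonce repeats the CTR keystream, so XORing two ciphertexts gives the XOR of the plaintexts outright. With AES-CBC, a repeated IV only shows how many leading blocks the two messages share, because chaining re-randomises everything after the first differing block. The last part is a two-pass "synthetic IV" construction in the spirit of the misuse-resistant modes he describes: pass one MACs the associated data and plaintext, and the MAC output is the nonce for pass two. It is an HMAC-then-AES-GCM illustration of the idea written for this example, not AES-SIV or AES-GCM-SIV as standardised, and the keys, nonce and IV are constructed constants chosen precisely to reproduce the misuse under discussion.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo material. A fixed key with a fixed nonce/IV is exactly the
// misuse under discussion; never do this outside a demonstration.
var (
	demoKey    = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256 key
	demoNonce  = []byte("repeated-nce")                     // 12 bytes: GCM nonce
	demoIV     = bytes.Repeat([]byte{0x42}, aes.BlockSize)  // 16 bytes: CBC IV
	demoMacKey = []byte("mac-key-for-the-synthetic-iv-pass") // HMAC key for pass one
)

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GCMReuseLeak seals p1 and p2 under the same key and nonce with AES-GCM and
// returns the XOR of the two ciphertexts (tags stripped). GCM is CTR mode
// underneath, so the repeated nonce repeats the keystream and the result is
// simply p1 XOR p2: knowing one plaintext recovers the other.
func GCMReuseLeak(p1, p2 []byte) []byte {
	block, _ := aes.NewCipher(demoKey)
	gcm, _ := cipher.NewGCM(block)
	c1 := gcm.Seal(nil, demoNonce, p1, nil)
	c2 := gcm.Seal(nil, demoNonce, p2, nil)
	return xorBytes(c1[:len(p1)], c2[:len(p2)])
}

// CBCReuseLeak encrypts two block-aligned plaintexts under the same key and IV
// with AES-CBC and returns how many leading ciphertext blocks coincide. That
// count (the length of the shared plaintext prefix, block for block) is all an
// IV reuse reveals; returns -1 for input that is not a multiple of the block size.
func CBCReuseLeak(p1, p2 []byte) int {
	bs := aes.BlockSize
	if len(p1)%bs != 0 || len(p2)%bs != 0 {
		return -1 // raw CBC needs block-aligned input; padding is out of scope here
	}
	block, _ := aes.NewCipher(demoKey)
	c1 := make([]byte, len(p1))
	c2 := make([]byte, len(p2))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(c1, p1)
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(c2, p2)
	shared := 0
	for (shared+1)*bs <= len(c1) && (shared+1)*bs <= len(c2) &&
		bytes.Equal(c1[shared*bs:(shared+1)*bs], c2[shared*bs:(shared+1)*bs]) {
		shared++
	}
	return shared
}

// SIVSeal is the two-pass idea: pass one derives a synthetic IV from a MAC over
// the associated data and plaintext, pass two encrypts under that IV. Output is
// siv || gcm-ciphertext || gcm-tag. Repeating a message repeats the ciphertext
// (the only leak); two different messages never share a nonce. Illustration
// only, not the standardised AES-SIV / AES-GCM-SIV constructions.
func SIVSeal(ad, plaintext []byte) []byte {
	mac := hmac.New(sha256.New, demoMacKey)
	mac.Write(ad)
	mac.Write(plaintext)
	siv := mac.Sum(nil)[:12] // pass one over the whole message
	block, _ := aes.NewCipher(demoKey)
	gcm, _ := cipher.NewGCM(block)
	out := append([]byte{}, siv...)
	return gcm.Seal(out, siv, plaintext, ad) // pass two, keyed off pass one
}

// SIVOpen decrypts SIVSeal output and, as a real SIV decryptor would,
// recomputes the synthetic IV from the recovered plaintext and checks it.
func SIVOpen(ad, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	siv := ct[:12]
	block, _ := aes.NewCipher(demoKey)
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, siv, ct[12:], ad)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, demoMacKey)
	mac.Write(ad)
	mac.Write(pt)
	if !hmac.Equal(mac.Sum(nil)[:12], siv) {
		return nil, errors.New("synthetic IV mismatch")
	}
	return pt, nil
}

func main() {
	p1 := []byte("attack at dawn!!") // constructed 16-byte plaintexts
	p2 := []byte("retreat at noon!")
	fmt.Printf("GCM nonce reuse, c1^c2 == p1^p2: %v\n",
		bytes.Equal(GCMReuseLeak(p1, p2), xorBytes(p1, p2)))
	fmt.Printf("CBC IV reuse, shared leading blocks: %d\n",
		CBCReuseLeak([]byte("attack at dawn!!attack at dawn!!"), []byte("attack at dawn!!retreat at noon!")))
	fmt.Printf("SIV, same message twice gives same bytes: %v\n",
		bytes.Equal(SIVSeal(nil, p1), SIVSeal(nil, p1)))
}
```

Note the cost Peter points out: SIVSeal cannot emit a single byte of ciphertext until the MAC pass has seen the entire plaintext, which is why these constructions cannot stream, and the receiver likewise buffers the whole message before the IV check can pass.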