[Cryptography] Severe flaw in all generality : key or nonce reuse

Tony Arcieri bascule at gmail.com
Thu Oct 19 17:51:28 EDT 2017


On Wed, Oct 18, 2017 at 12:45 PM, John Denker via cryptography <
cryptography at metzdowd.com> wrote:

> On 10/17/2017 10:39 PM, Peter Gutmann wrote:
> >   RC4 is a stream cipher for which key/nonce reuse results in a
> catastrophic
> >   failure of the cryptosystem.
> >
> >   GCM is a stream cipher for which key/nonce reuse results in a
> catastrophic
> >   failure of the cryptosystem.
>
> I hate to ask silly questions, but is there any cryptosystem or any
> mode whatsoever where key/nonce reuse is acceptable?


Aside from the "nonce reuse under the same message reveals you encrypted
the same message twice" property, this is true of AES-SIV (based on CMAC)
and its parallelizable variant AES-PMAC-SIV, which I just released in
Miscreant:

http://www.metzdowd.com/pipermail/cryptography/2017-October/032910.html

> An alternative is to work in blocks of some fixed length, with the property
> that every bit of block i of the ciphertext depends on every bit of blocks 0
> ... i of the plaintext.  There are modes like that, too.
> This is discussed in the introduction to
> http://web.cs.ucdavis.edu/~rogaway/papers/oae.pdf


And I am interested in supporting both CHAIN and STREAM as online
authenticated encryption (OAE2/nOAE) modes!

https://github.com/miscreant/miscreant/issues/32
https://github.com/miscreant/miscreant/issues/33

-- 
Tony Arcieri
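Worked example added here to illustrate the point the thread turns on (stream-cipher key/nonce reuse); it is an editor's example, not code from the thread, from any poster, or from Miscreant. It implements RC4 in pure Python, encrypts two constructed messages under one reused key, and shows that XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, so one known plaintext recovers the other. The key, the messages and the nonce-prepending variant at the end are all constructed for the demonstration.

```python
"""
Key/keystream reuse in a stream cipher: the "two-time pad".

Added example (editor's, not from the thread or from Miscreant). RC4 is
used only because it fits in a few lines; the failure shown is generic to
any stream cipher or CTR-style mode whose keystream depends on (key, nonce)
alone and not on the message.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    # Key-scheduling algorithm: permute S under the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: walk S to emit keystream bytes
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4: ciphertext = plaintext XOR keystream(key). Decryption is identical."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """
    Attacker's view of two ciphertexts made with the same keystream ks:
    c1 ^ c2 = (p1 ^ ks) ^ (p2 ^ ks) = p1 ^ p2. The keystream cancels out.
    """
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given one plaintext (or a guessed prefix of it), recover the other."""
    return xor_bytes(keystream_reuse_leak(c1, c2), known_p1)


def demo() -> dict:
    # Constructed sample data for the demonstration (not real traffic).
    key = b"reused-session-key"
    p1 = b"transfer 00100 USD to account 4242"
    p2 = b"transfer 99999 USD to account 1337"

    # Same key, no nonce: both messages see the identical keystream.
    c1 = rc4_encrypt(key, p1)
    c2 = rc4_encrypt(key, p2)

    leak = keystream_reuse_leak(c1, c2)
    recovered_p2 = recover_with_known_plaintext(c1, c2, p1)

    # Mixing a distinct per-message value into the key (RC4 has no nonce
    # input; prepending one is the ad hoc construction WEP used, with its
    # own well-known problems) yields unrelated keystreams, so the XOR of
    # the ciphertexts no longer collapses to the XOR of the plaintexts.
    c1_n = rc4_encrypt(b"\x00\x00\x01" + key, p1)
    c2_n = rc4_encrypt(b"\x00\x00\x02" + key, p2)

    return {
        "leak_equals_plaintext_xor": leak == xor_bytes(p1, p2),
        "recovered_p2": recovered_p2,
        "nonce_breaks_cancellation": xor_bytes(c1_n, c2_n) != xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    result = demo()
    print("c1 ^ c2 == p1 ^ p2:", result["leak_equals_plaintext_xor"])
    print("recovered p2:", result["recovered_p2"].decode())
    print("distinct nonces break cancellation:", result["nonce_breaks_cancellation"])
```

The same cancellation is what breaks the CTR layer of GCM under a repeated (key, nonce); GCM additionally leaks its GHASH authentication key in that case, which is why the two are grouped together above. A SIV construction sidesteps the keystream collision because its synthetic IV is derived from the message itself: a repeated nonce with a different message gives an unrelated keystream, and only an identical message repeats the ciphertext, which is exactly the residual leak the reply concedes.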