[Cryptography] Severe flaw in all generality : key or nonce reuse

Ray Dillinger bear at sonic.net
Fri Oct 20 17:20:15 EDT 2017



On 10/18/2017 12:45 PM, John Denker via cryptography wrote:
> On 10/17/2017 10:39 PM, Peter Gutmann wrote:
>>   RC4 is a stream cipher for which key/nonce reuse results in a catastrophic
>>   failure of the cryptosystem.

>>   GCM is a stream cipher for which key/nonce reuse results in a catastrophic
>>   failure of the cryptosystem.

> I hate to ask silly questions, but is there any cryptosystem or any
> mode whatsoever where key/nonce reuse is acceptable?

How about - and this may be a radical notion here - but how about

			 NOT A STREAM CIPHER?

Stream ciphers are letters of flame writ forty feet high on a basalt
cliffside which say,

"The designer of this protocol had no idea what the F**K he was doing!"

Seriously, give me any modern block cipher in any chaining mode, and
reuse of keys and IVs exposes far less than any stream cipher.

> It seems to me that chaining modes depend on the randomness of the
> plaintext.

True.  In CBC mode, reusing key and IV means an analyst can tell how big
a prefix in blocks two messages have in common.  That failure is
*DRASTICALLY* better than the way a stream cipher fails when key and IV
are reused.

> Unless you can reliably establish a hefty lower bound on
> the amount of such randomness --  which seems hard to do since the
> plaintext is not known in advance -- using it as a substitute for
> a random key/nonce seems exceedingly unsafe.

I'm pretty sure nobody was talking about that.  The issue is about what
happens when people get it wrong, not about what we will consider right.

					Bear
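
The contrast Bear describes, shown side by side as an added example (not code from the thread): AES-CBC and AES-CTR, each encrypting two constructed messages under the same constructed key and the same reused IV/nonce. Under CBC an observer learns only how many leading blocks the two plaintexts share; under CTR (the stream-cipher case) the keystream cancels and the XOR of the ciphertexts equals the XOR of the plaintexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample inputs: a 128-bit key, an IV/nonce that is deliberately
// reused, and two 48-byte messages whose first two 16-byte blocks are identical.
var (
	key  = []byte("0123456789abcdef")
	iv   = []byte("fixed-iv-reused!")
	msgA = []byte("Same first blockSame second blk.third block A!!!")
	msgB = []byte("Same first blockSame second blk.third block B!!!")
)

func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

func ctrEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// commonPrefixBlocks counts the leading 16-byte blocks that are identical in a and b.
func commonPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CBCLeak: with key+IV reused, CBC ciphertexts agree exactly on the shared
// prefix and diverge from the first differing block onward; the observer
// learns that prefix length (2 blocks here) and nothing about block contents.
func CBCLeak() int {
	return commonPrefixBlocks(cbcEncrypt(key, iv, msgA), cbcEncrypt(key, iv, msgB))
}

// CTRLeak: with key+nonce reused, C_A xor C_B == P_A xor P_B, because the
// identical keystream cancels out. This is the catastrophic stream-cipher failure.
func CTRLeak() bool {
	ctXor := xorBytes(ctrEncrypt(key, iv, msgA), ctrEncrypt(key, iv, msgB))
	return bytes.Equal(ctXor, xorBytes(msgA, msgB))
}

func main() {
	fmt.Println("CBC, reused key/IV: shared prefix blocks revealed =", CBCLeak())
	fmt.Println("CTR, reused key/nonce: ciphertext XOR == plaintext XOR ->", CTRLeak())
}
```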

