[Cryptography] Severe flaw in all generality : key or nonce reuse

Ángel angel at crypto.16bits.net
Fri Oct 20 19:32:52 EDT 2017


On 2017-10-19 at 05:55 -0700, John Denker wrote:
> AFAICT all of the following are incompatible with all chaining modes,
> including (but not limited to) fancy wraparound modes.  These
> categories are not mutually exclusive:
>  -- streaming services (since users commonly join in mid-stream)

Not at all!

Take a service that simply used CBC with an out-of-band preshared key. A
client connects, takes the first block as the nonce (IV) and the next
blocks as the CBC-encoded data.
When, several hours later, another client joins the same stream, it
will take the first block as the nonce (it will actually be data for
the original client) and the next blocks as the CBC-encoded data… which
will decode successfully without further action.

Now, let's suppose that rather than using the prior ciphertext block,
we wanted to xor the plaintext with a hash of the concatenation of the
nonce and all prior ciphertext.¹ In that case, it is not suitable for
the client to process all prior data in order to calculate it, but the
server can share the running hash that it is internally using and
provide it as an IV value for this block cipher mode, and thus the
client would be able to decrypt it as well, despite being a streaming
service, and the hash covering the full previous input.




¹ Has something like this been proposed before? Apparently, this
construction seems like it would be OK.
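The two mid-stream-join scenarios above, as an added worked example that is not code from the original post or from the list. It uses a toy 128-bit Feistel block cipher built on SHA-256 as a stand-in for a real block cipher (assumption, for a dependency-free demo), runs it in CBC to show that a late joiner can self-synchronise by treating the first block it sees as the IV, and then models the footnote's "hash of nonce and all prior ciphertext" mode as a hash chain: the server's running state before block i is s_i with s_0 = SHA256(nonce) and s_{i+1} = SHA256(s_i || C_i), and the keystream for block i is HMAC(key, s_i). Keying the keystream with the preshared key is an assumption added here (without it the keystream is computable from public data); with it, the running state can be handed to a late joiner in the clear, as an IV would be. The key, nonce, IV and plaintext frames are constructed sample data.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Toy block cipher (assumption: stand-in for AES, not for deployment) ---
# 8-round Feistel network; the round function is truncated SHA-256, so the
# construction is a genuine invertible permutation on 16-byte blocks.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


# --- CBC: P_i = D(C_i) xor C_{i-1}, so any ciphertext block can serve as IV ---
def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return out  # list of ciphertext blocks, as a stream would deliver them


def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> bytes:
    prev, out = iv, []
    for c in blocks:
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_late_join(key: bytes, blocks: list, k: int) -> bytes:
    """Client that starts listening at block k: uses it as IV, decrypts the
    rest. No cooperation from the server is needed."""
    return cbc_decrypt(key, blocks[k], blocks[k + 1:])


# --- Hash-chain mode: keystream_i = HMAC(key, s_i); s_{i+1} = H(s_i || C_i) ---
def _keystream(key: bytes, state: bytes) -> bytes:
    return hmac.new(key, state, hashlib.sha256).digest()[:BLOCK]


def chain_encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    """Returns the ciphertext blocks and, for each block, the server's running
    state before it (what the server would hand to a late joiner)."""
    state = hashlib.sha256(nonce).digest()
    blocks, states = [], []
    for i in range(0, len(plaintext), BLOCK):
        states.append(state)
        c = _xor(plaintext[i:i + BLOCK], _keystream(key, state))
        blocks.append(c)
        state = hashlib.sha256(state + c).digest()
    return blocks, states


def chain_decrypt(key: bytes, state: bytes, blocks: list) -> bytes:
    out = []
    for c in blocks:
        out.append(_xor(c, _keystream(key, state)))
        state = hashlib.sha256(state + c).digest()
    return b"".join(out)


def chain_late_join(key: bytes, blocks: list, states: list, k: int) -> bytes:
    """Late joiner at block k cannot derive s_k from the stream alone (it would
    need C_0..C_{k-1}); the server supplies the 32-byte state as the IV."""
    return chain_decrypt(key, states[k], blocks[k:])


# Constructed sample data: preshared key, IV/nonce and six 16-byte frames.
KEY = b"out-of-band preshared key (demo)"
IV = bytes(range(16))
NONCE = bytes(range(16, 32))
PLAINTEXT = b"".join(f"frame {i:02d} audio".encode().ljust(BLOCK, b"\0") for i in range(6))
CBC_BLOCKS = cbc_encrypt(KEY, IV, PLAINTEXT)
CHAIN_BLOCKS, CHAIN_STATES = chain_encrypt(KEY, NONCE, PLAINTEXT)

if __name__ == "__main__":
    print("CBC late join at block 2:", cbc_late_join(KEY, CBC_BLOCKS, 2))
    print("chain late join at block 3 with server state:", chain_late_join(KEY, CHAIN_BLOCKS, CHAIN_STATES, 3))
    # Guessing the state from the previous ciphertext block, CBC-style, does not work here.
    print("chain late join without state:", chain_decrypt(KEY, CHAIN_BLOCKS[2], CHAIN_BLOCKS[3:]))
```

The CBC joiner loses only the one block it uses as IV; the hash-chain joiner loses nothing but depends on the server publishing its running state at the join point, which is the handoff the post describes.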


