[Cryptography] Severe flaw in all generality : key or nonce reuse

Jerry Leichter leichter at lrw.com
Sat Oct 21 06:57:52 EDT 2017


>> There are modes [in which every bit of output depends on every bit of input] - going back to Rivest's package transforms - and there are fairly natural definitions of security that end up, after analysis, requiring it. The problem, of course, is that such a mode cannot be on-line....
>> 
>> An alternative is to work in blocks of some fixed length, with the property that every bit of block i of the ciphertext depends on every bit of blocks 0 ... i of the plaintext.  There are modes like that, too....
> ...As for the performance constraints, they certainly are practical issues when the messages are long, but there are applications in which messages are fairly short. Take for example IPSEC: the unit of encryption is an IP packet, which in practice is at most 1500 bytes. TLS over TCP can have messages of up to 2^14 bytes, but when using TLS with UDP for DTLS or QUIC, the message size is again at most 1500 bytes. 1500 bytes is not all that long.
Careful here.  The point of the security definitions and modes is to provide strong *semantic* security over the message *as defined by the user of the system*.  You can't arbitrarily break the message into pieces and say the *pieces* meet the definition individually.  Take this to the limit - send one bit at a time.  You now have a simple stream cipher.
                                                        -- Jerry
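An added illustration of the two extremes discussed above (not code from the thread or its participants): Rivest's package transform, where every bit of every recovered block depends on every bit of the packaged data, next to a plain keystream mode, the "one bit at a time" limit in which each ciphertext bit depends on exactly one plaintext bit and a reused (key, nonce) pair cancels the keystream. Assumptions: 16-byte blocks, HMAC-SHA256 truncated to 16 bytes standing in for the block cipher E, an all-zero fixed public key K0, and all function names (`package`, `unpackage`, `keystream_encrypt`, and the helpers) chosen here. The package output would then be encrypted under the real key with any mode; only the transform itself is shown.

```python
import hashlib
import hmac
import os

BLOCK = 16            # assumption: 128-bit blocks, as with AES
K0 = b"\x00" * BLOCK  # fixed, public key for the hashing step (not secret)


def prf(key: bytes, x: bytes) -> bytes:
    """Block-cipher stand-in E_key(x): HMAC-SHA256 truncated to BLOCK bytes (assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def idx(i: int) -> bytes:
    """Block counter i as a BLOCK-byte big-endian value."""
    return i.to_bytes(BLOCK, "big")


def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK  # PKCS#7: always append 1..BLOCK bytes
    return msg + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def package(msg: bytes, kprime=None) -> bytes:
    """Package transform: m'_i = m_i ^ E_K'(i); final block = K' ^ XOR_i E_K0(m'_i ^ i)."""
    kprime = kprime or os.urandom(BLOCK)
    padded = pad(msg)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    mprime = [xor(b, prf(kprime, idx(i))) for i, b in enumerate(blocks, 1)]
    last = kprime
    for i, mp in enumerate(mprime, 1):
        last = xor(last, prf(K0, xor(mp, idx(i))))
    return b"".join(mprime) + last


def unpackage_blocks(pkg: bytes) -> list:
    """Inverse transform; returns the padded message blocks without a padding check."""
    blocks = [pkg[i:i + BLOCK] for i in range(0, len(pkg), BLOCK)]
    *mprime, kprime = blocks
    for i, mp in enumerate(mprime, 1):          # recover K' from the final block
        kprime = xor(kprime, prf(K0, xor(mp, idx(i))))
    return [xor(mp, prf(kprime, idx(i))) for i, mp in enumerate(mprime, 1)]


def unpackage(pkg: bytes) -> bytes:
    return unpad(b"".join(unpackage_blocks(pkg)))


def flip_bit(data: bytes, byte_i: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_i] ^= 1 << bit
    return bytes(out)


def blocks_changed_by_flip(msg: bytes, byte_i: int, bit: int) -> int:
    """Number of recovered message blocks that change when one bit of the package flips."""
    pkg = package(msg)
    good = unpackage_blocks(pkg)
    bad = unpackage_blocks(flip_bit(pkg, byte_i, bit))
    return sum(g != b for g, b in zip(good, bad))


def keystream_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """CTR-style keystream mode: c_i = m_i ^ E_key(nonce || i). Decryption is the same call."""
    out = b""
    for i in range(0, len(msg), BLOCK):
        out += xor(msg[i:i + BLOCK], prf(key, nonce + idx(i // BLOCK)))
    return out


def bits_changed_by_flip_stream(key: bytes, nonce: bytes, msg: bytes, byte_i: int, bit: int) -> int:
    """Number of plaintext bits that change when one ciphertext bit flips (keystream mode)."""
    c = keystream_encrypt(key, nonce, msg)
    m2 = keystream_encrypt(key, nonce, flip_bit(c, byte_i, bit))
    return sum(bin(a ^ b).count("1") for a, b in zip(msg, m2))


def nonce_reuse_cancels_keystream(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Under a reused (key, nonce) the XOR of two ciphertexts equals the XOR of the plaintexts."""
    c1 = keystream_encrypt(key, nonce, m1)
    c2 = keystream_encrypt(key, nonce, m2)
    return xor(c1, c2) == xor(m1, m2)


if __name__ == "__main__":
    msg = b"Key or nonce reuse is a severe flaw"      # constructed sample, 35 bytes -> 3 blocks
    print("package round-trips:", unpackage(package(msg)) == msg)
    print("blocks changed by one flipped package bit:", blocks_changed_by_flip(msg, 5, 3))
    print("bits changed by one flipped keystream-mode bit:",
          bits_changed_by_flip_stream(b"k" * 16, b"n" * 8, msg, 5, 3))
```

The package transform cannot be applied on-line: the final block depends on every earlier block, so nothing can be emitted until the whole message is seen. The keystream mode is fully on-line, and that is exactly why a flipped bit stays local and why a repeated nonce exposes the XOR of two plaintexts; chopping a long message into independently keyed pieces moves the construction toward that end of the spectrum.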