[Cryptography] Non-deterministic PRF as a MAC-and-Nonce for AEAD?

Phillip Hallam-Baker phill at hallambaker.com
Tue Jul 3 21:59:44 EDT 2018

On Mon, Jul 2, 2018 at 12:09 PM, Jason Cooper <cryptography at lakedaemon.net>

> Well, sure.  But that's a protocol design decision.  Do you really want
> the developer who needs to have their hand held regarding nonce
> generation to be designing cryptographic protocols?

​Everyone needs their hand held. Everyone.

I have seen enough screw ups to know that Crypto is something best done as
a team exercise.

To the original point, back in the 1990s it was ok to just design a
protocol that was secure when implemented properly. That is no longer the
case and we demand protocols to break gracefully.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180703/d420cbe7/attachment.html>

More information about the cryptography mailing list