[Cryptography] Non-deterministic PRF as a MAC-and-Nonce for AEAD?

Alfie John alfie at alfie.wtf
Sun Jun 3 00:28:57 EDT 2018

On Mon, May 21, 2018 at 12:37:13PM +0000, Jason Cooper wrote:
> On Mon, May 21, 2018 at 09:26:52AM +1000, Alfie John wrote:
> > Quick question on if this would work as a safe AEAD scheme:
> It'd help if you define "safe" and "AEAD" ;-)
> > If you use a non-deterministic PRF instead of a MAC when doing
> > MAC-then-Encrypt, could the NDPRF be safely used as the nonce (or
> > used to deterministically generate a nonce) to the cipher as it
> > should never be repeated given the same plaintext?
> iiuc, which I'm pretty sure I don't, you're asking for a
> non-deterministic PRF to *deterministically* create a nonce...-EPARSE

Non-deterministic-deterministic functions are an oxymoron... I know :)

What I was trying to do was think of a way to get rid of the IV/nonce as
a parameter to an encrypt function call. I've seen code from many
organisations where the coder didn't know what to use for the IV
parameter, so they used the static values from examples copied from the
docs or even forum examples. Give a coder a footgun, and they'll use

So my thinking was to use a probabilistic PRF when generating the MAC,
and to overload the MAC as a subliminal channel to generate the nonce.


Alfie John
