[Cryptography] Odd bit of security advice

Jerry Leichter leichter at lrw.com
Mon Jun 4 20:27:54 EDT 2018

In another thread, Jason Cooper quoted the following:

[1] https://datatracker.ietf.org/doc/rfc7539/?include_text=1
	Section 4: Security Considerations
 "The most important security consideration in implementing this
  document is the uniqueness of the nonce used in ChaCha20.  Counters
  and LFSRs are both acceptable ways of generating unique nonces, as is
  encrypting a counter using a 64-bit cipher such as DES.  Note that it
  is not acceptable to use a truncation of a counter encrypted with a
  128-bit or 256-bit cipher, because such a truncation may repeat after
  a short time."

It's that last comment - that the bottom 64 bits of a counter encrypted with a 128- or 256-bit cipher may repeat after a short time - that really puzzles me.  Surely any 128- or 256-bit cipher with this property would immediately fail certification, as it would be easily distinguishable from a random permutation.

What am I missing?
                                                        -- Jerry

More information about the cryptography mailing list