[Cryptography] Odd bit of security advice
Jerry Leichter
leichter at lrw.com
Mon Jun 4 20:27:54 EDT 2018
In another thread, Jason Cooper quoted the following:
[1] https://datatracker.ietf.org/doc/rfc7539/?include_text=1
Section 4: Security Considerations
"The most important security consideration in implementing this
document is the uniqueness of the nonce used in ChaCha20. Counters
and LFSRs are both acceptable ways of generating unique nonces, as is
encrypting a counter using a 64-bit cipher such as DES. Note that it
is not acceptable to use a truncation of a counter encrypted with a
128-bit or 256-bit cipher, because such a truncation may repeat after
a short time."
It's that last comment - that the bottom 64 bits of a counter encrypted with a 128- or 256-bit cipher may repeat after a short time - that really puzzles me. Surely any 128- or 256-bit cipher with this property would immediately fail certification, as it would be easily distinguishable from a random permutation.
What am I missing?
-- Jerry
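To put numbers on the quoted passage, here is an added toy model (not part of the original post or of RFC 7539): constructed seeded permutations stand in for an ideal block cipher, once at exactly the nonce width (the DES-style case, a permutation, so no repeats) and once wider and truncated (the AES-style case, no longer a permutation, so birthday-bound repeats), plus the birthday estimate for the real 64-bit nonce.

```python
"""Toy model of the RFC 7539 nonce advice. The 'ciphers' are constructed
random permutations from a seeded shuffle, standing in for a keyed block
cipher at a size small enough to exhaust; only the counting is real."""
import math
import random


def toy_permutation(bits, seed):
    """Random permutation on {0 .. 2^bits - 1}: an idealised block cipher
    under one fixed key (constructed stand-in, not a real cipher)."""
    table = list(range(1 << bits))
    random.Random(seed).shuffle(table)
    return table


def first_repeat(nonces):
    """Index at which a nonce first equals an earlier one, or None."""
    seen = set()
    for i, n in enumerate(nonces):
        if n in seen:
            return i
        seen.add(n)
    return None


def encrypted_counter_nonces(perm, count):
    """Counter 0..count-1 encrypted with a cipher whose block width equals
    the nonce width: a permutation, so outputs are distinct until 2^bits."""
    return [perm[i] for i in range(count)]


def truncated_counter_nonces(perm, count, nonce_bits):
    """Counter encrypted with a wider cipher, keeping only the low nonce_bits.
    A truncated permutation is not a permutation; it behaves like random
    sampling of an nonce_bits-wide space and repeats at the birthday bound."""
    mask = (1 << nonce_bits) - 1
    return [perm[i] & mask for i in range(count)]


def expected_birthday_nonces(nonce_bits):
    """Nonces after which a repeat is more likely than not:
    sqrt(2 ln 2 * 2^n), roughly 1.18 * 2^32 for the RFC's 64-bit case."""
    return math.sqrt(2 * math.log(2) * (1 << nonce_bits))


if __name__ == "__main__":
    perm16 = toy_permutation(16, seed=7)  # 16-bit 'cipher', 65536 blocks
    print("full-width: ", first_repeat(encrypted_counter_nonces(perm16, 1 << 16)))
    print("truncated:  ", first_repeat(truncated_counter_nonces(perm16, 256, 8)))
    print("64-bit est.:", f"{expected_birthday_nonces(64):.3e}")
```

The full-width run walks all 65536 counters without a single repeat, while the 8-bit truncation of the same permutation repeats within a few dozen nonces; at 64 bits the same effect lands near 2^32 messages, which is the "short time" the RFC means.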