[Cryptography] Odd bit of security advice

Christian Huitema huitema at huitema.net
Mon Jun 4 22:44:13 EDT 2018


> On Jun 4, 2018, at 5:27 PM, Jerry Leichter <leichter at lrw.com> wrote:
> In another thread, Jason Cooper quoted the following:
> [1] https://datatracker.ietf.org/doc/rfc7539/?include_text=1
>    Section 4: Security Considerations
> "The most important security consideration in implementing this
>  document is the uniqueness of the nonce used in ChaCha20.  Counters
>  and LFSRs are both acceptable ways of generating unique nonces, as is
>  encrypting a counter using a 64-bit cipher such as DES.  Note that it
>  is not acceptable to use a truncation of a counter encrypted with a
>  128-bit or 256-bit cipher, because such a truncation may repeat after
>  a short time."
> It's that last comment - that the bottom 64 bits of a counter encrypted with a 128- or 256-bit cipher may repeat after a short time - that really puzzles me.  Surely any 128- or 256-bit cipher with this property would immediately fail certification, as it would be easily distinguishable from a random permutation.
> What am I missing?
You are missing the birthday paradox. Encrypting a counter is a bijection that guarantees uniqueness. Truncating the encryption yields a random number that has no such guarantee.

-- Christian Huitema 
