[Cryptography] Odd bit of security advice
Christian Huitema
huitema at huitema.net
Mon Jun 4 22:44:13 EDT 2018
> On Jun 4, 2018, at 5:27 PM, Jerry Leichter <leichter at lrw.com> wrote:
>
> In another thread, Jason Cooper quoted the following:
>
> [1] https://datatracker.ietf.org/doc/rfc7539/?include_text=1
> Section 4: Security Considerations
> "The most important security consideration in implementing this
> document is the uniqueness of the nonce used in ChaCha20. Counters
> and LFSRs are both acceptable ways of generating unique nonces, as is
> encrypting a counter using a 64-bit cipher such as DES. Note that it
> is not acceptable to use a truncation of a counter encrypted with a
> 128-bit or 256-bit cipher, because such a truncation may repeat after
> a short time."
>
> It's that last comment - that the bottom 64 bits of a counter encrypted with a 128- or 256-bit cipher may repeat after a short time - that really puzzles me. Surely any 128- or 256-bit cipher with this property would immediately fail certification, as it would be easily distinguishable from a random permutation.
>
> What am I missing?
> --
You are missing the birthday paradox. Encrypting a counter is a bijection that guarantees uniqueness. Truncating the encryption yields a random number that has no such guarantee.
-- Christian Huitema
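
The point above at reduced scale, as an added example that is not part of the original message: a 16-bit permutation of a counter never repeats over its whole range, while the low 16 bits of a 32-bit permutation repeat after a few hundred values, as the birthday bound predicts. Assumptions: the toy Feistel network, the key and the function names are constructed for illustration, with the 16-bit block standing in for a 64-bit cipher such as DES and the 32-bit block for a 128-bit cipher.

```python
import hashlib

KEY = b"constructed demo key"  # constructed sample key, not a real secret

def feistel_encrypt(block, half_bits, key=KEY, rounds=4):
    """Toy keyed permutation on 2*half_bits-bit blocks (balanced Feistel).

    Stand-in for a real block cipher: any Feistel network is a bijection,
    which is the only property this demonstration relies on.
    """
    mask = (1 << half_bits) - 1
    left, right = (block >> half_bits) & mask, block & mask
    for r in range(rounds):
        digest = hashlib.sha256(key + bytes([r]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest[:4], "big") & mask)
    return (left << half_bits) | right

def first_repeat(values):
    """Return the 0-based index of the first value already seen, or None."""
    seen = set()
    for i, v in enumerate(values):
        if v in seen:
            return i
        seen.add(v)
    return None

def narrow_nonces(n):
    """Full output of a 16-bit cipher over a counter (DES-on-counter analogue)."""
    return (feistel_encrypt(c, 8) for c in range(n))

def wide_nonces(n):
    """Full output of a 32-bit cipher over a counter."""
    return (feistel_encrypt(c, 16) for c in range(n))

def truncated_nonces(n):
    """Low 16 bits of the 32-bit cipher output: the construction RFC 7539 rejects."""
    return (feistel_encrypt(c, 16) & 0xFFFF for c in range(n))

if __name__ == "__main__":
    n = 2**16  # every counter value the 16-bit nonce space can hold
    print("16-bit cipher, full output :", first_repeat(narrow_nonces(n)))
    print("32-bit cipher, full output :", first_repeat(wide_nonces(n)))
    print("32-bit cipher, low 16 bits :", first_repeat(truncated_nonces(n)))
```

At the sizes in the RFC text the same effect puts the first repeated 64-bit truncated nonce at around 2^32 counter values, while a 64-bit permutation of the counter stays unique for all 2^64.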