[Cryptography] Non-deterministic PRF as a MAC-and-Nonce for AEAD?

Jason Cooper cryptography at lakedaemon.net
Mon May 21 08:37:13 EDT 2018


Hi Alfie,

On Mon, May 21, 2018 at 09:26:52AM +1000, Alfie John wrote:
> Quick question on if this would work as a safe AEAD scheme:

It'd help if you define "safe" and "AEAD" ;-)

>   If you use a non-deterministic PRF instead of a MAC when doing
>   MAC-then-Encrypt, could the NDPRF be safely used as the nonce (or
>   used to deterministically generate a nonce) to the cipher as it
>   should never be repeated given the same plaintext?

iiuc, which I'm pretty sure I don't, you're asking for a
non-deterministic PRF to *deterministically* create a nonce...-EPARSE

It's also possible that you're asking if the traditional MAC of an AEAD
could also be used as the nonce for the AEAD (perhaps to save space on
the wire?).  In short, no.  The nonce is an input value to the
encryption function, the MAC is an output (regardless how it's created).

Perhaps you could give us the scenario you have and the constraints
you're dealing with?

fwiw, take a look at XSalsa20 and XChaCha20.  These two ciphers are
capable of taking a purely random nonce under the same key.  In short,
the nonce is large enough that the chance of randomly selecting the
same nonce while under the same key is sufficiently small.

Is that what you're after?  If so, you might be interested in
libsodium's xchacha20poly1305 AEAD.

hth,

Jason.
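As an added illustration of the two points in Jason's reply (it is not code from the original message, from libsodium or from the list), the block below shows what XChaCha20 actually does with its 192-bit nonce and how small the random-collision probability gets. It implements the HChaCha20 function from draft-irtf-cfrg-xchacha with the Python standard library only and checks it against the draft's published test vector; `xchacha20_derive` mirrors the documented construction (HChaCha20 over the first 16 nonce bytes yields a subkey, and the last 8 nonce bytes, prefixed with four zero bytes, become the 96-bit IETF ChaCha20 nonce). `nonce_collision_log2` is a hypothetical helper name for the standard birthday upper bound n(n-1)/2^(b+1) on repeating a b-bit random nonce after n messages. Everything else (function names, the demo key) is this example's own choice.

```python
import math
import os
import struct

MASK32 = 0xFFFFFFFF
# "expand 32-byte k" as four little-endian words (ChaCha constants)
CHACHA_CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def _rotl32(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK32


def _quarter_round(s, a, b, c, d):
    # ChaCha quarter round on state words a, b, c, d (RFC 8439 section 2.1)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_rounds(state):
    # 20 rounds = 10 double rounds (column round, then diagonal round)
    s = list(state)
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s


def hchacha20(key, nonce16):
    """HChaCha20 (draft-irtf-cfrg-xchacha section 2.2): a 32-byte key and a
    16-byte nonce fill the state like ChaCha20 (the nonce takes the counter
    slot as well), 20 rounds run, and the first and last rows come out as a
    fresh 32-byte subkey.  Unlike the ChaCha20 block function, the initial
    state is NOT added back in."""
    if len(key) != 32 or len(nonce16) != 16:
        raise ValueError("hchacha20 needs a 32-byte key and a 16-byte nonce")
    state = list(CHACHA_CONSTANTS)
    state += struct.unpack("<8I", key)
    state += struct.unpack("<4I", nonce16)
    s = _chacha20_rounds(state)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))


def xchacha20_derive(key, nonce24):
    """Map XChaCha20's (key, 24-byte nonce) onto the (subkey, 12-byte nonce)
    that ordinary IETF ChaCha20 / ChaCha20-Poly1305 consumes, as the draft
    and libsodium's crypto_aead_xchacha20poly1305_ietf do."""
    if len(nonce24) != 24:
        raise ValueError("XChaCha20 nonce must be 24 bytes")
    subkey = hchacha20(key, nonce24[:16])
    ietf_nonce = b"\x00" * 4 + nonce24[16:]
    return subkey, ietf_nonce


def nonce_collision_log2(nonce_bits, n_messages):
    """log2 of the birthday upper bound n(n-1)/2^(b+1) on the probability that
    n uniformly random b-bit nonces under one key contain a repeat.  Exact
    integer arithmetic keeps 2**64-sized inputs from overflowing a float."""
    pairs = n_messages * (n_messages - 1) // 2
    return math.log2(pairs) - nonce_bits


if __name__ == "__main__":
    # constructed demo key; the nonce is random, which is the whole point
    key = bytes(range(32))
    nonce = os.urandom(24)
    subkey, ietf_nonce = xchacha20_derive(key, nonce)
    print("XChaCha20 nonce :", nonce.hex())
    print("derived subkey  :", subkey.hex())
    print("IETF nonce      :", ietf_nonce.hex())
    for bits, n in ((96, 2**32), (192, 2**64)):
        print(f"{bits}-bit random nonce, 2^{n.bit_length()-1} messages: "
              f"P[repeat] <= 2^{nonce_collision_log2(bits, n):.1f}")
```

The numbers are what justify "sufficiently small": a 96-bit nonce (AES-GCM, plain ChaCha20-Poly1305) chosen at random is already at about 2^-33 after 2^32 messages under one key, which is why those ciphers are normally run with a counter rather than random nonces, whereas XChaCha20's 192-bit nonce stays at about 2^-65 even after 2^64 messages. Note that the subkey is derived from the nonce and key before any encryption happens, which is the "nonce is an input" point above.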

