[Cryptography] One-time pads in modern crypto software?

jrzx jrzx at protonmail.ch
Sat Feb 20 16:09:51 EST 2021


On Saturday, February 20, 2021 5:00 AM, Kristian Gjøsteen <kristian.gjosteen at ntnu.no> wrote:

> The attacks on GCM-AES and similar constructions that we have seen
> discussed here lately, almost always reduce to either key management
> or nonce management. While these problems are theoretically simple to
> solve, it turns out that this is not easy to solve for engineers

The solution is easy. Don't do that.

The point of nonces is to reuse expensive shared secrets, but shared secrets
are no longer expensive.

Make a new one-time secret from a new one-time public key every time
you start a stream.

The problem is that the elaborate infrastructure for re-use of precious
shared secrets is complicated to implement, and easy to implement wrong.
Don't reuse them.

A stream cipher such as ChaCha20 can be thought of as an enormous, widely
known and widely shared one-time pad.

Despite being universally known, the pad is still one-time because it is so
enormous that if you always start at a random secret point in the pad,
no one is ever going to reuse it.

The pad is composed of 2^384 512-bit blocks, and the 256-bit secret is the
high-order part of the position in the pad, the nonce is some part of the
remaining 128 bits of the position, and the message position of the 512-bit
block is the remaining position bits after the nonce.

If you do lots of clever stuff handling different parts of the position differently,
you are bound to foul up, and wind up re-using some tiny part of this
enormous pad. Don't do that. Don't re-use shared secrets.

Shared secrets are cheap. If there are no nonces, if the "nonce" and the start
position are just some more bits of the shared secret, there is no nonce
management. If there is no shared secret re-use, there is no shared secret
management.