[Cryptography] Shortening block cipher length...

Ray Dillinger bear at sonic.net
Mon Jul 19 22:06:46 EDT 2021



On 7/19/21 1:16 PM, Patrick Chkoreff wrote:
> Ray Dillinger wrote on 7/17/21 12:23 PM:
>
>>       What's wrong with 'counter mode' is that the ciphertext is the
>> plaintext XOR some deterministic stream of bits.  This is categorically
>> wrong.  This is old-style XOR stream cipher construction and should
>> never ever be used anywhere.
>
> Do you consider NaCl to be vulnerable in that regard?
>
    I don't think NaCl as it is today is vulnerable - but I do think
that if and when it gets updated in the future by anyone who isn't DJB,
it is ten times more likely to be updated in a way that leaves it
vulnerable.  Everything has to be just so for an XOR-plaintext system to
be secure.  "bright ideas" are more likely to break them.

     Like you, I trust DJB. He's good.  He knows why it's secure and
knows what would poison that security and knows to refuse to do those
things.  NaCl has withstood several years of use and scrutiny at this
point.   I'd consider it usable but it's usable because the implementor
is doing a thing that is in fact fairly hard.  The construction isn't
insecure because it's based on flawed theory; the theory's sound.  It's
almost-insecure because most implementors don't manage to implement it
correctly, or don't manage to implement it in ways their clients can't
somehow bungle, or don't manage to maintain the invariants that made the
earlier versions secure while "extending" it later.

     DJB's "never re-use a nonce" rule is one of the most rock-solid
requirements of such systems. It's not even up for discussion.  But the
fact that you noticed it means you have experience of systems where
reusing a nonce is possible.  Any such system is already halfway to
broken.  But there are dozens of "bright ideas" that involve reusing
nonces, and somebody sooner or later will want to add "extra
functionality" to a working system.  As long as DJB's maintaining it,
you can trust him to tell them FOAD.  But we don't know how long that'll
be.  In the base case, the XOR-Plaintext construction means you must be
on guard against updates.

>     I would be willing to implement different primitives for
> authenticated encryption, other than DJB's.  I find your "superior
> counter mode" quite appealing.  However, I would need a very solid
> and stable algorithm with plenty of known test cases.

     I recommend using OCB mode instead of Counter mode.  It's a well
studied, long standing standard and many freely available well tested
implementations exist. It's a negligible fraction slower than Counter
mode, but structurally it's a drop-in replacement.

                Bear
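As an added illustration of the nonce-reuse point made in the post above (example code written for this page, not NaCl's code and not any library's API): the keystream below is a constructed toy built from HMAC-SHA256 over (nonce, counter), standing in for a real stream cipher only to reproduce the structural property under discussion, ciphertext = plaintext XOR a deterministic keystream(key, nonce). Under a reused nonce the keystream cancels and the XOR of two ciphertexts equals the XOR of the two plaintexts, so the relation between messages leaks; the small guard class shows the invariant an implementation has to keep (refuse to encrypt twice under the same key and nonce). All keys, nonces and messages are constructed sample values.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy counter-mode keystream: HMAC-SHA256(key, nonce || counter).
    Assumption for illustration only; it is NOT XSalsa20/ChaCha and not a cipher
    anyone should deploy. It exists to show that the keystream depends only on
    (key, nonce, position), exactly like real counter-mode constructions."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out.extend(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR-with-keystream encryption; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes):
    """Encrypt two messages under the SAME key and nonce and return
    (c1 XOR c2, p1 XOR p2). The two values are identical because the keystream
    cancels: this is the confidentiality loss the post warns about."""
    n = min(len(p1), len(p2))
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)
    return xor_bytes(c1[:n], c2[:n]), xor_bytes(p1[:n], p2[:n])


class NonceGuardedEncryptor:
    """Mitigation: track every nonce used under a key and refuse a repeat.
    This is the 'never re-use a nonce' invariant enforced in code rather than
    left to callers' discipline. (Hypothetical wrapper for this example; a
    real deployment would persist the set or derive nonces from a counter.)"""

    def __init__(self, key: bytes):
        self._key = key
        self._used_nonces = set()

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        if nonce in self._used_nonces:
            raise ValueError("nonce already used under this key; refusing to encrypt")
        self._used_nonces.add(nonce)
        return ctr_encrypt(self._key, nonce, plaintext)


def reuse_is_refused(enc: NonceGuardedEncryptor, nonce: bytes, plaintext: bytes) -> bool:
    """Return True if the guard rejected a second encryption under `nonce`."""
    try:
        enc.encrypt(nonce, plaintext)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample key/nonce/messages for the demonstration.
    key = b"\x01" * 32
    nonce = b"\x02" * 24
    leaked, relation = nonce_reuse_leak(key, nonce, b"attack at dawn", b"attack at dusk")
    print("c1^c2 == p1^p2 under nonce reuse:", leaked == relation)

    guard = NonceGuardedEncryptor(key)
    guard.encrypt(nonce, b"first message")
    print("second use of same nonce refused:", reuse_is_refused(guard, nonce, b"second"))
```

The round trip works because XOR with the same keystream twice is the identity; the guard catches reuse only within one process and one key, which is why the post's recommendation to treat nonce handling as a hard invariant of the whole system, not a local check, still stands.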



