[Cryptography] Shortening block cipher length...

Adam P. Goucher apgoucher at gmx.com
Wed Jul 21 03:42:36 EDT 2021


> >I don't think NaCl as it is today is vulnerable
>
> Unless it's changed recently, the NaCl API assumes the nonce is user-supplied,
> which means it's completely vulnerable.  It's RC4 as used in the 1990s all
> over again.

RC4 has additional problems with it, such as statistical biases in the output,
even when used 'correctly'; see _A Practical Attack on Broadcast RC4_ by
Mantin and Shamir:

https://link.springer.com/content/pdf/10.1007%2F3-540-45473-X_13.pdf

Best wishes,

Adam P. Goucher
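As an added illustration of the bias Adam points to (example code written for this page, not from the thread or the cited paper): plain RC4 keyed with random 16-byte keys, counting how often the second keystream byte is zero. Mantin and Shamir show this happens with probability about 2/256 rather than the 1/256 an ideal stream cipher would give; the key length, trial count and seed are arbitrary choices.

```python
import random
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA), then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def second_byte_histogram(trials: int, key_len: int = 16, seed: int = 1234) -> Counter:
    """Distribution of the 2nd keystream byte over `trials` random keys.
    Keys are constructed from a seeded PRNG so the run is reproducible."""
    rng = random.Random(seed)
    hist = Counter()
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        hist[rc4_keystream(key, 2)[1]] += 1
    return hist

def second_byte_zero_rate(trials: int, key_len: int = 16, seed: int = 1234) -> float:
    """Fraction of keys whose 2nd keystream byte is 0x00.
    Ideal: 1/256 ~= 0.0039.  RC4 (Mantin-Shamir): about 2/256 ~= 0.0078."""
    hist = second_byte_histogram(trials, key_len, seed)
    return hist[0] / trials

if __name__ == "__main__":
    hist = second_byte_histogram(20000)
    print("most frequent 2nd byte:", hist.most_common(1)[0])
    print("P(2nd byte == 0) =", hist[0] / 20000, "vs ideal", 1 / 256)
```

The same measurement on the first byte, or on a later position, gives a rate close to 1/256, which is what makes the second-byte result a distinguisher for the cipher rather than noise.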