[Cryptography] Derive IV from time in ticks.
Nico Williams
nico at cryptonector.com
Tue Feb 7 14:56:22 EST 2023
On Mon, Feb 06, 2023 at 11:48:40PM -0500, Phillip Hallam-Baker wrote:
> On Mon, Feb 6, 2023 at 5:32 PM Nico Williams <nico at cryptonector.com> wrote:
> > RFC 7253, section 5.1, Nonce Requirements:
> >
> > [...]
>
> I certainly would not. What Rogaway is saying there is that he can't prove
> the correctness of the construction with nonce reuse. And I am not in the
> least bit surprised that he can't. But not being able to formulate a formal
> proof is not the same as 'collapses'. GCM definitely collapses, no question.
That's fair. Kinda like confounder reuse in Kerberos' confounded CTS
HMAC construction: there is insufficient cryptanalysis to know how bad
it is, but it seems secure enough in the face of reuse that one
needn't move mountains to avoid it.
Nico