[Cryptography] Derive IV from time in ticks.

Phillip Hallam-Baker phill at hallambaker.com
Wed Feb 8 01:16:44 EST 2023


On Tue, Feb 7, 2023 at 2:56 PM Nico Williams <nico at cryptonector.com> wrote:

> On Mon, Feb 06, 2023 at 11:48:40PM -0500, Phillip Hallam-Baker wrote:
> > On Mon, Feb 6, 2023 at 5:32 PM Nico Williams <nico at cryptonector.com> wrote:
> > > RFC 7253, section 5.1, Nonce Requirements:
> > >
> > > [...]
> >
> > I certainly would not. What Rogaway is saying there is that he can't
> > prove the correctness of the construction with nonce reuse. And I am
> > not in the least bit surprised that he can't. But not being able to
> > formulate a formal proof is not the same as 'collapses'. GCM definitely
> > collapses, no question.
>
> That's fair.  Kinda like confounder reuse in Kerberos' confounded CTS
> HMAC construction: there is insufficient cryptanalysis to know how bad
> it is, but it seems secure enough in the face of reuse that one
> needn't move mountains to avoid it.


I had email exchanges with Phil on OCB after he wrote that paper and he
didn't say not to use it. He renounced the remaining patent rights shortly
after.

What Phil is trying to do is to come up with ultra precise understanding of
the security a construction delivers. But my understanding is that we still
don't have a construction that can be considered ideal in every respect and
we might not have finished enumerating the requirements.

Similarly, I have moved on from my approach in the 1990s when I was
satisfied with foiling the attacker with a single layer of defense. These
days, I am looking at multi-layer systems and attempting to use different
principles of construction at each. I don't rely on transport/presentation
security for more than preventing traffic analysis but I do require that it
protect confidentiality and integrity of the payload even though those are
also protected end-to-end.
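The claim above that GCM "definitely collapses" under nonce reuse, made concrete as an added example that is not part of the original thread: two messages encrypted under the same key and the same 96-bit nonce (the nonce string is a constructed stand-in for a tick-derived IV that repeats when two messages fall in one tick) have a ciphertext XOR equal to their plaintext XOR, with no key recovery needed. Key, nonces and messages are constructed values; the AES-GCM implementation is Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// sealGCM encrypts with AES-GCM and returns the ciphertext body without the 16-byte tag.
func sealGCM(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	out := aead.Seal(nil, nonce, plaintext, nil)
	return out[:len(out)-aead.Overhead()]
}
// xorBytes returns a XOR b over their common length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak encrypts p1 under nonce1 and p2 under nonce2 with one key and
// reports whether ciphertext XOR equals plaintext XOR. A repeated nonce gives
// GCM the same CTR keystream twice, so both messages leak with no key recovery.
func NonceReuseLeak(key, nonce1, nonce2, p1, p2 []byte) (ctXor, ptXor []byte, collapsed bool) {
	ctXor = xorBytes(sealGCM(key, nonce1, p1), sealGCM(key, nonce2, p2))
	ptXor = xorBytes(p1, p2)
	return ctXor, ptXor, bytes.Equal(ctXor, ptXor)
}
func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	p1, p2 := []byte("meeting at 0900"), []byte("meeting at 1400")
	// "tick-0000001" stands in for a 96-bit nonce derived from a clock tick.
	_, _, reused := NonceReuseLeak(key, []byte("tick-0000001"), []byte("tick-0000001"), p1, p2)
	_, _, fresh := NonceReuseLeak(key, []byte("tick-0000001"), []byte("tick-0000002"), p1, p2)
	fmt.Println("same nonce leaks plaintext XOR:", reused, "| fresh nonce:", fresh)
}
```

The defender's takeaway is that a nonce source must never repeat under one key; a tick counter only qualifies if its resolution guarantees at most one encryption per tick.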