[noise] Thoughts on semi-deterministic encryption
Tony Arcieri
bascule at gmail.com
Wed Aug 27 21:49:43 PDT 2014
On Wed, Aug 27, 2014 at 6:12 PM, Jonathan Moore <moore at eds.org> wrote:
> Sure, but counters and clocks are different things, and there are
> interesting environments without storage at all. I understand that I am
> not discussing ideas that might not get used every day but they are not
> uninteresting which is what it feels like you are trying to argue for.
>
I'm just saying if nonce reuse due to poor RNGs is the only purpose, it
seems like overkill.

If your use case is a content addressable system like Tahoe-LAFS, it's much
more interesting. Adding in the convergence secret, as Brian mentioned,
mitigates a wide range of attacks on convergent encryption systems. Beyond
that, you can simply derive a unique key per message (via, as mentioned,
something like HKDF) from the content hash and the convergence secret, at
which point (also as Brian mentioned) you eliminate the problem of having
to choose a nonce entirely or worry about protocols like SIV, while still
providing a content addressable, deterministic encryption scheme.
--
Tony Arcieri
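
The derivation described in the message above, sketched as an added example (not part of the original post and not Tahoe-LAFS code). Assumptions: SHA-256 as the content hash, the convergence secret used as the HKDF salt, the `info` label, and a standard-library HMAC keystream standing in for a real AEAD; all function names are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def message_key(convergence_secret: bytes, plaintext: bytes) -> bytes:
    """64-byte per-message key from the content hash and the convergence secret."""
    content_hash = hashlib.sha256(plaintext).digest()
    # Assumption: the secret is the HKDF salt (the HMAC key in the extract step),
    # so the key cannot be recomputed from a guessed plaintext alone.
    return hkdf_sha256(convergence_secret, content_hash, b"example-convergent-v1", 64)

def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example needs
    # only the standard library; a deployment would use a vetted AEAD here.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with no nonce; each distinct plaintext has its own key."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], len(plaintext))))
    return ct + hmac.new(key[32:], ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key[32:], ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], len(ct))))

if __name__ == "__main__":
    secret = b"\x01" * 32                      # constructed sample secret
    key = message_key(secret, b"constructed sample file contents")
    blob = seal(key, b"constructed sample file contents")
    print("storage address:", hashlib.sha256(blob).hexdigest())
```

Identical plaintexts under the same convergence secret produce identical ciphertexts, which is the deterministic, content-addressable property; a different secret yields an unrelated key and ciphertext.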