[messaging] Deterministic nonce generation for AES-CTR

Joseph Bonneau jbonneau at cs.stanford.edu
Thu Nov 12 11:18:25 PST 2015


On Thu, Nov 12, 2015 at 11:05 AM, Nick Badger <nbadger1 at gmail.com> wrote:

>
> Second question: assuming it is reasonable, what's the best way to do
> this? We do have to be concerned about leaking information from the inner
> container, so our current process is NONCE = AES-ECB( message_key, HASH(
> plaintext ) ) with the hash truncated to match the symmetric block size.
> Frankly though, that seems off to me, at the very least because we're
> reusing the message key. We should probably transition the message key to a
> master key, and use a KDF to generate both the nonce key and the message
> key. To that end, would NONCE = AES-ECB( KDF( master_key, HASH(plaintext)
> ), HASH(plaintext) ) make more sense? The "extra" AES here is to protect
> from dictionary attacks and against potential hash compromise.
>

Your proposed scheme might be secure there, but the straightforward way to
do what you're trying to do is compute a MAC of the plaintext and use that
as your IV. Key-reuse is a problem for provable security, as you point out.
The simplest thing is to just have two keys, one for the MAC computation
and one for the encryption.
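The construction recommended above, and the question quoted from Nick Badger's message (a nonce derived from the plaintext, with the MAC key and encryption key separated by a KDF), worked through as an added example. This is not code from either poster; it is my own illustration, with these assumptions: one 32-byte master key is split into an encryption key and a MAC key with HMAC-SHA256 under distinct labels (a simple one-block PRF, not a particular standard KDF), the nonce is the HMAC of the plaintext truncated to the 16-byte AES block, and that nonce doubles as the AES-256-CTR IV. Decryption recomputes the MAC over the recovered plaintext and compares it to the transmitted nonce, so the nonce also serves as an authentication tag (the same idea as the SIV mode of Rogaway and Shrimpton). Two caveats a practitioner should keep in mind: encryption is deterministic by design, so identical plaintexts under the same key produce identical output and equality of messages is visible to an observer; and the demo key below is a constructed constant, not something to reuse.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// nonceSize is one AES block: the CTR IV is a full 128-bit counter block.
const nonceSize = aes.BlockSize

// prf computes HMAC-SHA256(key, data). It is used both as the KDF step
// (keyed by the master key, over a label) and as the MAC over plaintext.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys turns one master key into two independent 32-byte subkeys,
// so the MAC and the cipher never share a key (the key-reuse concern in
// the thread). Labels are an assumption of this example, not a standard.
func deriveKeys(master []byte) (encKey, macKey []byte) {
	return prf(master, []byte("aes-ctr-enc")), prf(master, []byte("plaintext-mac"))
}

// seal encrypts deterministically: nonce = HMAC(macKey, plaintext)[:16],
// then AES-256-CTR under encKey with that nonce as IV. Output is
// nonce || ciphertext.
func seal(master, plaintext []byte) ([]byte, error) {
	encKey, macKey := deriveKeys(master)
	nonce := prf(macKey, plaintext)[:nonceSize]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceSize+len(plaintext))
	copy(out, nonce)
	cipher.NewCTR(block, nonce).XORKeyStream(out[nonceSize:], plaintext)
	return out, nil
}

// open decrypts and then verifies: the MAC recomputed over the recovered
// plaintext must equal the transmitted nonce. Any change to the nonce or
// the ciphertext changes the recovered plaintext or the expected tag, so
// the constant-time comparison fails and nothing is returned.
func open(master, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceSize {
		return nil, errors.New("ciphertext too short")
	}
	encKey, macKey := deriveKeys(master)
	nonce, ct := sealed[:nonceSize], sealed[nonceSize:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(pt, ct)
	expected := prf(macKey, pt)[:nonceSize]
	if subtle.ConstantTimeCompare(expected, nonce) != 1 {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

func main() {
	// Constructed demo key for illustration only; never use a constant key.
	master := bytes.Repeat([]byte{0x42}, 32)
	msg := []byte("attack at dawn")
	c1, _ := seal(master, msg)
	c2, _ := seal(master, msg)
	fmt.Printf("same plaintext, same output: %v\n", bytes.Equal(c1, c2))
	pt, err := open(master, c1)
	fmt.Printf("open: %q err=%v\n", pt, err)
	c1[len(c1)-1] ^= 1 // flip one ciphertext bit
	_, err = open(master, c1)
	fmt.Printf("tampered: err=%v\n", err)
}
```

Note that a flipped bit in the ciphertext is caught only because decryption happens before verification; the plaintext must therefore be discarded, never acted on, when open returns an error.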