[messaging] Deterministic nonce generation for AES-CTR

Joseph Bonneau jbonneau at cs.stanford.edu
Thu Nov 12 14:13:55 PST 2015


On Thu, Nov 12, 2015 at 1:15 PM, Nick Badger <nbadger1 at gmail.com> wrote:

> I'm merging message trees here to avoid multiple replies.
>
> Re: Joe --
>
>
>> Your proposed scheme might be secure there, but the straightforward way
>> to do what you're trying to do is compute a MAC of the plaintext and use
>> that as your IV. Key-reuse is a problem for provable security, as you point
>> out. The simplest thing is to just have two keys, one for the MAC
>> computation and one for the encryption.
>>
>
> MACs are definitely simpler and feel more elegant, but if possible, I'd
> prefer to stick with an encrypt-then-MAC/sign approach all around (the
> containers themselves are signed, not MAC'd).
>

Note that what I was suggesting is exactly what AES-SIV does: CMAC is
computed with one key over the entire plaintext (plus additional
authenticated data), this MAC is used directly as the IV, CTR encryption is
applied, and then the ciphertext is sent along with the MAC. If you had
asked me this morning I might have said "I'm not sure using the same MAC as
your IV and MAC has no security gotchas, would have to think to be sure
there are no gotchas" and suggested maybe adding a second MAC over the
whole ciphertext to be safe. Fortunately the security analysis has already
been done to show that re-using the MAC in this way as an IV is safe, leading
to AES-SIV: https://www.iacr.org/archive/eurocrypt2006/40040377/40040377.pdf

So I would suggest using that.
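The AES-SIV construction Joe describes above, worked through in code as an added example: this is not code from the thread or from any of the posters, but an implementation of RFC 5297 written for this page (AES-128-SIV with a 32-byte key K1||K2; the names `NewSIV`, `Seal`, `Open`, `s2v` and `cmac` are this example's own). It follows the sequence in the message exactly: S2V (CMAC under K1 over the associated-data strings and then the plaintext) yields a 128-bit value V; V with two bits cleared is the CTR counter under K2; the message sent is V || ciphertext. `Open` is the receiving side: CTR-decrypt, recompute S2V over the recovered plaintext and AD, and compare it with the transmitted V in constant time, so any change to V, to the ciphertext or to the AD is rejected. The embedded test vector is appendix A.1 of RFC 5297.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// xor returns a XOR b over len(a) bytes; b must be at least as long as a.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// dbl multiplies a 128-bit block by x in GF(2^128), as both CMAC and S2V require.
func dbl(b []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = b[i]<<1|carry, b[i]>>7
	}
	out[15] ^= 0x87 * carry // reduce by the field polynomial if the top bit fell off
	return out
}

// cmac is AES-CMAC (RFC 4493) of msg under the block cipher c.
func cmac(c cipher.Block, msg []byte) []byte {
	k1 := make([]byte, 16)
	c.Encrypt(k1, k1) // L = E_K(0^128); K1 = dbl(L); K2 = dbl(K1)
	k1 = dbl(k1)
	n := 1 + (len(msg)-1)/16 // number of blocks, at least one
	var last []byte
	if len(msg) > 0 && len(msg)%16 == 0 {
		last = xor(msg[len(msg)-16:], k1) // complete final block: XOR with K1
	} else {
		pad := make([]byte, 16) // partial final block: 10* padding, XOR with K2
		copy(pad, msg[(n-1)*16:])
		pad[len(msg)-(n-1)*16] = 0x80
		last = xor(pad, dbl(k1))
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		c.Encrypt(x, xor(x, msg[i*16:(i+1)*16]))
	}
	c.Encrypt(x, xor(x, last))
	return x
}

// s2v (RFC 5297 section 2.4) folds the AD strings and, last, the plaintext into
// one 128-bit value: the synthetic IV, which is also the MAC that is transmitted.
func s2v(c cipher.Block, inputs [][]byte) []byte {
	d := cmac(c, make([]byte, 16))
	for _, s := range inputs[:len(inputs)-1] {
		d = xor(dbl(d), cmac(c, s))
	}
	last := inputs[len(inputs)-1]
	if len(last) >= 16 { // xorend: XOR D into the final 16 bytes of the plaintext
		t := append([]byte{}, last...)
		copy(t[len(t)-16:], xor(t[len(t)-16:], d))
		return cmac(c, t)
	}
	pad := make([]byte, 16) // short plaintext: pad it and fold dbl(D) in
	copy(pad, last)
	pad[len(last)] = 0x80
	return cmac(c, xor(dbl(d), pad))
}

// SIV holds the two keys Joe mentions: K1 for the MAC (S2V) and K2 for CTR.
// The input key is K1||K2, 32 bytes for AES-128-SIV. (Example type, not a library API.)
type SIV struct{ mac, ctr cipher.Block }

func NewSIV(key []byte) (*SIV, error) {
	if len(key) != 32 {
		return nil, errors.New("siv: key must be 32 bytes (AES-128-SIV)")
	}
	mac, err := aes.NewCipher(key[:16])
	if err != nil {
		return nil, err
	}
	ctr, err := aes.NewCipher(key[16:])
	return &SIV{mac, ctr}, err
}

// stream derives the CTR keystream from the IV with bits 31 and 63 cleared, so
// counter increments never carry into the upper words (RFC 5297 section 2.6).
func (s *SIV) stream(v []byte) cipher.Stream {
	q := append([]byte{}, v...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	return cipher.NewCTR(s.ctr, q)
}

// Seal returns IV || ciphertext. No nonce is taken: equal (AD, plaintext) inputs
// under the same key give byte-identical output.
func (s *SIV) Seal(ad [][]byte, plaintext []byte) []byte {
	v := s2v(s.mac, append(append([][]byte{}, ad...), plaintext))
	out := make([]byte, 16+len(plaintext))
	copy(out, v)
	s.stream(v).XORKeyStream(out[16:], plaintext)
	return out
}

// Open decrypts and rejects any change to IV, ciphertext or AD by recomputing
// S2V over the recovered plaintext and comparing it to the IV in constant time.
func (s *SIV) Open(ad [][]byte, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 16 {
		return nil, errors.New("siv: ciphertext shorter than the 16-byte IV")
	}
	v := ciphertext[:16]
	pt := make([]byte, len(ciphertext)-16)
	s.stream(v).XORKeyStream(pt, ciphertext[16:])
	if subtle.ConstantTimeCompare(v, s2v(s.mac, append(append([][]byte{}, ad...), pt))) != 1 {
		return nil, errors.New("siv: authentication failed")
	}
	return pt, nil
}

func main() {
	// RFC 5297 appendix A.1 inputs; the expected IV||C begins 85632d07c6e8f37f...
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	s, _ := NewSIV(key)
	out := s.Seal([][]byte{ad}, pt)
	fmt.Printf("IV||C = %x\n", out)
	out[20] ^= 1 // flip one ciphertext bit: Open must now refuse it
	_, err := s.Open([][]byte{ad}, out)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Two properties of this mode that a deployment should keep in mind, both from RFC 5297 rather than from the thread: because there is no nonce, encrypting the same AD and plaintext twice under one key produces identical output, so SIV reveals message equality (the RFC allows a nonce to be supplied as the last AD string when that matters); and because the IV is the MAC of the plaintext, the receiver has to run the CTR step before it can verify anything, so `Open` must not hand out the decrypted bytes until the constant-time comparison has passed.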