[messaging] Deterministic nonce generation for AES-CTR
Taylor R Campbell
campbell+moderncrypto at mumble.net
Fri Nov 13 11:16:19 PST 2015
Date: Thu, 12 Nov 2015 13:15:16 -0800
From: Nick Badger <nbadger1 at gmail.com>
Re: Taylor --
> What you describe is roughly the SIV construction of RFC 5297. The
> 128-bit block size of AES makes me nervous for random nonces, no
> matter how you carve it up or mix it up for nonce and counter
SIV is an awesome thing that I didn't know about, thanks. Wouldn't the
128-bit block size then be an argument *for* deterministic nonce
generation? It's a bit tough for me to tell from your message. For our
application, deterministic nonce generation is highly desirable, but we
don't want that to compromise security. Point is, we're already on the side
of non-random.
The critical distinction I meant to make was not between
nondeterministic versus deterministic nonces, but rather between
(pseudo)random versus sequential nonces.
If you first use 0, then 1, then 2, &c., you are guaranteed never to
repeat in a (say) 96-bit string.
If you first use AES-CMAC_k(p0), then AES-CMAC_k(p1), &c., or use
successive outputs of a PRNG, or use fresh observations from an
avalanche transistor, then after 2^64 nonces the chance of a collision
is about 1/2. (Here p0, p1, ..., are the plaintext messages.)
You could stop after fewer nonces, but if you stop after, say, 2^32
messages, the chance of collision is about 2^-65 -- small, but not
unimaginably so. (The Bitcoin network computes about 2^65 hashes
every minute.)
You could use a PRP: AES_k(0), AES_k(1), AES_k(2), ... -- but then you
might as well just use 0, 1, 2, ..., since you can obviously maintain
state between messages.
Re: Joe --
> Your proposed scheme might be secure there, but the straightforward way to
> do what you're trying to do is compute a MAC of the plaintext and use that
> as your IV. Key-reuse is a problem for provable security, as you point out.
MACs are definitely simpler and feel more elegant, but if possible, I'd
prefer to stick with an encrypt-then-MAC/sign approach all around (the
containers themselves are signed, not MAC'd).
Note that the word you want here is `PRF', not `MAC', for deriving an
unpredictable string from a key and a plaintext. A good PRF makes a
good MAC (e.g., keyed blake2s), but the converse is not necessarily
true (e.g., poly1305).
More information about the Messaging
mailing list